User Watchlist

User Watchlist

UEBA user watchlists allows the selection and monitoring of specific users or users imported from a list. This feature is helpful for managers to monitor activity for employees flagged by security or HR systems or to generally track a group of users User Confidence Index (UCI) change.

Navigate to the Incidents > Behavior Analytics page, the Incidents list page displays. Only account admins can create, edit, or delete watchlists. All other users, (non-admins) have view permission.

View a List of Your Watchlists

Click the User Confidence All Users dropdown and select a watchlist name. Optionally, you can search for a particular watchlist if you know the name from the All Users dropdown.

(1) The list of users filters to show only the users on the particular watchlist. (2) The score chart to the right of the user list, refreshes with the details for the first user on the list. (3) Select or search for a name to view the score chart for the specific user.

Manage a Watchlist

Click the User Confidence dropdown and scroll to the bottom > Manage Watchlist. Optionally, you can access the Manage Watchlist from the Add to Watchlist dropdown.

The Manage Watchlist window displays.

Create a Watchlist

Click the User Confidence dropdown and scroll the bottom > Manage Watchlist > New Watchlist. The New Watchlist window displays.

1. Type a name for your watchlist. The watchlist name must be unique from other watchlist names.

2. In the Users box, you can type user emails separated by a new line. The max number of users per watchlist is 300. Users must already exist in your account. Users that are not associated with your account cannot be saved/added to a watchlist.

3. Optionally, click Import from CSV to use a CSV file to add users to the new watchlist, replace users from the new watchlist, or download a sample CSV watchlist.

4. Optionally, click Export.

5. Optionally, admins can configure each watchlist with its own UCI threshold alert level in addition to the global UCI threshold alert.

   Select the checkbox to raise an alert if the user’s UCI drops below a set threshold within 24 hours. If you select the checkbox, you must enter a User Confidence Index value (number from 1 – 999) for users on this new watchlist. When the users UCI drops below the value you define, an alert is generated in Skope IT.

6. Click Save.

View Skope IT UCI Threshold Alerts

1. Navigate to Skope IT > Events & Alerts > Alerts.

2. Filter for UCI threshold alerts. For example, (alert_name eq ‘UCI threshold alert’)

3. Click the magnifying icon to view Alert Details. Fields of interest: User Watchlist name, the reason the system generated the alert (Scenario), UCI value that triggered the alert, etc.

   

Edit a Watchlist

1. Click the pencil icon by the Watchlist name.

2. Make edits to the existing watchlist. In addition to all the create new watchlist actions, admins can edit the name of this watchlist. Note, all watchlist names must be unique or you cannot save your changes/edits.

3. Click Save.

Add to Watchlist

This list shows the watchlists to which the user does not belong. Select a watchlist name from the list to add the user to the specified watchlist.

Optionally, you can scroll to the bottom of the list to access the Manage Watchlist window. The User Confidence dropdown > Manage Watchlist option is the same as this access point.

You can see the list of watchlists to which this user belongs from the Behavior Analytics list page.

Delete a Watchlist

There are two ways to access the Manage Watchlist window.

1. User Confidence dropdown > Manage Watchlist.

   

2. Add to Watchlist > Manage Watchlist.

The Manage Watchlist window displays all watchlists for your organization. Select the trash icon to delete a watchlist. You cannot undo/reverse this operation.