Veritas Data Insight User's Guide
- Section I. Introduction
- Section II. Data Insight Workspace
- Navigating the Workspace tab
- Analyzing data using the Workspace views
- Viewing access information for files and folders
- Viewing user activity on files or folders
- About visualizing collaboration on a share
- Viewing access information for users and user groups
- Section III. Data Insight reports
- Using Data Insight reports
- About Data Insight security reports
- Permissions reports
- Permissions Search report
- Creating a Permissions Query Template
- Permissions Query Template actions
- Ownership Reports
- About Data Insight storage reports
- About Data Insight custom reports
- Managing reports
- Viewing reports
- Using Data Insight reports
- Section IV. Remediation
- Configuring remediation workflows
- Managing workflow templates
- Creating a workflow using a template
- Managing workflows
- Using the Self-Service Portal
- About the Self-Service Portal
- Managing data
- About managing data using Enterprise Vault and custom scripts
- About adding tags to files, folders, and shares
- Managing permissions
- Configuring remediation workflows
- Appendix A. Command Line Reference
Assessing risky users - an example scenario
This section explains the use of the user risk dossier with the help of an example.
The Workspace > Users list view shows a group of users with a high risk score. Or the risk history graph for a user displays an upward trend in the moving average of the risk score.
Use the risk dossier to dive into the details of the reasons for the high risk score. and to do a comparative analysis of the factors contributing to the risk score between a date in last six months and the current date.
The next steps should be to ascertain why the users display a high risk score. Select a potentially high-risk user based on the risk score (for example, a risk score of more than 90 for a user may warrant some investigation). For this user, determine the following:
The number of alerts generated for that user. Investigate the policies that the user has violated and the severity of the policies that has led Data Insight to generate an alert.
The anomalies - the shares and the access types (op codes) for which deviations are observed. You can either investigate the user by looking at the user's audit history for that day. You can also generate access details report for that user only for that day.
The shares on which the user has access. One of the reason for a high risk score can be that the user has access to a large number of shares. The access could be provided through various groups.
Run the Risky Users Group DQL query to get the groups through which the user has access to those shares.
Explore the user attributes of the above user to get a hint of the groups that the person should be in.
Run the Risky Users Outlier DQL query to identify any outlier user with respect to the user attributes compared against all high-risky users.
Typically, Administrator users may show up in the report output due to high access. But the high access to any other type of user should be investigated.
Once you have determined the reasons for a high risk score, you can do the following to further drill down and take remediation actions:
Click on the share name in the Accessible Shares/ Sensitive Shares to navigate to the Permissions tab or the Anomaly Spectrum graph to navigate to the Audit Logs tab .
>To get exact details of the permissions due to which the user has high access, create a Permission Search report scoped on selected shares to report on all groups that the user is part of which may have granted permission to the user on some of these shares. You can then evaluate whether the user has excessive privileges. The report may help you understand if the user is accidentally added to a group which may have given the user excessive privileges.
Explore group memberships and if required, use the custom action framework (
> > ) to change group memberships to align user accesses if found to be excessive. It can also be used to change CIFS permissions, if required.For more information about configuring permissions remediation, see the Veritas Data Insight Administration Guide.