Admin reported user risk

This detection is triggered by a manual action. It occurs when an admin manually changes a user's risk level to low, medium, or high. Admins can do this through a user's profile page in the Admin Console or with the User Risk API.

Detection risk level: High, Medium, or Low

This manual change typically occurs as part of an external investigation. You may change the risk level when your EDR/XDR/MDM tool flags a user's device as compromised, or when you've received reports of a lost or stolen laptop.

Policy configuration

In your entity risk policy, create separate rules:

Rule 1 (Admin sets high)

  • Detection: Admin Reported User Risk
  • Entity risk level: High
  • Take this action: Universal Logout, or run a Workflow to notify the SOC team to begin an investigation

Rule 2 (Admin sets medium through API)

  • Detection: Admin Reported User Risk
  • Entity risk level: Medium
  • Take this action: Run a Workflow to notify the SOC team to begin an investigation

Remediation strategy

  1. Immediate action: The configured policy takes effect immediately. Add the user to your high-risk group while investigations are completed.

  2. Investigate: The admin who set the risk is responsible for the investigation (for example, working with the endpoint security team to clean the device). Run the following query in the System Log:

     eventType eq "user.risk.detect" and debugContext.debugData.risk co "detectionName=Admin Reported User Risk"

  3. Restore access: After the external incident is resolved, the admin may lower the risk by clearing the session or using the User Risk API.
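The following is an added example, not Okta's own code, that scripts steps 2 and 3 above: it builds the System Log query from the filter given in step 2, reduces the returned events to a triage table of which admin set which level on whom, and builds the User Risk API call used to set or lower the level. The /api/v1/logs and /api/v1/users/{id}/risk paths, the SSWS token header, and the "key=value" layout of debugData.risk in the constructed sample event are assumptions to verify against your org.

```python
# Added example (not Okta's own code): query the System Log with the filter from
# step 2, reduce the events to a triage table, and build the User Risk API call.
# The /api/v1/logs and /api/v1/users/{id}/risk paths and the "key=value" layout
# of debugData.risk in the constructed sample are assumptions to verify in your org.
import json
import urllib.parse
import urllib.request

DETECTION_FILTER = ('eventType eq "user.risk.detect" and debugContext.debugData.risk'
                    ' co "detectionName=Admin Reported User Risk"')

def build_log_query(org_url, since_iso, limit=100):
    """System Log URL for admin-reported risk events published after since_iso."""
    params = {"filter": DETECTION_FILTER, "since": since_iso, "limit": str(limit)}
    return f"{org_url}/api/v1/logs?{urllib.parse.urlencode(params)}"

def parse_risk_field(risk):
    """Turn '{k=v, k=v}' from debugData.risk into a dict (assumed layout)."""
    pairs = (p.split("=", 1) for p in risk.strip().strip("{}").split(",") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def triage_events(events):
    """Reduce raw events to who set which level on whom, for the SOC ticket."""
    rows = []
    for ev in events:
        risk = parse_risk_field(ev["debugContext"]["debugData"].get("risk", ""))
        if risk.get("detectionName") != "Admin Reported User Risk":
            continue  # other detections share the user.risk.detect eventType
        users = [t["alternateId"] for t in ev.get("target", []) if t["type"] == "User"]
        rows.append({"admin": ev["actor"]["alternateId"], "user": users[0] if users else None,
                     "level": risk.get("level"), "when": ev["published"]})
    return rows

def build_set_risk_request(org_url, user_id, level, token):
    """PUT /api/v1/users/{id}/risk with riskLevel LOW|MEDIUM|HIGH (built, not sent)."""
    if level not in ("LOW", "MEDIUM", "HIGH"):
        raise ValueError(f"unsupported risk level: {level}")
    return urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/risk", method="PUT",
        data=json.dumps({"riskLevel": level}).encode(),
        headers={"Authorization": f"SSWS {token}", "Content-Type": "application/json"})

# Constructed sample event, shape simplified from a real System Log record.
SAMPLE_EVENTS = [{
    "eventType": "user.risk.detect", "published": "2024-05-01T12:00:00.000Z",
    "actor": {"type": "User", "alternateId": "admin@example.com"},
    "target": [{"type": "User", "alternateId": "alice@example.com"}],
    "debugContext": {"debugData": {"risk": "{detectionName=Admin Reported User Risk, level=HIGH}"}},
}]
```

Send the built request with urllib.request.urlopen (or your HTTP client of choice) only after the external incident is resolved, as step 3 describes.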