Session influenced user risk
This detection is recorded when a user's session risk level changes to High.
Detection risk level: Medium
If the user's active session exhibits patterns that match session hijacking, token theft, or token replay, ITP elevates the session risk to High. As a result, ITP elevates the entity (user) risk to Medium. To learn more about session protection and available configuration options, see Session protection.
MITRE tactic
MITRE technique
Use Alternate Authentication Material: Web Session Cookie
Policy configuration
- Detection: Session influenced User Risk
- Take this action: Run a Workflow to notify an admin
Remediation strategy
Investigate the session that's flagged as high risk for any malicious activity. Run the following query in the System Log:
eventType eq "user.risk.detect" and debugContext.debugData.risk co "detectionName=Session Influenced User Risk"
You can view the session activity using the externalSessionId that's populated in the relevant
user.risk.detect event.
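The triage described above can also be done offline on exported System Log events. The following is an added example, not part of the original documentation: it applies the same filter as the query, collects each flagged externalSessionId, and builds a per-session timeline that marks the first event from a client (IP address and user agent) not seen earlier in that session. The sample events, the helper names, the layout of the risk string, and reading the session ID from authenticationContext.externalSessionId are assumptions.

```python
DETECTION = "detectionName=Session Influenced User Risk"

def ev(event_type, ts, session, ip, ua, risk=None):
    """Build a constructed event using System Log field names."""
    # Assumption: the session ID is read from authenticationContext.externalSessionId.
    return {
        "eventType": event_type, "published": ts,
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
        "authenticationContext": {"externalSessionId": session},
        "debugContext": {"debugData": {"risk": risk} if risk else {}},
    }

# Constructed sample data (documentation IP ranges, made-up session IDs and risk string).
SAMPLE_EVENTS = [
    ev("user.session.start", "2024-05-01T09:00:00Z", "sess-A", "198.51.100.10", "Firefox/125 macOS"),
    ev("user.authentication.sso", "2024-05-01T09:05:00Z", "sess-A", "198.51.100.10", "Firefox/125 macOS"),
    ev("user.authentication.sso", "2024-05-01T09:40:00Z", "sess-A", "203.0.113.77", "python-requests/2.31"),
    ev("user.risk.detect", "2024-05-01T09:41:00Z", "sess-A", "203.0.113.77", "python-requests/2.31",
       risk="{level=MEDIUM, " + DETECTION + "}"),
    ev("user.session.start", "2024-05-01T10:00:00Z", "sess-B", "198.51.100.10", "Firefox/125 macOS"),
]

def flagged_sessions(events):
    """Same filter as the System Log query: eventType eq ... and risk co ..."""
    return sorted({
        e["authenticationContext"]["externalSessionId"]
        for e in events
        if e["eventType"] == "user.risk.detect"
        and DETECTION in (e["debugContext"]["debugData"].get("risk") or "")
    })

def session_timeline(events, session_id):
    """All events in one session, oldest first, marking client changes."""
    rows, seen = [], set()
    in_session = [e for e in events
                  if e["authenticationContext"].get("externalSessionId") == session_id]
    for e in sorted(in_session, key=lambda e: e["published"]):
        client = (e["client"]["ipAddress"], e["client"]["userAgent"]["rawUserAgent"])
        new_client = bool(seen) and client not in seen  # first event never counts as a change
        seen.add(client)
        rows.append((e["published"], e["eventType"], client[0], new_client))
    return rows

if __name__ == "__main__":
    for sid in flagged_sessions(SAMPLE_EVENTS):
        print("Flagged session:", sid)
        for ts, etype, ip, changed in session_timeline(SAMPLE_EVENTS, sid):
            print(f"  {ts} {etype:28} {ip:15} {'<-- new client' if changed else ''}")
```

A mid-session change of IP address and user agent on the same externalSessionId is the pattern to review first when the detection points at token theft or replay.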