The departing employee risk report shows you a summary of risky activity an employee on the Departing watchlist has had in the last 90 days. In the report, you can see a summary of the alerts the user has triggered, the number of cases they were involved in, how many critical events they've caused, and how many events they have that correspond to the most common exfiltration scenarios for departing employees. Use the report to make your offboarding triage tasks more streamlined and consistent.
To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
Departing employee risk report
To open the report:
- Go to User Activity > Watchlists.
- Select the Departing watchlist.
- Find the user and click Risk report.
The risk report slides in from the right.
|a||Export events||Click to send all of the employee's events for the past 90 days to a CSV file.|
|c||View profile||Click to see the employee's User profile.|
Do one of the following:
Notes are limited to 1000 characters.
Shows how many cases exist for the user, the number of alerts they've triggered, and how many critical events they've had in the past 90 days.
Note: The case and alert counts are not visible if you do not have the appropriate permissions.
|f||Risk indicators||Shows the user's top risk indicators sorted by the number of the user's critical events.|
|g||View critical events||Click to see the user's critical events in Forensic Search.|
|h||Common risk scenarios in the last 90 days||
Shows the top risk scenarios for departing employees and the user's file event counts for each scenario.
The same risk scenarios are always shown, and do not change based on the user's file activity. To see the user's most active file activity by risk indicator, see the Risk indicators section of the report.