Understanding User Risk Score

Users are assigned a risk score based on risky activities identified via API scans.

The score is the sum total of the number of events identified from the following two activities within a rolling 30 day window:

  1. Files Matching DLP shared Externally or Publicly.
  2. Files Matching Malware and not Quarantined.

To Risk Score of the user can be seen by navigating to IAM > Users and Groups.

Admins can view a full breakdown of the Risk Scorecard in the User/Device Activity page.

Note:

Risk scores will only update once the original scan event has expired past the 30 day rolling window. Meaning if an admin manually remediates files that triggered one of the above, then the user risk score will still remain the same.

For example, if a user has a risk score of 10 because they have 7 files that match DLP patterns that are shared publicly/externally and 3 files that are identified as malware and have not been quarantined and an admin goes in an manually quarantines the 3 malware files, the user risk score will still remain at 10 until the date those scan events occurred passes the 30 day rolling window threshold.