Admin reported user risk

This detection is triggered by a manual action: it occurs when an admin changes a user's risk level to low, medium, or high. Admins can do this through a user's profile page in the Admin Console or with the User Risk API.

Detection risk level: High, Medium, or Low

This manual change typically occurs as part of an external investigation. For example, you may raise the risk level when your EDR/XDR/MDM tool flags a user's device as compromised, or when you receive a report of a lost or stolen laptop.

Policy configuration

In your entity risk policy, create separate rules keyed on the entity risk level. The detection is the same whether the admin changed the level in the Admin Console or through the User Risk API, so the risk level is what distinguishes the rules:

Rule 1 (Admin sets high)

  • Detection: Admin Reported User Risk
  • Entity risk level: High
  • Take this action: Universal Logout, or run a Workflow to notify the SOC team to begin an investigation

Rule 2 (Admin sets medium)

  • Detection: Admin Reported User Risk
  • Entity risk level: Medium
  • Take this action: Run a Workflow to notify the SOC team to begin an investigation

Remediation strategy

  1. Immediate action: The configured policy takes effect immediately. Add the user to your high-risk group while the investigation is completed.

  2. Investigate: The admin who set the risk is responsible for the investigation (for example, working with the endpoint security team to clean the device).

  3. Restore access: After the external incident is resolved, the admin who raised the risk lowers it again by changing the risk level on the user's profile page in the Admin Console or with the User Risk API. Confirm that the new level is reflected before removing the user from the high-risk group.
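The escalate-then-restore flow above, driven through the User Risk API, as an added example (this is not code from the Okta documentation). It assumes the endpoint is PUT/GET {orgUrl}/api/v1/users/{userId}/risk with a body of {"riskLevel": "LOW" | "MEDIUM" | "HIGH"} and a response that echoes riskLevel, and that the API token is sent as an SSWS Authorization header; verify all three against your org's API reference. The org URL, token, user ID and the FakeOktaRisk transport are constructed so the example runs offline; swap in http_send to talk to a real org.

```python
"""Set and clear a user's risk level through the Okta User Risk API.

Added example, not code from the Okta documentation. Assumptions to verify
against your org's API reference: the endpoint is
PUT/GET {orgUrl}/api/v1/users/{userId}/risk, the PUT body is
{"riskLevel": "LOW"|"MEDIUM"|"HIGH"}, and the response echoes "riskLevel".
"""
import json
import urllib.request
from typing import Callable, Dict, Optional

RISK_LEVELS = ("LOW", "MEDIUM", "HIGH")

# A sender takes a prepared urllib Request and returns the decoded JSON body.
Sender = Callable[[urllib.request.Request], Dict[str, object]]


def risk_request(org_url: str, api_token: str, user_id: str,
                 level: Optional[str] = None) -> urllib.request.Request:
    """Build the GET (level is None) or PUT request for the user-risk endpoint.

    The level is validated locally so a typo never reaches the API.
    """
    if level is not None and level not in RISK_LEVELS:
        raise ValueError(f"riskLevel must be one of {RISK_LEVELS}, got {level!r}")
    url = f"{org_url.rstrip('/')}/api/v1/users/{user_id}/risk"
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    if level is None:
        return urllib.request.Request(url, headers=headers, method="GET")
    headers["Content-Type"] = "application/json"
    body = json.dumps({"riskLevel": level}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="PUT")


def http_send(req: urllib.request.Request) -> Dict[str, object]:
    """Real transport: send the request and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode() or "{}")


def get_user_risk(org_url: str, api_token: str, user_id: str,
                  send: Sender = http_send) -> str:
    """Return the user's current risk level as reported by the API."""
    return str(send(risk_request(org_url, api_token, user_id))["riskLevel"])


def set_user_risk(org_url: str, api_token: str, user_id: str, level: str,
                  send: Sender = http_send) -> str:
    """Set the risk level and confirm the API reports the new value.

    Use "HIGH" when an EDR/XDR/MDM tool flags the device or a laptop is
    reported stolen; set it back to "LOW" once the external incident is
    resolved. The read-back guards against a silently ignored write.
    """
    resp = send(risk_request(org_url, api_token, user_id, level))
    if resp.get("riskLevel") != level:
        raise RuntimeError(f"expected riskLevel {level}, API returned {resp!r}")
    return level


class FakeOktaRisk:
    """Constructed in-memory stand-in for the endpoint so the example runs offline."""

    def __init__(self) -> None:
        self.levels: Dict[str, str] = {}

    def __call__(self, req: urllib.request.Request) -> Dict[str, object]:
        # URL ends in /users/{userId}/risk, so the user ID is the second-to-last segment.
        user_id = req.full_url.rstrip("/").split("/")[-2]
        if req.get_method() == "PUT":
            self.levels[user_id] = json.loads(req.data.decode())["riskLevel"]
        return {"riskLevel": self.levels.get(user_id, "LOW")}


if __name__ == "__main__":
    fake = FakeOktaRisk()  # constructed transport; use http_send for a real org
    org, token, user = "https://example.okta.com", "constructed-token", "00uEXAMPLE"
    print(set_user_risk(org, token, user, "HIGH", send=fake))  # EDR alert: escalate
    print(get_user_risk(org, token, user, send=fake))          # read back: HIGH
    print(set_user_risk(org, token, user, "LOW", send=fake))   # incident closed: restore
```

The transport is injected rather than hard-wired so the same functions can be exercised against the constructed fake, a staging org, or production; the read-back in set_user_risk is the check a practitioner wants before removing the user from the high-risk group.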