After a risk analysis, investigate each reported threat event and set its handling status. This lets you track the progress and outcome of your threat response.
Prerequisites
You have configured a risk analysis policy.
View and handle threat events
- Go to the Risk Handling page. In the Pending list, view threat events and their handling status. Click Handle to set the Handling Status and Handling Description.
- Click Details to view the details of a threat event.
| Type | Description | Actions |
| --- | --- | --- |
| Anomalous activity type and details | Shows threat event details and the risk assessment result, grouped by risk scenario. | — |
| Basic Information | Displays key information about the event, including User Information, Anomalous Behavior, First Detected time, End Time, risk analysis Report Time, handling Status and Description, and Suggestions for this risk type. | Click Handle or click Risk Handling in the upper-right corner. Use the suggestions to set the Handling Status and Handling Description. |
| Risky Behavior | Displays user actions associated with the threat event. | Click Details to view the Basic Information and Network Information for the risky action. For Detection of Outbound Transfer of Sensitive Data events, you can view the sensitive file's Key Information, Sensitive Message, Screenshot Evidence, and the triggered Hit Policy. The details also include the Office Terminal, Outbound Transfer Channel, and Account Information used to exfiltrate the file. You can also download and preview the sensitive file. |
Risk Intelligence Analysis
Risk Intelligence Analysis currently supports only the sensitive data exfiltration detection scenario.
- Go to the Risk Handling page. In the Pending list, find the threat event and click Details in the Actions column.
- On the event details page, in the Risky Behavior list, click the icon in the AI Analysis column.
- A Risk Intelligence Analysis panel appears, displaying the analysis results.