Risk Vector rating carrying over to associated users of incident


Article ID: 195874


Updated On:


Information Centric Analytics Data Loss Prevention Core Package


A customer created a Risk Vector based on the DIM incidents of a particular collection of users. Users who are not members of this collection but had received e-mail sent from users in this collection were inheriting the risk score associations of the users in the collection.


User A is associated with a Risk Vector definition ('Risk Vector 1') and sends an e-mail internally to User B. User B is not associated with the Risk Vector definition for 'Risk Vector 1'; however, due to User A sending e-mail to User B, Risk Fabric applies the risk score associated with the Risk Vector 'Risk Vector 1' to User B.


A user's risk score is based on his or her inclusion in a set of users that corresponds to a Risk Vector definition. When a Risk Vector definition matches a DIM incident that carries multiple user IDs (e.g., e-mail), the recipient IDs are transitively associated with that Risk Vector's risk score.


To keep risk score associations from reaching destination users, add a filter in Analyzer to the entity collection and event scenario definitions so that they include only source users in DIM incidents where a source and destination are identified (e.g., e-mail).
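
The following is an added illustration of the behavior and the filter described above. It is not Risk Fabric code and does not use its schema or scoring formula. The field names, user IDs, per-incident score and additive scoring are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data. Field names, user IDs and the per-incident score are
# hypothetical and do not reflect the Risk Fabric schema or scoring formula.
COLLECTION = {"userA"}   # users the Risk Vector is meant to cover
VECTOR_SCORE = 50        # constructed score added per matching incident

# Each DIM e-mail incident carries several user IDs, each tagged with a role.
INCIDENTS = [
    {"id": 1, "users": [("userA", "source"), ("userB", "destination")]},
    {"id": 2, "users": [("userA", "source"), ("userB", "destination"),
                        ("userC", "destination")]},
    {"id": 3, "users": [("userD", "source"), ("userE", "destination")]},
]


def score_users(incidents, collection, source_only):
    """Return {user: score} for one Risk Vector.

    source_only=False models the reported behaviour: every user ID on a
    matching incident is associated with the vector's score.
    source_only=True models the source-user filter: only source rows are
    used to match the collection and to receive the score.
    """
    roles = {"source"} if source_only else {"source", "destination"}
    scores = defaultdict(int)
    for incident in incidents:
        linked = [(u, r) for u, r in incident["users"] if r in roles]
        if not any(u in collection for u, _ in linked):
            continue  # incident does not involve the collection
        for user, _ in linked:
            scores[user] += VECTOR_SCORE
    return dict(scores)


def unintended_users(scores, collection):
    """Users who received the vector's score without being in the collection."""
    return sorted(set(scores) - set(collection))


if __name__ == "__main__":
    for flag in (False, True):
        scores = score_users(INCIDENTS, COLLECTION, source_only=flag)
        print(f"source_only={flag}: scores={scores} "
              f"unintended={unintended_users(scores, COLLECTION)}")
```

Comparing the scored users against the intended collection, as `unintended_users` does, is also a quick way to confirm that a filter change has removed the recipient associations.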