View and analyze Privileged Risky Activity events
This topic describes how to view Privileged Risky Activity events in the Explorer page and analyze detailed information about a Privileged Risky Activity event.
Overview
In the ISI Explorer page, you can view information about Privileged Risky Activity events that occurred within a specific time period.
A Privileged Risky Activity event is generated when a command is entered during a privileged session. If more than one command is entered in a single session, each command will appear as a separate event in the table.
A Security Alert event is also generated for Privileged Risky Activity events and any type of risky behavior. See View Security Alert events for more information.
The Events table lists all event types and includes detailed information about the events. You can filter the Events table to show only Privileged Risky Activity events or Security Alert events.
You can get specific detailed information for a Privileged Risky Activity event such as the command entered during a privileged session, the session ID, user information, and a remediation notification if one is set for this event. For more information about setting a remediation action, see Set a remediation action for a rule.
In the Privilege Cloud Monitoring page, you can view risk information about an event and get targeted information about a specific session. For more information, see View risk information in the Privilege Cloud Monitoring page.
View Privileged.RiskyActivity events
View a Privileged.RiskyActivity event from an alert
- In the alert that you received about an event, click the link to the Explorer page.
A new browser tab opens. The ISI Explorer page appears with the specific event's session details window open.
- Review the session details. See Investigate a Privileged.RiskyActivity event for more information.
View Privileged.RiskyActivity events from the Explorer page
- From Privilege Cloud, click the Service picker, and select Identity Security Intelligence (ISI).
A new browser tab opens and displays the ISI Explorer page.
- At the top of the Explorer page, in the Query field, enter the query for Privileged Risky Activity events, event_type = 'Privileged.RiskyActivity', and click Apply.
To view all event types, leave the Query field empty.
- The default time frame is 15 days. To select a different time frame, click the Calendar button, and select the time frame that you want.
- To view Privileged.RiskyActivity events in the Events table, scroll to the bottom of the Explorer page. To expand the table, rest your mouse pointer in the table and click the double arrow in the top-right corner of the table.
Events table
The Events table contains several details for each event. The following details are specifically helpful for Privileged.RiskyActivity events:
Event details | Description
---|---
Action | The command activity that was detected for this event.
Risk Score | The risk score defined for this command activity. For more information about Privileged Risky Activity rules and defining the risk score, see Manage Privileged Risky Activity rules.
There may be Privileged.RiskyActivity events that have the same Session ID. This happens when more than one command was entered during a privileged session. Each command entered during a session will appear as a separate event.
Analyze a Privileged.RiskyActivity event
You can analyze a Privileged Risky Activity event by viewing the details of an event or by investigating the details of the session in which the event occurred.
View Privileged.RiskyActivity event details
- On the Explorer page, in the Events table, locate the specific Privileged.RiskyActivity event, and anywhere in the event row, right-click and select Event Details.
The Event Details window contains several details about the event including the Event ID, Risk Level, Risk Score, and Session ID.
Investigate a Privileged.RiskyActivity event
Investigating an event gives you focused information about the session as well as access to details about the session in the Privilege Cloud Monitoring page.
- On the Explorer page, in the Events table, locate the specific Privileged.RiskyActivity event, and anywhere in the event row, right-click and select Investigate.
The Investigate window contains the following information:
- Session ID
- User information: the user that performed the risky command, user account name, machine name, and machine ID
- Start time and date of the session, and the session duration
- Session risk score and the command activity that had the highest risk during the session (highlighted in the red box)
- One or more command patterns entered during the same session that match the command pattern defined in a Privileged Risky Activity rule, and the defined risk score for the pattern. The number that follows the command pattern represents the number of commands entered during this session that match this specific pattern.
- Recommended action or notification that remediation has been initiated
- To view details about the session or play the session recording, click the Go to Session Monitoring page link at the bottom of the Investigate window. For more information about the Privilege Cloud Monitoring page, see View risk information in the Privilege Cloud Monitoring page.
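The per-session view described above (one event per command, events grouped by Session ID, the highest-risk command, and a match count per rule pattern) can be rebuilt offline from exported event rows. This is an added example, not ISI code or its export schema: the event fields, the rule patterns as regular expressions, and their risk scores are all constructed here.

```python
"""Rebuild the Investigate-window summary from exported event rows.
Added example: the rows, rule patterns and field names are constructed
and are not the ISI API or its export schema."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str      # command pattern, assumed here to be a regex
    risk_score: int   # risk score defined for that pattern


# Constructed rules: each pairs a command pattern with its defined risk score.
RULES = [
    Rule(r"^sudo\s+rm\s+-rf\b", 90),
    Rule(r"^cat\s+/etc/shadow\b", 80),
    Rule(r"^chmod\s+777\b", 60),
]

# Constructed events: one row per command; three rows share one Session ID,
# as happens when several commands are entered during one privileged session.
EVENTS = [
    {"event_id": "e1", "session_id": "S-100", "user": "alice", "action": "chmod 777 /var/www"},
    {"event_id": "e2", "session_id": "S-100", "user": "alice", "action": "cat /etc/shadow"},
    {"event_id": "e3", "session_id": "S-100", "user": "alice", "action": "chmod 777 /tmp/x"},
    {"event_id": "e4", "session_id": "S-101", "user": "bob", "action": "ls -la"},
]


def score_command(action, rules):
    """Return (risk_score, pattern) of the highest-scoring rule that matches; (0, None) if none."""
    hits = [(r.risk_score, r.pattern) for r in rules if re.search(r.pattern, action)]
    return max(hits, key=lambda h: h[0]) if hits else (0, None)


def summarize_session(session_id, events, rules=RULES):
    """Group the rows of one session and compute the fields the Investigate window lists."""
    rows = [e for e in events if e["session_id"] == session_id]
    if not rows:
        return None
    scored = [(*score_command(e["action"], rules), e["action"]) for e in rows]
    top_score, _, top_cmd = max(scored, key=lambda s: s[0])
    # Count, per matched pattern, how many commands in this session matched it.
    pattern_counts = Counter(p for _, p, _ in scored if p is not None)
    return {
        "session_id": session_id,
        "user": rows[0]["user"],
        "command_count": len(rows),
        "highest_risk_command": top_cmd,
        "highest_risk_score": top_score,
        "pattern_counts": dict(pattern_counts),
    }
```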