Skip to main content

Threat Intelligence

The Threat Intelligence dashboard is your security command center. It aggregates risk signals from across your platform so you can quickly spot anomalies, investigate suspicious activity, and understand where threats are coming from.

Getting here

  1. Click Insights in the left sidebar.
  2. Click Threat Intelligence.

What you see

On the main page, the dashboard shows a set of summary cards. Each card highlights a different dimension of risk. Click any card to open a detailed view with expanded data.

Summary cards

CardWhat it tells you
Total Risk EventsA count of all risk-scored events in the selected period
Risk Heat MapA world map showing where risk events are geographically concentrated
Browser DistributionWhich browsers your users are using and which are unusual
Risk EventsA breakdown of high, medium, and low risk events
User RiskWhich individual users have the highest cumulative risk score
OS DistributionThe operating systems in use across your user base
High Risk TypesThe most common high-risk patterns detected by the risk engine

Drilling into the details

Clicking a card opens a full-page detail view. Here is what each one offers:

High Risk Model

A list of flagged users or sessions with their individual risk scores and the factors that contributed to the score. Use this to prioritize who to investigate first.

FactorDescription
IP ReputationThe risk level of the IP address based on known malicious activity
GeovelocityWhether the user is logging in from geographically distant locations in a short time frame
Anonymous NetworkWhether the user is connecting through a known proxy or VPN service, or the IP address is known as "private"
Shared DeviceWhether the user is sharing a device with other accounts, which can indicate account takeover

Risk Events

ColumnDescription
High RiskThe authentication has been flagged as high risk requiring step-up authentication (multiple factors)
Medium RiskThe authentication has been flagged as medium risk alerting the user or requiring a simple step-up authentication
Low RiskThe authentication has been flagged as low risk and is allowed to proceed without interruption

For more details on how risk events are scored, see the nevisAdapt Adaptive Authentication.

Risk Heat Map

An interactive world map. Risk events appear as pins that cluster together when many events originate from the same area. Zoom in to investigate a specific region. Darker clusters mean more concentrated risk activity.

User Risk

A ranked list of users sorted by their cumulative risk score. Click a user to open their context panel, which shows:

The context panel opens at the bottom of the page and can be easy to miss on smaller screens.

  • Devices — every device they have registered or used
  • Event history — a timeline of their recent activity
  • Sessions — their active and recent sessions

Browser Distribution

A chart breaking down which browsers your users are on. Unusual browser spikes can indicate scripted attacks or compromised sessions.

Filtering the data

FilterHow to use it
Time periodUse the period selector (Day / Week / Month / 6 months) at the top of the page
User filterIn detail views, use the user selector to narrow results to a specific person

Common workflows

Investigate a high-risk user

  1. Open Threat Intelligence.
  2. Click the User Risk card.
  3. Click the user with the highest score.
  4. Review their Event history and Devices in the context panel.
  5. If needed, navigate to Identities to take action on their account.

Spot a geographic attack pattern

  1. Open Threat Intelligence.
  2. Click the Risk Heat Map card.
  3. Look for clusters in unexpected regions.
  4. Zoom in to identify the specific area.
  5. Use the time period selector to check whether this is a new or ongoing pattern.

Review unusual browser activity

  1. Open Threat Intelligence.
  2. Click the Browser Distribution card.
  3. Compare the browser mix against your expected user base.
  4. Investigate spikes in unusual or outdated browsers.

What can I do with this information?

  • Use the insights from the High Risk Model to prioritize investigations and focus on the riskiest users or sessions first.
  • Risk over time trends can help you evaluate whether your security measures are effective or if risk levels are rising, indicating a potential attack or vulnerability.
  • Correlate risk events with recent changes in your platform to quickly spot if a new vulnerability is being exploited.
  • Use the detailed user context to make informed decisions about whether to lock an account, require additional verification, or reach out to a user about suspicious activity.
  • Monitor trends in risk over time to evaluate the effectiveness of your security measures and identify areas for improvement.
  • Combine insights from this dashboard with the Identity Analytics dashboard to get a fuller picture of user behavior and risk.
  • Use the data to inform your security policies and configuration in the Customization section of the console.
  • Share insights with your team to raise awareness of emerging threats and coordinate your response efforts.
  • Regularly review this dashboard to stay ahead of potential threats and ensure your platform remains secure.