Threat Intelligence
The Threat Intelligence dashboard is your security command center. It aggregates risk signals from across your platform so you can quickly spot anomalies, investigate suspicious activity, and understand where threats are coming from.
Getting here
- Click Insights in the left sidebar.
- Click Threat Intelligence.
What you see
On the main page, the dashboard shows a set of summary cards. Each card highlights a different dimension of risk. Click any card to open a detailed view with expanded data.
Summary cards
| Card | What it tells you |
|---|---|
| Total Risk Events | A count of all risk-scored events in the selected period |
| Risk Heat Map | A world map showing where risk events are geographically concentrated |
| Browser Distribution | Which browsers your users are using and which are unusual |
| Risk Events | A breakdown of high, medium, and low risk events |
| User Risk | Which individual users have the highest cumulative risk score |
| OS Distribution | The operating systems in use across your user base |
| High Risk Types | The most common high-risk patterns detected by the risk engine |
Drilling into the details
Clicking a card opens a full-page detail view. Here is what each one offers:
High Risk Model
A list of flagged users or sessions with their individual risk scores and the factors that contributed to the score. Use this to prioritize who to investigate first.
| Factor | Description |
|---|---|
| IP Reputation | The risk level of the IP address based on known malicious activity |
| Geovelocity | Whether the user is logging in from geographically distant locations in a short time frame |
| Anonymous Network | Whether the user is connecting through a known proxy or VPN service, or the IP address is known as "private" |
| Shared Device | Whether the user is sharing a device with other accounts, which can indicate account takeover |
Risk Events
| Column | Description |
|---|---|
| High Risk | The authentication has been flagged as high risk requiring step-up authentication (multiple factors) |
| Medium Risk | The authentication has been flagged as medium risk alerting the user or requiring a simple step-up authentication |
| Low Risk | The authentication has been flagged as low risk and is allowed to proceed without interruption |
For more details on how risk events are scored, see the nevisAdapt Adaptive Authentication.
Risk Heat Map
An interactive world map. Risk events appear as pins that cluster together when many events originate from the same area. Zoom in to investigate a specific region. Darker clusters mean more concentrated risk activity.
User Risk
A ranked list of users sorted by their cumulative risk score. Click a user to open their context panel, which shows:
The context panel opens at the bottom of the page and can be easy to miss on smaller screens.
- Devices — every device they have registered or used
- Event history — a timeline of their recent activity
- Sessions — their active and recent sessions
Browser Distribution
A chart breaking down which browsers your users are on. Unusual browser spikes can indicate scripted attacks or compromised sessions.
Filtering the data
| Filter | How to use it |
|---|---|
| Time period | Use the period selector (Day / Week / Month / 6 months) at the top of the page |
| User filter | In detail views, use the user selector to narrow results to a specific person |
Common workflows
Investigate a high-risk user
- Open Threat Intelligence.
- Click the User Risk card.
- Click the user with the highest score.
- Review their Event history and Devices in the context panel.
- If needed, navigate to Identities to take action on their account.
Spot a geographic attack pattern
- Open Threat Intelligence.
- Click the Risk Heat Map card.
- Look for clusters in unexpected regions.
- Zoom in to identify the specific area.
- Use the time period selector to check whether this is a new or ongoing pattern.
Review unusual browser activity
- Open Threat Intelligence.
- Click the Browser Distribution card.
- Compare the browser mix against your expected user base.
- Investigate spikes in unusual or outdated browsers.
What can I do with this information?
- Use the insights from the High Risk Model to prioritize investigations and focus on the riskiest users or sessions first.
- Risk over time trends can help you evaluate whether your security measures are effective or if risk levels are rising, indicating a potential attack or vulnerability.
- Correlate risk events with recent changes in your platform to quickly spot if a new vulnerability is being exploited.
- Use the detailed user context to make informed decisions about whether to lock an account, require additional verification, or reach out to a user about suspicious activity.
- Monitor trends in risk over time to evaluate the effectiveness of your security measures and identify areas for improvement.
- Combine insights from this dashboard with the Identity Analytics dashboard to get a fuller picture of user behavior and risk.
- Use the data to inform your security policies and configuration in the Customization section of the console.
- Share insights with your team to raise awareness of emerging threats and coordinate your response efforts.
- Regularly review this dashboard to stay ahead of potential threats and ensure your platform remains secure.