User Risk Attributes
A user's risk score is calculated in part by comparing the user's activity against a series of Risk Attributes. Each attribute is weighted individually, and the aggregate score is used to determine the User Risk Score. User risk is evaluated in terms of the following categories, attributes, and values defined by Skyhigh CASB.
Sanctioned User Risk Attributes
The tables below list the risk attributes for each Sanctioned user risk category, which are used to calculate the corresponding category risk score.
Download Risk Attributes
The Download Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers the file download activities performed by a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Download Patterns | Percentage of files downloaded to unmanaged devices | Percentage of files downloaded to unmanaged devices. | 0-100 |
| Download Patterns | Percentage of files downloaded from untrusted IPs | Percentage of files downloaded from non-trusted IPs. | 0-100 |
| Download Patterns | Percentage of files downloaded from Blacklisted entities | Percentage of files downloaded from blacklisted entities. | 0-100 |
| Download Patterns | Increase in files downloaded | Increase in the number of files downloaded by the user compared to the user's file download history in the last 100 days. | 0-100 |
| Download Patterns | Increase in files downloaded compared to other users | Increase in the number of files downloaded by the user compared to other users in the tenant in the last 100 days. | 0-100 |
Cloud Usage Risk Attributes
The Cloud Usage Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers all the cloud usage activities performed by a user.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Cloud Usage Patterns | Managed SaaS apps used by the user | Number of managed SaaS applications used by the user. | 0-100 |
| Cloud Usage Patterns | SaaS apps used by the user compared to other users | Number of SaaS applications used by the user compared to other users in the tenant. | 0-100 |
| Cloud Usage Patterns | Number of devices (OS:UserAgent) | Number of devices (OS:UserAgent) used by the user compared to the user's device history in the last 100 days. | 0-100 |
| Cloud Usage Patterns | Number of devices (OS:UserAgent) compared to other users | Number of devices (OS:UserAgent) used by the user compared to other users in the tenant in the last 100 days. | 0-100 |
| Cloud Usage Patterns | Number of networks (Org names) | Number of networks (Org Names) used by the user compared to the user's network history in the last 100 days. | 0-100 |
| Cloud Usage Patterns | Number of networks (Org names) compared to other users | Number of networks (Org Names) used by the user compared to other users in the tenant in the last 100 days. | 0-100 |
| Cloud Usage Patterns | Number of users' activities in a day | Number of user's activities in a day compared to the user's activities in the last 100 days. | 0-100 |
| Cloud Usage Patterns | Number of users' activities in a day compared to other users | Number of user's activities in a day compared to other users in the tenant in the last 100 days. | 0-100 |
Threat Risk Attributes
The Threat Risk score is calculated based on the following categories, attributes and values defined by Skyhigh CASB. This score considers all the threats associated with a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Threat Patterns | Increase in the number of user threats | Increase in the number of user threats compared to the user's threat history in the last 100 days. | 0-100 |
| Threat Patterns | Increase in the number of user threats compared to other users | Increase in the number of user threats compared to other users in the tenant in the last 100 days. | 0-100 |
| Threat Patterns | Increase in the number of user anomalies | Increase in the number of user anomalies compared to the user's anomaly history in the last 100 days. | 0-100 |
| Threat Patterns | Increase in the number of user anomalies compared to other users | Increase in the number of user anomalies compared to other users in the tenant in the last 100 days. | 0-100 |
| Threat Patterns | Increase in the number of high risk user anomalies | Increase in the number of high-risk user anomalies compared to the user's high-risk anomaly history in the last 100 days. | 0-100 |
Incident Risk Attributes
The Incident Risk score is calculated based on the following categories, attributes and values defined by Skyhigh CASB. This score considers all the incidents associated with a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Incident Patterns | Increase in the number of malware incidents | Increase in the number of malware incidents by the user compared to the user's malware incident history in the last 100 days. | 0-100 |
| Incident Patterns | Increase in the number of malware incidents compared to other users | Increase in the number of malware incidents by the user compared to other users in the tenant in the last 100 days. | 0-100 |
| Incident Patterns | Increase in the number of DLP incidents | Increase in the number of DLP incidents by the user compared to the user's DLP incident history in the last 100 days. | 0-100 |
| Incident Patterns | Increase in the number of DLP incidents compared to other users | Increase in the number of DLP incidents by the user compared to other users in the tenant in the last 100 days. | 0-100 |
| Incident Patterns | Increase in the number of access control incidents | Increase in the number of access control violations by the user compared to the user’s access control violation history in the last 100 days. | 0-100 |
| Incident Patterns | Increase in the number of access control incidents compared to other users | Increase in the number of access control violations by the user compared to other users in the tenant in the last 100 days. | 0-100 |
Privilege Risk Attributes
The Privilege Risk score is calculated based on the following categories, attributes and values defined by Skyhigh CASB. This score considers only the activities performed by a privileged user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Privilege Patterns | Increase in the number of administrator activities | Increase in the number of administrator activities by the user compared to the user's administrator activity history in the last 100 days. | 0-100 |
| Privilege Patterns | Increase in the number of administrator activities compared to other admins | Increase in the number of administrator activities by the user compared to other administrators in the tenant in the last 100 days. | 0-100 |
| Privilege Patterns | Increase in the number of data access activities | Increase in the number of data access activities by the user compared to the user's data access activity history in the last 100 days. | 0-100 |
| Privilege Patterns | Increase in the percentage of untrusted admin activities | Increase in the percentage of non-trusted administrator activities by the user compared to the user's non-trusted administrator activity history in the last 100 days. | 0-100 |
| Privilege Patterns | Increase in the number of admin anomalies | Increase in the number of administrator anomalies by the user compared to the user's administrator anomaly history in the last 100 days. | 0-100 |
Collaboration Risk Attributes
The Collaboration Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers all the collaboration activities performed by the user.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Collaboration Patterns | Increase in the number of files shared with internal and external users | Increase in the number of files shared (internally, externally) by the user compared to the user's file share history in the last 100 days. | 0-100 |
| Collaboration Patterns | Increase in the number of files shared compared to other users | Increase in the number of files shared by the user compared to other users in the tenant in the last 100 days. | 0-100 |
| Collaboration Patterns | New cloud service used to share data for the first time | New CSP (Cloud Service Provider) used to share data for the first time. | 0-100 |
Access Risk Attributes
The Access Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers all the access activities performed by the user in the last 100 days, with location as the main factor.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Access Patterns | Increase in the number of users' new locations | Increase in the number of new locations (City, Country, Region) used by the user compared to the user's location history in the last 100 days. | 0-100 |
| Access Patterns | Increase in the number of new locations compared to other users | Increase in the number of new locations used by the user compared to other users in the tenant in the last 100 days. | 0-100 |
| Access Patterns | Increase in the number of known bad locations | Increase in the number of known bad locations used by the user, such as Blacklisted/TOR/anonymous proxies, compared to the user's bad location history in the last 100 days. | 0-100 |
| Access Patterns | Increase in the number of known bad locations compared to other users | Increase in the number of known bad locations used by the user compared to other users in the tenant in the last 100 days. | 0-100 |
Login Risk Attributes
The Login Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers only the login activities performed by the user.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Login Patterns | Login success as a percentage of total activities | Percentage of successful logins compared to the total number of activities. | 0-100 |
| Login Patterns | Days with successful logins (last 100 days) | Percentage of days with successful logins in the last 100 days. | 0-100 |
| Login Patterns | Increase in the number of failed logins | Increase in the number of failed logins by the user compared to the user's failed login history in the last 100 days. | 0-100 |
| Login Patterns | Increase in the number of failed logins compared to other users | Increase in the number of failed logins by the user compared to other users in the tenant in the last 100 days. | 0-100 |
Upload Risk Attributes
The Upload Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers only the file upload activities performed by the user.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Upload Patterns | Increase in files uploaded from trusted IPs | Increase in the number of files uploaded by the user compared to the user's file upload history (from trusted IPs) in the last 100 days. | 0-100 |
| Upload Patterns | Increase in files uploaded from untrusted IPs | Increase in the number of files uploaded by the user compared to the user's file upload history (from non-trusted IPs) in the last 100 days. | 0-100 |
| Upload Patterns | Increase in files uploaded from blacklisted IPs | Increase in the number of files uploaded by the user compared to the user's file upload history (from blacklisted IPs) in the last 100 days. | 0-100 |
| Upload Patterns | Increase in files uploaded compared to other users | Increase in the number of files uploaded by the user compared to other users in the tenant. | 0-100 |
Shadow User Risk Attributes
The tables below list the risk attributes for each Shadow user risk category, which are used to calculate the corresponding category risk score.
Upload Risk Attributes
The Upload Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers only the data upload activities performed by the user.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Upload Patterns | Increase in data uploaded to Low Risk CSP | More data uploaded compared to the user's own behavior from the last 100 days to the Low Risk CSP | 0-100 |
| Upload Patterns | Increase in data uploaded to High Risk CSP | More data uploaded compared to the user's own behavior from the last 100 days to High Risk CSP | 0-100 |
| Upload Patterns | Increase in data uploaded compared to other users | More data uploaded compared to other users in the tenant | 0-100 |
| Upload Patterns | Increase in the number of data upload activities compared to other users | More data upload activities compared to other users in the tenant | 0-100 |
| Upload Patterns | Unmatched: Increase in data uploaded to the Low Risk Domain and Unverified | Unmatched: More data uploaded compared to the user's own behavior from the last 100 days to the Low Risk domain | 0-100 |
| Upload Patterns | Unmatched: Increase in data uploaded to High Risk Domain | Unmatched: More data uploaded compared to the user's own behavior from the last 100 days to the High Risk domain | 0-100 |
| Upload Patterns | Unmatched: Increase in data uploaded compared to other users | Unmatched: More data uploaded compared to other users in the tenant | 0-100 |
| Upload Patterns | Unmatched: Increase in the number of data upload activities compared to other users | Unmatched: More data upload activities compared to other users in the tenant | 0-100 |
| Upload Patterns | Increase in data uploaded to Medium Risk CSP | More data uploaded compared to the user's own behavior from the last 100 days to Medium Risk CSP | 0-100 |
| Upload Patterns | Unmatched: Increase in data uploaded to Medium Risk Domain | Unmatched: More data uploaded compared to the user's own behavior from the last 100 days to the Medium Risk domain | 0-100 |
Download Risk Attributes
The Download Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers the download activities performed by a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Download Patterns | Increase in data downloaded from Low Risk CSP | More data downloaded compared to the user's own behavior from the last 100 days from Low Risk CSP | 0-100 |
| Download Patterns | Increase in data downloaded from High Risk CSP | More data downloaded compared to the user's own behavior from the last 100 days from High Risk CSP | 0-100 |
| Download Patterns | Increase in data downloaded compared to other users | More data downloaded compared to other users in the tenant | 0-100 |
| Download Patterns | Increase in the number of data upload activities compared to other users | More data download activities compared to other users in the tenant | 0-100 |
| Download Patterns | Increase in data downloaded from Medium Risk CSP | More data downloaded compared to the user's own behavior from the last 100 days from Low Risk CSP | 0-100 |
Network Risk Attributes
The Network Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers user activities involving network components over the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Network Patterns | Number of insecure protocol activities as a percentage of total activities | Percentage of insecure protocol activities compared to the total number of activities | 0-100 |
| Network Patterns | Increase in the number of activities using insecure protocols and ports | More activities using insecure protocols/ports (FTP, Telnet, POP3, IMAP, SMBv1, LLMNR, NTLM, and HTTP) compared to the user's own behavior from the last 100 days | 0-100 |
| Network Patterns | Increase in the number of activities using insecure protocols and ports compared to other users | More activities using insecure protocols/ports (FTP, Telnet, POP3, IMAP, SMBv1, LLMNR, NTLM, and HTTP) compared to other users in the tenant | 0-100 |
| Network Patterns | DENIED ProxyAction as a percentage of total activities | Percentage of DENIED service action compared to the total number of activities. | 0-100 |
| Network Patterns | Increase in percentage of DENIED ProxyAction | Higher percentage of DENIED service actions compared to the user's own behavior from the last 100 days | 0-100 |
| Network Patterns | Increase in percentage of DENIED ProxyAction compared to other users | Higher percentage of DENIED service actions compared to other users in the tenant | 0-100 |
Device Risk Attributes
The Device Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers all the device-related activities performed by a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Device Patterns | Number of unique OS:UserAgent | Number of unique userAgent values | 0-100 |
| Device Patterns | Number of unique OS:UserAgent compared to other users | Number of unique userAgent values compared to other users in the same tenant | 0-100 |
| Device Patterns | Number of unique devices | Number of unique devices | 0-100 |
| Device Patterns | Number of unique devices compared to other users | Number of unique devices compared to other users in the same tenant | 0-100 |
Anomaly Risk Attributes
The Anomaly Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers all the anomalous activities performed by a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Anomaly Patterns | DP: Increase in the number of Data Anomalies | More Data Anomalies compared to the user's own behavior from the last 100 days | 0-100 |
| Anomaly Patterns | DP: Increase in the number of Data Anomalies compared to other users | More Data Anomalies compared to other users in the tenant | 0-100 |
| Anomaly Patterns | DP: Increase in the number of MIME Type Anomalies | More MIME Type Anomalies compared to the user's own behavior from the last 100 days | 0-100 |
| Anomaly Patterns | DP: Increase in the number of MIME Type Anomalies compared to other users | More MIME Type Anomalies compared to other users in the tenant | 0-100 |
| Anomaly Patterns | DP: Increase in the number of Daily Service Access Anomalies | More Daily Service Access Anomalies compared to the user's own behavior from the last 100 days | 0-100 |
| Anomaly Patterns | DP: Increase in the number of Daily Service Access Anomalies compared to other users | More Daily Service Access Anomalies compared to other users in the tenant | 0-100 |
| Anomaly Patterns | DP: Increase in the number of Weekly Repeated Offender Anomalies | More Weekly Repeated Offender Anomalies compared to the user's own behavior from the last 100 days | 0-100 |
| Anomaly Patterns | DP: Increase in the number of Weekly Repeated Offender Anomalies compared to other users | More Weekly Repeated Offender Anomalies compared to other users in the tenant | 0-100 |
| Anomaly Patterns | TP: Increase in the number of SHA Anomalies (web activity) | More SHA Anomalies compared to the user's own behavior from the last 100 days | 0-100 |
| Anomaly Patterns | TP: Increase in the number of SHA Anomalies compared to other users (web activity) | More SHA Anomalies compared to other users in the tenant | 0-100 |
| Anomaly Patterns | TP: Increase in the number of AAL Anomaly (web activity) | More AAL Anomalies compared to the user's own behavior from the last 100 days | 0-100 |
| Anomaly Patterns | TP: Increase in the number of AAL Anomalies compared to other users (web activity) | More AAL Anomalies compared to other users in the tenant | 0-100 |
| Anomaly Patterns | TP: Increase in the number of Data Anomalies (web activity) | More Data Anomalies compared to the user's own behavior from the last 100 days | 0-100 |
| Anomaly Patterns | TP: Increase in the number of Data Anomalies compared to other users (web activity) | More Data Anomalies compared to other users in the tenant | 0-100 |
Cloud Service Provider (CSP) Risk Attributes
The CSP Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers all the CSP-related activities performed by a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| CSP Patterns | High Risk CSP as a percentage of total activities | Percentage of High Risk CSP activities compared to the total number of activities. | 0-100 |
| CSP Patterns | Increase in the percentage of High Risk CSP activities | Higher percentage of High Risk CSP activities compared to the user's own behavior from the last 100 days | 0-100 |
| CSP Patterns | Increase in the percentage of High Risk CSP activities compared to other users | Higher percentage of High Risk CSP activities compared to other users in the tenant | 0-100 |
| CSP Patterns | Unmatched: High Risk domain as a percentage of total activities | Percentage of High Risk domain activities compared to the total number of activities. | 0-100 |
| CSP Patterns | Unmatched: Increase in the percentage of High Risk domain activities | Higher percentage of High Risk domain activities compared to the user's own behavior from the last 100 days | 0-100 |
| CSP Patterns | Unmatched: Increase in the percentage of High Risk domain activities compared to other users | Higher percentage of High Risk domain activities compared to other users in the tenant | 0-100 |
Incident Risk Attributes
The Incident Risk score is calculated based on the following categories, attributes, and values defined by Skyhigh CASB. This score considers all the incidents associated with a user in the last 100 days.
| Category | Attribute | Description | Possible Value |
|---|---|---|---|
| Incident Patterns | Increase in the number of epo_violation incidents | More epo_violation incidents compared to the user's own behavior from the last 100 days | 0-100 |
| Incident Patterns | Increase in the number of epo_violation incidents compared to other users | More epo_violation incidents compared to other users in the tenant | 0-100 |
