Skyhigh Security

About Shadow Users

Limited Availability: To access the unified Risk score and Enhanced Cloud Card details, contact Skyhigh Support.

The Users page generates a report on the users accessing specific cloud services within your organization. Use the filters to select a specific service, or use the Omnibar to search for a service, to generate a user overview.

You can display user data in a Table view or a Chart view. The page also provides easy access to Filters and Saved Views, and lets you display the User Cloud Card with a single click. You can also schedule a report of the view in XLS, CSV, or PDF format.

Table View

The Users page Table view is the default view. 

To display User data in the Table view, you can:

  • Search. Search via the Omnibar.
  • Save View. Click to create a Saved View from your search query. 
  • Date Picker. Use the Date Picker to select a preset or custom date range to display data from only this date range.
  • Filters. Select options on the Filters tab to scope down your search. 
  • Views. Select Saved Views created by you or shared with you by another user to reuse specified search parameters from a previous search on current data. 
  • Actions. Click Actions to:
    • Watchlists
      • Add to Watchlist. Add users to Watchlists, or edit the Watchlists that a user is assigned to. 
    • Create Report
      • Business Report (PDF). Create a PDF report and run it immediately, which then appears in the Report Manager.
      • CSV. Create a CSV report and run it immediately, which then appears in the Report Manager.
      • XLS. Create an XLS report and run it immediately, which then appears in the Report Manager.
      • Schedule. Schedule a report to run later, which then appears in the Report Manager.
    • Settings
  • User/IP Address. Click a User in the table to display the User Cloud Card.
  • Services. Click the link in the Services column to go directly to the Services page. Sort this column by number in ascending or descending order. 
  • Upload Data. Amount of data uploaded by the user. Sort this column by number in ascending or descending order. 
  • Requests. The number of requests associated with the user. Sort this column by number in ascending or descending order. 
  • Allowed Requests. The number of allowed requests associated with the user. Sort this column by number in ascending or descending order. 
  • Denied Requests. The number of denied requests associated with the user. Sort this column by number in ascending or descending order. 
  • Last Activity. The date of the user's last activity. Sort this column by date in ascending or descending order. 
  • Add to Omnibar Filters. Right-click a cell in the table to Copy the text or Add to Omnibar. Filters are available for the following columns:
    • User/IP Address. Adds the User/IP address to the Omnibar. 
    • Watchlist. Adds the Watchlist name to the Omnibar. 
    • Custom Attributes. Available only for Custom Attributes displayed in the Filters tab. 
  • Severity. The values (Green for Low (1–3), Yellow for Medium (4–6), and Red for High (7–9)) indicate how much each user’s risk score exceeds the defined threshold.
  • Risk. Unified risk score. Skyhigh CASB calculates a default User Risk Score as an aggregate of data risk, Sanctioned SaaS risk, and Shadow SaaS risk. It uses Sanctioned and Shadow user activities, along with each user's security incidents, to rank users from 1 to 9 by risk severity.
    • Red. High.
    • Orange. Medium.
    • Yellow. Low.

User Cloud Card

Click a User in the table to display the Cloud Card. Click the user again to hide the Cloud Card, or click the X on the pane. 

The Cloud Card provides the following information:

  • User name. Displays the user name and associated activity and details. Click any activity link to go to the full Users modal for that activity.
  • Last Activity. The date of the user's last activity. 
  • Watchlists. Click the link to add the user to a Watchlist.
  • Anomalies. Click to open the Anomalies modal. 
  • Services. Click the Services number, or High, Medium, and Low to go to the Services page with that search term pre-filled in the Omnibar. You can also click the Services heading to hide that section of the pane. 
  • Traffic. The Traffic section of the pane displays the User's metrics for Total Data, Total Requests, Upload Activities, and Total Upload Data. You can also click the Traffic heading to hide that section of the pane.
  • Upload Activities. Click to open the Upload Activities modal. Sort this column by number in ascending or descending order.

NOTE: Skyhigh no longer supports the Upload Activities modal and the hyperlink for Shadow IT users, retrieving third-party proxy logs. However, the Total Upload Data of the user continues to display. You can view the SWG Cloud granular activities data on the Activity Monitoring page.

  • Total Upload Data. The total data uploaded for the user. 
  • Chart. Select a value from the list to display a chart of the user's activity. 

Enhanced User Cloud Card (LA)

Click a User in the table to display the corresponding User Cloud Card.

The User Cloud Card displays the following information for a selected user:

  • Severity. The values (Green for Low (1–3), Yellow for Medium (4–6), and Red for High (7–9)) indicate how much each user’s risk score exceeds the defined threshold.
  • Risk. Unified risk score. Skyhigh CASB calculates a default User Risk Score as an aggregate of data risk, Sanctioned SaaS risk, and Shadow SaaS risk. It uses Sanctioned and Shadow user activities, along with each user's security incidents, to rank users from 1 to 9 by risk severity.
    • Red. High.
    • Orange. Medium.
    • Yellow. Low.
  • User UID. Unique identification number of a user in your organization. Click the filter next to User UID. All the users associated with the selected User UID appear in the User table.
  • Unified User. Skyhigh CASB calculates a default User Risk Score as an aggregate of data risk, Sanctioned SaaS risk, and Shadow SaaS risk. It uses Sanctioned and Shadow user activities, along with each user's security incidents, to rank users from 1 to 9 by risk severity. Click the user link corresponding to the Unified User to view on the Users page. 
  • Sanctioned User. Click View in Sanctioned User to view the Sanctioned User risk score of the specific user on the User Details page.
  • Web User. Click View in Web User to view the web activities of the specific user.
  • Mini Cards. Mini cards appear on the first Cloud Card. Click a mini card to view detailed information about users causing a risk to your cloud services. As an example, we have selected the Services mini card. Click the Services mini card to view a detailed card showing the services accessed by the specific user. The detailed card appears next to the first Cloud card, and you can categorize the services by severity.
    • View. Select the options from the menu to categorize the services by severity.
      • All. By default, this option is selected. Displays all the services accessed by the specific user.
      • Low. Displays all low-severity services accessed by the specific user.
      • Medium. Displays all medium-severity services accessed by the specific user.
      • High. Displays all high-severity services accessed by the specific user.

The following are the mini card categories:

  • Services. Displays the services accessed by the specific user.
  • Total Upload Data. Displays the total upload data by the specific user. Click to view the services the user used to upload the data.
  • High Risk Services. Displays the number of high-risk services used by the specific user. Click to view the high-risk services accessed by the specific user.
  • Unique Devices. Displays the number of unique devices used by the specific user to access the services. You can filter them by Mobile and Desktop.
  • Unmatched Uploads. Displays the number of unmatched uploads. Click to view the services through which the data exfiltration occurred.
  • Activities. Displays the number of activities performed on the services by the specific user.

Chart View

To display your Services data in a chart, click the Chart icon under the Omnibar. 

To display User data in a chart:

  1. Show. Select an item from the Show list to determine the X axis of your chart. 
  2. By. Select an item from the By list to determine the Y axis of your chart. 
  3. And. In the And dialog, select the third parameter, if available. 
  4. In a. From the In a list, select your chart type: 
    • Trend. Line or vertical bar chart.
    • Breakdown. Donut or horizontal bar chart. 

Your data is displayed in the chart. 

Upload Activities Modal 

The count shows the number of upload activities associated with the user. This list has been filtered to expose relevant upload activities.

The following filters are used to display Upload Activities:

  • The Upload Activities modal only shows activities that use the Put, Post, and Connect methods. Other methods are not included. 
  • If the uploaded bytes, also called CSBytes, are less than 8 Kb, the event is not considered an Upload Activity.
  • In the upload event, upload bytes must be bigger than download bytes. Otherwise, the event is not considered an Upload Activity.
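
The three filter rules above, applied to proxy-style records so you can reproduce the count from your own logs. This is an added example, not Skyhigh code. Assumptions: the column names (`user`, `method`, `url`, `cs_bytes`, `sc_bytes`) are hypothetical, `sc_bytes` stands in for download bytes, "8 Kb" is read as 8192 bytes, and method matching is case-insensitive.

```python
import csv
import io
from collections import Counter

# Methods the page says count toward Upload Activities.
UPLOAD_METHODS = {"PUT", "POST", "CONNECT"}
# Assumption: "8 Kb" interpreted as 8 * 1024 bytes.
MIN_UPLOAD_BYTES = 8 * 1024

# Constructed sample records (not real data); column names are hypothetical.
SAMPLE_LOG = """user,method,url,cs_bytes,sc_bytes
alice,POST,https://files.example.com/upload,52000,900
alice,GET,https://files.example.com/list,12000,300
alice,PUT,https://files.example.com/doc,4096,200
bob,CONNECT,https://share.example.net:443,8192,8191
bob,POST,https://share.example.net/api,20000,45000
bob,post,https://share.example.net/api,9000,bad
"""


def is_upload_activity(method, cs_bytes, sc_bytes):
    """Apply the three documented rules to one request."""
    return (
        method.upper() in UPLOAD_METHODS      # rule 1: Put, Post, Connect only
        and cs_bytes >= MIN_UPLOAD_BYTES      # rule 2: under 8 Kb is excluded
        and cs_bytes > sc_bytes               # rule 3: upload must exceed download
    )


def classify(log_text):
    """Return (rows that count as upload activity, number of malformed rows)."""
    uploads, skipped = [], 0
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            cs, sc = int(row["cs_bytes"]), int(row["sc_bytes"])
        except (KeyError, ValueError, TypeError):
            skipped += 1  # keep a count so dropped rows are visible, not silent
            continue
        if is_upload_activity(row["method"], cs, sc):
            uploads.append(row)
    return uploads, skipped


def upload_counts(log_text):
    """Per-user count of qualifying upload activities."""
    uploads, _ = classify(log_text)
    return Counter(r["user"] for r in uploads)


if __name__ == "__main__":
    print(upload_counts(SAMPLE_LOG), "malformed:", classify(SAMPLE_LOG)[1])
```

Requests that fail any rule still contribute to the user's request totals elsewhere; they are only excluded from the upload activity count.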

The Upload Activities modal displays a list of activities from most activities to least. 

The Upload Activities modal provides the following details:

  • Service Name. Click to go to the Service Details page. 
  • Upload Activities. Click to see the activities page of the selected service.
    • Export CSV. Click to export the information in this table to an XLSX file in CSV format. 
    • Server Address. IP address. 
    • URL. The URL of the Cloud Service Provider.
    • Inbound. Inbound data amount. 
    • Outbound. Outbound data amount. 
    • Traffic. Allowed shows a green icon. Denied shows a red icon. 
    • Date. Date and time that the activity was performed. 
    • Back. Click to return to the main Upload Activities modal. 
    • Close. Click to close the modal. 
  • Upload Data. The amount of data uploaded by this user for this service. 
  • Close. Click to close the modal. 

Anomalies Modal

The Anomalies modal provides the following details:

  • Anomaly Name. The name of the anomaly that occurred. 
  • Activity Name. The type of activity that occurred. 
  • Service Name. Click to go to the Service Details page. 
  • Date. The date and time that the anomaly occurred. 
  • Export CSV. Click to export the information in this table to an XLSX file in CSV format. 