Using Behavioral Analytics
This feature is currently in private preview. At this time, we are no longer accepting new customers into the private preview. Stay tuned for updates on future availability.
To navigate the main Behavioral Analytics page, click Insights from the left navigation menu, then click Behavioral Analytics. This page serves as a dashboard for overseeing the analytics functions. It provides breadcrumb navigation, search capabilities with filters, interactive risk maps and charts, and drill-down capabilities into behavior details.
Alerts Page
The main Behavioral Analytics page opens by default to the Alerts tab, where you can view the analytics by alerts. To view the analytics by Users, Secrets, or IP Addresses, click the respective tabs.
Searching for Alerts
To search for alerts, enter text into the Search box. To filter your search results by severity, status, or activity timeline, select filter options from the dropdown boxes to the right of the Search box.
Choosing Your Display
To select the way alerts are graphically displayed, select Map, Bar, Line, or Heat Map from the dropdown box to the right of the search options.
To review additional details about each alert, click to interact with the data presented on the map, bar chart, line chart, or heat map.
Map View
The Map view reveals the locations where alerts originated. If two or more alerts exist close to each other geographically, a purple circle appears on the map to represent the cluster, with the number of alerts in the cluster displayed in the center.
Map View Legend
Line Chart View
Bar Chart View
Heatmap View
Alerts Table
At the bottom of the Alerts page is a table listing each alert in a row, configured with thresholds to trigger a Warning or Critical alert. Four data items in each row are in bold purple text, indicating that you can click them to see additional details. They are Alert ID, User Name, Secrets, and IP Address.
The following table describes the content in each column.
Column | Description |
---|---|
Alert ID | Unique alert ID |
Severity | Critical or Warning severity level of the event |
Status | Alert status: Active, Dismissed or Archived |
User Name | The Secret Server user who caused the alert; click the name to open the User Details page |
Secrets | List of secrets from the events that are part of the alert |
IP Addresses | The IP addresses used during the alert period with links to each IP Details page |
Location | Count of distinct IP addresses from those events |
Activity Timeline | The time span within which the Alert occurred |
Alert Details View
To see more details of a specific alert, click the alert in the Alert ID column. The Alert details view appears. The details are further explored in the next few sections.
Alerts Actions
At the top of the Alert details page, the Alert ID and its action are displayed.
The actions are described in the following table.
Action Name | Description |
---|---|
Activate | Reactivating this alert will change its status on the main alerts table. You can re-archive or dismiss this alert later. |
Dismiss | Dismissing this alert will normalize this pattern of secret access for the user. If the user takes similar action in the future, you will not be alerted. This action cannot be undone. |
Archive | Archiving this alert will deactivate the alert. Archived alerts can still be reviewed from the main alerts table. The system will continue to see this type of behavior as anomalous for this user and alert. |
Overview Section
Below the Alerts Actions is an Overview section providing details described in the following table.
Overview Field | Description |
---|---|
Severity | Critical or Warning severity level of the event |
Last Updated By | Who last updated the status of the alert |
Last Updated On | Date the alert was last updated |
Activity Range | Earliest to latest dates of the alert events |
Duration | The length of the activity range |
Username | Username of the account that performed the activity |
Distinct Admin Actions | Count of distinct admin actions among the alert's events |
Distinct Secrets with Anomalous Access | Count of distinct secrets that had anomalous access |
Temporal Anomalies | A time entry is listed here if the Alert occurred at a time the User does not normally access the Secrets involved in the Alert; clicking the time entry displays the User's Temporal Data. |
Events Section
In the middle of the Alert details page is the Events section, providing the following details:
Event Column | Description |
---|---|
Classification | For secret access events, the classification is either "Anomalous" or "Normal". For administrative actions performed on a secret, the classification is "Admin - " followed by the impact level: Low, Normal, High, or Critical Impact |
Category | Categorization of the event: a secret access, or the action in case of an administrative action |
Action | The action taken in case of a secret access, or in the case of an administrative event, the administrative action taken |
Time | The date and time of the event |
User Name | User name for the user performing the action |
Location | The geographic location resolved from the event's IP address |
Target | The name of the secret from Secret Server |
Info | Additional information about the action; for example, what field from the secret was examined |
Notes Section
At the bottom of the Alerts details page is the Notes section, where users can create notes pertaining to the alert.
Notes Column | Description |
---|---|
Author | User who added a note to the alert |
Created | When the user wrote the note |
Note | Content of the note |
Users Page
The Users page lists all User IDs, their Display Names, Account Type, total number of times they have accessed or modified Secrets, number of unique Secrets they have accessed, total number of administrative actions they have performed, when they were first seen in Behavioral Analytics, and when they were last active.
To display the Users page:
- Click Insights from the left navigation, then select Behavioral Analytics.
- Click the Users tab.
The next few sections describe how to use this page.
User Details View
Click an entry under the User ID column to open the user details view, where you can dive deeper into a specific user's behavior from the perspective of many types of data collected on them.
Overview
The user details view opens by default to the Overview tab, which displays information about the user including their Display Name, Email, User Name, User ID, total secret events, activity range, last secret event, and groups.
Activity Timeline
Click the Activity Timeline tab to view interactive graphical and tabular displays of information on the user's actions, including when they took them, where they were when they took them, and what secret they used.
Secrets
The Secrets tab lists rows of secrets that have been used, with columns of basic information about each secret.
Secret Details View
To view additional details about a secret and how it is being accessed, click a secret in the Secret ID column. The secret details page can be used to investigate how a secret is being accessed from the perspective of many types of data collected on it.
Secret Overview
The secret details view opens by default to the Overview tab, which lists key information including Secret ID, Secret Name, Secret Template, Folder, the total number of events (Secret accesses plus modifications), number of different users that have accessed the secret, the Activity Range, and the Last Event Action.
Activity Timeline
The Activity Timeline tab provides interactive graphical and tabular displays of information on a specific secret, including when it was used, where it was used, who used it, and what secret was used with it. It also displays alerts, warnings, accesses, and modifications, as well as timestamps, IP address, and event details.
IP Addresses
The IP Addresses tab lists all IP addresses used on the platform, with each IP address in a row and basic information listed in columns, including its type (public or private), status, city, region, country, the number of secret accesses plus modifications, the number of unique secrets accessed, the number of unique users accessing secrets, the number of administrator actions performed (including log-ins), and the first and last time Behavioral Analytics observed the IP address in data.
IP Address Details View
To see more details about a specific IP address, click a numeric address under the IP Address column. The next few sections describe the details you can see.
Overview
The IP Address details view opens by default to the Overview tab, which displays additional information about the IP address, including the Most Active User and Activity Range.
Activity Timeline
The Activity Timeline tab provides interactive graphical and tabular displays of information on a specific IP address, including when it was used, who used it, and what secret they used with it.