Insights: Intelligent management of threats, incidents, and events

Utilize our intelligent data security to effectively handle threats, incidents, and events happening in your environment.


Introduction: What are insights

Safetica produces insights on many fronts. The Insights section highlights to admins where they should put their attention and effort first: it is the single place where noteworthy findings from all across the Safetica console come together and are consolidated into a focused task list.

This way, Insights tell admins what to deal with, so they don't have to click through the Safetica console to find security issues.

How do insights tie things together

Safetica collects data about operations that occur in the company and runs them through the Contextual Defense engine. Contextual Defense evaluates the data, selects and consolidates the important threats, incidents, and events from the Data, Apps, Websites, and External device sections, and displays them as insights.

Each insight carries a severity and a short explanation, so the admin can see at first sight what is going on and which insights deserve attention first.

✍️By default, only new insights are displayed, so when an admin visits Insights, they immediately see a task list of unresolved potential issues.

In cloud-hosted Safetica, insights are triggered in real time. In Safetica hosted on-premises, insights are processed and triggered periodically every 15 minutes in batches of 100 records.

Learn more about how to investigate issues via Insights here.

Learn more about insight details here.

Reasons why an operation appears in Insights

Every insight has two key attributes:

  • Reason: explains why the insight was triggered.
  • Severity: highlights the importance of the insight to the admin.

Several reasons can cause an operation to appear in Insights. Severity is always determined by the specific reason and, in some cases, increases over time:

❗For now, risk-related insights are only available in cloud-hosted Safetica. They are not yet available in Safetica hosted on-premises.

Reason (why the insight was triggered), explanation, and severity (importance of the insight) for each insight type:

High or medium-risk operation (☁️Cloud-hosted Safetica only)
  • Explanation: Triggers when an operation is evaluated as medium or high risk. Learn more.
  • Severity: Low for medium-risk operations; Medium for high-risk operations.

Data policy violation
  • Explanation: Triggers when a data policy with the Block or Block (with override) action is violated. Learn more here and here.
  • Severity: Medium for the Block policy action; High for the Block (with override) policy action.

Blocked application
  • Explanation: Triggers when the running of an app is blocked. Learn more.
  • Severity: Medium.

Blocked website
  • Explanation: Triggers when access to a website is blocked. Learn more.
  • Severity: Medium.

External device policy violation
  • Explanation: Triggers when the connection of an external device is blocked. Learn more.
  • Severity: Medium.

Policy with dynamic action
  • Explanation: Triggers when a policy with dynamic action becomes stricter for a specific user. Only records that contributed to making the action stricter are linked to the insight. Learn more.
  • Severity: Increases every time the policy action becomes stricter. Low when the action changes from Not set to Log; Medium when it changes from Log to Notify; High when it changes from Notify to Block.

Privileged access granted
  • Explanation: Triggers when an admin grants a user privileged access. Learn more.
  • Severity: High.

Unusual sensitive data activity
  • Explanation: Triggers when a user handles an unusually large amount of sensitive data, even if no policy is in place to protect the data. This insight warns the admin even if they haven't fully set up policies. No remediation action is taken, but the insight highlights that a policy might need to be created to safeguard unprotected data.
  • Severity: High.

✍️The severity of an insight might also be influenced by policy settings. Learn how to set up insight triggering in policies here.

Record aggregation

Safetica consolidates related records – such as records associated with the same user, operation, policy, destination type, etc. – into a single insight.

  • When an insight is open, all relevant records are automatically added to it, and its properties are updated accordingly.
  • Once an insight is closed by an admin, no additional records will be added. If a relevant new record appears, a separate insight is created to consolidate future occurrences.

Aggregation criteria for different insights

Records are aggregated into one insight based on:

  • High or medium-risk operation (☁️Cloud-hosted Safetica only): user, destination type, policy
  • Data policy violation: user, destination type, policy
  • Blocked application: user, app display name
  • Blocked website: user, web domain
  • Blocked external device: user, external device ID
  • Policy with dynamic action: user, data classification, date
  • Privileged access granted: while privileged access is granted to a user, all their records are aggregated under a single insight
  • Unusual sensitive data activity: data classification

An aggregated insight has the severity of its highest-severity operation.

For example, if an aggregated insight includes at least one high-severity operation, the entire insight will be evaluated as high severity.
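The aggregation rules above (records sharing the aggregation key land in one insight, an open insight absorbs new records and its severity is updated, a closed insight never grows and a new one is started instead, and the insight's severity is that of its highest-severity record) as a small Python model. This is an added illustrative example, not Safetica's code: the record field names, the insight numbering and the sample records are assumptions made for the demo, and the data policy violation key (user, destination type, policy) is the one listed in the criteria above.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Ordering used to give an aggregated insight the severity of its highest-severity record.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Insight:
    """One consolidated insight. Field names are assumptions for this model."""
    insight_id: int
    key: Tuple[Any, ...]                      # values of the aggregation criteria
    records: List[Dict[str, Any]] = field(default_factory=list)
    closed: bool = False

    @property
    def severity(self) -> str:
        # Recomputed every time it is read, so it tracks newly added records.
        return max((r["severity"] for r in self.records),
                   key=SEVERITY_RANK.__getitem__, default="Low")


class InsightAggregator:
    """Groups records whose key fields match into a single open insight.

    key_fields names the record fields that form the aggregation criteria,
    e.g. ("user", "destination_type", "policy") for data policy violations.
    """

    def __init__(self, key_fields: Tuple[str, ...]):
        self.key_fields = key_fields
        self._open: Dict[Tuple[Any, ...], Insight] = {}   # key -> currently open insight
        self.insights: List[Insight] = []                 # every insight ever created

    def ingest(self, record: Dict[str, Any]) -> Insight:
        key = tuple(record[f] for f in self.key_fields)
        insight = self._open.get(key)
        if insight is None:
            # Either no insight exists for this key yet, or the previous one was closed
            # by an admin: start a fresh insight to consolidate future occurrences.
            insight = Insight(insight_id=len(self.insights) + 1, key=key)
            self.insights.append(insight)
            self._open[key] = insight
        insight.records.append(record)        # the open insight absorbs the new record
        return insight

    def close(self, insight: Insight) -> None:
        # A closed insight never receives further records.
        insight.closed = True
        self._open.pop(insight.key, None)


def run_demo() -> Tuple[InsightAggregator, Insight]:
    """Replay a few constructed records (not real Safetica data) through the model."""
    agg = InsightAggregator(("user", "destination_type", "policy"))
    for rec in [
        {"id": 1, "user": "alice", "destination_type": "Cloud storage",
         "policy": "Block PII uploads", "severity": "Medium"},
        {"id": 2, "user": "alice", "destination_type": "Cloud storage",
         "policy": "Block PII uploads", "severity": "High"},    # lifts insight #1 to High
        {"id": 3, "user": "bob", "destination_type": "USB",
         "policy": "Block PII uploads", "severity": "Medium"},  # different key -> insight #2
    ]:
        agg.ingest(rec)
    agg.close(agg.insights[0])                # the admin resolves alice's insight
    later = agg.ingest({"id": 4, "user": "alice", "destination_type": "Cloud storage",
                        "policy": "Block PII uploads", "severity": "Low"})  # -> new insight #3
    return agg, later


if __name__ == "__main__":
    agg, later = run_demo()
    for ins in agg.insights:
        state = "closed" if ins.closed else "open"
        print(f"insight #{ins.insight_id} {ins.key} {state}: "
              f"{len(ins.records)} record(s), severity {ins.severity}")
```

Running the demo shows the three behaviours in one pass: alice's two uploads collapse into insight #1 and the High record raises that insight's severity to High; bob's USB operation has a different key and gets insight #2; once insight #1 is closed, alice's fourth record does not reopen it but starts insight #3 with its own Low severity. Other insight types only differ in the key fields passed to the aggregator.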

     


Vision: Transition to intelligent evaluation and automation

Insights will gradually become the central hub where admins start their work and take action. It will consolidate all important findings from across the Safetica console and serve as a bridge to its other sections, moving towards greater automation and intelligent evaluation of insights and becoming a crucial tool for investigation and management.

As Insights continues to evolve, it will aim to:

1. Focus admins' attention on one place – in the Insights section, admins will find consolidated insights enriched with risk assessment. Instead of manually searching for and investigating incidents, admins can focus on the list of insights Safetica has detected, selected, and highlighted for them as vital. Thanks to the added smart context, the admin won't have to visit other product sections during investigation and management.
2. Smartly evaluate and summarize what happened – instead of collecting and presenting raw info, Safetica will pre-evaluate what happened and summarize the important characteristics of the insight and its related records. It will also suggest a solution for the situation.
3. Automate data protection – combined with concepts like Dynamic DLP, Safetica will personalize active security for individual users based on dynamic AI risk.

In the future, you may expect additions such as new types of insights, connecting insights to email alerts, integrating AI to provide improved context for insights, etc.

✍️We are actively conducting product discovery and looking for customer interviews where you can provide feedback and affect how we shape Insights in the upcoming months. Please contact our PM team at product@safetica.com.

Read next

Insights: Investigate issues via Insights

Insight detail: A bridge between the insight and other parts of Safetica console