Insights: Investigate issues via Insights

Save your time and investigate issues with the help of Insights.

❗For now, Insights are only available in cloud-hosted Safetica. They are not yet available in Safetica hosted on-premises.



Introduction: What are insights

Insights are key elements for boosting security efficiency. They are smart, actionable tasks created from issues detected by Safetica that admins should give their attention to. Their key value is to save admins' time. That's why Insights are:
    • Centralized and prioritized from a security perspective (centralized in the Insights section, prioritized by Severity).
    • Aggregated - Safetica consolidates operations for the same user, operation, policy, and destination type into a single insight until the insight is closed.
    • Insight workflow - after the admin finishes investigating an issue, they can close the related insight.

✍️You can learn more about Insights in general here.


Investigate via Related records

One way to investigate an incident and see exactly what happened is to click the Related records button (or the quick action in the insight detail). A new tab opens with the specific records of what occurred so that you can check the risk, the classification, the classification detail, etc.

Record aggregation: Safetica consolidates operations for the same user, operation, policy, and destination type into a single insight. It is continuously updated with Related records and Last activity time (shows when the insight was last detected in the environment). Once an insight is closed, a new one will start consolidating future occurrences.

Example: Eva Baily tried to visit a banned website, which violated a policy. Investigate what happened.

In the video, you can see that Eva Baily tried to visit the website 4 times. You can see the times of individual attempts, with the last attempt made on 6th November at 12:38:56, and that the Recommended basic security policy blocked all of them.

In Insights, all the attempts are consolidated into a single insight that occurred with a single user.
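
The consolidation rule described above can be modelled in a few lines. This is an added example, not Safetica's code: the class and field names, the destination type and operation values, the year, and the timestamps other than 12:38:56 are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class Insight:
    key: tuple                                  # (user, operation, policy, destination type)
    records: list = field(default_factory=list) # the "Related records"
    last_activity: Optional[datetime] = None
    status: str = "new"

class InsightStore:
    """Illustrative model of the aggregation rule; hypothetical, not the product's implementation."""
    def __init__(self):
        self.insights = []   # every insight, new and closed
        self._open = {}      # key -> the single insight still collecting records

    def ingest(self, rec):
        key = (rec["user"], rec["operation"], rec["policy"], rec["destination_type"])
        insight = self._open.get(key)
        if insight is None:  # nothing open for this key: start a new insight
            insight = Insight(key)
            self._open[key] = insight
            self.insights.append(insight)
        insight.records.append(rec)
        # Last activity is the newest record time, even if records arrive out of order
        if insight.last_activity is None or rec["time"] > insight.last_activity:
            insight.last_activity = rec["time"]
        return insight

    def close(self, insight):
        insight.status = "closed"
        self._open.pop(insight.key, None)  # later occurrences open a fresh insight

def demo():
    # Constructed sample records modelled on the Eva Baily example (year assumed)
    base = {"user": "Eva Baily", "operation": "visit website",
            "policy": "Recommended basic security policy", "destination_type": "website"}
    times = ["12:31:02", "12:33:40", "12:38:56", "12:36:15"]  # one arrives late
    store = InsightStore()
    for t in times:
        ts = datetime.strptime("2024-11-06 " + t, "%Y-%m-%d %H:%M:%S")
        first = store.ingest({**base, "time": ts})
    store.close(first)
    second = store.ingest({**base, "time": datetime(2024, 11, 7, 9, 0, 0)})
    return store, first, second

if __name__ == "__main__":
    store, first, second = demo()
    print(len(first.records), first.last_activity, first.status, len(store.insights))
```
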



Investigate via AI summary

Another way of investigating an incident is to see the AI summary of what happened.

For data policy violations, policies with dynamic action, blocked apps, and blocked websites, there is a special Summarize button. Once you click it, metadata about the incident is sent to our Contextual Defense engine, which then generates the AI summary of the incident. The summary contains all interesting info about the incident from across the Safetica console (for example, a general description of the incident, when it happened, which user, destination type, and policy were involved, all matched data classifications, etc.).

Understand large operations: When a user copies 10,000 files, instead of investigating 100 pages in the Data table for 30 minutes (trying to find out what file types there were, what classifications the files matched, were there any risky files, etc.), the admin can just click the Summarize button and in 30 seconds read the AI summary in natural language.

Share the AI summary: You can also share the natural-language summary of what happened with your colleagues. Just click the Copy to clipboard button and then paste it where needed.

Example: Eva Baily violated a data policy because she sent files via instant messaging.

In the video, you can see how the AI summary of the insight is generated, what information it contains, and how you can share it with other admins. 



Share an insight with other admins for further investigation

You can share an insight with another Safetica admin so that they can investigate it on their own. To share a specific insight:

  1. Click the insight to open its detail.
  2. Click the ID to copy its link into the clipboard.
  3. Send the link to another Safetica admin (they must have access to the Safetica console).
  4. When the admin opens the link, they will see the specific insight.


Close an insight

After you finish investigating the issue, close the insight. Once you do that, it disappears from the insight list (only new insights are listed there by default).

To see all insights (even closed ones), cancel the Status filter.

To close an insight:

  1. Click the insight to open its detail.
  2. Enter a comment about the resolution of the issue.
  3. Click Close insight.
  4. All admins (with access to the specific user) can then see who closed the insight, when, and the comment they wrote.
  5. Insights related to Privileged access cannot be closed while Privileged access is granted to the user. To close such an insight, revoke the Privileged access first - just go to the Quick actions in the insight detail and click Revoke privileged access to given user.

✍️If you close an insight and the issue is repeated, a new insight will appear and consolidate future related operations.

❗For now, it is not possible to change the comment or reopen the insight.



Filter insights

You can filter insights by:

  • Reason: The reason that caused an operation to appear in Insights (i.e., the type of the insight). For example, if you want to see only blocked applications, you can filter them here.
  • Status: You can filter out either new or closed insights. By default, only new insights are displayed.
  • Severity: You can filter insights by severity.

Sorting only works for Severity, Status, and Last activity.


Read next

Insights: Intelligent management of threats, incidents, and events

Insight detail: A bridge between the insight and other parts of Safetica console