How to Investigate a High-Risk User
Overview
A high-risk user investigation should combine user risk score details, authentication logs, activity logs, session timeline, and security dashboard signals.
What this feature does
It gives administrators a step-by-step process to review user activity without relying on one signal alone.
Why it is useful
- It reduces false positives.
- It helps confirm compromised accounts faster.
- It gives teams a repeatable investigation workflow.
Who should read this?
RISE Admin, Security Officer, System Owner.
Where to find it
Rise Audit Pro → User Risk Scores, Auth Log, Activity Log, Security Dashboard, Session Timeline.
How to use it
- Open User Risk Scores.
- Select the high-risk user.
- Review the risk factors.
- Open Auth Log for login context.
- Open Activity Log for sensitive changes.
- Review Session Timeline for the sequence of actions.
- Confirm with the user or manager if needed.
- Take action according to your security policy.
Example workflow
A high-risk user shows a login from a new country followed by bulk deletion activity. The security officer reviews the session timeline, confirms with the user that they did not perform the actions, and disables the account pending investigation.
Recommended investigation checklist
- What risk factors triggered the score?
- Was the login source expected?
- Did sensitive actions happen after the login?
- Is the user able to confirm the activity?
- Do permissions need to be reduced or credentials reset?
- Should the event be documented for compliance?
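The correlation behind the example workflow and the checklist above, as an added example (not Rise Audit Pro code): given exported auth and activity records, it lists what happened in each session that began from an unexpected country and flags bulk deletion. The record fields, action names, shared session id and deletion threshold are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records. Field names, action names and the session id
# join are assumptions for this example, not Rise Audit Pro's export schema.
AUTH_LOG = [
    {"user": "jdoe", "time": "2024-05-01T08:02:00", "country": "GB", "session": "s1"},
    {"user": "jdoe", "time": "2024-05-03T02:14:00", "country": "BR", "session": "s2"},
    {"user": "asmith", "time": "2024-05-03T09:00:00", "country": "GB", "session": "s3"},
]
ACTIVITY_LOG = [
    {"user": "jdoe", "time": "2024-05-01T08:10:00", "session": "s1", "action": "record_deleted"},
    {"user": "jdoe", "time": "2024-05-03T02:15:00", "session": "s2", "action": "record_viewed"},
] + [
    {"user": "jdoe", "time": f"2024-05-03T02:1{m}:00", "session": "s2", "action": "record_deleted"}
    for m in range(6, 9)
] + [{"user": "jdoe", "time": "2024-05-03T02:20:00", "session": "s2", "action": "role_changed"}]

SENSITIVE_ACTIONS = {"record_deleted", "role_changed"}  # hypothetical action names
BULK_DELETE_THRESHOLD = 3  # assumed cut-off; set it from your own policy


def investigate(user, expected_countries, auth_log, activity_log):
    """For each login from an unexpected country, return the session's
    time-ordered actions, the sensitive subset, and a bulk-deletion flag."""
    findings = []
    logins = sorted((e for e in auth_log if e["user"] == user), key=lambda e: e["time"])
    for login in logins:
        if login["country"] in expected_countries:
            continue  # expected source: nothing to correlate
        start = datetime.fromisoformat(login["time"])
        timeline = sorted(
            (a for a in activity_log
             if a["user"] == user and a["session"] == login["session"]
             and datetime.fromisoformat(a["time"]) >= start),
            key=lambda a: a["time"],
        )
        sensitive = [a for a in timeline if a["action"] in SENSITIVE_ACTIONS]
        deletes = sum(a["action"] == "record_deleted" for a in sensitive)
        findings.append({"login": login, "timeline": timeline, "sensitive": sensitive,
                         "bulk_deletion": deletes >= BULK_DELETE_THRESHOLD})
    return findings


if __name__ == "__main__":
    for f in investigate("jdoe", {"GB"}, AUTH_LOG, ACTIVITY_LOG):
        print(f["login"]["time"], f["login"]["country"], "bulk_deletion =", f["bulk_deletion"])
        for a in f["sensitive"]:
            print("  ", a["time"], a["action"])
```

The set of expected countries is supplied by the investigator, so the output is evidence to review with the user or manager rather than a verdict.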
Common mistakes
- Taking action without reviewing supporting evidence.
- Ignoring high-risk users because they are senior staff.
- Not preserving exports or notes for serious investigations.
Related articles
- User Risk Scores
- Session Timeline
- Activity Log Overview
- Auth Log Overview

