To access the Risk dashboard, in the PingOne console, go to Dashboard > Risk.

Risk totals chart

The Risk dashboard shows the Risk totals chart, which summarizes all risk events analyzed in the selected time period. You can use the slider under the Risk summary chart to show data from the current day, past week, past month, or past six months. The columns in the chart rescale to show information over the selected time period. You can hover over a column to show the specific period it represents.

Each column is broken down into five sub-columns, defined at the top of the chart from left to right:

  • The number of analyzed events
  • The number of medium risk events
  • The number of high risk events
  • The number of high risk users
  • The number of high risk IP addresses

In addition to the Risk totals chart, the Risk dashboard consists of the following graphs, each of which can be expanded for greater detail:

Monitored risk data

The expanded graphs include tables of the following monitored data.

Time
  Format: YYYY-MM-DD HH:MM:SS
  Sample Values: 2020-12-20 14:01:36
  Meaning: Time of the event
  Remarks: Local time of the administrator

User
  Format: Text
  Sample Values: User identification in the system
  Meaning: User ID
  Remarks: The value depends on the administrator's selection, such as UUID, email, and user name.

Risk Level
  Format: Text
  Sample Values: Low, Medium, High
  Meaning: Calculated risk level for this transaction

IP
  Format: Dotted decimal IP address
  Sample Values: 185.104.184.99
  Meaning: The accessing device's IP address

Country
  Format: Text
  Sample Values: United States
  Meaning: The country with which the accessing device’s IP is associated

Target Application
  Format: Text
  Sample Values:
    • Salesforce
    • Concur
    • Ultipro
    • And so on
  Meaning: The application to which the user is trying to authenticate
  Remarks: How the application identifies itself

User Agent
  Format: Text
  Sample Values:
    • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    • AppleWebKit/537.36 (KHTML, like Gecko)
    • Chrome/86.0.4215.0
    • Safari/537.36
    • Edge/86.0.597.0
  Meaning: Accessing device's user agent
  Remarks: How the user agent identifies itself

OS
  Format: Operating system text string
  Sample Values:
    • Windows 10
    • Linux
    • Android
    • And so on
  Meaning: The accessing device's OS
  Remarks: How the OS identifies itself

Browser
  Format: Text
  Sample Values:
    • Edge 86
    • Chrome
    • Firefox
    • And so on
  Meaning: The accessing device's browser
  Remarks: How the browser identifies itself

IP Reputation
  Format: Text
  Sample Values: Low, Medium, High
  Meaning: The risk score of the IP address of the user's accessing device

Geovelocity
  Format: Text
  Sample Values: True, False
  Meaning: True when the travel time between a user’s current location and their previous location is not possible in the time frame that has elapsed since the previous risk evaluation

Anonymous Network
  Format: Text
  Sample Values: True, False
  Meaning: Analyzes the IP address of the user's accessing device. Set to True for attempts that originate from an anonymous network such as:
    • Unknown VPN
    • Proxy
    • Anonymous communication tool such as a TOR browser

User Risk Behavior
  Format: Text
  Sample Values: Low, Medium, High
  Meaning: Severity measure of the likelihood of the authentication event to be anomalous compared to normal organization behavior

User Risk Behavior Reason
  Format: Text
  Sample Values:
    • Very Unusual: <Reason>
    • Unusual: <Reason>
    • <Reason>
  Meaning: The reason why User Risk Behavior was identified as anomalous

User Velocity by IP
  Format: Text
  Sample Values: Low, Medium, High
  Meaning: Severity measure of the number of users originating from the same IP address compared to that user's normal behavior
  Note: If there are not enough past transactions to determine normal behavior for that user, the environment's default behavior is used instead.

IP Velocity by User
  Format: Text
  Sample Values: Low, Medium, High
  Meaning: Severity measure of the number of different IP addresses that a user is using compared to that user's normal behavior
  Note: If there are not enough past transactions to determine normal behavior for that user, the environment's default behavior is used instead.

User Based Risk Behavior
  Format: Text
  Sample Values: Low, Medium, High
  Meaning: Severity measure of the likelihood of the authentication event to be anomalous compared to normal behavior of the user.
    If the severity is Medium or High, you can click the User Risk Behavior field to show the risk details. See Risk Details.

User Based Risk Behavior Reason
  Format: Text
  Sample Values:
    • Very Unusual: Country, Application
    • Unusual: Activity timeframe, OS, Browser properties
  Meaning: The reason why User Based Risk Behavior was identified as anomalous

Risk Policy
  Format: Text
  Sample Values: My Org Policy
  Meaning: The policy-set associated with this risk evaluation

Resource ID
  Format: UUID
  Sample Values: ef9d7227-8115-4692-b7f5-c38e238d264f
  Meaning: The Resource ID represents the risk evaluation ID as returned in the API response.
    On the Reporting tab, you can filter reports by Resource ID.

Note:

Only users with the dir:read:user permission can view the drill down table and user data.
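
The Geovelocity field described above can be illustrated with a short impossible-travel check. This is an added example, not PingOne's implementation: the speed ceiling, the distance tolerance, the latitude/longitude values (standing in for an IP-geolocation lookup), and the sample events are all assumptions.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 1000.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0   # assumption: tolerance for IP-geolocation noise

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_time(value):
    # Time format from the monitored data table: YYYY-MM-DD HH:MM:SS
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def is_impossible_travel(prev, cur):
    """True when the trip prev -> cur cannot be made in the elapsed time."""
    if prev is None:                      # first evaluation seen for this user
        return False
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if dist < MIN_DISTANCE_KM:            # too close to call it travel
        return False
    hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
    return hours <= 0 or dist / hours > MAX_SPEED_KMH

def label_geovelocity(events):
    """Return (user, time, flag), comparing each event with the user's previous one."""
    last_seen, labelled = {}, []
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        flag = is_impossible_travel(last_seen.get(event["user"]), event)
        labelled.append((event["user"], event["time"], flag))
        last_seen[event["user"]] = event
    return labelled

# Constructed sample events (not real data); coordinates are approximate city centres.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2020-12-20 14:01:36", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "alice", "time": "2020-12-20 15:30:00", "lat": 51.51, "lon": -0.13},   # London
    {"user": "alice", "time": "2020-12-21 02:00:00", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "bob", "time": "2020-12-20 09:00:00", "lat": 48.86, "lon": 2.35},      # Paris
    {"user": "bob", "time": "2020-12-20 09:05:00", "lat": 48.85, "lon": 2.35},      # Paris
]

if __name__ == "__main__":
    for row in label_geovelocity(SAMPLE_EVENTS):
        print(row)
```
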

Risk details

In the monitored risk data tables, if the User Based Risk Behavior score is Medium or High, click the score to show the Risk Details window.


A screen capture of the monitored risk data table with scores of High in the User Based Risk Behavior column. The scores are highlighted blue to show that they are selectable.

The Risk Details window compares values of the anomalous transaction to typical user behavior.


A screen capture of the Risk Details window. There are four columns: Attribute, Normal, Anomaly, and Score.

  • Attribute: The category of the anomalous transaction
  • Normal: Typical values of the transaction category, according to normal user behavior
  • Anomaly: The anomalous value in the transaction
  • Score: The risk level of the anomaly

Raw risk details

In the Risk Details window, click Raw risk details to show the details of typical user behavior.

The Raw Risk Details window shows the values that define normal user behavior and the number of times they have been recorded.


A screen capture of the Raw Risk Details window. There are three columns: Name, Value, and Seen.

  • Name: The category of the user based risk behavior standard
  • Value: Specific values that have been logged by the user
  • Seen: The number of times the value has been logged

Filtered searching

The filtered search bar appears above each table of risk data.


Screen capture of the filtered search bar with check boxes for User, IP, Country, Target Application, User Agent, OS, and Browser.

  • Click Filters ^ to toggle the list of filter options.
  • Use the check boxes to select filters.
  • If you enter free text without choosing at least one filter, the search displays all table rows containing the entered text.
  • Wild card searches using an asterisk (*) are not supported.
  • Be aware of the use of spaces in a search string. A space is a significant character. For example, Chrome<space>Mobile works. Chrome<space><space>Mobile does not work.
  • Use of quotation marks is not supported.
  • The left-hand search filters operate first. Subsequent use of the filtered search bar produces a subset of the prior left-hand filter.

    For example, in the Country list, select India. The table shows results for India only.

    In the filtered search bar, select OS and enter Android 10. The table is reduced to show only users from India signing on from an Android 10 device.