Risk analysis detects and surfaces risky logon behaviors, sensitive data operations, high-risk service activities, and database anomalies across your provisioned assets. Use this feature to investigate incidents directly from the risk list and drill into payload-level details. The feature also provides visual analysis of all logon behaviors.
Prerequisites
Before you begin, ensure that your asset traffic is provisioned. For more information, see Provisioning.
Logon behavior risk types
Risk analysis monitors four categories of logon risk in your network traffic:
| Risk type | What the system detects | When to investigate |
|---|---|---|
| Privileged account abuse | Logons from unknown geographic locations, access outside business hours, and unusually high logon frequencies for privileged accounts | Investigate any logon that deviates from the account's established time-of-day or location patterns. Privileged accounts have highly permissive access—a compromised account can cause serious damage before manual review catches it. |
| Weak password logon | Successful logons using weak passwords for web services, MySQL, and FTP | Investigate any successful weak password logon. Simple, easily guessed passwords are a leading cause of account compromise and brute-force attack success. Check whether the source IP is expected and whether the logon time is normal. |
| Plaintext password transmission | Passwords transmitted without any encryption algorithm or encoding method (such as base64, SHA, or AES) | Investigate any plaintext credential appearing from an external or untrusted source IP. Internal traffic may be legitimate but still requires remediation to prevent interception. Note that base64 is a reversible encoding, not protection: a base64-encoded credential (for example, HTTP Basic authentication) is as exposed on the wire as a plaintext one and should be remediated the same way. |
| Leaked AccessKey/SecretKey (AK/SK) logon | Successful logons using a leaked AK/SK pair | Investigate all occurrences. A leaked AK/SK pair lets an attacker access cloud resources through legitimate API calls, with no malicious files or processes on any host. Because nothing runs on an endpoint, this activity can evade traditional endpoint detection tools. |
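The following is an added example, not code from the Agentic NDR product: a Python sketch of the weak-password, plaintext-credential and privileged-account checks described in the table, run over constructed HTTP and FTP logon events. The event fields, the weak-password list, the privileged-account list, the business-hours window and the trusted address ranges are all hypothetical. It deliberately decodes HTTP Basic authentication and treats the result as a plaintext credential, which is stricter than the detection rule described above, because base64 offers no confidentiality. The AK/SK category is omitted: detecting a leaked key requires matching against a leak feed that this example does not have.

```python
"""Added example: logon-risk checks over constructed sensor events.

Not Agentic NDR code. Field names, thresholds and lists are hypothetical;
a real sensor normalizes far more protocol detail than this sketch does.
"""
import base64
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed, deliberately tiny lists; production systems use large
# dictionaries and an asset inventory instead of hard-coded values.
WEAK_PASSWORDS = {"123456", "password", "admin", "root", "qwerty", "admin123"}
PRIVILEGED_ACCOUNTS = {"root", "admin", "administrator"}
BUSINESS_HOURS = (time(8, 0), time(19, 0))      # inclusive window, local time
TRUSTED_PREFIXES = ("10.", "192.168.")          # hypothetical internal ranges


@dataclass
class LogonEvent:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str      # "http" or "ftp" in this example
    payload: str       # application-layer text the sensor captured
    success: bool      # whether the server accepted the logon


def extract_credential(ev: LogonEvent) -> Optional[tuple[str, str]]:
    """Return (user, password) if a credential is readable on the wire, else None.

    HTTP Basic auth is base64, which is an encoding, not encryption: anyone on
    the path can decode it, so it is treated here as a plaintext credential.
    """
    if ev.protocol == "http":
        m = re.search(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", ev.payload)
        if not m:
            return None
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, pwd = decoded.partition(":")
        return (user, pwd) if sep else None
    if ev.protocol == "ftp":
        # FTP control channel: USER and PASS commands travel in the clear.
        u = re.search(r"^USER\s+(\S+)", ev.payload, re.M)
        p = re.search(r"^PASS\s+(\S+)", ev.payload, re.M)
        if u and p:
            return u.group(1), p.group(1)
    return None


def classify(ev: LogonEvent) -> set[str]:
    """Tag one event with the logon-risk categories it triggers."""
    risks: set[str] = set()
    cred = extract_credential(ev)
    if cred is None:
        return risks
    user, pwd = cred
    risks.add("plaintext_password")             # credential visible, encoded or not
    if ev.success and pwd in WEAK_PASSWORDS:
        risks.add("weak_password_logon")        # only successful weak logons count
    if ev.success and user in PRIVILEGED_ACCOUNTS:
        start, end = BUSINESS_HOURS
        if not start <= ev.ts.time() <= end:
            risks.add("privileged_off_hours")
        if not ev.src_ip.startswith(TRUSTED_PREFIXES):
            risks.add("privileged_untrusted_source")
    return risks


# Constructed sample events, not real captures. "YWRtaW46YWRtaW4=" is base64 of "admin:admin".
SAMPLE_EVENTS = [
    LogonEvent(datetime(2024, 5, 3, 2, 30), "203.0.113.7", "10.0.0.20", 80, "http",
               "GET /admin HTTP/1.1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n", True),
    LogonEvent(datetime(2024, 5, 3, 10, 5), "10.0.0.5", "10.0.0.21", 21, "ftp",
               "USER alice\r\nPASS S3cure!pass-2024\r\n", True),
    LogonEvent(datetime(2024, 5, 3, 11, 0), "10.0.0.9", "10.0.0.21", 21, "ftp",
               "USER root\r\nPASS 123456\r\n", False),
    LogonEvent(datetime(2024, 5, 3, 11, 1), "10.0.0.9", "10.0.0.20", 443, "http",
               "GET /api HTTP/1.1\r\nAuthorization: Bearer opaque-session-token\r\n", True),
]


def run_samples() -> list[set[str]]:
    return [classify(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, risks in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{ev.ts:%H:%M} {ev.src_ip:>14} -> {ev.dst_ip}:{ev.dst_port} "
              f"{ev.protocol:<4} {sorted(risks)}")
```

The weak-password tag is applied only to successful logons, matching the table, and the privileged-account deviations are judged against a fixed window and address list; a real baseline would be learned per account from its own logon history rather than hard-coded.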
Logon behavior visual analysis
Log on to the Agentic NDR console.
In the left-side navigation pane, choose Risks.
On the Overview tab, view logon behavior risks and database behavior risks. Click View Details to go to the corresponding tab.
Investigate logon behaviors
Privileged account logons
On the Logon Activity > Privileged Accounts tab:
View logs: Click View Logs in the Actions column. The Investigate feature opens with logs pre-filtered by Source IP and Destination Port from the logon event.
View risk details:
Click Details in the Actions column to open the Details panel. Review Basic Information and Privileged Account Login Details for the target asset.
Click View Payload to see the detailed payload for the record. Click the export icon to export all privileged account logon details.
Weak password logons
On the Logon Activity > Weak Passwords tab:
View asset details:
Click an address in the Destination IP Address column to open the Asset Information dialog.
At the bottom of the dialog, click Threat Analysis, Protocol Log, or Packet Query to analyze the IP address in depth. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs: Click View Logs in the Actions column. Logs are pre-filtered by Source IP and Destination Port.
View risk details:
Click Details in the Actions column to open the Details panel. Review Basic Information and Weak Password Login Details for the target asset.
Click View Payload to see the detailed payload. Click the export icon to export all weak password logon details.
Plaintext password logons
On the Logon Activity > Plaintext Credential tab:
View asset details:
Click an address in the Destination IP Address column to open the Asset Information dialog.
At the bottom of the dialog, click Threat Analysis, Protocol Log, or Packet Query to analyze the IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs: Click View Logs in the Actions column. Logs are pre-filtered by Source IP and Destination Port.
View risk details:
Click Details in the Actions column to open the Details panel. Review Basic Information and Plaintext Credential Login Details for the target asset.
Click View Payload to see the detailed payload. Click the export icon to export all plaintext password logon details.
Leaked AK/SK logons
On the Logon Activity > Leaked AK/SK tab:
View asset details:
Click an address in the Destination IP Address column to open the Asset Information dialog.
At the bottom of the dialog, click Threat Analysis, Protocol Log, or Packet Query to analyze the IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs: Click View Logs in the Actions column. Logs are pre-filtered by Destination IP Address and Destination Port.
View risk details:
Click Details in the Actions column to open the Details panel. Review Basic Information and Leaked AKSK Login Details for the target asset.
Click View Payload to see the detailed payload. Click the export icon to export all leaked AK/SK logon details.
Common operations for all logon activity tabs
The following operations apply to all Logon Activity tabs:
Export data:
Click the export icon in the upper-right corner of the list to create a download task. Then click Download Tasks in the upper-right corner. In the Tasks panel, view download tasks for all risk types.
For a task with a Completed status, click Download or Delete.
View sensitive data: Click Sensitive Information to see the sensitive data included in the logon behavior.
Customize columns: Click the column settings icon to select which columns to display.
Sensitive data behaviors
In the left-side navigation pane, choose Risks.
On the Sensitive Data tab, view sensitive data and sensitive file transmission behaviors detected on your provisioned assets.
Risk analysis classifies sensitive data into four levels:
| Sensitivity level | Description |
|---|---|
| S1 | Non-sensitive data. Disclosing this type of data generally causes no harm. Examples: provinces, cities, and product names. |
| S2 | Generally sensitive data. Not suitable for public disclosure; the harm from a breach is low. Examples: names and addresses. |
| S3 | Critically sensitive data. Highly sensitive—even a small leak can cause serious harm. Examples: ID numbers, account passwords, and database information. |
| S4 | Core confidential data. Must not be disclosed under any circumstances. Examples: genetic data, fingerprints, and irises. |
From the Sensitive Data tab, you can:
View asset details:
Click an IP address in the IP Address column to open the Asset Information dialog.
At the bottom of the dialog, click Intelligence Profile, Protocol Log, or Packet Query to analyze the IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs: Click View Logs in the Actions column to open the Investigate feature, with logs pre-filtered based on the event criteria.
View sensitive data details:
Sensitive data
Click Details in the Actions column to open the Details panel. Review Basic Information and Sensitive Information for the target asset.
Click the number in the Sensitive Information Items column to view the sensitive data in the record.
Click View Payload to see the detailed payload.
Sensitive files
View sensitive file details:
Click Details in the Actions column to open the Details panel. Review Basic Information and Sensitive File Risk Details for the target asset.
Click File Details to view the sensitive file information in the record.
Click View Payload to see the detailed payload.
High-risk service behaviors
In the left-side navigation pane, choose Risks.
On the High-Risk Service tab, view detailed information about detected high-risk service behaviors.
Click View Logs in the Actions column to open the Investigate tab, with logs pre-filtered based on the specified criteria.
Database behavior analysis
In the left-side navigation pane, choose Risks.
On the Database Activity tab, view database risk behaviors on both public and private networks.
Risk analysis detects four categories of database risk:
| Risk type | What triggers it | When to investigate |
|---|---|---|
| Data and information anomalies | Queries that read sensitive information beyond normal scope, such as system metadata, user permission structures, or environment parameters. Examples: SELECT * FROM information_schema.tables; / SELECT * FROM pg_settings; / SELECT * FROM mysql.user; | This can be a legitimate database administrator (DBA) activity or a reconnaissance step before data theft. Investigate if the query originates from an unexpected account, an unusual time of day, or an application that has no business reason to read system tables. |
| File system modification risk | Commands that change critical files or core configurations at runtime, such as log paths, security policy settings, or preloaded libraries. Examples: SET GLOBAL slow_query_log_file = '/tmp/slow_query.log'; / ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements,auto_explain'; / SET GLOBAL local_infile = 1; | This is often triggered by operational errors or planned maintenance. Investigate if the change was not planned, originated from an unexpected session, or deviates from your change management process. Treat log-path changes with particular suspicion: redirecting a log file lets anyone with query access write attacker-controlled content to an arbitrary path on the server, and local_infile = 1 enables LOAD DATA LOCAL INFILE, which a malicious server can use to read files from connecting clients. |
| Permission configuration risk | Operations that grant excessive permissions, downgrade security mechanisms, or enable sensitive features. Examples: GRANT ALL PRIVILEGES ON *.* TO 'dev_user'@'%'; / CREATE USER admin IDENTIFIED BY 'admin'; / GRANT ALL ON customer_data TO public; | Even routine permission grants can violate least privilege if scoped too broadly. Investigate any grant that deviates from your security baseline, enables privilege escalation, or was not initiated by an authorized administrator. |
| Data deletion risk | High-risk DDL operations (DROP, TRUNCATE) or DML DELETE statements without precise filter conditions. Examples: DELETE FROM user_credentials; / TRUNCATE TABLE financial_transactions; / DROP DATABASE sales_system; / DROP TRIGGER trg_after_insert; | Unscoped deletions can cause irreversible data loss. Investigate if the operation lacks a WHERE clause, was not part of a scheduled maintenance task, or targeted a production table without prior approval. |
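As an added example (not the product's own detection logic), the following Python classifier applies the four categories above to the table's example statements plus some benign look-alikes that a detector must not flag: a tuning change to max_connections, a narrowly scoped GRANT, a CREATE USER with a strong password, and a DELETE with a real predicate. The regexes, the sensitive-variable list and the weak-password list are hypothetical. A production detector would parse SQL properly and add the session context (account, source, time of day) that the "When to investigate" column relies on and that regexes alone cannot supply.

```python
"""Added example: classify SQL statements into the four database-risk categories.

Not Agentic NDR code; a regex sketch over constructed statements. Lists and
patterns are hypothetical and far from complete.
"""
import re

# Catalog, privilege and settings objects whose bulk reads look like reconnaissance.
SYSTEM_OBJECTS = re.compile(
    r"\b(information_schema\.|performance_schema\.|mysql\.(user|db)\b|"
    r"pg_catalog\.|pg_settings\b|pg_shadow\b|pg_authid\b)", re.I)

# Runtime configuration changes: MySQL SET GLOBAL/PERSIST, PostgreSQL ALTER SYSTEM.
RUNTIME_CONFIG = re.compile(
    r"^(?:SET\s+(?:GLOBAL|PERSIST|PERSIST_ONLY)\s+(\w+)|ALTER\s+SYSTEM\s+SET\s+(\w+))\s*=", re.I)
# Variables that change files on disk or what the server loads or reads (hypothetical list).
FILE_SENSITIVE_VARS = {
    "slow_query_log_file", "general_log_file", "log_error", "secure_file_priv",
    "local_infile", "shared_preload_libraries", "session_preload_libraries",
    "log_directory", "data_directory",
}

WEAK_PASSWORDS = {"admin", "password", "123456", "root", ""}
# WHERE clauses that match every row: 1=1, TRUE, 'x'='x'.
TAUTOLOGY = re.compile(r"^(?:1\s*=\s*1|TRUE|'(\w*)'\s*=\s*'\1')$", re.I)


def normalize(sql: str) -> str:
    """Strip comments, collapse whitespace and drop the trailing semicolon."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"\s+", " ", sql).strip().rstrip(";").strip()


def classify(sql: str) -> set[str]:
    s = normalize(sql)
    head = s.split(" ", 1)[0].upper()
    risks: set[str] = set()

    # Data and information anomalies: reads of catalog / privilege / settings tables.
    if head in {"SELECT", "SHOW"} and SYSTEM_OBJECTS.search(s):
        risks.add("data_information_anomaly")

    # File system modification: only variables that touch paths, file reads or preloads.
    m = RUNTIME_CONFIG.match(s)
    if m and (m.group(1) or m.group(2)).lower() in FILE_SENSITIVE_VARS:
        risks.add("file_system_modification")

    # Permission configuration: over-broad grants, dangerous privileges, weak new accounts.
    if head == "GRANT":
        if re.search(r"\bALL\b|\*\.\*|@'%'|\bTO\s+PUBLIC\b|\b(SUPER|FILE|PROCESS|GRANT OPTION)\b",
                     s, re.I):
            risks.add("permission_configuration")
    elif re.match(r"^(?:CREATE|ALTER)\s+(?:USER|ROLE)\b", s, re.I):
        name = re.match(r"^(?:CREATE|ALTER)\s+(?:USER|ROLE)\s+(?:IF\s+NOT\s+EXISTS\s+)?'?(\w+)", s, re.I)
        pwd = re.search(r"\bIDENTIFIED\s+BY\s+'([^']*)'|\bPASSWORD\s+'([^']*)'", s, re.I)
        if name and pwd:
            secret = (pwd.group(1) if pwd.group(1) is not None else pwd.group(2)).lower()
            if secret in WEAK_PASSWORDS or secret == name.group(1).lower():
                risks.add("permission_configuration")

    # Data deletion: DDL drops/truncates, or DELETE with no WHERE or a tautological one.
    if head in {"DROP", "TRUNCATE"}:
        risks.add("data_deletion")
    elif head == "DELETE":
        where = re.search(r"\bWHERE\b(.*)$", s, re.I)
        if where is None or TAUTOLOGY.match(where.group(1).strip()):
            risks.add("data_deletion")
    return risks


# Constructed statements: the table's examples plus benign look-alikes that must not fire.
SAMPLE_STATEMENTS = [
    "SELECT * FROM information_schema.tables;",
    "SELECT * FROM pg_settings;",
    "SELECT * FROM mysql.user;",
    "SELECT id, email FROM app.customers WHERE id = 7;",
    "SET GLOBAL slow_query_log_file = '/tmp/slow_query.log';",
    "ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements,auto_explain';",
    "SET GLOBAL local_infile = 1;",
    "SET GLOBAL max_connections = 500;",
    "GRANT ALL PRIVILEGES ON *.* TO 'dev_user'@'%';",
    "CREATE USER admin IDENTIFIED BY 'admin';",
    "GRANT ALL ON customer_data TO public;",
    "GRANT SELECT ON app.orders TO 'report'@'10.0.0.%';",
    "CREATE USER 'svc_report'@'localhost' IDENTIFIED BY 'k9$Lq2!vX7pR';",
    "DELETE FROM user_credentials;",
    "TRUNCATE TABLE financial_transactions;",
    "DROP DATABASE sales_system;",
    "DROP TRIGGER trg_after_insert;",
    "DELETE FROM sessions WHERE 1=1;",
    "DELETE FROM sessions WHERE expires_at < NOW();",
    "-- nightly cleanup\nDELETE FROM audit_log /* bulk */;",
]


def run_samples() -> dict[str, set[str]]:
    return {sql: classify(sql) for sql in SAMPLE_STATEMENTS}


if __name__ == "__main__":
    for sql, risks in run_samples().items():
        print(f"{sorted(risks) or ['-']!s:<32} {normalize(sql)}")
```

The tautology check matters in practice: `DELETE FROM t WHERE 1=1` is semantically identical to an unscoped delete and is a common way to slip past a naive "has a WHERE clause" rule. The classifier also strips comments before matching, since `DELETE FROM audit_log /* bulk */` is the same statement as the unscoped one.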
Click Details in the Actions column to view risk behavior details, AI-powered analysis, and remediation suggestions.
Click View Logs in the Actions column to open the Investigate tab, with data pre-filtered based on the specified criteria. For more information, see Protocol Session.
What's next
To protect the sensitive data surfaced here, configure Agentic NDR policies that deny users permission to view sensitive data or to export data, so that only authorized analysts can see credential and payload details.