Threat Detection

If Threat Detection is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

Overview

StrongDM Threat Detection is an advanced security feature designed to identify and analyze deviations in user behavior during privileged access sessions. By continuously monitoring access patterns, Threat Detection establishes baselines for normal user activity and assigns anomaly scores to detect deviations that may signal potential security threats.

This system tracks and consolidates threat events into actionable findings, enabling security teams to investigate abnormal user behavior efficiently. Through advanced risk analysis and summarization, Threat Detection highlights critical events, helping organizations to prioritize responses based on severity. Feedback mechanisms are also integrated to enhance the accuracy and reliability of detections over time.

By viewing and analyzing every privileged access event, Threat Detection enables proactive threat management with minimal operational overhead. It empowers teams to detect and mitigate risks early, ensure regulatory compliance, and reduce reliance on external threat analysis tools.

This guide provides a general overview of Threat Detection, how to use it in the StrongDM Admin UI, and how it can help your organization.

Capabilities

StrongDM Threat Detection analyzes and displays every privileged access event, prioritizing and highlighting events of interest by anomaly score and risk level.

Threat Detection does the following:

  • Baselines normal user behavior

  • Detects deviations, increasing anomaly scores

  • Tracks threat events

  • Consolidates threat events into findings for threat team investigations

  • Analyzes and summarizes risks associated with findings

  • Uses feedback mechanisms to improve accuracy

Usage in the Admin UI

Threat Detection is available in the StrongDM Admin UI. From the main navigation, click Threat Detection to get to the three main sections: Events, Findings, and Dashboard.

Events

Threat Detection tracks user activity over a period of time in order to establish a baseline for normal user events versus anomalous events.

An event is any user activity that is captured by StrongDM and tagged with an anomaly score.

An anomalous event is an event that has a high anomaly score.

The anomaly score is a number from 1 to 100 assigned to the event that indicates whether the event is a low or high threat, where 1 is the lowest threat and 100 is the highest threat. A high anomaly score indicates an anomalous event.

Each event is logged in the Admin UI at Threat > Events. The Events page provides entries similar to StrongDM logs but adds the anomaly score. Each event entry has the following fields:

  • Result: Either allow or deny; the result of the policy assessment, if any, for the user's action(s)

  • Date: Date and time that the action was performed

  • Account: Name of the StrongDM user who performed the action

  • Resource: Name of the resource, if any, on which the user attempted the action (if there is no resource, this field is empty)

  • Action: Specific action the user attempted to perform

  • anomaly: Numerical anomaly score assigned to the event (from 1 to 100), where a low number represents a low threat and a high number represents a high threat

Findings

A group of events per user that hits an anomaly threshold is called a threat finding. All threat findings are shown in the Admin UI at Threat > Findings.

A risk score is assigned to every threat event. The score is a number from 1 to 100 that indicates the severity of the user's action, where a low number is a low risk and a high number is a high risk.

Admins can use the Findings page to view a timeline of all detected threat events, use the risk score to understand the risk level for each threat event, and either escalate or ignore the threat.

In addition to the status and event timeline, the Findings page displays a table of all threat findings, with the following entries:

  • Start: Start date and time of the threat

  • End: End date and time of the threat

  • Account: Name of the user whose action triggered the anomaly

  • Status: Status of the threat (for example, "Awaiting Review")

  • Risk Score: Number from 1 to 100 that indicates the level of risk associated with the user's action
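The Events and Findings sections above describe a data model (anomaly-scored events rolled up into per-user findings with Start, End, Account, Status and Risk Score) but not the consolidation rule. The following is an added example, not StrongDM code, showing one way such a roll-up can work. The log format, the anomaly threshold of 70, the 30-minute grouping gap, the rule that a finding's risk score is the highest anomaly score among its events, and the sample accounts and resources are all constructed for the example.

```python
"""Hypothetical roll-up of anomaly-scored events into per-user threat findings.
Added example only; the threshold, gap rule and risk rule are constructed and
are not StrongDM's algorithm."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threshold: an event scoring at or above this is treated as anomalous.
ANOMALY_THRESHOLD = 70
# Constructed gap: anomalous events for one account this close together
# are consolidated into the same finding.
MAX_GAP = timedelta(minutes=30)


@dataclass
class Event:
    result: str       # "allow" or "deny" (policy assessment result)
    date: datetime    # when the action was performed
    account: str      # StrongDM user who performed the action
    resource: str     # target resource, or "" when there is none
    action: str       # action the user attempted
    anomaly: int      # anomaly score, 1 (lowest threat) .. 100 (highest)


@dataclass
class Finding:
    account: str
    start: datetime
    end: datetime
    events: list = field(default_factory=list)
    status: str = "Awaiting Review"

    @property
    def risk_score(self) -> int:
        # Constructed rule: the finding's risk is its highest event anomaly score.
        return max(e.anomaly for e in self.events)

    @property
    def duration_minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)


def parse_event(line: str) -> Event:
    """Parse a constructed 'result|ISO date|account|resource|action|anomaly' line."""
    result, date, account, resource, action, anomaly = line.split("|")
    score = int(anomaly)
    if not 1 <= score <= 100:
        raise ValueError(f"anomaly score out of range: {score}")
    return Event(result, datetime.fromisoformat(date), account, resource, action, score)


def consolidate(events, threshold=ANOMALY_THRESHOLD, max_gap=MAX_GAP):
    """Group anomalous events per account into findings, ordered by start time."""
    findings = []
    open_by_account = {}  # account -> the finding most recently extended
    for ev in sorted(events, key=lambda e: e.date):
        if ev.anomaly < threshold:
            continue  # normal activity never opens or extends a finding
        current = open_by_account.get(ev.account)
        if current is not None and ev.date - current.end <= max_gap:
            current.end = ev.date
            current.events.append(ev)
        else:
            current = Finding(ev.account, ev.date, ev.date, [ev])
            findings.append(current)
            open_by_account[ev.account] = current
    return findings


def escalate(finding: Finding, reason: str) -> Finding:
    """Escalating requires a reason, as the Findings workflow does."""
    if not reason.strip():
        raise ValueError("an escalation reason is required")
    finding.status = "Escalated"
    return finding


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "allow|2024-05-01T09:00:00|alice|prod-db|SELECT|12",
    "allow|2024-05-01T09:05:00|alice|prod-db|SELECT|85",
    "deny|2024-05-01T09:20:00|alice|prod-db|export|97",
    "allow|2024-05-01T09:30:00|bob|bastion-1|ssh|40",
    "allow|2024-05-01T13:00:00|alice|prod-db|SELECT|75",
    "allow|2024-05-01T13:10:00|bob||login|90",
]

if __name__ == "__main__":
    for f in consolidate([parse_event(l) for l in SAMPLE_EVENTS]):
        print(f.account, f.start, f.end, f.status, f.risk_score, f.duration_minutes)
```

With the sample input, alice's two anomalous events 15 minutes apart become one finding (risk score 97, 15 minutes long), her later event opens a second finding, and bob's only anomalous event opens a third; his 40-score ssh event is ignored because it sits below the constructed threshold.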

Status

The status area provides a brief description of threat findings that need to be reviewed by an admin (for example, "It looks like user Alice Glick has been doing something unexpected for the last 495 minutes.").

If the status is "Awaiting Review," the admin must review the entry and click either Escalate or Ignore. If the admin chooses to escalate the threat, the admin must provide a reason to escalate it. The reason helps to improve accuracy in detecting threats in order to protect the organization. If the admin ignores the threat, nothing happens.

Dashboard

The Dashboard shows real-time information related to events, anomalous events, and threat findings.

The top of the dashboard presents the name of every active user and connected resource, as well as the following at-a-glance metrics:

  • Active Users: Number of active users

  • Anomalies/Hour: Number of anomalies per hour

  • Events/Hour: Number of events per hour

  • Traffic (mbps): User traffic in mbps

Anomalous Events: Last 60 Days

A bar graph presents a visual display of the anomalous events from the last 60 days.

Recent Event Logs

The Recent Event Logs section of the dashboard provides a brief list of metrics related to recent threat events:

  • Account: First and last name of the user

  • Anomaly: Anomaly score, which is a number from 1 to 100 assigned to the event, where a low number represents a low threat and a high number represents a high threat

  • Resource: Name of the resource that the user is connected to

You may click View All to view the full list of threat events on the Events page of the Admin UI.

Top Findings

The Top Findings section of the dashboard provides a brief list of metrics related to recent threat findings:

  • Account: First and last name of the user

  • Risk: Risk score, which is a number from 1 to 100 that indicates the level of risk associated with the user's action

  • Status: Status of the detected threat (for example, "Awaiting Review")

You may click View All to view the full list of threat findings on the Findings page of the Admin UI.
