Risk score
Zero Trust risk scoring detects user activity and behaviors that could introduce risk to your organization’s systems and data. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform.
User risk scoring
Cloudflare Zero Trust assigns a risk score of Low, Medium, or High based on detections of users’ activities, posture, and settings. A user’s score is equal to the highest-level risk behavior they trigger.
View a user’s risk score
To view a user’s risk score in Zero Trust, go to Risk score > User risk scoring. Select a user’s name to view their instances of risk behaviors, if any.
Users that have had their risk score cleared will not appear in the table unless they trigger another risk behavior.
Clear a user’s risk score
If required, you can reset risk scores for specific users. Once reset, users will not appear in the associated risk table until they trigger another risk behavior.
- In Zero Trust, go to Risk score > User risk scoring.
- Select the user you want to clear the risk score for.
- In User risk overview, select Reset user risk.
- Select Confirm.
Predefined risk behaviors
By default, all predefined behaviors are disabled. When a behavior is enabled, Zero Trust will continuously evaluate all users within the organization for the behavior. You can change the risk level for predefined behaviors if the default assignment does not suit your environment.
Risk behaviors | Requirements | Description |
---|---|---|
Impossible travel | A configured Access application | User has a successful login from two different locations that they could not have traveled between in that period of time. Matches will appear in your Access audit logs. |
High number of DLP policies triggered | A configured DLP profile | User has created a high number of DLP policy matches within a narrow frame of time. Matches will appear in your Gateway activity logs. |
Manage risk behaviors
To toggle risk behaviors, go to Risk score > Risk behaviors.
Enable risk behaviors
When a specific behavior is enabled, Zero Trust will continuously monitor all users within the organization for any instances of that behavior.
If a user engages in an enabled risk behavior, their risk level is re-evaluated. Zero Trust will update their risk score to the highest value between the current risk level and the risk level of the behavior they triggered.
Disable risk behaviors
When a risk behavior is disabled, monitoring for future activity will cease. Previously detected risk behaviors will remain in the logs and associated with a user.
Change risk behavior risk levels
You can change the risk level for a behavior at any time.
- In Zero Trust, go to Risk score > Risk behaviors.
- Select the risk behavior you want to modify.
- In the drop-down menu, choose your desired risk level.
- Select Save.