Risk score
Zero Trust risk scoring detects user activity and behaviors that could introduce risk to your organization’s systems and data. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform.
Cloudflare Zero Trust assigns a risk score of Low, Medium, or High based on detections of users’ activities, posture, and settings. A user’s score is equal to the highest-level risk behavior they trigger.
To view a user’s risk score in Zero Trust, go to Risk score > User risk scoring. Select a user’s name to view their instances of risk behaviors, if any. You can select an instance of a risk behavior to view the log associated with the detection.
Users that have had their risk score cleared will not appear in the table unless they trigger another risk behavior.
If required, you can reset risk scores for specific users. Once reset, users will not appear in the associated risk table until they trigger another risk behavior.
- In Zero Trust, go to Risk score > User risk scoring.
- Select the user you want to clear the risk score for.
- In User risk overview, select Reset user risk.
- Select Confirm.
In addition to controls in Zero Trust, Okta users can send risk scores to Okta to apply SSO-level policies.
First, configure Zero Trust to send user risk scores to Okta.
- Set up the Okta SSO integration.
- In Zero Trust, go to Settings > Authentication.
- In Login methods, locate your Okta integration and select Edit.
- Turn on Send risk score to Okta.
- Select Save.
- Upon saving, Zero Trust will display the well-known URL for your organization. Copy the value.
Next, configure Okta to receive your risk scores.
- On your Okta admin dashboard, go to Security > Device Integrations.
- Go to Receive shared signals, then select Create stream.
- Name your integration. In Set up integration with, choose Well-known URL.
- In Well-known URL, enter the well-known URL value provided by Zero Trust.
- Select Create.
For more information on configuring user risk score within Okta, refer to the Okta documentation.
While the Okta integration is turned on, Zero Trust will send any user risk score updates to Okta, including score increases and resets. Score update events will appear in your Access audit logs.
By default, all predefined behaviors are disabled. When a behavior is enabled, Zero Trust will continuously evaluate all users within the organization for the behavior. You can change the risk level for predefined behaviors if the default assignment does not suit your environment.
| Risk behaviors | Requirements | Description |
|---|---|---|
| Impossible travel | A configured Access application | User has a successful login from two different locations that they could not have traveled between in that period of time. Matches will appear in your Access audit logs. |
| High number of DLP policies triggered | A configured DLP profile | User has created a high number of DLP policy matches within a short period of time. Matches will appear in your Gateway activity logs. |
| SentinelOne threat detected on machine | SentinelOne service provider integration | SentinelOne returns one or more configured device posture attributes for a user. |
To toggle risk behaviors, go to Risk score > Risk behaviors.
When a specific behavior is enabled, Zero Trust will continuously monitor all users within the organization for any instances of that behavior.
If a user engages in an enabled risk behavior, their risk level is re-evaluated. Zero Trust will update their risk score to the higher of their current risk level and the risk level of the behavior they triggered.
When a risk behavior is disabled, monitoring for future activity will cease. Previously detected risk behaviors will remain in the logs and stay associated with the user.
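As an added illustration, not Cloudflare's own detection code, the following Python models the impossible-travel check from the table above together with the re-evaluation rule: consecutive successful logins per user are compared, a pair that would require travel faster than an assumed threshold is flagged, and each flagged user's score becomes the higher of their current level and the behavior's configured level. The login records, coordinates, and the 1000 km/h threshold are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Risk levels in ascending order, as on the page: Low < Medium < High.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
MAX_SPEED_KMH = 1000.0  # hypothetical feasibility threshold between two logins

# Constructed sample of successful-login events (not real Access audit log records).
LOGINS = [
    {"user": "alice@example.com", "ts": "2024-05-01T09:00:00", "lat": 51.5074, "lon": -0.1278},  # London
    {"user": "alice@example.com", "ts": "2024-05-01T10:30:00", "lat": 40.7128, "lon": -74.0060},  # New York
    {"user": "bob@example.com", "ts": "2024-05-01T08:00:00", "lat": 48.8566, "lon": 2.3522},  # Paris
    {"user": "bob@example.com", "ts": "2024-05-01T12:00:00", "lat": 52.5200, "lon": 13.4050},  # Berlin
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Map each flagged user to (earlier_ts, later_ts, required_kmh) for consecutive logins."""
    by_user, hits = {}, {}
    for e in sorted(logins, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:  # same location: never impossible travel, whatever the elapsed time
                continue
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours  # two places at the same instant is flagged too
            if speed > max_speed_kmh:
                hits.setdefault(user, []).append((prev["ts"], cur["ts"], speed))
    return hits

def update_score(current, behavior_level):
    """Page rule: the new score is the higher of the current level and the triggered behavior's level."""
    if current is None:
        return behavior_level
    return current if LEVELS[current] >= LEVELS[behavior_level] else behavior_level

def apply_detections(current_scores, hits, behavior_level):
    """Re-evaluate every user with a detection; users without one keep their existing score."""
    scores = dict(current_scores)
    for user in hits:
        scores[user] = update_score(scores.get(user), behavior_level)
    return scores
```

With the sample data, only alice is flagged (London to New York in 90 minutes), and a user already at High stays High when the behavior is configured as Medium.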
You can change the risk level for a behavior at any time.
- In Zero Trust, go to Risk score > Risk behaviors.
- Select the risk behavior you want to modify.
- In the drop-down menu, choose your desired risk level.
- Select Save.