
User Risk Scoring

User Risk Scoring provides a composite risk score for every user in your organization, calculated from behavioral signals, security events, and access patterns. Scores range from 0 (lowest risk) to 100 (highest risk) and update continuously as new events occur. When a user’s score crosses a configurable threshold, Breeze can automatically assign security training, send notifications, and flag the user for access review.

This feature combines three related capabilities:

  • Risk scoring — numeric scores with factor breakdowns and trend tracking
  • Risk events — a timeline of security-relevant user activities
  • Access reviews — periodic certification of user permissions with automated revocation

Scores map to four risk levels:

| Score Range | Level | Description |
|-------------|-------|-------------|
| 0 - 39 | Low | Normal user behavior, no action needed |
| 40 - 69 | Medium | Some risk indicators present, monitor closely |
| 70 - 84 | High | Elevated risk, consider intervention |
| 85 - 100 | Critical | Immediate attention required |

Each risk score includes a trend indicator showing how the score has changed over time.

| Trend | Meaning |
|-------|---------|
| up | Score is increasing (risk is growing) |
| down | Score is decreasing (risk is declining) |
| stable | Score has remained steady |

Risk events carry one of four severity levels:

| Severity | Description |
|----------|-------------|
| low | Minor event with minimal risk impact |
| medium | Moderate event that contributes to risk |
| high | Significant event that notably increases risk |
| critical | Severe event requiring immediate investigation |

Each risk score includes a factors object that breaks down the score by contributing category. The total score is a weighted sum of all factor scores. Both the individual factor scores and the weights are visible in the risk detail view.


Breeze evaluates eight distinct risk factors for every user. Each factor produces a score from 0 to 100, and the final composite score is a weighted average of all eight. The table below describes each factor, what data feeds it, and its default weight.

| Factor | What increases it | Default weight |
|--------|-------------------|----------------|
| MFA risk | User does not have MFA enabled (score jumps to 90 if MFA is off, 10 if on) | 14% |
| Auth failure risk | Failed logins or denied access attempts in the last 30 days. Each failure adds 18 points | 20% |
| Session anomaly risk | Logins from many distinct IP addresses, or an unusually high number of sessions in 30 days | 10% |
| Threat exposure risk | Active security threats on devices the user is associated with. Critical threats contribute 35 points each, high 22, medium 12, low 5 | 20% |
| Software violation risk | Devices with software compliance violations (e.g., unapproved or outdated software) | 15% |
| Device security risk | Low security posture scores on the user’s associated devices (calculated from the latest security posture snapshot) | 10% |
| Stale access risk | Time since the user last logged in. Less than 7 days = low risk; over 90 days = high risk | 6% |
| Recent impact risk | Cumulative score impact from risk events recorded in the last 14 days | 5% |

Breeze matches users to devices using the last logged-in user reported by each device. The matching is case-insensitive and supports several identity formats: email address, username, DOMAIN\user notation, and name variants. A single user can be associated with multiple devices.

The score boundaries between risk levels are configurable:

| Threshold | Default | Description |
|-----------|---------|-------------|
| Medium | 50 | Score at or above this level is considered medium risk |
| High | 70 | Score at or above this level triggers high-risk notifications |
| Critical | 85 | Score at or above this level requires immediate attention |
| Spike delta | 15 | A score increase of this many points in one calculation cycle triggers a spike notification |
| Auto-assign training | 80 | Score at or above this level triggers automatic training assignment (if enabled) |

To change these thresholds, navigate to Settings > User Risk > Policy and adjust the values under the Thresholds tab.
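The following is an added worked example, not Breeze's own code: it applies the factor rules and default weights from the factor table (MFA 90/10, 18 points per auth failure, 35/22/12/5 per threat) to compute the composite score as a weighted average, then classifies it against the default thresholds and checks for a spike. The short factor identifiers and the per-factor helper names are this example's own assumptions.

```python
from typing import Dict, List

# Default weights (percent) from the factor table; the short keys are assumed names.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "mfa": 14, "auth_failure": 20, "session_anomaly": 10,
    "threat_exposure": 20, "software_violation": 15, "device_security": 10,
    "stale_access": 6, "recent_impact": 5,
}
# Default thresholds from the thresholds table.
THRESHOLDS = {"medium": 50, "high": 70, "critical": 85,
              "spike_delta": 15, "auto_assign_training": 80}
# Points each active device threat contributes, by severity.
THREAT_POINTS = {"critical": 35, "high": 22, "medium": 12, "low": 5}


def clamp(x: float) -> float:
    """Every factor score is bounded to the 0-100 range."""
    return max(0.0, min(100.0, x))


def mfa_risk(mfa_enabled: bool) -> float:
    return 10.0 if mfa_enabled else 90.0


def auth_failure_risk(failures_last_30d: int) -> float:
    return clamp(18.0 * failures_last_30d)


def threat_exposure_risk(threat_severities: List[str]) -> float:
    return clamp(sum(THREAT_POINTS[s] for s in threat_severities))


def composite_score(factors: Dict[str, float],
                    weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    # Dividing by the weight total keeps custom weights on the 0-100 scale.
    total = sum(weights.values())
    return round(sum(factors.get(k, 0.0) * w for k, w in weights.items()) / total, 1)


def risk_level(score: float) -> str:
    for name in ("critical", "high", "medium"):
        if score >= THRESHOLDS[name]:
            return name
    return "low"


def evaluate(previous_score: float, factors: Dict[str, float]) -> dict:
    """One calculation cycle: new score, level, spike and training flags."""
    score = composite_score(factors)
    return {"score": score, "level": risk_level(score),
            "spike": score - previous_score >= THRESHOLDS["spike_delta"],
            "auto_assign_training": score >= THRESHOLDS["auto_assign_training"]}
```

Note that a single bad factor (MFA off scores 90) is diluted by its 14% weight, so a user only reaches the high or critical band when several factors are elevated at once.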


Navigate to the User Risk section in the Breeze dashboard to see a paginated list of all users ranked by their current risk score.

The scores list includes summary statistics:

| Metric | Description |
|--------|-------------|
| averageScore | Mean score across the current result set |
| highRiskUsers | Count of users with a score of 70 or above |
| criticalRiskUsers | Count of users with a score of 85 or above |

The list supports these filters:

| Filter | Type | Description |
|--------|------|-------------|
| orgId | UUID | Filter by organization |
| siteId | UUID | Filter by site |
| minScore | Number (0-100) | Minimum score threshold |
| maxScore | Number (0-100) | Maximum score threshold |
| trendDirection | up, down, stable | Filter by score trend |
| search | String | Search by user name or email |
| page | Number | Page number (default: 1) |
| limit | Number | Results per page (1-200, default: 25) |

Click on any user to view their full risk profile, including:

  • Current score with factor breakdown
  • Score history and trend
  • Recent risk events
  • Organization membership details

Risk events are individual security-relevant activities associated with a user. Each event has a severity level and a scoreImpact value indicating how much it affects the user’s risk score.

Each event has the following fields:

| Field | Type | Description |
|-------|------|-------------|
| eventType | String | Category of the event (max 60 chars) |
| severity | Enum | low, medium, high, or critical |
| scoreImpact | Integer | Point value added to the user’s risk score |
| description | Text | Human-readable description of the event |
| details | JSON | Structured data about the event |
| occurredAt | Timestamp | When the event occurred |

Events can be filtered by:

| Filter | Type | Description |
|--------|------|-------------|
| orgId | UUID | Filter by organization |
| userId | UUID | Filter by specific user |
| eventType | String | Filter by event type |
| severity | Enum | Filter by severity level |
| from | ISO datetime | Events on or after this time |
| to | ISO datetime | Events on or before this time |
| page | Number | Page number (default: 1) |
| limit | Number | Results per page (1-500, default: 50) |


Each organization has a configurable risk policy that controls how scores are calculated, what thresholds trigger interventions, and what automated actions are taken.

Weights determine how much each risk factor contributes to the total score. They are expressed as a key-value map where keys are factor names and values are numeric multipliers.

```json
{
  "failedLogins": 2.5,
  "unusualLocation": 3.0,
  "privilegeEscalation": 5.0,
  "policyViolation": 4.0,
  "overdueTraining": 1.5,
  "staleCredentials": 2.0
}
```

Higher weights mean that factor has a greater impact on the overall score.

  1. Navigate to Settings > User Risk > Policy.
  2. Adjust weights, thresholds, or intervention settings.
  3. Click Save. Changes take effect immediately for future score calculations.

When a user’s risk score exceeds the configured threshold, Breeze can automatically assign security training. You can also manually assign training to any user.

  1. Navigate to the user’s risk detail page.
  2. Click Assign Training.
  3. Optionally select a specific training module and provide a reason.
  4. Click Assign. The assignment is recorded as a risk event.

The training assignment request accepts these fields:

| Field | Required | Description |
|-------|----------|-------------|
| userId | Yes | Target user ID |
| orgId | No | Organization ID (resolved from auth context if omitted) |
| moduleId | No | Specific training module to assign |
| reason | No | Reason for the assignment (max 500 chars) |

If the same training module is already assigned to a user and has not been completed, the assignment is deduplicated. The API response includes a deduplicated: true flag to indicate this.


Access reviews provide a structured process for periodically certifying that users have the correct permissions. A reviewer examines each user’s role and permissions, then makes a decision to approve or revoke access. When the review is completed, revocations are automatically applied.

An access review moves through three statuses:

| Status | Description |
|--------|-------------|
| pending | Review created, no decisions made yet |
| in_progress | At least one item has been reviewed |
| completed | All items decided and revocations applied |

Each review item carries one decision:

| Decision | Description |
|----------|-------------|
| pending | Not yet reviewed |
| approved | Access confirmed as appropriate |
| revoked | Access flagged for removal |

  1. Navigate to Settings > Access Reviews.
  2. Click New Access Review.
  3. Provide a name, optional description, and due date.
  4. Optionally assign a reviewer (defaults to the current user).
  5. Click Create. Breeze automatically generates review items for every user in the current scope (partner or organization) with their current role assignments.

To review the generated items:

  1. Open the access review from the list.
  2. For each user, review their role, permissions, last login date, and email.
  3. Set the decision to Approved or Revoked. Optionally add notes.
  4. Repeat for all users.

Each review item shows:

  • User name and email
  • Assigned role name
  • Detailed permissions list (e.g., devices:read, scripts:execute)
  • Last active date
  • Current decision status

To complete the review:

  1. Ensure all items have a decision (no pending items remain).
  2. Click Complete Review.
  3. Breeze automatically removes access for all revoked users:
    • Partner reviews: Revoked users are removed from partner_users
    • Organization reviews: Revoked users are removed from organization_users
  4. The review is marked as completed with a timestamp.
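The lifecycle described in the three procedures above, as an added example that is not Breeze's code: recording a decision moves a review from pending to in_progress, completion is refused while any item is still pending, and completing returns the revoked users (with the membership table they are removed from, per scope) and freezes the review so later edits fail with the documented error. Class and field names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class ReviewError(ValueError):
    """Raised for the 400-class conditions documented in Troubleshooting."""


@dataclass
class ReviewItem:
    user_id: str
    role: str
    decision: str = "pending"      # pending | approved | revoked
    notes: str = ""


@dataclass
class AccessReview:
    name: str
    scope: str                     # "partner" or "organization"
    items: List[ReviewItem] = field(default_factory=list)
    status: str = "pending"        # pending | in_progress | completed
    completed_at: Optional[str] = None
    revoked_from: Optional[str] = None

    def decide(self, item_index: int, decision: str, notes: str = "") -> None:
        if self.status == "completed":
            raise ReviewError("Cannot modify completed review")
        if decision not in ("approved", "revoked"):
            raise ReviewError(f"invalid decision {decision!r}")
        self.items[item_index].decision = decision
        self.items[item_index].notes = notes
        self.status = "in_progress"   # at least one item has been reviewed

    def complete(self, now: str) -> List[str]:
        """Apply revocations and return the user IDs that lose access."""
        if any(i.decision == "pending" for i in self.items):
            raise ReviewError("Cannot complete review with pending items")
        revoked = [i.user_id for i in self.items if i.decision == "revoked"]
        # Which membership table the revoked users are removed from depends on scope.
        self.revoked_from = "partner_users" if self.scope == "partner" else "organization_users"
        self.status = "completed"
        self.completed_at = now
        return revoked
```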

All endpoints require authentication with organization, partner, or system scope. Mounted at /api/v1/user-risk.

| Method | Path | Permission | Description |
|--------|------|------------|-------------|
| GET | /scores | users:read | List risk scores with filters and summary stats |
| GET | /users/:userId | users:read | Get detailed risk profile for a specific user |
| GET | /events | users:read | List risk events with filters |
| GET | /policy | users:read | Get the current risk policy for the organization |
| PUT | /policy | users:write | Update the risk policy (weights, thresholds, interventions) |
| POST | /assign-training | users:write | Assign security training to a user |

All endpoints require authentication. Mounted at /api/v1/access-reviews.

| Method | Path | Permission | Description |
|--------|------|------------|-------------|
| GET | / | users:read | List all access reviews for the current scope |
| POST | / | users:write | Create a new access review with auto-generated items |
| GET | /:id | users:read | Get review details with all items, roles, and permissions |
| PATCH | /:id/items/:itemId | users:write | Update the decision on a review item |
| POST | /:id/complete | users:write | Complete the review and apply revocations |


"Organization context required" errors


Risk scoring endpoints require an organization context. If you are using a partner or system scope, include the orgId query parameter to specify which organization to query.

"User not found in accessible organizations" (404)


When viewing a user’s risk detail, the user must exist in at least one organization that your account has access to. If the user exists in multiple organizations, include the orgId parameter to specify which one.

Training assignment returns deduplicated: true


This means the same training module was already assigned to the user and has not been completed. No duplicate assignment was created. This is expected behavior, not an error.

"Cannot complete review with pending items" (400)


All review items must have a decision (approved or revoked) before the review can be completed. Review the items list and make decisions on any remaining pending entries.

"Cannot modify completed review" (400)


Once a review is completed, its items cannot be changed. Create a new access review if additional changes are needed.

Risk scores are recalculated when new events occur. If scores appear stale, check that risk events are being generated correctly and that the risk policy has weights configured for the relevant factor types.

Access reviews generate items based on the users in the current scope at the time of creation. Users added after the review was created will not appear. Create a new review to include recently added users.