UEBA: Begin an Investigation of High-Risk Users

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Feb 9, 2020.
Version 11

After you have identified the high-risk users, you can begin investigating them.

To investigate high-risk user or network entities:

  1. Log into NetWitness Platform and go to INVESTIGATE > ENTITIES. Do one of the following:

    1. In the Overview tab, in the High Risk Users panel, click a username you want to investigate.
      The User Profile view is displayed.
    2. In the ENTITIES tab, click the username you want to investigate.
      The User Profile view is displayed.
  2. To investigate the alerts of the user, click the alert name in the ALERTS panel. The following information is displayed:
    • The alert name
    • The timeframe of the alert (Hourly)
    • The severity level icon
    • The contribution in score (for example, +20)
    • The data sources for the alert (for example, Logon)
      The middle panel is the Alert Flow panel. This panel provides a timeline of events that are related to the formation of the alert. The timeline of events can help to determine if the alert is an actual risk.
  3. To investigate the indicators associated with an alert of a user, in the ALERTS panel, select an alert and then select an indicator. The following information is displayed:
    • The indicator name and a description of the indicator type
    • Contribution to Alert
    • The anomaly values
    • The data source of the events found in the indicator
      The central panel display changes depending on which indicator is selected.
