UEBA: Take Action on High-Risk User or Network Entity

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Feb 9, 2020. Version 16.

After investigation, you can take action on the risky users or network entities to reduce or prevent further damage caused by malicious attackers in your organization. You can take any of the following actions:

    • Mark an alert as not a risk
    • Save the behavioral profile for the use case found in your environment
    • Add user or network entities to the watchlist, or watch a user or entity profile, if you want to keep track of the user or entity activity

Specify That an Alert Is Not Risky

If an alert is not a risk, you can mark it so that the risk score of the associated user or network entity is automatically reduced.

To specify that an alert is not risky:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES.

  2. Take action on the user or network entity from any of the following tabs:
    1. In the OVERVIEW tab, in the Top Risky Users panel, click the username.
      The User Profile view is displayed.
    2. In the ENTITIES tab, click the username.
      The User Profile view is displayed.
  3. If the alert is not a risk, click Not a Risk.
    [Screenshot: User Profile view, Not a Risk button]
    When an alert is marked as Not a Risk, the user score is reduced automatically.

Save Behavioral Profile

The combination of the alert types and indicators you select during the forensics investigation is a behavioral profile. You can save the behavioral profile, so you can monitor this use case in future.

For example, if your organization is attacked and the attackers gained access by brute forcing user accounts, you can select filters using the brute force alert type and save the combination as a favorite. You can then proactively monitor for future brute force attempts by clicking the favorite to see whether new users have been subjected to this type of attack.

To save a behavioral profile:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES.
    The Overview tab is displayed.
  2. Click the ENTITIES tab.
  3. In the Filters panel, select the following:
    1. Entity in the ENTITY TYPE drop-down.
    2. Severity in the SEVERITY drop-down.
    3. Alert in the ALERTS drop-down.
    4. Indicators in the INDICATORS drop-down.
  4. Click Save as....
    [Screenshot: Users tab, Save to Favorites]
  5. In the Save As Favorites dialog, enter the filter name and click Save.
    [Screenshot: Save Filter dialog]
    The behavioral profile is saved and displayed in the SAVED FILTER drop-down.

Add All Users or Entities to the Watchlist

If you want to keep track of user or network entities with recent activity but do not want to follow up with an immediate investigation, you can add the user or network entities to the watchlist and revisit over time to see if the risk score is elevated.

To add all user or network entities to the watchlist:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES.
    The Overview tab is displayed.
  2. Select the ENTITIES tab.
  3. In the Filters panel, apply the filters.
    A list of users matching the applied filters is displayed in the right pane.
  4. Click Add All to Watchlist.
    [Screenshot: Users tab, Add All to Watchlist button]

    The list of users is added to the watchlist.
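The two procedures above, saving a behavioral profile and adding the matching entities to the watchlist, come down to a saved filter (entity type, severity, alert type, indicators) applied over alert records, plus a bookmark list you revisit to see whose score has climbed. The following Python is an added example that models that workflow; it is not NetWitness code and does not use the NetWitness API. The alert records, field names, the additive risk-score model and the way Not a Risk zeroes an alert's contribution are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample alerts, shaped after the fields the ENTITIES filter panel
# exposes (entity type, severity, alert type, indicators). Entity names,
# indicator names and scores are invented for this example.
ALERTS: List[dict] = [
    {"entity": "alice", "entity_type": "user", "severity": "high", "alert": "brute_force",
     "indicators": {"multiple_failed_authentications", "abnormal_logon_time"}, "score": 80},
    {"entity": "bob", "entity_type": "user", "severity": "medium", "alert": "brute_force",
     "indicators": {"multiple_failed_authentications"}, "score": 40},
    {"entity": "carol", "entity_type": "user", "severity": "high", "alert": "brute_force",
     "indicators": {"multiple_failed_authentications"}, "score": 70},
    {"entity": "10.0.0.5", "entity_type": "network", "severity": "high", "alert": "data_exfiltration",
     "indicators": {"abnormal_upload_volume"}, "score": 90},
]


@dataclass(frozen=True)
class BehavioralProfile:
    """A saved filter: the combination of entity type, severity, alert type and indicators."""
    name: str
    entity_type: str
    severity: str
    alert: str
    indicators: FrozenSet[str]

    def matches(self, record: dict) -> bool:
        # Every indicator selected in the profile must be present on the record.
        return (record["entity_type"] == self.entity_type
                and record["severity"] == self.severity
                and record["alert"] == self.alert
                and self.indicators <= record["indicators"])

    def apply(self, records: Iterable[dict]) -> List[str]:
        """Entities the saved favorite would list when you click it."""
        return sorted({r["entity"] for r in records if self.matches(r)})


def entity_scores(records: Iterable[dict]) -> Dict[str, int]:
    """Risk score per entity: the sum of its alert scores (assumed, simplified model)."""
    scores: Dict[str, int] = {}
    for r in records:
        scores[r["entity"]] = scores.get(r["entity"], 0) + r["score"]
    return scores


def mark_not_a_risk(records: List[dict], entity: str, alert: str) -> Dict[str, int]:
    """Remove a dismissed alert's contribution so the entity score drops automatically."""
    for r in records:
        if r["entity"] == entity and r["alert"] == alert:
            r["score"] = 0
    return entity_scores(records)


class Watchlist:
    """Entities bookmarked for later review, with the score seen when they were added."""

    def __init__(self) -> None:
        self._baseline: Dict[str, int] = {}

    def add_all(self, entities: Iterable[str], scores: Dict[str, int]) -> None:
        for e in entities:
            self._baseline.setdefault(e, scores.get(e, 0))

    def elevated(self, current: Dict[str, int]) -> List[str]:
        """Watched entities whose score has risen since they were added."""
        return sorted(e for e, base in self._baseline.items() if current.get(e, 0) > base)


def demo() -> dict:
    """Save a brute-force profile, watch its hits, then revisit after new activity."""
    records = [dict(r, indicators=set(r["indicators"])) for r in ALERTS]  # work on a copy
    profile = BehavioralProfile("brute_force_high", "user", "high", "brute_force",
                                frozenset({"multiple_failed_authentications"}))
    hits = profile.apply(records)        # bob is excluded: medium severity
    before = entity_scores(records)
    watchlist = Watchlist()
    watchlist.add_all(hits, before)
    # Later revisit: a new alert raises carol's score, alice's alert is dismissed.
    records.append({"entity": "carol", "entity_type": "user", "severity": "high",
                    "alert": "brute_force", "indicators": {"multiple_failed_authentications"},
                    "score": 30})
    after = mark_not_a_risk(records, "alice", "brute_force")
    return {"hits": hits, "before": before, "after": after,
            "elevated": watchlist.elevated(after)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the profile matching alice and carol but not bob (wrong severity) or the network entity (wrong entity type), alice dropping to a score of 0 after Not a Risk, and only carol flagged as elevated on the watchlist revisit.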

Watch Profile

The watch user or network entity profile is a list of user or network entities that you want to monitor for potential threats. The watch user or entity profile marks a user or a network entity so that the user or network entities can be quickly referenced on the dashboard. This is essentially a bookmark to monitor suspicious user or network entities.

To watch a user profile:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES. Do any of the following:
    1. In the Overview tab, under the Top Risky Users panel, click the username.
      The User Profile view is displayed.
    2. In the ENTITIES tab, click the username.
      The User Profile view is displayed.
  2. Click Watch Profile.
    [Screenshot: User Profile view, Watch Profile button]
    The user is added to the watchlist. Similarly, you can watch profiles for network entities.