UEBA: Investigate High-Risk Users

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on May 15, 2019.
Version 4

A user score is built from the alert score and the alert severity of the user's alerts. Using the user score, you can identify users that require immediate attention, perform a deeper investigation, and take the required action. You can identify high-risk users from either the Overview tab or the Users tab.

The following figure is an example of top five high-risk users in the Overview tab.

Figure: Users view, Overview tab

The following figure is an example of all the risky users in your environment in the Users tab.

Figure: High-risk users view

The following is a high-level process to investigate high-risk users in your environment.

  1. Identify high-risk users. You can identify high-risk users in the following ways:
    • The Overview tab shows the top five risky users in your environment. From the listed users, identify those with a Critical severity or a user score greater than 100.
    • The Users tab shows all the risky users in your environment, sorted by risk score. Identify how many users are marked Critical, High, and Medium, or, based on forensic investigation, identify malicious user behavior and build use-case driven target user lists using behavioral filters. You can also use the Risky, Admin, and Watchlist filters to narrow the list to a targeted group of high-risk users.

    Note: The investigation should mostly focus on Critical, High and Medium severities. Low scoring users are not typically worth much investigation.

    Hover over the number of alerts associated with a risky user to quickly see what the alerts are and determine whether there is a good mix.

    For more information, see the Identify High-Risk Users topic.

  2. In the User Profile view, investigate the alerts and indicators of the user.
    1. Review the list of alerts associated with the user and the alert score for each alert, sorted by severity.
    2. Expand the alert names to identify the threat narrative. The alert is named after its strongest contributing indicator, which suggests why this hour was flagged.
    3. Use the alert flow timeline to understand the abnormal activities.
    4. Review each indicator associated with the alert to see its details, including the timeline in which the anomaly occurred. You can also investigate the incident further using external resources such as a SIEM, network forensics, or by reaching out directly to the user or a managing director.

    For more information, see the Begin an Investigation of High-Risk Users topic.

  3. On completion of the investigation, record your observations as follows:

    1. Specify whether an alert is not a risk.

    2. Save the behavioral profile for the use case found in your environment.

    3. To keep track of a user's activity, add the user to the watchlist and watch the user profile.

    For more information, see the Take Action on High-Risk Users topic.
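The following script models the three-step triage above on a small set of constructed alert records: ranking users by score, applying the Overview-tab criterion (Critical severity or a score above 100), showing the alert mix per user, expanding an alert into its indicators, recording an alert as not a risk, and filtering by the Admin and Watchlist views. It is an added example, not RSA NetWitness code. The scoring rule (user score = sum of the scores of alerts still considered a risk) and the severity thresholds are assumptions for illustration; the product's actual formula is not described on this page, and the user and alert names are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alert:
    name: str                 # alert name, taken from the strongest contributing indicator
    score: int                # alert score
    severity: str             # Critical / High / Medium / Low
    indicators: List[str]     # contributing indicators, strongest first
    not_a_risk: bool = False  # set when an analyst records the alert as not a risk (step 3.1)


@dataclass
class User:
    name: str
    is_admin: bool
    alerts: List[Alert]
    watchlisted: bool = False


# ASSUMPTION: severity buckets by score threshold; the product's real mapping is not on the page.
SEVERITY_THRESHOLDS = [(150, "Critical"), (100, "High"), (50, "Medium"), (0, "Low")]
IMMEDIATE_ATTENTION_SCORE = 100  # page: Critical severity or user score greater than 100


def user_score(user: User) -> int:
    """ASSUMPTION: user score = sum of the scores of alerts not marked 'not a risk'."""
    return sum(a.score for a in user.alerts if not a.not_a_risk)


def user_severity(user: User) -> str:
    """Map the user score onto the assumed severity buckets."""
    score = user_score(user)
    for threshold, label in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return label
    return "Low"


def rank_users(users: List[User], view: Optional[str] = None) -> List[User]:
    """Users tab: users sorted by score, optionally narrowed by the Risky/Admin/Watchlist filter."""
    if view == "Admin":
        pool = [u for u in users if u.is_admin]
    elif view == "Watchlist":
        pool = [u for u in users if u.watchlisted]
    elif view == "Risky":
        pool = [u for u in users if user_score(u) > 0]
    else:
        pool = list(users)
    return sorted(pool, key=user_score, reverse=True)


def top_risky(users: List[User], n: int = 5) -> List[str]:
    """Overview tab: names of the top-n risky users."""
    return [u.name for u in rank_users(users, "Risky")[:n]]


def needs_immediate_attention(users: List[User]) -> List[str]:
    """Step 1 criterion: Critical severity or a user score above 100."""
    return [u.name for u in rank_users(users)
            if user_severity(u) == "Critical" or user_score(u) > IMMEDIATE_ATTENTION_SCORE]


def alert_mix(user: User) -> Counter:
    """What hovering over the alert count shows: how many alerts of each name the user has."""
    return Counter(a.name for a in user.alerts if not a.not_a_risk)


def threat_narrative(user: User) -> List[dict]:
    """Step 2: alerts sorted by severity then score, each expanded to its indicators."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    live = sorted((a for a in user.alerts if not a.not_a_risk),
                  key=lambda a: (order[a.severity], -a.score))
    return [{"alert": a.name, "score": a.score, "severity": a.severity,
             "strongest_indicator": a.indicators[0], "indicators": list(a.indicators)}
            for a in live]


def mark_not_a_risk(user: User, alert_name: str) -> int:
    """Step 3.1: record an alert as not a risk; returns the recomputed user score."""
    for a in user.alerts:
        if a.name == alert_name:
            a.not_a_risk = True
    return user_score(user)


def add_to_watchlist(user: User) -> None:
    """Step 3.3: keep track of the user's activity."""
    user.watchlisted = True


# Constructed sample data (not real users or alerts).
USERS = [
    User("alice", True, [
        Alert("Abnormal Logon Hour", 60, "High", ["abnormal_logon_time", "multiple_failed_logons"]),
        Alert("Abnormal File Access", 80, "Critical", ["abnormal_file_access_volume", "abnormal_file_rename"]),
    ]),
    User("bob", False, [Alert("Mass Permission Changes", 160, "Critical", ["abnormal_permission_changes"])]),
    User("carol", False, [
        Alert("Multiple Failed Logons", 30, "Medium", ["multiple_failed_logons"]),
        Alert("Abnormal Logon Hour", 15, "Low", ["abnormal_logon_time"]),
    ]),
    User("dave", True, [Alert("Abnormal Logon Hour", 70, "Medium", ["abnormal_logon_time"])]),
]

if __name__ == "__main__":
    print("Top risky users:", top_risky(USERS))
    print("Immediate attention:", needs_immediate_attention(USERS))
    for u in rank_users(USERS):
        print(u.name, user_score(u), user_severity(u), dict(alert_mix(u)))
```

With the constructed data, bob (160, Critical) and alice (140, High but above 100) both meet the immediate-attention criterion; once alice's "Abnormal File Access" alert is recorded as not a risk her score drops to 60 and she falls out of that list, which is the effect step 3.1 has on the Users tab.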
