UEBA: Investigate High-Risk Users

Document created by RSA Information Design and Development on Apr 11, 2019Last modified by RSA Information Design and Development on Feb 9, 2020
Version 11Show Document
  • View in full screen mode

A user or entity score is built based on the alert score and the alert severity. Using the user or network entity score, you can identify the users and network entities that require immediate attention, perform deeper investigation, and take required action. The UI is divided into three tabs namely OVERVIEW tab, ENTITIES tab and ALERTS tab. You can identify high-risk users or network entities from either the OVERVIEW tab or the ENTITIES tab and view the top risky alerts in the ALERTS tab.

In the OVERVIEW tab select USERS to investigate on the top risky users or select NETWORK to investigate on the top risky network entities. The OVERVIEW tab is further divided into three different panels as follows:

  • Top Risky Users or Network Entities - This panel displays the number of risky user or network entities, number of watched user or network entities, total number of user or network entities. The results in this panel can be sorted by the user or network entity score, trending data score or alert severity.
  • Top Alerts - This panel displays a list of top alerts of last 24 hours, last seven days, last one month ore last three months. Each item provides further details such as name of the user or network entity and number of associated indicators.
  • Alert Severity - This panel displays the alert severity for the last three months in a bar diagram which can be filtered by clicking on Critical, High, Medium or Low check boxes.

For example, the following figure displays the top ten high-risk users in the OVERVIEW tab.

Users view, Overview tab

The following figure is an example of all the risky users in your environment in the ENTITIES tab.

High-risk users view

The following figure is an example of the risky user alerts in your environment in the ALERTS tab.


The following is a high-level process to investigate high-risk users or entities in your environment.

  1. Identify high-risk users. You can identify high-risk users using the following ways:
    • The OVERVIEW tab shows the top ten risky users in your environment. From the listed users identify the users with a critical severity or user score more than 100.
    • The ENTITIES tab shows all the risky users in your environment, you can sort by Risk Score(default), Name, Alerts, Trending LastDay, Trending LastWeek. Identify how many users are marked Critical, High and Medium or based on the forensic investigation, identify malicious user behavior and build use-case driven target user lists using behavioral filters. Additionally, you can also use different types of filters (Risky or Watchlist) to identify targeted group of high-risk users.
    • The ALERTS shows all the risky users alerts in your environment. You can sort by Critical, High, Medium or Low. Click the Export button to download the alert report in .

    Hover over the number of alerts associated with the risky users to quickly see what the alerts are and determine if there is a good mix.

    For more information, see the Identify High-Risk User or Network Entity topic.

  2. In the User Profile view, investigate the alerts and indicators of the user.
    1. Review the list of alerts associated with the user and the alert score for each alert, sorted by severity.
    2. Expand the alert names to identify a threat narrative. The strongest contributing indicator determines the alert’s name that suggests why this hour is flagged.
    3. Use the alert flow timeline to understand the abnormal activities.
    4. Review each indicator associated with the alert to see the details about the indicator, including the timeline in which the anomaly occurred. Also, you can further investigate the incident using external resources such as SIEM, network forensics, directly reaching out to the user or a managing director and so on.

    For more information, see the Begin an Investigation of High-Risk User Or Network Entity topic.

  3. On completion of the investigation, you can record your observation as follows:

    1. Specify if an alert is not a risk.

    2. Save the behavioral profile for the use case found in your environment.

    3. If you want to keep a track of user activity, you can add users to the watchlist, and watch user profile.

    For more information, see the Take Action on High-Risk User or Network Entity topic.

You are here
Table of Contents > Investigate High-Risk Entities

Attachments

    Outcomes