UEBA: User Profile View

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Apr 11, 2019.

The User Profile view provides detailed information about all the alerts and related indicators of a user.

Workflow

[Figure: Investigate Top Users and Alerts workflow diagram]

What do you want to do?

User Role       I want to ...                                   Documentation
UEBA Analyst    View high-risk users*                           Identify High-Risk Users
UEBA Analyst    Begin an investigation of high-risk users*      Begin an Investigation of High-Risk Users
UEBA Analyst    Take action on high-risk users                  Take Action on High-Risk Users
UEBA Analyst    Export high-risk users                          Export a List of High-Risk Users
UEBA Analyst    Begin an investigation of critical alerts*      Investigate Top Alerts
UEBA Analyst    Investigate threat indicators                   Investigate Events

*You can complete these tasks in the User Profile view.


Quick Look

The following figure shows the User Profile view.

[Figure: User Profile view with callouts for each panel (two images)]

To access this view:

  1. Go to INVESTIGATE > Users.
  2. Do any of the following:
     • In the OVERVIEW tab, in the High Risk Users panel, select a user and click either the username or the user score.
     • In the USERS tab, select a user and click the username.
     • In the ALERTS tab, click an alert name or an entity name.

The User Profile view consists of the following panels:

  1. User Risk Score panel
  2. Alert Flow panel
  3. Indicator panel

User Risk Score Panel

The User Risk Score panel contains the following information:

Name          Description
User Score    The user's risk score, highlighted according to its severity.
Alerts        The alerts raised for the user. For each alert the following is displayed:
              • The alert name
              • The severity level icon
              • The start date and time of the alert
              • The timeframe of the alert (Hourly or Daily)
              • The alert's contribution to the user score (for example, +20)
              • A list of the indicators that make up the alert and the number of times each indicator's events occurred
Sort by       Alerts can be sorted by Severity or by Date. By default, they are sorted by Severity.
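The alert list described above, modeled in code. This is an added example and not code from the RSA NetWitness UEBA product or its documentation: it assumes a four-level severity scale (Critical, High, Medium, Low; the page only shows a severity icon), breaks severity ties by the most recent start time, and uses constructed sample alerts whose names, apart from the indicator Multiple Group Membership Changes mentioned on this page, are hypothetical. It shows how the per-alert indicator counts and the Severity/Date sort order shown in the panel are derived from the underlying events.

```python
"""Model of the User Risk Score panel's alert list (added example, not RSA code)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Assumed severity scale, most severe first; the page only shows a severity icon.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Event:
    """One event from the Indicator panel's events table (Common fields only)."""
    indicator: str        # indicator that fired on this event
    time: datetime
    datasource: str       # e.g. "Active Directory"
    operation_type: str   # e.g. "Member Added To Group"
    result: str


@dataclass
class Alert:
    """One entry in the Alerts list of the User Risk Score panel."""
    name: str
    severity: str
    start: datetime
    timeframe: str        # "Hourly" or "Daily"
    contribution: int     # points added to the user score, displayed as +20
    events: List[Event] = field(default_factory=list)

    def indicator_counts(self) -> Dict[str, int]:
        """Indicator name -> number of events that fired it (the list shown under the alert)."""
        return dict(Counter(e.indicator for e in self.events))


def sort_alerts(alerts: List[Alert], by: str = "severity") -> List[Alert]:
    """Order alerts as the panel's Sort by control does: by severity (the default),
    most severe first, or by date, newest first. Severity ties are broken by the
    newest start time (an assumption; the page does not say how ties are ordered)."""
    if by == "severity":
        return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], -a.start.timestamp()))
    if by == "date":
        return sorted(alerts, key=lambda a: a.start, reverse=True)
    raise ValueError(f"unknown sort key: {by!r}")


def sample_alerts() -> List[Alert]:
    """Constructed sample data, not captured from a real deployment; alert and
    indicator names other than 'Multiple Group Membership Changes' are hypothetical."""
    ad, fs = "Active Directory", "Windows File Servers"
    return [
        Alert("Abnormal File Access", "Medium", datetime(2019, 4, 10, 9, 0), "Hourly", 10, [
            Event("Abnormal File Access Time", datetime(2019, 4, 10, 9, 5), fs, "File Opened", "Success"),
        ]),
        Alert("Mass Permission Changes", "Critical", datetime(2019, 4, 9, 14, 0), "Daily", 20, [
            Event("Multiple Group Membership Changes", datetime(2019, 4, 9, 14, 1), ad, "Member Added To Group", "Success"),
            Event("Multiple Group Membership Changes", datetime(2019, 4, 9, 14, 7), ad, "Member Added To Group", "Success"),
            Event("Abnormal AD Change Time", datetime(2019, 4, 9, 14, 8), ad, "Member Added To Group", "Success"),
        ]),
        Alert("Snooping User", "High", datetime(2019, 4, 11, 8, 0), "Hourly", 15, [
            Event("Multiple File Open Events", datetime(2019, 4, 11, 8, 2), fs, "File Opened", "Failure"),
        ]),
    ]


if __name__ == "__main__":
    # Render the list the way the panel does under the default (Severity) sort.
    for alert in sort_alerts(sample_alerts()):
        counts = ", ".join(f"{k} x{v}" for k, v in alert.indicator_counts().items())
        print(f"{alert.severity:8} {alert.start:%Y-%m-%d %H:%M} {alert.name} ({alert.timeframe}) "
              f"+{alert.contribution}: {counts}")
```

Run the file directly to print the three sample alerts in severity order; call sort_alerts(alerts, "date") to get the Date ordering instead.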

Alert Flow Panel

The Alert Flow panel displays the following information:

Name                              Description
Alert name                        The name of the alert.
Timeframe                         The timeframe of the alert (Hourly or Daily).
Severity level                    The severity of the alert.
Contribution to the user score    The number of points the alert adds to the user score (for example, +20).
Sources                           The data sources for the alert (for example, Active Directory).
Timeline graph                    The timeline of the events that led to the alert.

Indicator Panel

Click a graph icon in the Alert Flow panel to open the Indicator panel. The following table describes the Indicator panel elements:

Name                    Description
Indicator               The name of the indicator, with the timeframe of the indicator in parentheses. For example, Multiple Group Membership Changes (Hourly).
Contribution to Alert   The percentage the indicator contributes to the alert.
Anomaly Value           The anomaly value of the indicator.
Datasource              The data source from which the indicator's events were collected.

In the Indicator panel, the events table lists the events behind the indicator. The fields shown depend on the data source: the Common fields appear for events from every data source, and the tables that follow list the additional fields for each data source.

  • Common

The following table lists the fields shown for events from all data sources.

Field                   Description
Username                The name of the user for whom the indicator was triggered.
Normalized user name    The normalized form of the name of the user for whom the indicator was triggered.
Time                    The date and time at which the event occurred.
Result                  The status (result) of the action performed by the user.
Operation Type          The action performed by the user. For example, Member Added To Group.
  • Windows File Servers

The following table lists the fields specific to Windows file server events.

Field                Description
Source Folder Path   The absolute path of the folder containing the file for which the event was triggered.
Source File Path     The absolute path of the file for which the event was triggered.
  • Active Directory

The following table lists the field specific to Active Directory events.

Field         Description
Object Name   The name of the object, as defined in Active Directory, on which the operation was performed.
  • Logon Activity

The following table lists the field specific to Logon Activity events.

Field      Description
Computer   The host name of the machine from which the event was triggered.
  • Process

The following table lists the fields specific to Process events.

Field                 Description
Machine Name          The name of the host on which the event was triggered for the user.
Source Process        The process that initiated the event.
Destination Process   The process started by the source process.
  • Registry

The following table lists the fields specific to Registry events.

Field                 Description
Machine Name          The name of the host on which the event was triggered for the user.
Process Directory     The absolute directory path of the process for which the event was triggered.
Process File Name     The file name of the process for which the event was triggered.
Registry Key Group    The type (group) of the registry key.
Registry Key          The registry key path.
Registry Value Name   The name of the registry value that was created or modified.
Operation Type        The registry action performed by the user.