UEBA: Identify High-Risk Users

Document created by RSA Information Design and Development Employee on Apr 11, 2019. Last modified by RSA Information Design and Development Employee on Feb 9, 2020.
Version 16

You can identify high-risk entities in your environment in the following ways:

  • View the top ten high-risk entities
  • View all high-risk entities
  • View users or network entities of a specific group
  • View users or network entities based on a forensic investigation

View Top Ten Risky User or Network Entities

In the OVERVIEW tab, you can view the ten highest-risk user or network entities in your environment along with their risk scores.

To view the top risky entities:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES.
    The Overview tab is displayed with the high-risk user or network entities.

  2. To view the high-risk users, click the Users tab.

  3. To view the high-risk network entities, click the Network tab. Select JA3 from the drop-down to view high-risk JA3 entities, or select SSL to view high-risk SSL entities.

Figure: Overview tab, High Risk Users panel

View All High-Risk User or Network Entities

In the ENTITIES tab, you can view the list of all high-risk user or network entities in your environment, along with each entity's score and the total number of alerts associated with it.

To view all high-risk user or network entities:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES.
    The Overview tab is displayed.

  2. Click ENTITIES tab.
    The list of all high-risk user or network entities is displayed.

View User or Network Entities of a Specific Group

In the ENTITIES tab, you can use different types of filters to narrow the list to a targeted group of high-risk user or network entities.

To view the users or network entities of a specific group:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES.
    The Overview tab is displayed.

  2. Click the ENTITIES tab.
  3. In the Filters panel, do any of the following:
    • Risky Entities: To view all the risky user or network entities in your environment, select Risky in the left pane.
      All the risky user or network entities are displayed along with their scores.
    • Watchlist: To view the entities that you added to the watchlist in order to monitor them for specific changes, select Watchlist.

Note: You can combine filters to narrow the result to entities that belong to more than one group. For example, to view only the risky user or network entities that are also on your watchlist, select both the Risky and Watchlist filters.

View Users Based on Forensic Investigation

In the ENTITIES tab, you can use Alert Types and Indicators, which are behavioral filters, to view high-risk user or network entities based on a forensic investigation. For more information on forensic investigation, see Forensic Workflow in the Introduction topic.

To view users or network entities based on a specific forensic investigation:

  1. Log into NetWitness Platform and go to Investigate > ENTITIES.
    The Overview tab is displayed.

  2. Click ENTITIES tab.
  3. To filter the result by entity type, select Users, JA3, or SSL in the ENTITY TYPE drop-down list.
  4. To filter the result by severity, select a severity level in the SEVERITY drop-down list.
  5. To create a behavioral filter using alert types, select one or more alerts in the ALERTS drop-down list.

  6. To create a behavioral filter using indicators, select one or more indicators in the INDICATORS drop-down list.

Note: You can combine one or more alert types with one or more indicators to build a behavioral filter that matches your investigation. For example, to look for abnormal access to files that may indicate theft of sensitive data, create a behavioral filter with Alert Types = Abnormal File Access and Indicators = Abnormal File Access Time.

To save a behavioral filter as a favorite for future investigations, click Save as....

To clear the current filters, click Reset.

The same procedure applies to network entities: select JA3 or SSL in the ENTITY TYPE drop-down list to investigate those entities.
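The way filters combine (Risky together with Watchlist in the group filter, an alert type together with an indicator in the behavioral filter) is easy to get backwards when the entity list is long. The following Python is an added example that is not part of this page or of the NetWitness product; it models the ENTITIES filters over a constructed entity table so the combination rules can be checked. The record fields, the risk-score cut-off of 100 for the Risky filter, the illustrative alert and indicator labels other than Abnormal File Access and Abnormal File Access Time, and the rule that several values chosen in one drop-down match any of them (OR) while different filters combine with AND are all assumptions, not documented product behavior.

```python
"""Constructed model of the UEBA ENTITIES filters (example code, not NetWitness code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    entity_type: str                       # "Users", "JA3" or "SSL" (ENTITY TYPE drop-down)
    score: int                             # entity risk score
    severity: str                          # assumed labels: "Critical", "High", "Medium", "Low"
    watchlist: bool = False                # True if the analyst added it to the watchlist
    alert_types: frozenset = frozenset()   # alert types that fired on this entity
    indicators: frozenset = frozenset()    # indicators behind those alerts


RISKY_THRESHOLD = 100  # assumed cut-off for the "Risky" filter; the page does not state one

# Constructed sample data: every name, hash, score, severity and label that is not
# "Abnormal File Access" / "Abnormal File Access Time" is made up for this example.
ENTITIES = (
    Entity("alice", "Users", 180, "Critical", True,
           frozenset({"Abnormal File Access"}), frozenset({"Abnormal File Access Time"})),
    Entity("bob", "Users", 120, "High", False,
           frozenset({"Abnormal File Access"}), frozenset({"Multiple File Access Events"})),
    Entity("carol", "Users", 40, "Low", True),
    Entity("dave", "Users", 95, "Medium", False,
           frozenset({"Abnormal Logon"}), frozenset({"Abnormal Logon Time"})),
    Entity("0123456789abcdef0123456789abcdef", "JA3", 150, "High", False,
           frozenset({"Abnormal JA3 Activity"}), frozenset({"Abnormal JA3 Destination"})),
    Entity("ssl-subject-example", "SSL", 60, "Medium", True),
)


def is_risky(entity):
    """Assumed definition of the Risky filter: score at or above the threshold."""
    return entity.score >= RISKY_THRESHOLD


def top_risky(entities, entity_type, n=10):
    """OVERVIEW tab: the n highest-scoring entities of one type, highest first."""
    same_type = [e for e in entities if e.entity_type == entity_type]
    return sorted(same_type, key=lambda e: e.score, reverse=True)[:n]


def filter_entities(entities, entity_type=None, severity=None, alert_types=(),
                    indicators=(), risky=False, watchlist=False):
    """ENTITIES tab: each argument is one filter; all given filters must match (AND).

    Within alert_types and within indicators, any selected value matches (OR).
    """
    wanted_alerts = frozenset(alert_types)
    wanted_indicators = frozenset(indicators)
    result = []
    for e in entities:
        if entity_type and e.entity_type != entity_type:
            continue
        if severity and e.severity != severity:
            continue
        if risky and not is_risky(e):
            continue
        if watchlist and not e.watchlist:
            continue
        if wanted_alerts and not (e.alert_types & wanted_alerts):
            continue
        if wanted_indicators and not (e.indicators & wanted_indicators):
            continue
        result.append(e)
    return sorted(result, key=lambda e: e.score, reverse=True)


def names(entities):
    """Convenience: the entity names of a result list, in order."""
    return [e.name for e in entities]


# "Save as..." keeps a filter definition under a name so it can be re-run later.
FAVORITES = {}


def save_favorite(name, **criteria):
    FAVORITES[name] = criteria


def apply_favorite(entities, name):
    return filter_entities(entities, **FAVORITES[name])


if __name__ == "__main__":
    print("top users:", names(top_risky(ENTITIES, "Users", 3)))
    print("risky AND watchlist:", names(filter_entities(ENTITIES, risky=True, watchlist=True)))
    save_favorite("file-theft", entity_type="Users",
                  alert_types=("Abnormal File Access",),
                  indicators=("Abnormal File Access Time",))
    print("file-theft favorite:", names(apply_favorite(ENTITIES, "file-theft")))
```

Note that in this model bob matches the Abnormal File Access alert type but not the Abnormal File Access Time indicator, so the combined behavioral filter returns only alice; selecting the alert type alone returns both. That is the distinction the two Notes above rely on: adding a second filter narrows the result, it never widens it.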
