UEBA: Entities View

Document created by RSA Information Design and Development on Feb 5, 2020. Last modified by Shree Kulkarni on Feb 14, 2020.
Version 4

The ENTITIES tab is a proactive threat hunting console. You can use behavioral filters to build use case driven target lists, and to continuously monitor the environment for specific risky behavior patterns.

 

Workflow

 

(Figure: Investigate Top Users and Alerts workflow diagram)

 

What do you want to do?

 

User Role | I want to ... | Documentation
UEBA Analyst | View high-risk users or network entities*. | Identify High-Risk User or Network Entity
UEBA Analyst | View user or network entity based on alert type and indicator*. | Identify High-Risk User or Network Entity
UEBA Analyst | Begin an investigation of high-risk user or network entities. | Begin an Investigation of High-Risk User or Network Entity
UEBA Analyst | Take action on high-risk users or network entities*. | Take Action on High-Risk User or Network Entity
UEBA Analyst | Export high-risk users or network entities*. | Export a List of High-Risk User or Network Entity
UEBA Analyst | Begin an investigation of critical alerts. | Investigate Top Alerts
UEBA Analyst | Investigate threat indicators. | Investigate Events

 

*You can complete the tasks here.

 


Quick Look

 

The following figure shows the Entities tab.

 

(Figure: Users tab with callouts for each panel)

 

To access this view:

 

  1. Go to Investigate > ENTITIES.

     The Overview tab is displayed.

  2. Click ENTITIES.

 

The Users tab consists of the following panels:

 

1. Filters panel
2. Risk Indicator panel
3. User or Entity List panel

 

Filters Panel

 

The Filters panel lists two pre-defined filters, with the number of users associated with each shown in parentheses, and the list of behavioral profiles that have been saved as favorites.

 

Filter Type | Description
Saved Filter | Previously saved behavioral filters.
Entity Type | Entity type, such as Users, JA3, and SSL.
Risky User or Network Entities | All user or network entities with a risk score greater than 0.
Watchlist User or Network Entities | All user or network entities that are currently flagged as Watched.
Severity | Severity type: critical, high, medium, or low.
Alerts | Any of the existing alert types that describe the supported distinct use cases (Brute Force Attempt, Snooping User, Abnormal AD Change, Data Exfiltration).
Indicators | Any of the existing behavioral features modeled by NetWitness UEBA. This filter can also be used to target only alerts from a specific data source or application.
Reset | Resets the filters.
Save as | Saves the current filters as a favorite.

 

Risk Indicator panel

 

The Risk Indicator panel provides a severity-based breakdown of the target user or network entities.

 

The following table describes the risk indicator panel elements.

 

Color | Severity
Red | Critical
Orange | High
Yellow | Medium
Green | Low

 

Entities List Panel

 

The Entities List panel displays the list of all the user or network entities in your environment, along with each entity's risk score and the number of alerts associated with it.

 

The following table describes the Entities List panel elements.

 

User Data | Description
Username or Network entity name | The name of the user or network entity.
Score | The risk score of the user or network entity.
Number of alerts | The total number of alerts generated for the user or network entity.
Sort by | The Sort by drop-down menu selects the sorting method for the list. The options are: Risk Score, Name, Alerts, Trending last 24 hours, and Trending last 7 days.
Export | Exports a list of all user or network entities and their scores in .csv file format.
Add All to Watchlist | Adds all user or network entities in the filtered view to the watchlist.
Search Entity | Searches for the user name or network entity that you type and lets you select it from the displayed list of matching entries.
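To make the filter semantics of the Filters panel and the sort, watchlist and export actions of the Entities List panel concrete, here is an added Python model of them. It is illustrative code written for this page, not NetWitness UEBA code or its API; the Entity record shape, its field names and the sample entities are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed record shape; the field names are an assumption, not the product's schema.
@dataclass
class Entity:
    name: str
    entity_type: str       # "Users", "JA3" or "SSL", as in the Entity Type filter
    score: int             # UEBA risk score
    severity: str          # critical / high / medium / low, as in the Risk Indicator panel
    alerts: list = field(default_factory=list)   # alert types raised for the entity
    watched: bool = False  # True once the entity is flagged as Watched

# Constructed sample entities standing in for the environment's entity list.
SAMPLE = [
    Entity("alice", "Users", 92, "critical", ["Brute Force Attempt", "Snooping User"]),
    Entity("bob", "Users", 0, "low"),
    Entity("carol", "Users", 40, "medium", ["Abnormal AD Change"], watched=True),
    Entity("ja3-PLACEHOLDER", "JA3", 75, "high", ["Data Exfiltration"]),
]

def apply_filters(entities, entity_type=None, severity=None, alert_type=None,
                  risky_only=False, watchlist_only=False):
    """Mirror the Filters panel: every supplied criterion narrows the target list."""
    def keep(e):
        return ((not risky_only or e.score > 0)          # Risky = risk score greater than 0
                and (not watchlist_only or e.watched)    # Watchlist = currently flagged as Watched
                and (entity_type is None or e.entity_type == entity_type)
                and (severity is None or e.severity == severity)
                and (alert_type is None or alert_type in e.alerts))
    return [e for e in entities if keep(e)]

# "Sort by" options of the Entities List panel (the two trending options are not modelled).
SORT_KEYS = {"Risk Score": lambda e: -e.score,
             "Name": lambda e: e.name.lower(),
             "Alerts": lambda e: -len(e.alerts)}

def sort_entities(entities, sort_by="Risk Score"):
    return sorted(entities, key=SORT_KEYS[sort_by])

def add_all_to_watchlist(entities):
    """Add All to Watchlist: flag every entity in the filtered view; returns the count."""
    for e in entities:
        e.watched = True
    return len(entities)

def export_csv(entities):
    """Export: one line per entity with name, type, score and alert count."""
    rows = ["name,entity_type,score,alerts"]
    rows += [f"{e.name},{e.entity_type},{e.score},{len(e.alerts)}" for e in entities]
    return "\n".join(rows) + "\n"
```

Chaining a risky_only filter with a severity or alert_type criterion reproduces the "use case driven target list" the tab is meant to build.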

 
