UEBA: Begin an Investigation of High-Risk Users

Document created by RSA Information Design and Development Employee on Sep 14, 2020

After you have identified the high-risk users, you can begin investigating them, starting from their risk scores and alerts.

To investigate high-risk users or network entities:

  1. Go to Users > Overview. Do any of the following:

    1. In the Overview tab, in the High Risk Users panel, click a username you want to investigate.
      The User Profile view is displayed.
    2. In the Entities tab, click the username you want to investigate.
      The User Profile view is displayed.
  2. To investigate the alerts of the user, click the alert name in the Alerts panel. The following information is displayed:
    • Alert name
    • Timeframe of the alert (hourly)
    • Severity level icon
    • Contribution in score (for example, +20)
    • Data sources for the alert (for example, Logon)
      The middle panel is the Alert Flow panel, which provides a timeline of the events that led to the formation of the alert. Reviewing this timeline of events helps you determine whether the alert represents an actual risk.
  3. To investigate the indicators associated with an alert of a user, in the Alerts panel, select an alert, and then select an indicator. The following information is displayed:
    • Indicator name and a description of the indicator type
    • Contribution to alert
    • Anomaly values
    • Data source of the events found in the indicator
      The central panel display changes depending on which indicator is selected.
