UEBA: Take Action on High-Risk User or Network Entity

Document created by RSA Information Design and Development Employee on Sep 14, 2020

After investigation, you can take action on the risky users or network entities to reduce or prevent further damage caused by malicious attackers in your organization. You can take any of the following actions:

Specify That an Alert is Not Risky

If an alert is not a risk, you can mark it as not risky so that the score of the user or network entity is automatically reduced.

To specify that an alert is not risky:

  1. Go to Users > OVERVIEW.

  2. Take action on the user or network entity from any of the following tabs:
    1. In the OVERVIEW tab, in the Top Risky Users panel, click the username.
      The User Profile view is displayed.
    2. In the ENTITIES tab, click the username.
      The User Profile view is displayed.
  3. If the alert is not a risk, click Not a Risk.
    User Profile view, Not a Risk button
    When an alert is marked as Not a Risk, the user score is reduced automatically.

Save Behavioral Profile

The combination of alert types and indicators you select during the forensic investigation is a behavioral profile. You can save the behavioral profile so that you can monitor this use case in the future.

For example, if your organization was attacked and the attackers gained access by brute forcing user accounts, you can select filters using the brute force alert type and save that combination as a favorite. You can then proactively monitor for future brute force attempts by clicking the favorite to see whether new users have been subjected to this type of attack.

To save a behavioral profile:

  1. Go to Users > OVERVIEW.
  2. Click the ENTITIES tab.
  3. In the Filters panel, select the following:
    • Entity in the ENTITY TYPE drop-down.
    • Severity in the SEVERITY drop-down.
    • Alert in the ALERTS drop-down.
    • Indicators in the INDICATORS drop-down.
  4. Click Save as....
    Users tab, Save to Favorites
  5. In the Save As Favorites dialog, enter the filter name and click Save.
    The behavioral profile is saved and displayed in the Saved Filter drop-down.
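The procedure above describes a behavioral profile as a saved filter combination (entity type, severity, alert type, indicators) that you re-apply later to see whether new entities match. The following Python model is an added illustration of that idea and is not NetWitness UEBA code; the alert record layout, the field names, the alert type and indicator names, and the sample alerts are all constructed assumptions. It keeps track of which entities a profile has already surfaced so that a re-run reports only the newly affected ones, which is the question the brute force example in the text asks.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set


# Constructed alert record; field names are assumptions for this illustration.
@dataclass(frozen=True)
class Alert:
    entity: str                 # user name or network entity name
    entity_type: str            # "user" or "network"
    severity: str               # "critical", "high", "medium" or "low"
    alert_type: str             # e.g. "brute_force" (assumed name)
    indicators: FrozenSet[str]  # indicator names that contributed to the alert


@dataclass
class BehavioralProfile:
    """A saved filter combination plus the entities it has already surfaced."""
    name: str
    entity_type: str
    severities: Set[str]
    alert_types: Set[str]
    indicators: Set[str]        # empty set means "any indicator"
    seen: Set[str] = field(default_factory=set)

    def matches(self, alert: Alert) -> bool:
        """True when the alert satisfies every saved filter dimension."""
        return (
            alert.entity_type == self.entity_type
            and alert.severity in self.severities
            and alert.alert_type in self.alert_types
            and (not self.indicators or bool(alert.indicators & self.indicators))
        )

    def apply(self, alerts: Iterable[Alert]) -> Dict[str, List[Alert]]:
        """Group matching alerts by entity, like the entity list a filter yields."""
        hits: Dict[str, List[Alert]] = {}
        for alert in alerts:
            if self.matches(alert):
                hits.setdefault(alert.entity, []).append(alert)
        return hits

    def new_entities(self, alerts: Iterable[Alert]) -> Set[str]:
        """Re-run the saved profile and report entities not seen on earlier runs."""
        current = set(self.apply(alerts))
        fresh = current - self.seen
        self.seen |= current
        return fresh


# Constructed sample alerts for two monitoring runs (not real data).
DAY1 = [
    Alert("alice", "user", "high", "brute_force", frozenset({"multiple_failed_logins"})),
    Alert("bob", "user", "medium", "brute_force", frozenset({"multiple_failed_logins"})),
    Alert("carol", "user", "high", "lateral_movement", frozenset({"abnormal_remote_access"})),
]
DAY2 = DAY1 + [
    Alert("dave", "user", "critical", "brute_force",
          frozenset({"multiple_failed_logins", "abnormal_logon_time"})),
]


def make_brute_force_profile() -> BehavioralProfile:
    """The saved favorite from the text: high/critical brute force alerts on users."""
    return BehavioralProfile(
        name="brute_force_high",
        entity_type="user",
        severities={"high", "critical"},
        alert_types={"brute_force"},
        indicators={"multiple_failed_logins"},
    )


def run_demo():
    """First run surfaces alice; second run reports only the newly affected dave."""
    profile = make_brute_force_profile()
    first = profile.new_entities(DAY1)
    second = profile.new_entities(DAY2)
    return first, second


if __name__ == "__main__":
    print(run_demo())
```

Bob is excluded on both runs because the saved severity filter only covers high and critical, and carol is excluded because her alert type differs; the second run reports only dave, since alice was already surfaced on the first run.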

Add All Users or Entities to the Watchlist

If you want to keep track of users or network entities with recent activity but do not want to follow up with an immediate investigation, you can add the users or network entities to the watchlist and revisit them over time to see whether the risk score has risen.

To add all users or network entities to the watchlist:

  1. Go to Users > Overview.
  2. Select the Entities tab.
  3. In the Filters panel, apply the filters.
    A list of users matching the applied filters is displayed in the right panel.
  4. Click Add All to Watchlist.
    Users tab, Add All to Watchlist button

    The list of users is added to the watchlist.

Watch Profile

The watch profile is a list of users or network entities that you want to monitor for potential threats. Marking a user or network entity as watched lets you quickly reference, bookmark, and monitor suspicious users or network entities on the dashboard.

To watch a user profile:

  1. Go to Users > Overview. Do any of the following:
    1. In the Overview tab, under the Top Risky Users panel, click the username.
      The User Profile view is displayed.
    2. In the Entities tab, click the username.
      The User Profile view is displayed.
  2. Click Watch Profile.
    User Profile view, Watch Profile button
    The user is added to the watchlist. Similarly, you can watch profiles for network entities.