UEBA: Investigate High-Risk Users

Document created by RSA Information Design and Development Employee on Sep 14, 2020
Version 1Show Document
  • View in full screen mode

A user or entity score is built based on the alert score and the alert severity. Using the user or network entity score, you can identify the users and network entities that require immediate attention, perform deeper investigation, and take required action. The user interface is divided into three tabs: Overview tab, Entities tab, and Alerts tab. You can identify high-risk users or network entities from either the Overview tab, or the Entities tab and view the top risky alerts in the Alerts tab.

In the Overview tab select Users to investigate on the top risky users, or select Network to investigate on the top risky network entities. The Overview tab is further divided into the following panels:

  • Top Risky Users or Network Entities - Displays the number of risky user or network entities, number of watched user or network entities, total number of user or network entities. The results in this panel can be sorted by the user or network entity score, or trending data score.
  • Top Alerts - Displays a list of top alerts in the last 24 hours, last seven days, last one month, or last three months. Each item provides further details such as name of the user or network entity and number of associated indicators.
  • Alert Severity - Displays the alert severity for the last three months in a bar diagram, which can be filtered by clicking on Critical, High, Medium, or Low check boxes.

The following figure is an example of top ten high-risk users displayed in the Overview tab.

Users view, Overview tab

The following figure is an example of all the risky users in your environment displayed in the Entities tab.

High-risk users view

The following figure is an example of the risky user alerts in your environment displayed in the Alerts tab.


The following is a high-level process to investigate high-risk users or entities in your environment.

  1. Identify high-risk users. You can identify high-risk users using the following methods:
    • The Overview tab shows the top ten risky users in your environment. From the listed users, you can identify the users with critical severity or with score more than 100.
    • The Entities tab shows all the risky users in your environment. You can sort by Risk Score (default), Name, Alerts, Sort by Trending Data for Last 24 Hours or Last 7 Days. Identify how many users are marked Critical, High, and Medium or based on the forensic investigation, identify malicious user behavior, and build use-case driven target user lists using behavioral filters. Additionally, you can also use different types of filters (Risky or Watchlist) to identify targeted group of high-risk users.
    • The Alerts shows all the risky users alerts in your environment. You can sort by Critical, High, Medium, or Low. Click Export to download the alert report.

    Hover over the number of alerts associated with the risky users to see the alert type and determine if there is a good mix.

    For more information, see Identify High-Risk User or Network Entity.

  2. In the User Profile view, investigate the alerts and indicators of the user.
    1. Review the list of alerts associated with the user and the alert score for each alert, sorted by severity.
    2. Expand the alert names to identify a threat narrative. The strongest contributing indicator determines the name of the alert that suggests why this hour is flagged.
    3. Use the alert flow timeline to understand the abnormal activities.
    4. Review each indicator associated with the alert to see details about the indicator, including the timeline in which the anomaly occurred. Also, you can further investigate the incident using external resources, such as SIEM, network forensics, directly reaching out to the user or a managing director, and so on.

    For more information, see Begin an Investigation of High-Risk User Or Network Entity.

  3. After the investigation, you can record your observation as follows:

    1. Specify if an alert is not a risk.

    2. Save the behavioral profile for the use case found in your environment.

    3. If you want to keep a track of user activity, add users to the watchlist, and watch user profile.

    For more information, see Take Action on a High-Risk User or Network Entity .

You are here
Table of Contents > UEBA: Investigate High-Risk Users

Attachments

    Outcomes