UEBA: Investigate Indicators

Document created by RSA Information Design and Development Employee on Sep 14, 2020
Version 1

You can view all alerts and indicators associated with a user or network entity in the User Profile view.

In the events table, you can find all events that contributed to a specific indicator for a specific user or network entity.

For example, you can investigate events further by clicking a username or a network entity, which pivots to Investigate > Events. In the Events view, you can see the list of events that occurred on that day for the specific user or network entity. By default, the time range is set to one hour; you can change the time range.

For Endpoint indicators, you can pivot to the Host Details view for deeper insight into that host, or to the Analyze Process view for a detailed investigation of the process for that event. In the Analyze Process view, the time range is set to seven days by default, but it can be customized.

To view the events:

  1. Go to Users > Alerts.
  2. Under Filters, select the Entity Type.
    The indicators are displayed, along with the anomaly value, data source, and start time.
    User Profile view with indicators displayed
  3. Click an alert name, and under Alert Flow, click the icon.
    A graph is displayed that shows details about a specific indicator, including the timeline in which the anomaly occurred and the user associated with the indicator. The following figure shows an example of a graph. The type of graph can vary, depending on the type of analysis performed by NetWitness UEBA. For more information, see User or Network Entity Profile View.

To pivot to the Events view:

  1. Go to Users > Alerts, and select an alert or user or network entity.
    Indicators are displayed under the alert.
  2. Select an indicator of interest.
    Values that can be used to pivot are highlighted in light blue at the bottom of the panel.
    User Profile view with values to use for pivot to Investigate
  3. In the Events table, click the link highlighted in blue and pivot to the alert in the Events view.
    The Events view is displayed.
    For user events, the username is a clickable pivot link. For JA3 and SSL Subject network entity events, the source IP, destination IP, destination country, destination organization, destination port, JA3 or SSL subject, and source netname are the clickable pivot links.

For information about investigating items of interest in the Events view, see the "Reconstructing and Analyzing Events" topic in the NetWitness Investigate User Guide.

To pivot to the Host Details view:

If you have NetWitness Endpoint installed, you can pivot to the Host Details view for detailed information about the host.

  1. Go to Users > Alerts, and select an alert or user or network entity.
    Indicators are displayed under the alert.
  2. Select an indicator of interest.
    Details about the indicator are displayed in the right panel.
  3. In the events table, click the events related to the host.
    The Host Details view is displayed.

For information about investigating items of interest in the Hosts view, see the "Investigating Hosts" topic in the NetWitness Endpoint User Guide.

To pivot to the Analyze Process view:

If you have NetWitness Endpoint installed, you can pivot to the Analyze Process view for detailed information about the process.

  1. Go to Users > Alerts, and select an alert or user or network entity.
  2. Select an alert name. Indicators are displayed under the alert.
  3. Select an indicator of interest.
    Details about the indicator are displayed in the right panel.
  4. In the Events table, click the events related to the process.
    The Analyze Process view is displayed.

For more information, see the "Investigating a Process" topic in the NetWitness Endpoint User Guide.
