UEBA: User Profile View

Document created by RSA Information Design and Development Employee on Sep 14, 2020
Version 1

The User Network Entity Profile view provides detailed information about all alerts and related indicators of a user or network entity.

Workflow

(Figure: Investigate Top Users and Alerts workflow diagram)

What do you want to do?

User Role | I want to ... | Documentation
UEBA Analyst | View high-risk user or network entities* | Identify High-Risk User or Network Entity
UEBA Analyst | Begin an investigation of high-risk user or network entities* | Begin an Investigation of High-Risk User Or Network Entity
UEBA Analyst | Take action on high-risk user or network entities. | Take Action on a High-Risk User or Network Entity
UEBA Analyst | Export high-risk user or network entities. | Export a List of High-Risk User or Network Entity
UEBA Analyst | Begin an investigation of critical alerts* | Investigate Top Alerts
UEBA Analyst | Investigate threat indicators. | Investigate Events

*You can complete the tasks here.

Quick Look

The following figures show the User or Network Entity Profile view.

(Figure: User Profile view with callouts for each panel, part 1)

(Figure: User Profile view with callouts for each panel, part 2)

The User Profile view consists of the following panels:

1 User Risk Score panel
2 Alerts Flow panel
3 Indicator panel

User or Network Entity Risk Score Panel

The User or Network Entity Risk Score panel contains the following information:

Name | Description
User Score | The risk score of the user, highlighted according to its severity.
Alerts | The following information is displayed for each alert:
  • alert name
  • severity level icon
  • start date and time of the alert
  • timeframe of the alert (for example, Hourly)
  • risk score of the alert (for example, +20)
  • list of alert indicator names and the number of times the indicator events occurred
Sort by | Alerts can be sorted by Severity or by Date. By default, they are sorted by severity.

Alert Flow Panel

The Alert Flow panel displays the following information:

Name | Description
Alert name | The name of the alert.
Time frame | The timeframe of the alert (hourly).
Severity level | The severity of the alert.
Contribution in score | The contribution to the user score value (for example, +20).
Sources | The data sources for the alert (for example, Active Directory).
Timeline graph | The timeline of the events related to the formation of the alert.

Indicator Panel

Click a graph icon in the Alert Flow panel to open the Indicator panel. The following table describes the Indicator panel elements:

Name | Description
Indicator | The name of the indicator, with the timeframe of the indicator in parentheses. For example, Multiple Group Membership Changes (Hourly).
Contribution to Alert | The percentage that the indicator contributes to the alert.
Anomaly Value | The anomaly value of the indicator.
Data source | The data source from which the alert is triggered.

The Indicator panel also contains an events table. The columns in the events table depend on the data source; the following tables list the event columns for each data source.

  • Common events for User Entity

The following table lists event columns common to all data sources.

Event Name | Description
Time | The date and time when the event was triggered.
Username | The name of the user for whom the indicator was triggered.
Normalized user name | The normalized name of the user for whom the indicator was triggered.
Operation Type | The action performed by the user. For example, Member Added To Group.
Result | The status of the action performed by the user.
  • Windows File Servers

The following table lists event columns specific to Windows file servers.

Event Name | Description
Source Folder Path | Absolute folder path of the file for which the event was triggered.
Source File Path | Absolute path of the file for which the event was triggered.
  • Active Directory

The following table lists event columns specific to Active Directory.

Event Name | Description
Object Name | Object name as defined in Active Directory.
  • Logon Activity

The following table lists event columns specific to Logon Activity.

Event Name | Description
Computer | Host name from which the event was triggered.
  • Process

The following table lists event columns specific to Process.

Event Name | Description
Machine Name | Name of the host from which the event was triggered for the user.
Source Process | The process that triggered the event.
Destination Process | The process triggered by the source process.
  • Registry

The following table lists event columns specific to Registry.

Event Name | Description
Machine Name | Name of the host from which the event was triggered for the user.
Process Directory | Absolute directory path of the process for which the event was triggered.
Process File Name | File name of the process for which the event was triggered.
Registry Key Group | Type of registry key.
Registry Key | Registry key path.
Registry Value Name | Registry value name that was created or modified.
Operation Type | The action performed by the user. For example, Member Added To Group.

  • Network Entities

The following table lists event columns specific to JA3 and SSL Subject.

Event Name | Description
Source IP | The IP address from which the network data is sent.
Destination IP | The IP address to which the network data is sent.
Destination Country | The country to which the network data is sent.
SSL Subject | The SSL Subject.
Destination Organization | The organization to which the network data is sent.
Domain | The domain name to which the network data is sent.
JA3 | The JA3 hash value.
Destination Port | The port number to which the network data is sent.
Source Netname | The name of the source netname.
Number of Bytes Sent | The number of bytes sent.
Destination ASN | 
JA3S | The JA3S hash value.
Destination Netname | The name of the destination netname.
Number of Bytes Received | The number of bytes received.