UEBA: Identify High-Risk Users

Document created by RSA Information Design and Development Employee on Sep 14, 2020

You can identify high-risk entities in your environment in the following ways:

  • View top ten high-risk entities
  • View all the high-risk entities
  • View users of a specific group
  • View users and other entities based on forensic investigation

View Top Ten Risky User or Network Entities

In the OVERVIEW tab, you can view the top ten high-risk user or network entities in your environment along with the risk score.

To view the top risky entities:

  1. Log in to NetWitness Platform and go to Users > Overview.
    The Overview tab is displayed with the high-risk user or network entities.
  2. Click the Users tab to view the high-risk users.
  3. Click the Network tab to view the high-risk network entities.
  4. Select JA3 from the drop-down to view high-risk JA3 entities.
  5. Select SSL to view the high-risk SSL entities.

Overview tab, High Risk Users panel

View all High-Risk User or Network Entities

In the Entities tab, you can view the list of all high-risk user or network entities in your environment along with the user or network entity score, and total number of alerts associated with the user or network entities.

To view all high-risk user or network entities:

  1. Log in to NetWitness Platform and go to Users > Overview.

  2. Click the Entities tab.
    The list of all high-risk user or network entities is displayed.

View User or Network Entities of a Specific Group

In the Entities tab, you can use different types of filters to identify a targeted group of high-risk user or network entities.

To view users of a specific group:

  1. Log in to NetWitness Platform and go to Users > Overview.

  2. Click the Entities tab.
  3. In the Filters panel, do any of the following:
    • Risky Entities: To view all the risky user or network entities in your environment, select Risky in the left pane.
      All the risky user or network entities along with their user or network entity score are displayed.
    • Watchlist: To view the list of entities that you added to the watchlist to monitor for specific changes, select Watchlist.

Note: You can view users or network entities of one or more groups by selecting one or more filters. For example, if you want to view the list of risky user or network entities, select the Risky and Watchlist filters.

View Users Based on Forensic Investigation

In the ENTITIES tab, you can use alert types and indicators as behavioral filters to view high-risk user or network entities based on forensic investigation. For more information on forensic investigation, see Introduction.

To view users based on a specific forensic investigation:

  1. Log in to NetWitness Platform and go to Users > Overview.

  2. Click the Entities tab.
  3. To filter the result by user or network entity, select Users, JA3, or SSL in the Entity Type drop-down list.
  4. To filter the result by severity, select Severity from the drop-down list.
  5. To create a behavioral filter using alert types, select one or more alerts from the drop-down list.

  6. To create a behavioral filter using indicators, select one or more indicators from the drop-down list.

Note: You can select a combination of one or more alert types and indicators to create a behavioral filter based on your requirement. For example, to monitor abnormal access to files and theft of sensitive data, you can create a behavioral filter with Alert Types = Abnormal File Access and Indicators = Abnormal File Access Time.

To save these behavioral filters as favorites for future investigation, click Save as....

To delete the filters, click Reset.

Similarly, you can view other entities, such as JA3 and SSL, based on forensic investigation.
