(From 11.5.1 and later) NetWitness UEBA Modeled Behavior provides analysts with visibility into the usual activities of users monitored by UEBA. These modeled behaviors are based on the log data leveraged by UEBA and are available a day after the UEBA service is configured. UEBA monitors abnormal user behaviors to identify risky users and this requires data to be processed for a certain period of time. However, Modeled Behaviors reflect the activities of the user within a day of the service configuration.
For example, if a user fails multiple times by logging in with incorrect credentials within an hour, analysts can view these behaviors as Failed Authentications for the user.
To view the Modeled Behaviors:
- Log into NetWitness Platform and click Users.
- Do one of the following:
- In the Overview tab, under Top Risky Users panel, click on a username.
- In the Entities tab, click on a username.
Click the Modeled Behaviors tab, to view the Modeled Behaviors highlighted with a blue line in the left panel. The results can be sorted by the date or in alphabetical order.
Select the data source from the drop-down according to your preference and filter the modeled behaviors:
- Active Directory
- Based on the data source you select, the following information is displayed on the right panel:
Data source name
- Modeled Behaviors description
A graph is displayed with details of a specific Modeled Behavior of a user for the last 30 days. The type of graph can vary, depending on the type of analysis performed by UEBA. The following figure is an example of a Successful File Access Events Modeled Behavior.