Anomalies that are found as incoming events are compared to the baseline are compiled into hourly alerts. Relatively strong deviations from the baseline, together with a unique a composition of anomalies, are more likely to get a higher alert score.
You can quickly view the top most critical alerts in your environment, and start investigating them from either the OVERVIEW tab or the ALERTS tab. The following figure is an example of Top Alerts in the OVERVIEW tab. The alerts are listed in order of severity and the number of users who generate the alerts.
To investigate an alert on this page, click an alert in the Top Alerts section to see details about the alert.
The following figure shows details about the event that caused the alert, and the timeframe in which it occurred.
From the OVERVIEW tab, in the Alerts Severity panel, you can click on a bar in the graph to review top alerts in the ALERTS tab, as shown in the following figure.
Investigating alerts is particularly useful when you want to focus on a timeframe in which you believe your systems were compromised. You can view forensic information based on a timeframe and gather detailed information about events that occurred during that time in the Alerts tab.
Begin an Investigation of Critical Alerts
You can begin your investigation of critical alerts in the following ways:
- On the Overview tab, look at the Alerts Severity.
Is there an even distribution of alerts or are there a few days when there was a noticeable spike? A spike could indicate something suspicious like malware. Make a note of those days so you can inspect the alerts (the bar from the chart links directly to the alerts for that specific day).
- In the Alerts tab, sort by the number of indicators:
Ensure that the alerts that aggregated the most number of indicators show at the top of the list. Similar to identifying the users with the highest number of alerts, more indicators help illustrate a more interesting story and provide you with a more solid timeline that you can follow.
Expand the top alerts in the list:
- Look for alerts that have varied data sources. These show a broader pattern of behavior.
- Look for a variety of different indicators.
- Look for indicators with high numeric values, specifically for high values that are not indicative of activity that a human can perform manually (for example, a user accessed 8,000 files).
- Look for unique Windows event types that users do not typically change as these can indicate suspicious administrative activity.
- Search by indicators:
The list shows the number of alerts raised that contain each indicator.
- Look for the top volume indicators; filter by one and review by user to find users who experienced the highest number of these indicators.
- In general, you can ignore time-based alerts (for example, Abnormal Logon Time) as these are very common. However, they provide good context when combined with higher interest indicators.
- Drill into more detail:
- Leverage alert names to begin establishing a threat narrative. Use the fact that the strongest contributing indicator usually determines the alert’s name to begin explaining why this user is flagged.
- Use the timeline to layout the activities found and try to understand what could explain the observed behaviors.
- Follow up by reviewing each indicator anddemonstrating how supporting information, in the form of graphs and events, can help analysts verify an incident. Suggest possible next stages of investigation using external resources (for example, SIEM, network forensics, and directly reaching out to the user or a managing director).
- Conclude the investigation by prompting for feedback and leaving a comment.
- Take action to address threats determined by your investigation of alerts. For more information, see Take Action on High-Risk Users.
The following topics explain various ways to investigate alerts.
- Filter Alerts
- Investigate Indicators
- Manage Top Alerts
- View NetWitness UEBA Metrics in Health and Wellness