To help you investigate incidents and alerts, you can view summaries of alerts for specific users.
To view summaries of the top alerts in your environment:
- Log in to NetWitness Platform and click Investigate > Users. The Overview tab is displayed.
- In the center pane, the top alerts are displayed with the following information:
  - Severity level icons
  - Number of indicators
  - Start date for each alert
  - Timeframe for each alert (hourly, daily, etc.)
To view summaries of alerts for users:
- In the Overview tab, in the left pane under High Risk Users, select a user.
- In the left pane under User Risk Score, select an alert. The following information is displayed:
  - The alert name
  - The timeframe of the alert (Hourly or Daily)
  - The severity level icon
  - The contribution to the user score value (for example, +20)
  - The data sources for the alert (for example, Logon)
- The middle frame of the Alert Overview pane is called the Alert Flow. This view provides a timeline of the events that led to the formation of the alert. The timeline can help you determine whether the alert represents an actual risk.
For more information, see Investigate High Risk User.