After you identify the high-risk users, you can begin investigating them.
To investigate high-risk users:
Log in to NetWitness Platform and go to INVESTIGATE > Users. Do any of the following:
- In the Overview tab, in the High Risk Users panel, select a user you want to investigate and click on either the username or the user score.
- In the USERS tab, select the user you want to investigate and click on the username.
The User Profile view is displayed.
- To investigate the alerts of the user, click the alert name in the User Risk Score panel. The following information is displayed:
  - The alert name
  - The timeframe of the alert (Hourly or Daily)
  - The severity level icon
  - The contribution to the user score value (for example, +20)
  - The data sources for the alert (for example, Logon)
The middle panel is the Alert Flow panel. This panel provides a timeline of the events related to the formation of the alert. The timeline can help you determine whether the alert is an actual risk.
- To investigate the indicators associated with an alert of a user, in the User Risk Score panel, select an alert and then select an indicator. The following information is displayed: