UEBA: Begin an Investigation of High-Risk Users

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1

After you identify the high-risk users, you can begin investigating them.

To investigate high-risk users:

  1. Log in to NetWitness Platform and go to INVESTIGATE > Users. Do any of the following:

    1. In the Overview tab, in the High Risk Users panel, select a user you want to investigate and click on either the username or the user score.
    2. In the USERS tab, select the user you want to investigate and click on the username.
      The User Profile view is displayed.
  2. To investigate the alerts of the user, click the alert name in the User Risk Score panel. The following information is displayed:
    • The alert name
    • The timeframe of the alert (Hourly or Daily)
    • The severity level icon
    • The contribution to the user score value (for example, +20)
    • The data sources for the alert (for example, Logon)
      The middle panel is the Alert Flow panel. This panel provides a timeline of the events that led to the formation of the alert. The timeline can help you determine whether the alert is an actual risk.
  3. To investigate the indicators associated with an alert of a user, in the User Risk Score panel, select an alert and then select an indicator. The following information is displayed:
    • The indicator name and a description of the indicator type
    • Contribution to Alert
    • The anomaly values
    • The data source of the events found in the indicator
      The central panel display changes depending on which indicator is selected.
