UEBA: Overview View

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1Show Document
  • View in full screen mode

The Overview tab provides an initial view into the recent and most important user activities in the environment. Each panel shows either prioritized incidents for investigation or consolidated metrics reflecting potential risks to the enterprise.

Workflow

Investigate Top Users and Alerts workflow diagram

What do you want to do?

                                                     
User RoleI want to ...Documentation
UEBA Analyst

View top five high-risk users*.

Identify High-Risk Users
UEBA Analyst

View risky users, watchlist users and admin users*.

Identify High-Risk Users

UEBA Analyst

View user based on alert type and indicator.

Identify High-Risk Users

UEBA AnalystInvestigate alerts in my environment.Investigate Top Alerts
UEBA AnalystBegin an investigation of critical alerts.Investigate Top Alerts
UEBA AnalystSort alerts to focus my investigation.Filter Alerts
UEBA AnalystInvestigate threat indicators.Investigate Indicators
UEBA AnalystExport alert data Manage Top Alerts

*You can complete the tasks here.

Related Topics

Quick Look

The following figure shows the Overview tab.
Overview tab with callouts for each panel

To access this view, go to INVESTIGATE > Users.

The Overview tab consists of the following panels:

                     
1High Risk Users panel
2Top Alerts panel
3

All Users panel

4Alerts Severity panel

High Risk Users Panel

The High Risk Users panel lists the top five high-risk user along with the user score.

The following table describes the high risk users panel elements.

                   
NameDescription
UsernameThe name of the user.
User Score

The user score of the user, with the color indicating the severity of the score. Red indicates Critical, orange represents a High risk, yellow indicates a Medium risk, and green represents a Low risk.

Top Alerts Panel

The Top Alerts panel displays a list of alerts for the associated user, severity, alert creation date, and number of indicators. The list consists of the top ten alerts in the last 7 days.

The following table describes the top alerts panel elements.

                           
NameDescription
Severity IconThe alert severity icon. The options are Critical, High, Medium, or Low.
Alert NameThe name of the alert.

Alert Creation Date

The date when an alert is generated.

Number of Indicators

The number of indicators associated with the alert.

All Users Panel

The All Users panel displays the number of users in each of the NetWitness UEBA predefined groups.

The following table describes all users panel elements.

                       
GroupDescription
RiskyAll users with a risk score greater than 0.
WatchedAll users who are currently flagged as Watched.
AdminAll users who have been previously tagged as Admin.

Alerts Severity Panel

The Alert Severity panel graphically displays the number of alerts, by severity level generated during the last year.

The following table describes alert severity panel elements.

                   
NameDescription
Last yearThe number of alerts generated during last year.
Severity level

The severity is color coded, where red indicates a Critical alert, orange represents a High risk alert, yellow indicates a Medium risk alert, and green represents a Low risk alert. For example:
Severity levels displayed with each color

Previous Topic:Reference
Next Topic:Users View
You are here
Table of Contents > Reference > Overview View

Attachments

    Outcomes