UEBA: Take Action on High-Risk Users

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1

After investigation, you can take action on the risky users to reduce or prevent further damage caused by malicious attackers in your organization. You can take any of the following actions:

    • Specify if the alert is not risky
    • Save the behavioral profile for the use case found in your environment
    • Add users to the watchlist, or watch a user profile, if you want to keep track of the user activity

Specify if the Alert is Not Risky

To specify if the alert is not risky:

  1. Log in to NetWitness Platform and go to INVESTIGATE > Users.

  2.  Take action on the users from any of the following tabs:
    1. In the Overview tab, in the High Risk Users panel, select a user and click either on the username or user score.
    2. In the Users tab, select a user and click on the username.
      The User Profile view is displayed.
  3. If the alert is not a risk, you can specify this by clicking Not a Risk.
    When an alert is marked as Not a Risk, the user score is reduced automatically.

Save Behavioral Profile

The combination of the alert types and indicators you select during the forensics investigation is a behavioral profile. You can save the behavioral profile so that you can monitor this use case in the future.

For example, if your organization is attacked and the attackers gained access by brute forcing user accounts, you can select filters using the brute force alert type and save them as a favorite. You can then proactively monitor for future brute force attempts by clicking the favorite to see if new users were subjected to this type of attack.

To save a behavioral profile:

  1. Log in to NetWitness Platform and go to INVESTIGATE > Users.
    The Overview tab is displayed.
  2. Click the Users tab.
  3. In the Filters panel, select the alert in the Alert Type drop-down and Indicators in the Indicators drop-down.
  4. Click Save to Favorites.
  5. In the Save Filter dialog, enter the name of the filter and click Ok.
    The behavioral profile is saved and displayed in the Favorites panel. You can click the profile in the Favorites panel to monitor the users.

Add All Users to the Watchlist

If you want to keep track of users with recent activity but do not want to follow up with an immediate investigation, you can add the users to the watchlist and revisit over time to see if the risk score is elevated.

To add all users to the watchlist:

  1. Log in to NetWitness Platform and go to INVESTIGATE > Users.
    The Overview tab is displayed.
  2. Select the Users tab.
  3. Select the users of specific categories using filters.
  4. Click Add All to Watchlist.
    The list of users is added to the watchlist.

Watch User Profile

The watch user profile is a list of users that you want to monitor for potential threats. Watching a profile marks a user so that the user can be quickly referenced on the dashboard. This is essentially a bookmark for monitoring suspicious users.

To watch a user profile:

  1. Log in to NetWitness Platform and go to INVESTIGATE > Users. Do any of the following:
    1. In the Overview tab, in the High Risk Users panel, select a user and click either the username or the user score.
    2. In the Users tab, select a user and click the username.
      The User Profile view is displayed.
  2. Click Watch Profile in the upper right corner of the User Profile.
    The user is added to the watchlist.
 