UEBA: Users View

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1Show Document
  • View in full screen mode

The Users tab is a proactive threat hunting console. You can use behavioral filters to build use case driven target lists, and to continuously monitor the environment for specific risky behavior patterns.

Workflow

Investigate Top Users and Alerts workflow diagram

What do you want to do?

                                                   
User RoleI want to ...Documentation
UEBA Analyst

View high-risk users*.

Identify High-Risk Users

UEBA Analyst

View user based on alert type and indicator*.

Identify High-Risk Users

UEBA AnalystBegin an investigation of high-risk users.Begin an Investigation of High-Risk Users
UEBA Analyst

Take action on high-risk users*.

 

Take Action on High-Risk Users
UEBA AnalystExport high-risk users*. Export High-Risk Users
UEBA AnalystBegin an investigation of critical alerts.Investigate Top Alerts
UEBA AnalystInvestigate threat indicators.Investigate Indicators

*You can complete the tasks here.

Related Topics

Quick Look

The following figure shows the Users tab.

Users tab with callouts for each panel

To access this view:

  1. Go to INVESTIGATE > Users.

    The Overview tab is displayed.

  2. Click Users.

The Users tab consists of the following panels:

                     
1Filters panel
2Favorites panel
3

Risk Indicator panel

4User List panel

Filters Panel Filters

The Filters panel lists three pre-defined filters, with the number of users associated with each in parentheses.

The following table describes the filter types.

                       
Filter TypeDescription
Risky UsersAll users with a risk score greater than 0.
Watchlist Users

All users who are currently flagged as Watched.

Admin Users

All users who have been previously tagged as Admin.

Favorites Panel

The Favorites panel displays the list of behavioral profiles that are saved as favorites.

The following table describes the behavioral profile filters types.

                   
FiltersDescription
Alert Types

Any of the existing alert types that describe the supported distinct use cases (e.g. Brute Force Attempt, Snooping User, Abnormal AD Change, Data Exfiltration).

Indicators

Any of the existing behavioral features modeled by NetWitness UEBA. This filter can also be used to target only alerts from a specific data source or application.

Risk Indicator panel

The Risk indicator provides a severity-based breakdown of the target users.

The following table describes the risk indicator panel elements.

                           
ColorSeverity
RedCritical
OrangeHigh
YellowMedium
GreenLow

User List Panel

The User List panel displays the list of all the users in your environment along with the user score and number of alerts associated with the user.

The following table describes the User List panel elements.

                                       
User DataDescription

Username

The name of the user.
ScoreThe user score of the user.
Number of alertsThe total number of alerts generated for the user.
Sort by

The Sort by drop-down menu allows you to select the sorting method for the list. The options are: Risk Score, Name, Alerts.

Export

Export a list of all users and their scores in a .csv file format.

Add All to Watchlist

Adds all users in the filtered view to the watchlist.

Search User

Searches for a user name that you typed and select it from the list that is displayed matching your entry.

Previous Topic:Overview View
Next Topic:Alerts View
You are here
Table of Contents > Reference > Users View

Attachments

    Outcomes