UEBA: Alerts View

Document created by RSA Information Design and Development on Sep 11, 2018

The Alerts tab displays details about all the alerts in your environment. You can view forensic information about suspicious activity in your environment that is based on a specific timeframe.

Workflow

[Figure: Investigate Top Users and Alerts workflow diagram]

What do you want to do?

User Role      I want to ...                                        Documentation
UEBA Analyst   Investigate alerts in my environment*.               Investigate Top Alerts
UEBA Analyst   Sort alerts to focus my investigation*.              Filter Alerts
UEBA Analyst   Investigate incidents based on threat indicators*.   Investigate Indicators
UEBA Analyst   Share alert data in spreadsheet format.              Manage Top Alerts
UEBA Analyst   Quickly see a summary of user alerts.                View User Alert Summaries

*You can complete the tasks here.

Quick Look

[Figure: Alerts tab with callouts for each panel]

To access this view:

  1. Go to INVESTIGATE > Users.

    The Overview tab is displayed.

  2. Click Alerts.

The Alerts tab consists of the following panels:

  1. Filters panel
  2. Alerts panel

Filters Panel

Use the filters panel to refine your investigation of alerts. The filters are automatically applied as you make your selections. You can clear all currently set filters by clicking Clear.

The following table describes the filter types.

Severity
  Description: Filters the list of alerts to include alerts for one or more severity levels.
  Options: Critical, High, Medium, or Low.

Feedback
  Description: Filters the list of alerts to include alerts for one or more feedback types.
  Options: Select All, No Feedback, or Not a Risk.

Entity
  Description: Filters the list of alerts to include only alerts for a specific user name.
  Options: NA.

Indicators
  Description: Filters the list of alerts to include alerts for one or more indicators.
  Options: Examples of indicators are:
    • Active Directory - Abnormal Logon Time
    • Authentication - Logged onto Multiple Computers
    • Multiple File Access Failures

Date Range
  Description: Filters the list of alerts to include alerts created during a specific time range.
  Options: Last Week, Last Month, or a specified range.

Alerts Panel

The Alerts panel displays the following information for each alert:

  • Severity Icon: An icon next to the alert name that indicates the severity level of the alert
  • Alert Name: The name of the alert and the alert timeframe
  • Entity Name: The name of the entity (user account) that generated the alert
  • Start Time: The date and time when this alert was first detected
  • # Indicators: The number of unique behavior anomalies (indicators) associated with the alert
  • Status: Indicates if the alert has been marked as Unreviewed or Not A Risk
  • Feedback: Indicates if a feedback value has been assigned for the alert

At the beginning of each alert line is an icon that expands the alert to display additional details. Once expanded, the following fields are displayed:

  • Indicator Name: The name of each unique indicator that is associated with the alert
  • Anomaly Value: The indicator’s value, representing the deviation amount or value as it differs from the user’s normal behavior
  • Data Source: The type of data where the indicator was found
  • Start Time: The date and time when this indicator was first detected
  • # Events: The number of events in the indicator

The data that is currently displayed in the central pane can be exported to a .csv file by clicking Export at the top right of the pane.
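The following added example (not part of the RSA documentation) applies the Filters panel semantics described above to an exported alerts .csv offline, so an analyst can reproduce a filtered Alerts panel view outside the console. The sample export is constructed here, and its column names are assumed to mirror the Alerts panel fields; the real Export header is not specified on this page.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. The header is an assumption: it reuses the
# Alerts panel column names, since the page does not document the Export format.
SAMPLE_CSV = """Severity,Alert Name,Entity Name,Start Time,# Indicators,Status,Feedback
Critical,Abnormal AD Activity,jdoe,2018-09-03 08:15:00,4,Unreviewed,No Feedback
High,Multiple Logons,asmith,2018-09-07 22:40:00,2,Not A Risk,Not a Risk
Medium,File Access Failures,jdoe,2018-08-20 13:05:00,1,Unreviewed,No Feedback
Low,Abnormal Logon Time,bwong,2018-09-09 02:30:00,1,Unreviewed,No Feedback
"""

# Rank used to sort the result the way the panel's severity icons read: Critical first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_time(text):
    """Parse the Start Time column (format assumed for the constructed sample)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def load_alerts(csv_text):
    """Read an exported alerts .csv into dicts with typed Start Time and # Indicators."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Start Time"] = parse_time(row["Start Time"])
        row["# Indicators"] = int(row["# Indicators"])
    return rows


def filter_alerts(alerts, severities=None, feedback=None, entity=None, start=None, end=None):
    """Apply the Filters panel semantics: every filter that is set must match.

    severities / feedback: sets of allowed values (Severity and Feedback filters)
    entity: exact user name (Entity filter)
    start / end: inclusive datetime bounds on Start Time (Date Range filter)
    """
    kept = []
    for alert in alerts:
        if severities and alert["Severity"] not in severities:
            continue
        if feedback and alert["Feedback"] not in feedback:
            continue
        if entity and alert["Entity Name"] != entity:
            continue
        if start and alert["Start Time"] < start:
            continue
        if end and alert["Start Time"] > end:
            continue
        kept.append(alert)
    # Most severe first, oldest first within a severity.
    return sorted(kept, key=lambda a: (SEVERITY_ORDER[a["Severity"]], a["Start Time"]))
```

Combining the Severity and Feedback filters (for example Critical/High with No Feedback) isolates alerts nobody has triaged yet, which is the usual starting point for the Investigate Top Alerts task.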
