UEBA: Investigate Indicators

Document created by RSA Information Design and Development on Sep 11, 2018. Last modified by RSA Information Design and Development on Jul 9, 2019.

You can view all the alerts and indicators associated with a user in the User Profile view.

In the Events table you can find all the events that contributed to the specific indicator for the specific user. You can investigate these events further by clicking the username, which pivots to Investigate > Events. In the Events view, you can see the list of events that occurred on that day for the specific user. By default the time range is set to one day; you can change the time range.

In addition, you can pivot to the Host Details view for deeper insight into the host involved. You can also pivot to the Analyze Process view for a detailed investigation of the process associated with that event. By default the time range for the Analyze Process view is set to seven days; you can change the time range.

To view the events:

  1. Log into NetWitness Platform and go to INVESTIGATE > Users > ALERTS.
  2. Under ALERT NAME, click an alert name.
    The indicators are displayed, along with the anomaly value, data source, and start time.
    (Figure: User Profile view with indicators displayed)
  3. Under Alert Flow, click on the graph icon.
    A graph is displayed that shows details about a specific indicator, including the timeline in which the anomaly occurred and the user associated with the indicator. The following figure shows an example of a graph. The type of graph can vary, depending on the type of analysis performed by NetWitness UEBA. For more information, see User Profile View.
    (Figure: User Profile view, alert flow graph)

To pivot to the Events view:

  1. Go to INVESTIGATE > Users, and select an alert or a user.
  2. Under User Risk Score, select an alert name.
    Indicators are displayed under the alert.
  3. Select an indicator of interest.
    Values that can be used to pivot are highlighted in light blue at the bottom of the panel.
    (Figure: User Profile view with values to use for pivot to Investigate)
  4. In the Events table, click the username highlighted in blue.
    The Events view is displayed.

For information about investigating items of interest in the Events view, see "Investigating Raw Events in the Events View" in the NetWitness Investigate User Guide.

To pivot to the Host Details view:

If you have NetWitness Endpoint installed, you can pivot to the Host Details view for detailed information about the host.

  1. Go to INVESTIGATE > Users, and select an alert or a user.
  2. Under User Risk Score, select an alert name.
    Indicators are displayed under the alert.
  3. Select an indicator of interest. Details about the indicator are displayed in the right panel.
  4. In the Events table, click the events related to the host.
    The Host Details view is displayed.

For information about investigating items of interest in the Hosts view, see the "Investigating Hosts" topic in the NetWitness Endpoint User Guide.

To pivot to the Analyze Process view:

If you have NetWitness Endpoint installed, you can pivot to the Analyze Process view for detailed information about the process.

  1. Go to INVESTIGATE > Users, and select an alert or a user.
  2. Under User Risk Score, select an alert name. Indicators are displayed under the alert.
  3. Select an indicator of interest. Details about the indicator are displayed in the right panel.
  4. In the Events table, click the events related to the process.
    The Analyze Process view is displayed.

For more information, see the "Investigating a Process" topic in the NetWitness Endpoint User Guide.
