UEBA: Investigate Indicators

Document created by RSA Information Design and Development on Sep 11, 2018

You can view all the indicators that form an alert in the ALERTS tab. Each indicator displays its anomaly value in parentheses. For each indicator you can see its name, a description of the indicator type, the anomaly value, and the data source of the events on which the indicator is based. You can also view a chart that shows details about a specific indicator. To look for related activity across a time range, you can investigate an indicator by pivoting to the INVESTIGATE > Events view. In the Users view, values that enable a pivot are highlighted in light blue; clicking a value opens the Events view. In the Events view, the selected value is applied to all meta keys, and the time range is set to one day by default. You can change the time range, for example to widen it when the related activity began before the day of the alert.

To see all the threat indicators that comprise an alert:

  1. Log into NetWitness Platform and go to INVESTIGATE > Users > ALERTS.
  2. Under ALERT NAME, click an alert name.
    The indicators are displayed, along with the anomaly value, data source, and start time.
    User Profile view with indicators displayed
  3. Under Alert Flow, click on the graph icon.
    A graph is displayed that shows details about a specific indicator, including the timeline in which the anomaly occurred and the user associated with the indicator. The following figure shows an example of a graph. The type of graph varies, depending on the type of analysis performed by NetWitness UEBA. For more information, see User Profile View.
    User Profile view, alert flow graph

To pivot to Events view:

  1. Go to INVESTIGATE > Users, and select an alert or a user.
  2. Under User Risk Score, select an alert name.
    Indicators are displayed under the alert.
    User Risk Score with Alert and Indicators
  3. Select an indicator of interest.
    Values that can be used to pivot are highlighted in light blue at the bottom of the panel.
    User Profile view with values to use for pivot to Investigate
  4. Click on an indicator element highlighted in blue.
    The Events view opens and details about the indicator element are displayed.
    The date in the Events view is the day the alert occurred. The text in the search field is the value that you selected. The events that are displayed are all the events related to the selected value.
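The pivot described in the two procedures above is a manual, click-driven workflow. The following Python snippet is an added illustration, not code from RSA or the NetWitness Platform, of the same triage logic done on an exported alert: rank the indicators by anomaly value so the strongest one is investigated first, then derive the Events-view pivot (the selected value plus a one-day window starting at midnight UTC of the day the indicator fired) and allow the window to be widened. The alert record, its field names, and the pivot values are constructed sample data and assumptions; NetWitness UEBA's actual export format is not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample alert with constructed field names (an assumption, not the
# NetWitness UEBA export schema). Anomaly values are the numbers shown in
# parentheses beside each indicator in the ALERTS tab.
SAMPLE_ALERT = {
    "alert_name": "Abnormal Logon Activity",
    "user": "jdoe",
    "indicators": [
        {"name": "Abnormal logon time", "anomaly": 14.0, "source": "Windows Logon",
         "start_time": "2018-09-11T02:15:00Z",
         "pivot_values": {"user": "jdoe", "host": "WS-042"}},
        {"name": "Multiple failed authentications", "anomaly": 22.5, "source": "Windows Logon",
         "start_time": "2018-09-11T02:20:00Z",
         "pivot_values": {"user": "jdoe", "ip": "10.20.30.40"}},
        {"name": "Abnormal file access", "anomaly": 9.0, "source": "File Access",
         "start_time": "2018-09-11T03:05:00Z",
         "pivot_values": {"user": "jdoe", "file": "payroll.xlsx"}},
    ],
}


@dataclass(frozen=True)
class Pivot:
    """What the Events view receives: the search value and the time range."""
    value: str
    start: datetime
    end: datetime


def _fired_at(indicator):
    # Parse the ISO 8601 start time; "Z" is rewritten so fromisoformat accepts it.
    return datetime.fromisoformat(indicator["start_time"].replace("Z", "+00:00"))


def rank_indicators(alert):
    """Indicators sorted by anomaly value, highest first, for triage order."""
    return sorted(alert["indicators"], key=lambda i: i["anomaly"], reverse=True)


def pivot_for(indicator, value, days=1):
    """Build the pivot for one highlighted value of an indicator.

    The window starts at midnight UTC on the day the indicator fired and spans
    `days` days; the default of 1 mirrors the one-day range the Events view
    applies, and a larger value widens it when earlier activity is suspected.
    """
    if value not in indicator["pivot_values"].values():
        raise ValueError(f"{value!r} is not a pivotable value of {indicator['name']!r}")
    fired = _fired_at(indicator)
    start = fired.replace(hour=0, minute=0, second=0, microsecond=0)
    return Pivot(value=value, start=start, end=start + timedelta(days=days))


def window_contains(pivot, indicator):
    """Sanity check: the pivot window must include the indicator's own start time."""
    return pivot.start <= _fired_at(indicator) < pivot.end


if __name__ == "__main__":
    for ind in rank_indicators(SAMPLE_ALERT):
        for value in ind["pivot_values"].values():
            p = pivot_for(ind, value)
            print(f"{ind['anomaly']:>5} {ind['name']:<35} pivot={p.value!r} "
                  f"{p.start.isoformat()} .. {p.end.isoformat()} ok={window_contains(p, ind)}")
```

Only indicator values that the panel highlights in light blue are pivotable, which is why `pivot_for` rejects a value that is not among the indicator's `pivot_values`; a value copied from the description text rather than from the highlighted list would otherwise produce a search that returns unrelated events.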

For information about investigating items of interest in the Events view, see "Investigating Raw Events in the Events View" in the NetWitness Investigate User Guide.

For more information about threat indicators, see the Threat Indicators section in Introduction.
