UEBA: Identify High-Risk Users

Document created by RSA Information Design and Development on Sep 11, 2018

You can identify high-risk users in your environment in the following ways:

  • View the top five high-risk users
  • View all high-risk users
  • View users of a specific group
  • View users based on forensic investigation

View Top Five Risky Users

In the Overview tab, you can view the list of the top five high-risk users in your environment along with the user score.

To view the top five risky users:

  1. Log in to NetWitness Platform and go to Investigate > Users.
    The Overview tab is displayed, with the high-risk users listed in the High Risk Users panel.

    [Figure: Overview tab, High Risk Users panel]

View All High-Risk Users

In the Users tab, you can view the list of all high-risk users in your environment along with the user score and the total number of alerts associated with each user.

To view all high-risk users:

  1. Log in to NetWitness Platform and go to Investigate > Users.
    The Overview tab is displayed.

  2. Click the Users tab.
    The list of all high-risk users is displayed.

View Users of Specific Group

In the Users tab, you can use different types of filters to identify a targeted group of high-risk users.

To view users of a specific group:

  1. Log in to NetWitness Platform and go to Investigate > Users.
    The Overview tab is displayed.

  2. Click the Users tab.
  3. In the Filters panel, do any of the following:
    • Risky Users: To view all the risky users in your environment, select Risky Users. By default, risky users along with their user score are displayed.

    • Watchlist Users: To view the list of users that you added to the watchlist to monitor for specific changes, select Watchlist Users.

    • Admin Users: To view all users who are marked as admin in the events, select Admin Users.

Note: You can view users of one or more groups by selecting one or more filters. For example, if you want to view the list of admin users who are risky users, select the Admin Users and Risky Users filters.

View Users Based on Forensic Investigation

In the Users tab, you can use Alert Types and Indicators, which are behavioral filters, to view high-risk users based on forensic investigation. For more information on forensic investigation, see Forensic Workflow in the Introduction topic.

To view users based on a specific forensic investigation:

  1. Log in to NetWitness Platform and go to Investigate > Users.
    The Overview tab is displayed.

  2. Click the Users tab.
  3. To create a behavioral filter using alert types, select one or more alerts in the Alert Types drop-down list.

  4. To create a behavioral filter using indicators, select one or more indicators in the Indicators drop-down list.

Note: You can select a combination of one or more alert types and indicators to create a behavioral filter based on your requirement. For example, to monitor abnormal access to confidential files and theft of sensitive data, you can create a behavioral filter with Alert Types = Abnormal File Access and Indicators = Abnormal File Action Operation Type.

You can save these behavioral filters as favorites for future investigation.
