Create Behavioral Hunting Profile

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1Show Document
  • View in full screen mode

Behavioral hunting profile is a process of detecting any anomalous behavior or if there is any deviation from a normal behavior of a user which may result in potential threat. For example, if a user regularly downloads 10 MB of files every day but suddenly downloads gigabytes of files, the system would be able to detect this anomaly and alert them immediately.


Behavioral filter is a model to filter the specific behavior of the user activity in your environment. An analyst can monitor the environment by creating a behavioral hunting profile and save the queries as favorites, and reuse them for future analysis. Analysts can create combinations of indicators by selecting a set of indicators and alerts and define a use case driven set of filters and save them as favorite.

To create a behavioral hunting profile, perform the following:

  1. Log into NetWitness Platform and click Investigate > Users.
    The Overview tab is displayed.
  2. Select Users.
  3. In the Filters pane, perform the following:

    1. In the Alert Types drop-down, select the alert type, for example, Multiple Logons by User.

    2. In the Indicators drop-down, select the indicator, for example, Abnormal File Access Time.
  4. You can use this filter to target alerts from a specific data source or application.
  5. Click Save to Favorites.

  6. In the Save Filter, enter the name of the filter and click Ok.
    The filter is save for future analysis.


Investigate Users

You can investigate the alerts and incidents of a specific user. An analysts can view all the detailed information related to the indicators that were found to be connected to a single alert, as it is related to a specific user. Each alert has a risk score associated with it, and the scores for all alerts for a user contribute to the overall User Risk Score.

To view summaries of alerts and indicators of a specific user:

  1. Log into NetWitness Platform and click Investigate.

  2. In the Overview tab, in the left pane under High Risk Users, select a user you want to investigate.
    The User profile view is displayed
  3. Perform the following:
    1. To investigate the alerts of a user, in the User Risk Score pane, select an alert. The following information is displayed:
      The alert name
      The timeframe of the alert (Hourly or Daily)
      The severity level icon
      The contribution to the user score value (for example, +20)
      The data sources for the alert (for example, Logon)
    2. To investigate the indicators of a user, in the User Risk Score pane, select an alert and then select an indicator. The following information is displayed:

    The indicator name and a description of the indicator type

    The anomaly values
    The data source of the events found in the indicator



You are here
Table of Contents > Create Behavioral Hunting Profile