UEBA: User Profile View

Document created by RSA Information Design and Development on Sep 11, 2018

The User Profile view provides detailed information about all the alerts and related indicators of a user.

Workflow

[Figure: Investigate Top Users and Alerts workflow diagram]

What do you want to do?

User Role    | I want to ...                               | Documentation
UEBA Analyst | View high-risk users*                       | Identify High-Risk Users
UEBA Analyst | Begin an investigation of high-risk users*  | Begin an Investigation of High-Risk Users
UEBA Analyst | Take action on high-risk users              | Take Action on High-Risk Users
UEBA Analyst | Export high-risk users                      | Export High-Risk Users
UEBA Analyst | Begin an investigation of critical alerts*  | Investigate Top Alerts
UEBA Analyst | Investigate threat indicators               | Investigate Indicators

*You can complete these tasks in the User Profile view.

Quick Look

The following figures show the User Profile view.

[Figure 1: User Profile view with callouts for each panel]

[Figure 2: User Profile view with callouts for each panel, continued]

To access this view:

  1. Go to INVESTIGATE > Users. Do any of the following:

     1. In the OVERVIEW tab, in the High Risk Users panel, select a user and click either the username or the user score.
     2. In the USERS tab, select a user and click the username.
     3. In the ALERTS tab, click an alert name or an entity name.

The User Profile view consists of the following panels:

  1. User Risk Score panel
  2. Alert Flow panel
  3. Indicator panel

User Risk Score Panel

The User Risk Score panel contains the following information:

Name       | Description
User Score | The user's risk score, highlighted according to its severity.
Alerts     | For each alert, the panel displays the alert name, the severity level icon, the start date and time of the alert, the timeframe of the alert (Hourly or Daily), the alert's contribution to the risk score (for example, +20), and a list of the alert's indicator names with the number of times each indicator's events occurred.
Sort by    | Alerts can be sorted by Severity or by Date. By default, they are sorted by severity.

Alert Flow Panel

The Alert Flow panel displays the following information:

Name                           | Description
Alert name                     | The name of the alert.
Timeframe                      | The timeframe of the alert (Hourly or Daily).
Severity level                 | The severity of the alert.
Contribution to the user score | The amount the alert contributes to the user score (for example, +20).
Sources                        | The data sources for the alert (for example, Active Directory).
Timeline graph                 | The timeline of the events that led to the alert.

Indicator Panel

Click a graph icon in the Alert Flow panel to open the Indicator panel. The following table describes the Indicator panel elements:

Name                    | Description
Indicator               | The name of the indicator, with the timeframe of the indicator in parentheses. For example, Multiple Group Membership Changes (Hourly).
Contribution to Alert   | The percentage the indicator contributes to the alert.
Anomaly Value           | The anomaly value of the indicator.
Datasource              | The data source from which the alert was triggered.
Time Detected           | The date and time when the indicator was triggered.
Username                | The name of the user for whom the indicator was triggered.
User ID                 | The user ID of the user for whom the indicator was triggered.
Operation Type          | The action performed by the user. For example, Member Added To Group.
Operation Type Category | The category of the operation. For example, GROUP_MEMBERSHIP.
Result                  | The status of the action performed by the user.
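The following Python script is an added example, not code from the RSA documentation or the NetWitness UEBA product. It models the fields of the Alert Flow and Indicator panels described above as plain records, reproduces the User Risk Score panel's two sort orders (severity, the default, and date), and builds the per-alert list of indicator names with occurrence counts. The severity names and their ranking (Critical, High, Medium, Low), the alert and indicator records, and the user score being the sum of the alerts' contributions are all assumptions made for this example; the page names the panel fields but not those values.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed severity ranking for sorting; the page does not list severity names.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Alert:
    """One row of the Alert Flow panel, with the fields named on the page."""
    name: str
    timeframe: str          # "Hourly" or "Daily"
    severity: str
    contribution: int       # contribution to the user score, e.g. +20
    sources: tuple          # data sources, e.g. ("Active Directory",)
    start_time: datetime    # start date and time of the alert


@dataclass(frozen=True)
class Indicator:
    """One row of the Indicator panel, with the fields named on the page."""
    alert_name: str         # the alert this indicator belongs to
    name: str               # e.g. "Multiple Group Membership Changes (Hourly)"
    contribution_to_alert: int   # percentage
    anomaly_value: float
    datasource: str
    time_detected: datetime
    username: str
    user_id: str
    operation_type: str
    operation_type_category: str
    result: str


def sort_alerts(alerts, by="severity"):
    """Order alerts as the User Risk Score panel does: by severity (default),
    newest first within a severity, or purely by date, newest first."""
    if by == "severity":
        def key(a):
            rank = SEVERITY_RANK.get(a.severity, len(SEVERITY_RANK))
            return (rank, -a.start_time.timestamp())
    elif by == "date":
        def key(a):
            return -a.start_time.timestamp()
    else:
        raise ValueError("by must be 'severity' or 'date'")
    return sorted(alerts, key=key)


def indicator_counts(indicators, alert_name):
    """Indicator names for one alert with the number of times each fired,
    as listed under the alert in the User Risk Score panel (most frequent first)."""
    counts = Counter(i.name for i in indicators if i.alert_name == alert_name)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def user_score(alerts):
    """Assumed for this example: the user score is the sum of alert contributions."""
    return sum(a.contribution for a in alerts)


# Constructed sample data for one user (not real product output).
ALERTS = [
    Alert("Mass Permission Changes", "Daily", "High", 20,
          ("Active Directory",), datetime(2018, 9, 10, 0, 0)),
    Alert("Abnormal Group Changes", "Hourly", "Critical", 25,
          ("Active Directory",), datetime(2018, 9, 9, 13, 0)),
    Alert("Non-Standard Hours Activity", "Hourly", "High", 15,
          ("Active Directory",), datetime(2018, 9, 11, 8, 0)),
]

INDICATORS = [
    Indicator("Mass Permission Changes", "Multiple Group Membership Changes (Hourly)",
              60, 12.0, "Active Directory", datetime(2018, 9, 10, 9, 5),
              "jdoe", "S-1-5-21-EXAMPLE-1001", "Member Added To Group",
              "GROUP_MEMBERSHIP", "Success"),
    Indicator("Mass Permission Changes", "Multiple Group Membership Changes (Hourly)",
              60, 9.0, "Active Directory", datetime(2018, 9, 10, 14, 20),
              "jdoe", "S-1-5-21-EXAMPLE-1001", "Member Added To Group",
              "GROUP_MEMBERSHIP", "Success"),
    Indicator("Mass Permission Changes", "Multiple Failed Authentications (Hourly)",
              40, 7.5, "Active Directory", datetime(2018, 9, 10, 8, 40),
              "jdoe", "S-1-5-21-EXAMPLE-1001", "Logon", "AUTHENTICATION", "Failure"),
]


if __name__ == "__main__":
    print("User score:", user_score(ALERTS))
    for alert in sort_alerts(ALERTS):
        print(alert.severity, alert.name, alert.start_time, f"+{alert.contribution}")
        for name, count in indicator_counts(INDICATORS, alert.name):
            print("   ", name, "x", count)
```

Running the script lists the Critical alert first, then the two High alerts newest first, and under each alert the indicator names with their counts, which is the layout an analyst sees in the User Risk Score panel.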
