View Modeled Behaviors

(From 11.5.1 and later) NetWitness UEBA Modeled Behavior provides analysts with visibility into all the activities of a user. These modeled behaviors are based on the log data leveraged by UEBA and are available a day after the UEBA service is configured and running. UEBA monitors abnormal user behaviors to identify risky users and this requires data to be processed for a certain period of time. However, modeled behaviors reflect all the activities of the user within a day of the service configuration.

For example, if a user fails multiple times by logging in with incorrect credentials within an hour, analysts can view these behaviors as Failed Authentications for the user.

- Modeled Behaviors are not applicable to network entities.
- By default, the sorting and data source options are disabled when there is no data available.

To view the Modeled Behaviors:

  1. Log into NetWitness Platform and click Users.
  2. Do one of the following:
    • In the Overview tab, under Top Risky Users panel, click on a username.
    • In the Entities tab, click on a username.
  3. Click the Modeled Behaviors tab, to view the Modeled Behaviors highlighted with a blue line in the left panel. The results can be sorted by the date or in alphabetical order.


  4. Select the data source from the drop-down according to your preference and filter the modeled behaviors:

    • Active Directory
    • File
    • Authentication
  5. Based on the data source you select, the following information is displayed on the right panel:
    • Data source name

    • Modeled Behavior description
    • A graph is displayed that contain details of a specific Modeled Behavior. You can view the modeled behaviors of a user for the last 30 days. The type of graph can vary, depending on the type of analysis performed by UEBA. The following figure is an example of a Modeled Behavior.

      Modeled behavior of a user

Reading an Indicator Chart

Note: In version 11.6 and later, the pie chart was replaced by the dotted chart.

An indicator chart is a pictorial illustration of the anomaly and baseline values of an entity that you want to further investigate.

The chart gives the Analyst a better insight of the indicator which in turn will help determine the next steps. The chart provides the analyst with the user’s baseline values over time to better understand the context of the anomaly.

To view an indicator chart,

  1. Log in to NetWitness Platform.
  2. Navigate to Users > Entities.
  3. Select the user you want to investigate.
    The following figure displays an alert for a user logged on to an abnormal host.
  4. In the Alert Flow section, select the Logon Attempts to Multiple Source Hosts.
  5. Click the + icon to expand and view the details.

Types of Charts

There are three main types of charts currently available.

Continuous Bar Chart

In this type of an indicator chart, the bar color differentiates the behavior by displaying a blue bar and a red bar. For example, the following figure displays in a span of 30-days the number of Active Directory changes made on a daily basis which are displayed by blue bars and indicates the baseline behavior.

The red bar indicates that the user has accessed a high number of files in a specific hour.


Another variation in the visualization of the chart is where you see an additional series of grey bars that represents the baseline values of the model. In this case, if the blue bars series is displayed, it depicts the specific entity trend that the anomaly is also a part of.

Dotted Chart

In the dotted indicator chart, the anomaly is displayed on top of the graph indicated by yellow color text and red color circle. The chart provides the analyst with the user’s baseline values over time to better understand the context of the anomaly. The additional values (apart from the anomaly value) depicted in the Y-axis, represent the baseline values and the total number of days they were observed for this specific entity.

Time Chart

The time indicator chart displays the time the user has accessed a particular information. For example, in the following figure, the user has accessed Active Directory at an abnormal time over the past 30 days. The regular working hours of the user are the baseline values and the anomaly value (the hour marked in red) indicates that this is an abnormal time for this user to make changes in AD.