Entities Tab

The Entities tab is a proactive threat hunting console. You can use behavioral filters to build use-case driven target lists, and to continuously monitor the environment for specific risky behavior patterns.

Workflow

Investigate Top Users and Alerts workflow diagram

What do you want to do?

User Role | I want to ... | Documentation
UEBA Analyst | View high-risk users or network entities*. | Identify High-Risk User or Network Entity
UEBA Analyst | View user or network entity based on alert type and indicator*. | Identify High-Risk User or Network Entity
UEBA Analyst | Begin an investigation of high-risk user or network entities. | Begin an Investigation of High-Risk User Or Network Entity
UEBA Analyst | Take action on high-risk users or network entities*. | Take Action on High-Risk User or Network Entity
UEBA Analyst | Export high-risk users or network entities*. | Export a list of High-Risk User or Network Entity
UEBA Analyst | Begin an investigation of critical alerts. | Investigate Top Alerts
UEBA Analyst | Investigate threat indicators. | Investigate Events

*You can complete the tasks here.

Quick Look

The following figure shows the Entities tab.

Users tab with callouts for each panel

The Users tab consists of the following panels:

1 Filters panel
2 Risk Indicator Panel
3 User or Entity List panel

Filters Panel

The Filters panel lists two pre-defined filters, with the number of users associated with each in parentheses, and the list of behavioral profiles that are saved as favorites.

Filter Type | Description
Saved Filter | Previously saved behavioral filters.
Entity Type | Entity type such as Users, JA3, and SSL.
Risky User or Network Entities | All user or network entities with a risk score greater than 0.
Watchlist User or Network Entities | All user or network entities that are currently flagged as Watched.
Severity | Severity type, such as critical, high, medium and low.
Alerts | Any of the existing alert types that describe the supported distinct use cases (Brute Force Attempt, Snooping User, Abnormal AD Change, Data Exfiltration).
Indicators | Any of the existing behavioral features modeled by NetWitness UEBA. This filter can also be used to target only alerts from a specific data source or application.
Reset | Reset the filter.
Save as | Save the filters as favorites.

Risk Indicator panel

The Risk Indicator panel provides a severity-based breakdown of the target user or network entities.

The following table describes the risk indicator panel elements.

Color | Severity
Red | Critical
Orange | High
Yellow | Medium
Green | Low

Entities List Panel

The Entities List panel lists all the user or network entities in your environment, along with each entity's score and the number of alerts associated with it.

The following table describes the Entities List panel elements.

User Data | Description
Username or Network entity name | The name of the user or network entity.
Score | The score of the user or network entity.
Number of alerts | The total number of alerts generated for the user or network entity.
Sort by | The Sort by drop-down menu allows you to select the sorting method for the list. The options are: Risk Score, Name, Alerts, Trending last 24 hours, and Trending last 7 days.
Export | Exports a list of all user or network entities and their scores in .csv file format.
Add All to Watchlist | Adds all user or network entities in the filtered view to the watchlist.
Search Entity | Searches for the user name or network entity that you type, and lets you select it from the displayed list of entries that match.