Entities TabEntities Tab
The Entities tab is a proactive threat hunting console. You can use behavioral filters to build use-case driven target lists, and to continuously monitor the environment for specific risky behavior patterns.
What do you want to do?
|User Role||I want to ...||Documentation|
View high-risk users or network entities*.
|Identify High-Risk User or Network Entity|
View user or network entity based on alert type and indicator*.
|UEBA Analyst||Begin an investigation of high-risk user or network entities.||Begin an Investigation of High-Risk User Or Network Entity|
Take action on high-risk users or network entities*.
|Take Action on High-Risk User or Network Entity|
|UEBA Analyst||Export high-risk users or network entities*.||Export a list of High-Risk User or Network Entity|
|UEBA Analyst||Begin an investigation of critical alerts.||Investigate Top Alerts|
|UEBA Analyst||Investigate threat indicators.||Investigate Events|
*You can complete the tasks here.
- Begin an Investigation of High-Risk User Or Network Entity
- Investigate Top Alerts
- Filter Alerts
- Investigate Events
- Export a list of High-Risk User or Network Entity
The following figure shows the Entities tab.
The Users tab consists of the following panels:
|2||Risk Indicator Panel|
|3||User or Entity List panel|
Filters Panel Filters Panel
The Filters panel lists two pre-defined filters, with the number of users associated with each in parentheses, and the list of behavioral profiles that are saved as favorites.
|Saved Filter||Previously saved behavioral filters.|
|Entity Type||Entity type such as Users, JA3, and SSL.|
|Risky User or Network Entities||All user or network entities with a risk score greater than 0.|
|Watchlist User or Network Entities||All user or network entities that are currently flagged as Watched.|
|Severity||Severity type, such as critical, high, medium and low.|
|Alerts||Any of the existing alert types that describe the supported distinct use cases (Brute Force Attempt, Snooping User, Abnormal AD Change, Data Exfiltration).|
|Indicators||Any of the existing behavioral features modeled by NetWitness UEBA. This filter can also be used to target only alerts from a specific data source or application.|
|Reset||Reset the filter.|
|Save as||Save the filters as favorites.|
Risk Indicator panelRisk Indicator panel
The Risk indicator provides a severity-based breakdown of the target user or network entities.
The following table describes the risk indicator panel elements.
Entities List PanelEntities List Panel
The Entities List panel displays the list of all the user or network entities in your environment along with the user or network entity score and number of alerts associated with the user or network entity.
The following table describes the Entities List panel elements.
Username or Network entity name
|The name of the user or network entity.|
|Score||The user or the network entity.|
|Number of alerts||The total number of alerts generated for the user or network entity.|
The Sort by drop-down menu allows you to select the sorting method for the list. The options are: Risk Score, Name, Alerts, Trending last 24 hours, and Trending last 7 days.
Export a list of all user or network entities and their scores in a .csv file format.
Add All to Watchlist
Adds all user or network entities in the filtered view to the watchlist.
Searches for a user name or a network entity that you typed, allows you to select it from the list that is displayed matching your entry.