1 - Understand the UEBA Alert Types

Provides information about the different alert types for users.

An Alert is an analyst notification created from a high-scoring batch of anomalies, which contains validated indicators of compromise. It is important that you review the following use cases, represented by their alert type and description, to gain an initial understanding of the related risky behavior of each use case.

Alert Type Table

Alert Type | Description
Mass Changes to Groups | An abnormal number of changes have been made to groups. Investigate which elements have been changed and decide if the changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Multiple Group Membership Changes indicator.
Multiple Failed Logons | In traditional password cracking attempts, the attacker tries to obtain a password through guesswork or by employing other low-tech methods to gain initial access. The attacker risks getting caught or being locked out by explicitly attempting to authenticate, but with some prior knowledge of the victim’s password history may be able to authenticate successfully. Look for additional abnormal indications that the account owner is not the one attempting to access this account. This activity is usually associated with the Multiple Failed Authentications indicator.
User Logon to Abnormal Host | Attackers often need to reacquire credentials and perform other sensitive activities, like using remote access. Tracing the access chain backwards may lead to the discovery of other computers involved in possibly risky activity. Whether an attacker’s presence is limited to a single compromised host or extends to many compromised hosts, this activity can be associated with the Abnormal Computer indicator.
Snooping User | Snooping is unauthorized access to another person’s or company’s data. Snooping can be as simple as the casual observance of an e-mail on another’s computer or watching what someone else is typing. More sophisticated snooping uses software programs to remotely monitor activity on a computer or network device. This activity can be associated with the Multiple File Access Events, Multiple Failed File Access Events, Multiple File Open Events, and Multiple Folder Open Events indicators.
Multiple Logons by User | All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. When an account is used for unusual activities, for example, authenticating an unusual number of times, the account may have been compromised. This activity can be associated with the Multiple Successful Authentications indicator.
User Logon to Multiple Hosts | Attackers typically need to reacquire credentials periodically. This is because their keychain of stolen credentials naturally degrades over time, due to password changes and resets. Therefore, attackers frequently maintain a foothold in the compromised organization by installing backdoors and maintaining credentials from many computers in the environment. This activity can be associated with the Logged onto Multiple Computers indicator.
Mass Permission Changes | Some credential theft techniques, for example, Pass-the-Hash, use an iterative, two-stage process. First, an attacker obtains elevated read-write permission to privileged areas of volatile memory and file systems, which are typically accessible only to system-level processes, on at least one computer. Second, the attacker attempts to increase access to other computers on the network. Investigate if abnormal permission changes have taken place on the file systems to ensure that they were not compromised by an attacker. This activity can be associated with the Multiple File Access Permission Changes, Multiple Failed File Access Permission Changes, and Abnormal File Access Permission Change indicators.
Abnormal Active Directory (AD) Changes | If an attacker gains highly privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire forest. If a single domain controller is compromised and an attacker modifies the AD database, those modifications replicate to every other domain controller in the domain and, depending on the partition in which the modifications are made, to the forest as well. Investigate abnormal changes conducted by admins and non-admins in AD to determine if they represent a possible true compromise of the domain. This activity can be associated with the Abnormal Active Directory Change, Multiple Account Management Changes, Multiple User Account Management Changes, and Multiple Failed Account Management Changes indicators.
Sensitive User Status Changes | A domain or enterprise administrator account has the default ability to exercise control over all resources in a domain, regardless of whether it operates with malicious or benign intent. This control includes the ability to create and change accounts; read, write, or delete data; install or alter applications; and erase operating systems. Some of these activities are triggered organically as part of the account’s natural life cycle. Investigate these security-sensitive user account changes and determine whether the account has been compromised. This activity can be associated with the User Account Enabled, User Account Disabled, User Account Unlocked, User Account Type Changed, User Account Locked, User Password Never Expires Option Changed, User Password Changed by Non-Owner, and User Password Change indicators.
Abnormal File Access | Monitor for abnormal file access to prevent improper access to confidential files and theft of sensitive data. By selectively monitoring file views, modifications, and deletions, you can detect possibly unauthorized changes to sensitive files, whether caused by an attack or a change management error. This activity can be associated with the Abnormal File Access Event and Multiple File Delete Events indicators.
Non-Standard Hours | All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. For example, unusual activity such as multiple authentication events in an account may indicate that the account has been compromised. You can check whether the account has been taken over by an external actor by determining the time of the abnormal activity. This activity can be associated with the Abnormal File Access Time, Abnormal Active Directory Change Time, and Abnormal Logon Time indicators.
Multiple Failed Authentications - External Access | As organizations increase their reliance on external authentication infrastructures, attackers may attempt to leverage these infrastructures to their advantage. Brute force techniques as well as more traditional password cracking methods like guesswork can be utilized to gain initial access. These activities can be associated with the Multiple Failed Azure AD Authentications and Multiple Failed VPN Authentications indicators.
Abnormal Country | As organizations increase their reliance on external authentication infrastructures, attackers may attempt to leverage these infrastructures to their advantage. When devices or accounts are compromised or when credentials are wrongly shared, attackers may utilize them to gain initial access from an abnormal location. These activities can be associated with the Abnormal Azure AD Logon Country and Abnormal VPN Logon Country indicators.
Snooping User - Cloud Service Account | Snooping is unauthorized access to company data or data belonging to another person. Snooping can be as simple as the casual observance of an email on another person’s computer. More sophisticated snooping uses software programs to remotely monitor activity on a computer or a cloud service account. This activity can be associated with the Azure AD - Logon Attempts to Multiple Applications indicator.
Abnormal Remote Application | Attackers may leverage compromised account details or devices to access remote applications that genuine end users do not frequently access, in order to collect and even exfiltrate sensitive information. This activity can be associated with the Azure AD - Abnormal Application indicator.
Admin Password Change | Shared long-term secrets, for example, privileged account passwords, are frequently used to access anything from print servers to domain controllers. To contain attackers that seek to leverage these accounts, pay close attention to password changes by admins, and ensure they have been made by trusted parties and have no additional abnormal behavior associated with them. This activity can be associated with the Admin Password Change indicator.
User Logins to Multiple AD Sites | Domain controllers store credential password hashes for all accounts on the domain, so they are high-value targets for attackers. Domain controllers that are not stringently updated and secured are susceptible to attack and compromise, which could leave the domain vulnerable. User privileges on multiple domains could indicate that a parent domain has been compromised. Determine if user access to and from multiple sites is legitimate or is an indication of a potential compromise. This activity is usually associated with the Logged into Multiple Domains indicator.
Elevated Privileges Granted | Elevated account privileges have been delegated to a user. Attackers often use regular user accounts, granting them elevated privileges, to exploit the network. Investigate the user that received the elevated privileges, and decide if these changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Nested Member Added to Critical Enterprise Group and Member Added to Critical Enterprise Group indicators.
Data Exfiltration | Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various techniques, typically by cyber criminals over the Internet or another network. This activity can be associated with the Excessive Number of File Rename Events, Excessive Number of Files Moved from File System, and Excessive Number of Files Moved to File System indicators.
Credential Dumping | Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Discovery & Reconnaissance | Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When attackers gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
PowerShell & Scripting | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Attackers can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer.
Registry Run Keys & Start Folder | Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. The program will be executed under the context of the user and will have the account’s associated permissions level. Attackers can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Attackers may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Process Injection | Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. This activity can be associated with the Abnormal Process Created a Remote Thread in a Windows Process indicator.

2 - Understand the UEBA Indicator Types

Provides information about the different indicators that are generated for UEBA.

An Indicator is a validated anomaly, which is different from the typical or baseline behavior of the user. The following tables list indicators that display in the user interface when a potentially malicious activity is detected for users.

Indicator | Alert Type | Description
Abnormal File Access | Non-Standard Hours | A user has accessed a file at an abnormal time.
Abnormal File Access Permission Change | Mass Permission Changes | A user changed multiple share permissions.
Abnormal File Access Event | Abnormal File Access | A user has accessed a file abnormally.
Multiple File Access Permission Changes | Mass Permission Changes | A user changed multiple file share permissions.
Multiple File Access Events | Snooping User | A user accessed multiple files.
Multiple Failed File Access Events | Snooping User | A user failed multiple times to access a file.
Multiple File Open Events | Snooping User | A user opened multiple files.
Multiple Folder Open Events | Snooping User | A user opened multiple folders.
Multiple File Delete Events | Abnormal File Access | A user deleted multiple files.
Multiple Failed File Access Permission Changes | Mass Permission Changes | A user failed multiple attempts to change file access permissions.

Indicator | Alert Type | Description
Abnormal Active Directory Change Time | Non-Standard Hours | A user made Active Directory changes at an abnormal time.
Abnormal Active Directory Object Change | Abnormal AD Changes | A user made Active Directory attribute changes abnormally.
Multiple Group Membership Changes | Mass Changes to Groups | A user made multiple changes to groups successfully.
Multiple Active Directory Object Changes | Abnormal AD Changes | A user made multiple Active Directory changes successfully.
Multiple User Account Changes | Abnormal AD Changes | A user made multiple sensitive Active Directory changes successfully.
Multiple Failed Account Changes | Abnormal AD Changes | A user failed to make multiple Active Directory changes.
Admin Password Changed | Admin Password Change | The password of an admin was changed.
User Account Enabled | Sensitive User Status Changes | An account of a user was enabled.
User Account Disabled | Sensitive User Status Changes | An account of a user was disabled.
User Account Unlocked | Sensitive User Status Changes | An account of a user was unlocked.
User Account Type Changed | Sensitive User Status Changes | The type of a user account was changed.
User Account Locked | Sensitive User Status Changes | An account of a user was locked.
User Password Reset | Sensitive User Status Changes | The password of a user was reset.
User Password Never Expires Option Changed | Sensitive User Status Changes | The password policy of a user was changed.

Indicator | Alert Type | Description
Abnormal Remote Host | Logon to Abnormal Remote Host | A user attempted to access a remote computer abnormally.
Abnormal Logon Time | Non-Standard Hours | A user logged on at an abnormal time.
Abnormal Host | User Logon to Abnormal Host | A user attempted to access a host abnormally.
Multiple Successful Authentications | Multiple Logons by User | A user logged on multiple times.
Multiple Failed Authentications | Multiple Failed Logons | A user failed multiple authentication attempts.
Logon Attempts to Multiple Source Hosts | User Logged into Multiple Hosts | A user attempted to log on from multiple computers.
Abnormal VPN Logon Time | Non-Standard Hours | A user has logged on at an abnormal time.
Abnormal VPN Logon Country* | Abnormal Logon Country | A user attempted to establish VPN access from an abnormal country.
Multiple Failed VPN Authentications | Multiple Failed VPN Logons | A user failed multiple times to authenticate for VPN access.
Abnormal Azure AD Logon Time | Non-Standard Hours | A user has logged on at an abnormal time.
Abnormal Azure AD Logon Country* | Abnormal Logon Country | A user attempted to access Azure AD from an abnormal country.
Multiple Failed Azure AD Authentications | Multiple Failed Logons | A user failed multiple times to authenticate to Azure AD.
Azure AD - Abnormal Application | Abnormal Remote Application | A user attempted to log on to an abnormal number of applications through Azure AD.
Azure AD - Logon Attempts to Multiple Applications | Snooping User - Cloud Service Account | A user attempted to log on to multiple applications through Azure AD.

Note

*For Abnormal Azure AD Logon Country, it is recommended to dynamically update the GeoIP repository to obtain optimal results.

Indicator | Alert Type | Description
Abnormal Process Created a Remote Thread in LSASS | Credential Dumping | An abnormal process created a remote thread in the LSASS process.
Abnormal Reconnaissance Tool Executed | Discovery and Reconnaissance | An abnormal process was executed.
Abnormal Process Executed a Scripting Tool | PowerShell and Scripting | An abnormal process executed a scripting tool.
Abnormal Process Executed a Scripting Tool | PowerShell and Scripting | An abnormal process was triggered by a scripting tool.
Scripting Tool Triggered an Abnormal Application | PowerShell and Scripting | An abnormal process was opened by a scripting tool.
Abnormal Process Created a Remote Thread in a Windows Process | PowerShell and Scripting | An abnormal process was injected into a known Windows process.
Multiple Distinct Reconnaissance Tools Executed | Discovery and Reconnaissance | Multiple reconnaissance tools were executed in an hour.
Multiple Reconnaissance Tool Activities Executed | Discovery and Reconnaissance | Multiple reconnaissance tool activities were executed in an hour.
User Ran an Abnormal Process to Execute a Scripting Tool | PowerShell / Scripting | An abnormal process executed a scripting tool.
User Ran a Scripting Tool that Triggered an Abnormal Application | PowerShell / Scripting | A scripting tool was executed that triggered an abnormal application.
User Ran a Scripting Tool to Open an Abnormal Process | PowerShell / Scripting | A scripting tool was executed to open an abnormal process.

Indicator | Alert Type | Description
Abnormal Process Modified a Registry Key Group | Registry Run Keys | An abnormal process modified a service registry key.
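
The two definitions above (an Indicator is a validated deviation from a user's baseline; an Alert is a high-scoring batch of such indicators) can be shown end to end with a small pipeline. The following is an added example, not NetWitness code: it learns a per-user baseline from constructed logon records, raises two of the indicators listed in the tables (Multiple Failed Authentications and Abnormal Logon Time, mapped to their alert types as the tables give them), and only promotes a user's batch of indicators to an alert when its score clears a threshold. The indicator weights, the alert threshold, the three-sigma rule and the "last day is scored against earlier days" convention are all assumptions of the example.

```python
# Toy UEBA pipeline: per-user baseline -> validated indicators -> scored alert batches.
# Added example, not NetWitness code; weights, thresholds and sample data are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicator -> alert type, taken from the indicator tables on this page (subset).
INDICATOR_ALERT_TYPE = {
    "Multiple Failed Authentications": "Multiple Failed Logons",
    "Abnormal Logon Time": "Non-Standard Hours",
}
INDICATOR_SCORE = {"Multiple Failed Authentications": 30, "Abnormal Logon Time": 25}
ALERT_THRESHOLD = 50  # minimum batch score that turns anomalies into an alert (assumed)
MIN_COUNT = 5         # a count anomaly needs at least this many events to be "multiple"

# Constructed sample log (user,timestamp,outcome); the last day is scored against earlier days.
SAMPLE_LOG = """\
alice,2024-03-01T09:02:00,success
alice,2024-03-02T14:20:00,success
alice,2024-03-03T09:15:00,failure
alice,2024-03-03T09:16:00,success
alice,2024-03-04T03:10:00,failure
alice,2024-03-04T03:11:00,failure
alice,2024-03-04T03:12:00,failure
alice,2024-03-04T03:13:00,failure
alice,2024-03-04T03:14:00,failure
alice,2024-03-04T03:16:00,success
bob,2024-03-01T09:30:00,success
bob,2024-03-02T09:40:00,failure
bob,2024-03-03T10:05:00,success
bob,2024-03-04T09:35:00,failure
bob,2024-03-04T09:36:00,success
carol,2024-03-01T08:00:00,success
carol,2024-03-02T08:30:00,success
carol,2024-03-04T23:45:00,success
"""


def parse_log(text):
    """Parse 'user,iso-timestamp,outcome' lines into (user, datetime, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        user, ts, outcome = line.split(",")
        events.append((user, datetime.fromisoformat(ts), outcome))
    return events


def build_profiles(events, score_day):
    """Baseline per user from days before score_day: failures per day and logon hours seen."""
    failures = defaultdict(lambda: defaultdict(int))  # user -> day -> failed logons
    hours = defaultdict(set)                           # user -> hours with a successful logon
    for user, ts, outcome in events:
        if ts.date() >= score_day:
            continue
        failures[user][ts.date()] += 1 if outcome == "failure" else 0  # registers the day
        if outcome == "success":
            hours[user].add(ts.hour)
    return {u: {"failures": list(d.values()), "hours": hours[u]} for u, d in failures.items()}


def count_is_abnormal(count, history):
    """Validated anomaly: well above the baseline mean (3 sigma) and large enough to matter."""
    return bool(history) and count >= MIN_COUNT and count > mean(history) + 3 * pstdev(history)


def detect_indicators(events, profiles, score_day):
    """Indicators per user on score_day; users without a baseline yield nothing."""
    failed = defaultdict(int)
    odd_hours = defaultdict(set)
    for user, ts, outcome in events:
        if ts.date() != score_day or user not in profiles:
            continue
        if outcome == "failure":
            failed[user] += 1
        elif ts.hour not in profiles[user]["hours"]:
            odd_hours[user].add(ts.hour)  # successful logon at an hour never seen before
    indicators = defaultdict(list)
    for user in profiles:
        if count_is_abnormal(failed[user], profiles[user]["failures"]):
            indicators[user].append("Multiple Failed Authentications")
        if odd_hours[user]:
            indicators[user].append("Abnormal Logon Time")
    return dict(indicators)


def build_alerts(indicators):
    """Batch each user's indicators; only a high-scoring batch becomes an alert."""
    alerts = []
    for user, names in sorted(indicators.items()):
        score = sum(INDICATOR_SCORE[n] for n in names)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": user, "score": score, "indicators": names,
                           "alert_types": sorted({INDICATOR_ALERT_TYPE[n] for n in names})})
    return alerts


def run_pipeline(log_text=SAMPLE_LOG):
    """Return (indicators per user, alerts) for the most recent day in the log."""
    events = parse_log(log_text)
    score_day = max(ts.date() for _, ts, _ in events)
    profiles = build_profiles(events, score_day)
    indicators = detect_indicators(events, profiles, score_day)
    return indicators, build_alerts(indicators)
```

Calling run_pipeline() on the constructed data raises two indicators for alice (a burst of failed logons followed by a success at 03:00, an hour she never used before) and one for carol; only alice's batch reaches the threshold, so carol's single anomaly stays an indicator without an alert.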

3 - What is Happening now in your Organization

Provides information about what is happening now in your organization.

Workflow Overview

The Users Overview view shows what is happening in your environment at a glance. NetWitness UEBA enables you to quickly determine potential malicious activity, investigate it further, detect anomalies, and take action.

[Image: overview of potential malicious activity]

Top Risky Users

This view lists the top ten users, which are the ten users with the highest user risk scores. The circled user has a high score and severity. Compare the scores and see if any user scores have increased since the previous day. Also, investigate users with critical alerts.

the list of the top risky users

Use Case Scenario

In the above example, Levi Thomas has a user score of 132, which is over 100, and 3 critical alerts. Charlie Martin has a user score of 80, which is not over 100, but Charlie has 4 critical alerts. (All of the top ten users listed show +0 next to their score, so the scores did not increase since yesterday.) In the Top Alerts panel, look at the top alerts for Users in the last 24 hours, or a longer time period if you do not see any alerts.

  1. Check the alerts by severity level, starting with the critical alerts. What type of alerts are they? Which users are associated with the alerts?
  2. Check for alerts with a high number of indicators (anomalies).
  3. To view the specific indicators associated with an alert, hover over the number of indicators listed.

Alerts View

In this example, the Top Alerts panel shows four Snooping User critical alerts for user Charlie Martin in the last 3 months. Hovering over “3 indicators” for one of the alerts shows the names of the indicators of compromise in the alert: Multiple File Access Events, Multiple File Delete Events, and Abnormal File Access Event.

In the above example, user Charlie Martin has one critical Snooping User alert containing 3 indicators in the last 3 months.

alert panel shows the critical alerts

Severity View

In the Alerts Severity panel, look at when the critical alerts happened in the last three months. In this example, the majority of the alerts in the last three months occurred on the same day.

to know more about the critical alerts

All Alerts View

If you click on this day, it opens the Alerts view, where you can drill down into the alerts from the selected day.

know more about the alerts from a selected day

Snooping Alerts

If you go back to the Top Risky Users panel (Users > Overview), you can drill further into the alerts listed for each of the top risky users. For example, Charlie’s user profile shows Snooping User alerts and provides details of multiple files accessed and deleted.

know more about the top risky alerts

Data Retention

NetWitness retains any inactive users with no incoming data for six months. NetWitness removes the user’s data and any associated alerts from the system after six months.

See also

4 - Read an Indicator Chart

Provides information about how to read an Indicator Chart.

Note

To view the dotted chart and display the data optimally, the on-premises version must be upgraded to version 11.6 or later.

An indicator chart is a pictorial illustration of the anomaly and baseline values of an entity that you want to investigate further. The chart gives the analyst better insight into the indicator, which in turn helps determine the next steps. The chart provides the analyst with the user’s baseline values over time to better understand the context of the anomaly.

To view an indicator chart

  1. Log in to NetWitness Platform.

  2. Go to Users > Entities.

  3. Select the user you want to investigate. The following figure displays an alert for a user logged on to an abnormal host.

    how to view an indicator chart

  4. In the Alert Flow section, select the Multiple Logon by User.

  5. Click the + icon to expand and view the details.

    how to view the chart details

Type of Charts

There are three main types of charts currently available.

Continuous Bar Chart

In this type of indicator chart, the bar color differentiates the behavior: blue bars and a red bar. For example, the following figure displays, over a span of 30 days, the number of files a Snooping User attempted to access in an hour. The blue bars indicate the baseline behavior. The red bar indicates that the user accessed a high number of files in a specific hour.

Another variation of the chart is one with an additional series of grey bars that represents the baseline values of the model. In this case, if the blue bar series is displayed, it depicts the trend of the specific entity that the anomaly is also a part of.

Dotted Chart

In the dotted indicator chart, the anomaly is displayed at the top of the graph, indicated by yellow text and a red circle. The chart provides the analyst with the user’s baseline values over time to better understand the context of the anomaly. The additional values (apart from the anomaly value) on the Y-axis represent the baseline values and the total number of days they were observed for this specific entity.

Time Chart

The time indicator chart displays the times at which the user accessed particular information. For example, in the following figure, the user accessed Active Directory at an abnormal time over the past 30 days. It displays the aggregate time spent on each day between 8.00 and 16.00. The baseline values are displayed with the regular working hours of the user, and the anomaly value (the hour marked in red) indicates that this is an abnormal time for this user to make changes in AD.

See also

5 - Identify all Risky Users

Provides information about how to identify all risky users.
  1. Go to Users > Entities.

    The users list in the Entities view shows all the users monitored by SIEM Analytics. Risky users are users with a risk score greater than 0. Risky users display abnormal behavior and can potentially compromise your organization.

  2. For each user of interest, click the user in the list to open the user’s profile. To investigate a user and drill further into the user behavior detail, see Identify the Top Risky Users.

See also

6 - Reduce User Risk Score

Provides information about how to reduce the risk score.

If an alert is not a risk, you can mark it so that the user score is automatically reduced.

  1. Log in to NetWitness Platform and click Users.

  2. In the Overview tab, under Top Risky Users panel, click on a username.

    The User Profile view is displayed.

  3. Select the alert and click Not a Risk.

    how to reduce the User Risk Score

See also

7 - Identify Top Risky Users

Provides information about how to identify top risky users.

All users in your organization can be analyzed for abnormal user activities and assigned a user risk score. Users with high scores either have multiple alerts associated with them or have high-severity alerts associated with them. These scores and alerts enable you to quickly identify high-risk users so that you can investigate their abnormal activities in your environment.

The top risky users are the users with the highest risk scores. A large number of alerts and high-severity alerts contribute to the score.

  1. Go to Users > Overview and in the Users tab, look at the Top Risky Users panel on the left.

    How to find top risky users panel

  2. Look at the Top Risky Users, which are the top ten users with the highest risk scores.

    a. Look for high user scores marked with critical or high severity.

    b. Check if any user scores increased since yesterday. If you see +0, there was no increase since yesterday.

    c. Look for users with critical (red band) alerts.

    find out the users with critical alerts

In this example, Levi has a high user score of 112 and 2 critical alerts. Levi also has 2 high, 3 medium, and 12 low severity alerts. Charlie has a user score of 80, lower than Levi’s, but also has 4 critical alerts. Looking at this information, it would be a good idea to investigate the activities of both of these risky users further.

  1. Hover over the number of alerts associated with the risky users to quickly see the severity levels of the alerts associated with the users. In this example, you can see that Levi has 2 critical, 2 high, 3 medium, and 12 low severity alerts.

    find out the severity levels of the alerts associated with the users

  2. You can click a risky user of interest in the list to open the user’s profile.

    click risky user to open the user profile

    The user profile enables you to access detailed information on the anomalous behavior of the user, including the alerts associated with them and the indicators that generated those alerts.

    how to get access to find out the detailed information of an anomalous behavior

  3. See Investigate a Risky User to investigate the user and drill further into the user behavior details.

    check investigate a risky user to know more about the user behavior details

See also

8 - View Contextual Information for Users

Provides information about viewing Contextual information for users.

Analysts can view contextual information about users on the NetWitness Users page. This will enable analysts to make better decisions and take appropriate action during their analysis. A single page containing Users and contextual information helps analysts to prioritize and identify areas of interest. The Context Lookup panel displays contextual information for the selected users. The data available depends on the configured sources in the Context Hub.

Note

Contextual Information is not applicable to network entities.

Note

The contexthub-server.contextlookup.read permission is enabled only for Administrators, Analysts, Malware Analysts, SOC Managers and Respond Administrators. Administrators can enable this permission for other roles in the Users view to view context lookup for users and perform the Add/Remove from List actions. For more information, see the “Role Permissions” topic in the System Security and User Management Guide.

Prerequisites

  • Ensure that the NetWitness Platform version is 12.3 or later.
  • Ensure that the Context Hub service is configured.

To view contextual information for users

  1. Log in to NetWitness Platform.

  2. Go to Users > Overview.

  3. Do one of the following:

    • In the Overview tab, under the Top Risky Users panel, click on a username.
    • In the Entities tab, click on a username. The User Profile view is displayed.

      how to view the contextual information for users

  4. Click the admin icon next to the username to open the user context panel.

    A Context Highlights dialog appears with a quick summary of the type of context data that is available for the selected user.

    how to view the contextual information for users

    The information in the Context Highlights section helps you to determine the actions that you would like to take. It can show related data for Incidents, Alerts, Lists, and Threat Intelligence (TI). Depending on your data, you may be able to click these items for more information. The above example shows that the user Akiko Sakamoto has 1 related Respond Incident, 28 Respond Alerts, 2 Lists, and 0 for TI. For more information, see the Context Hub Configuration Guide.

    The other available actions the analysts can perform are Context Lookup, Add/Remove from List, and Pivot to Investigate:

    • Context Lookup: The Context Lookup panel opens from the right side of the browser window, and the Context Lookup panel for Active Directory displays all the related information, incidents, and alerts for a user. For more information on configuring Active Directory as the data source, see the Configure Active Directory as a Data Source topic in the Context Hub Configuration Guide.

    • Pivot to Investigate: For a more thorough investigation of user activities and related events, click Pivot to Investigate, and the Events view opens, which enables you to perform a deeper dive investigation.

    • Add/Remove from List: You can create custom lists and add users, which can be used to track users who have been identified as threats or to highlight accounts of particular interest. You can also remove users from the list. This ensures that analysts focus on real threats and reduces the number of false positives that do not need further investigation.

See also

9 - Investigate Events

Provides information about how to investigate events.

You can view all alerts and indicators associated with a user in the User Profile view. In the events table, you can find the events that contributed to a specific indicator for a specific user. You can investigate events further by clicking a username, which pivots to Investigate > Events. In the Events view, you can see the list of events that occurred on that day for the specific user. By default, the time range is set to one hour. You can change the time range.

To Investigate Events

  1. Go to Users > Alerts.

  2. Under Filters, select the Entity Type as Users. The Alerts are displayed, along with the anomaly value, data source, and start time.

    how to investigate events in the user profile view

  3. Click an alert name, and under Alert Flow, click the + icon.

    A graph is displayed that shows details about a specific indicator, including the timeline in which the anomaly occurred and the user associated with the indicator. The following figure shows an example of a graph. The type of graph can vary, depending on the type of analysis performed by NetWitness.

    to know more about a specific indicator

See also

Understand the UEBA Alert Types

10 - Save a Behavioral Profile

Provides information about how to monitor user behavior and use advanced analytics to detect anomalies and risky behaviors in your environment.

The combination of the alert types and indicators you select during the forensic investigation is a behavioral profile. You can save the behavioral profile so that you can monitor this use case in the future. For example, if a user in your organization attempted to log in and failed multiple times, you can select filters using the Multiple Failed Authentications alert type. This can be saved as a favorite. You can then proactively monitor for future brute force attempts: click the favorite to see if new users were subjected to this type of attack.

To save a behavioral profile

  1. Log in to the NetWitness Platform and click Users.

    The Overview tab is displayed.

  2. Click the Entities tab.

  3. In the Filters panel, select the alert in the Alerts drop-down and Indicators in the Indicators drop-down.

    how to save a behavioral profile

See also

Watch a Profile

11 - Watch a Profile

Provides information about how to watch a profile.

The watch user profile is a list of users that you want to monitor for potential threats. Watching a user profile marks the user so that they can be quickly referenced on the dashboard. This is essentially a bookmark for monitoring suspicious users.

To watch a user profile

  1. Log in to the NetWitness Platform and click Users.

  2. In the Overview tab, under the Top Risky Users panel, click a username.

  3. Click Watch Profile.

    The user is added to the watchlist.

    how to watch a user profile

See also

Save a Behavioral Profile

12 - Export a List of High-risk Users

Provides information about how to export a list of high-risk users.

You can export a list of all users and their scores in .csv file format. You can use this information in other data analysis tools such as Tableau, Power BI, and Zeppelin.

  1. Log in to NetWitness Platform and click Users.

    The Overview tab is displayed.

  2. Click the Entities tab.

  3. Click Export.

    how to export the list of high-risk users
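As an added example (not part of the NetWitness documentation), the following Python script shows one way to work with two daily exports of the users list once they are downloaded: it ranks the top risky users the way the Top Risky Users panel does and computes the change since the previous day's export. It assumes the export has `username` and `score` columns; the column names in the real export may differ, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports (not real NetWitness data). The column names
# "username" and "score" are assumptions; check the header of your own export.
YESTERDAY_CSV = """username,score
Levi Thomas,112
Charlie Martin,80
Akiko Sakamoto,35
Dana Reyes,0
"""
TODAY_CSV = """username,score
Levi Thomas,132
Charlie Martin,80
Akiko Sakamoto,41
Dana Reyes,0
Omar Haddad,12
"""

# The Overview example calls out a user score that is over 100.
HIGH_SCORE_THRESHOLD = 100


def load_scores(csv_text):
    """Parse an export into {username: score}; rows without a numeric score are skipped."""
    scores = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            scores[row["username"].strip()] = int(row["score"])
        except (KeyError, ValueError):
            continue
    return scores


def risky_users(scores):
    """Risky users are users with a risk score greater than 0, as the Entities view defines them."""
    return {user: score for user, score in scores.items() if score > 0}


def top_risky_users(today, yesterday, limit=10):
    """Return up to `limit` risky users as (username, score, delta_since_yesterday, is_high).

    Users are ranked by score, highest first (ties broken by name). A user that is
    absent from yesterday's export is treated as having had a score of 0.
    """
    ranked = sorted(risky_users(today).items(), key=lambda kv: (-kv[1], kv[0]))
    result = []
    for user, score in ranked[:limit]:
        delta = score - yesterday.get(user, 0)
        result.append((user, score, delta, score > HIGH_SCORE_THRESHOLD))
    return result


def format_delta(delta):
    """Render the change the way the panel does: +0 means no increase since yesterday."""
    return f"+{delta}" if delta >= 0 else str(delta)


if __name__ == "__main__":
    today = load_scores(TODAY_CSV)
    yesterday = load_scores(YESTERDAY_CSV)
    for user, score, delta, high in top_risky_users(today, yesterday):
        flag = " (over 100)" if high else ""
        print(f"{user:<16} {score:>4} {format_delta(delta):>5}{flag}")
```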

See also

13 - View the Usual Behavior of a User

Provides information about how to view the usual behavior of a user.

NetWitness UEBA Modeled Behavior provides analysts with visibility into the usual activities of users monitored by UEBA. These modeled behaviors are based on the log data leveraged by UEBA and are available a day after the UEBA service is configured. UEBA monitors abnormal user behaviors to identify risky users, and this requires data to be processed for a certain period of time. However, Modeled Behaviors reflect the activities of the user within a day of the service configuration. For example, if a user fails to log in multiple times within an hour because of incorrect credentials, analysts can view these behaviors as Failed Authentications for the user.

To view the Modeled Behaviors

  1. Log in to NetWitness Platform and click Users.
  2. In the Overview tab, under Top Risky Users panel, click a username.
  3. Click Modeled Behaviors to view the Modeled Behaviors, highlighted with a blue line in the left panel. The results can be sorted by date or in alphabetical order.
    how to view the modeled behaviors

See also

14 - Check the Activity of a Specific User

Provides information about checking the activity of a specific user.

You can view all alerts and indicators associated with a user in the User Profile view. In the events table, you can find the events that contributed to a specific indicator for a specific user. You can investigate events further by clicking a username, which pivots to Investigate > Events. In the Events view, you can see the list of events that occurred on that day for the specific user. By default, the time range is set to one hour. You can change the time range.

To check the activities of a specific user

  1. Log in to NetWitness Platform and go to Users > Alerts.
  2. Under Filters, click Users.
  3. Select a specific user.
    how to view the modeled behaviors for users

See also

15 - Filter Users for Investigation

Provides information about how to filter users for investigation.

In the Entities tab, you can use Alert Types and Indicators, which are behavioral filters, to view high-risk users. The behavioral profile is saved and displayed in the Favorites panel. You can click the profile in Favorites to monitor the users.

To view users for investigation

  1. Log in to NetWitness Platform.

  2. Go to Users > Entities.

    The Overview tab is displayed.

  3. Click the Entities tab.

  4. To create a behavioral filter using alert types, select one or more alerts in the Alerts drop-down list.

  5. To create a behavioral filter using indicators, select one or more indicators in the Indicators drop-down list.

    Apply filter to view users for investigation

See also

16 - Identify Critical Alerts

Provides information about identifying the critical alerts.

Anomalies found in incoming events are compared to the baseline and compiled into hourly alerts. Relatively strong deviations from the baseline, together with a unique composition of anomalies, are more likely to receive a higher alert score. You can quickly view the most critical alerts in your environment and start investigating them from either the Overview tab or the Alerts tab. The following figure is an example of top alerts in the Overview tab. The alerts are listed in order of severity and the number of indicators that generated the alerts.

how to identify critical alerts

Here you can quickly view all the critical alerts, filter them based on date range and criticality in your environment, and start investigation.

To identify such alerts

  1. Log in to NetWitness Platform.

  2. Go to Users > Alerts.

    The Alerts tab displays all the critical alerts.

  3. In the filters panel, do the following:

    • In the Severity drop-down, select Critical.
    • In the Date Range drop-down, select the date range. The options are Last 24 Hours, Last 7 Days, Last 1 Month, and Last 3 Months. By default, alerts from the last 3 months are displayed.
    • If you want to set a unique date range, select Custom Date under Date Range and specify the Start Date and End Date that you want to investigate. The alerts are displayed in the right panel according to the filter you selected.

See also

17 - Investigate Alerts

Provides information about how to investigate alerts.
  1. Log in to NetWitness Platform and go to Users.

    The Overview tab is displayed.

  2. In the Overview tab, look at Alert Severity panel. Is there an even distribution of alerts or are there a few days when there was a noticeable spike? A spike could indicate something suspicious like malware. Make a note of those days so you can inspect the alerts (the bar from the chart links directly to the alerts for that specific day).

  3. Click the Critical Alerts date range.

    How to access NetWitness UEBA

    The Alerts tab is displayed.

    check the alert tabs to view alerts data range

  4. In the Alerts tab, you can view the indicator count to identify users with the highest number of alerts. More indicators provide more insight and a firmer timeline that you can follow:

    • Expand the top alerts in the list.
    • Look for alerts that have varied data sources. These show a broader pattern of behavior.
    • Look for a variety of different indicators.
    • Look for indicators with high numeric values, specifically for high values that are not indicative of a manual activity (for example, a user accessed 8,000 files).
    • Look for unique Windows event types that users do not typically change as these can indicate suspicious administrative activity.
  5. Search by indicators. The list shows the number of alerts raised that contain each indicator.

    • Look for the top volume indicators; filter by an indicator and review by user to find users who experienced the highest number of these indicators.
    • In general, as they are common time-based alerts (for example, Abnormal Logon Time), they can provide good context when combined with higher interest indicators.
  6. Drill into more detail:

    identify users with highest number of alerts

    • Leverage alert names to begin establishing a threat narrative. Use the strongest contributing indicator that usually determines the alert’s name to begin explaining why this user is flagged.
    • Use the timeline to lay out the activities found and try to understand the observed behaviors.
    • Follow up by reviewing each indicator and demonstrating the supporting information, in the form of graphs and events, that can help you verify an incident. Suggest possible next stages of investigation using external resources (for example, SIEM, network forensics, and directly reaching out to the user, or a managing director).

See also

18 - Save a Behavioral Filter

Provides information about saving a filter.

You can save a behavioral filter for future investigations and avoid entering the details every time. The behavioral profile is saved and displayed in the Favorites panel. You can click the profile in Favorites to monitor the users.

To save a filter

  1. Log in to the NetWitness Platform.

  2. Go to Users > Entities.

    The Overview tab is displayed.

  3. Click the Entities tab.

  4. Enter the required details in the Filter panel on the left side.

  5. Click Save as.

  6. Enter a Filter Name in the Save as Favorites pop-up window.

  7. Click Save.

See also

19 - Filter an Alert for Investigation

Provides information about how to filter an alert.

You can filter alerts to retrieve alert details using specific parameters to help further investigation. Alerts can be filtered in the Alerts tab by severity, feedback, indicators, and date range.

  1. Go to Users > Alerts. The Alerts tab is displayed.

    filter alerts by using specific parameters for further investigation
  2. To filter by severity, click the down arrow under Severity in the Alerts Filters panel, and select any one option. The options are Critical, High, Medium, and Low.

  3. To filter by feedback marked as Not a Risk, click the down arrow under Feedback, and select the Rejected option.

  4. To filter by entity, click the down arrow under Entity Type, and select Users option.

  5. To filter by date range, click the down arrow under Date Range and select an option. The options are Last 24 Hours, Last 7 Days, Last 1 Month, and Last 3 Months. The alerts are displayed in the right panel according to the selected filter. To reset filters, click Reset at the bottom of the left panel.

See also

20 - Take Action on Risky Users

Provides information about how to take action on users.

After investigation, you can take action on the risky users to reduce or prevent further damage caused by malicious attackers in your organization. You can take any of the following actions:

  • Specify if the alert is not risky.
  • Save the behavioral profile for the use case found in your environment.
  • Add user profiles to the watchlist if you want to keep track of the user activity.

See also

21 - Export User Data

Provides information about how to export user data.

You can export a list of all users and their scores in .csv file format. You can use this information in other data analysis tools such as Tableau, Power BI, and Zeppelin.

To export alert data

  1. Log in to NetWitness Platform.

  2. Go to Users > Alerts.

    The Alerts tab is displayed with the alert data.

  3. Click Export.

    how to export alert data

See also

Investigate Alerts