What Is Happening Now in Your Organization

Workflow Overview

The Users Overview view shows what is happening in your environment at a glance. NetWitness UEBA enables you to quickly determine potential malicious activity, investigate it further, detect anomalies, and take action.

[Figure: overview of potential malicious activity]

Top Risky Users

This panel lists the ten users with the highest user risk scores. A circled user indicates a high score and severity. Compare each score with the previous day's to see whether any have increased, and investigate users with critical alerts first.

[Figure: the list of the top risky users]

Use Case Scenario

In the above example, Levi Thomas has a user score of 132, which is over 100, and 3 critical alerts. Charlie Martin has a user score of 80, which is not over 100, but Charlie has 4 critical alerts. (All of the top ten users listed show +0 next to their score, so the scores did not increase since yesterday.) In the Top Alerts panel, look at the top alerts for Users in the last 24 hours, or widen the time period if you do not see any alerts.

  1. Check the alerts by severity level, starting with the critical alerts. What type of alerts are they? Which users are associated with the alerts?
  2. Check for alerts with a high number of indicators (anomalies).
  3. To view the specific indicators associated with an alert, hover over the number of indicators listed.

Alerts View

In this example, the Top Alerts panel shows four Snooping User critical alerts for user Charlie Martin in the last 3 months. Hovering over “3 indicators” for one of the alerts shows the names of the indicators of compromise in the alert: Multiple File Access Events, Multiple File Delete Events, and Abnormal File Access Event.

In the above example, user Charlie Martin has one critical Snooping User alert containing 3 indicators in the last 3 months.

[Figure: alert panel shows the critical alerts]

Severity View

In the Alerts Severity panel, look at when the critical alerts happened in the last three months. In this example, the majority of the alerts in the last three months occurred on the same day.
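The triage order described above (top risky users by score and day-over-day change, then alerts by severity and by indicator count, then critical alerts bucketed by day) can be reproduced over exported alert data. The following is an added example written for this page, not NetWitness UEBA code or its API; the user names, scores, alert names other than Snooping User, and timestamps are constructed sample data that mirror the scenario in the text.

```python
from collections import Counter

# Constructed sample data in the shape the Users Overview describes.
# Risk scores for today and yesterday are invented for this example.
USERS = [
    {"user": "levi.thomas",    "score_today": 132, "score_yesterday": 132},
    {"user": "charlie.martin", "score_today": 80,  "score_yesterday": 80},
    {"user": "dana.lee",       "score_today": 45,  "score_yesterday": 30},
    {"user": "sam.ortiz",      "score_today": 12,  "score_yesterday": 12},
]

# Constructed alerts. "Snooping User" and its three indicators come from the
# page; every other alert name and indicator name is invented for illustration.
ALERTS = [
    {"user": "levi.thomas", "name": "Abnormal Logon", "severity": "critical",
     "time": "2024-03-03T08:12:00", "indicators": ["Abnormal Logon Time"]},
    {"user": "levi.thomas", "name": "Mass File Rename", "severity": "critical",
     "time": "2024-03-03T09:40:00",
     "indicators": ["Multiple File Rename Events", "Abnormal File Action"]},
    {"user": "levi.thomas", "name": "Abnormal Event Hour", "severity": "critical",
     "time": "2024-02-20T17:05:00", "indicators": ["Abnormal Event Hour"]},
    {"user": "charlie.martin", "name": "Snooping User", "severity": "critical",
     "time": "2024-03-03T10:01:00",
     "indicators": ["Multiple File Access Events", "Multiple File Delete Events",
                    "Abnormal File Access Event"]},
    {"user": "charlie.martin", "name": "Snooping User", "severity": "critical",
     "time": "2024-03-03T14:22:00", "indicators": ["Multiple File Access Events"]},
    {"user": "charlie.martin", "name": "Snooping User", "severity": "critical",
     "time": "2024-02-11T11:30:00", "indicators": ["Multiple File Delete Events"]},
    {"user": "charlie.martin", "name": "Snooping User", "severity": "critical",
     "time": "2024-01-27T16:45:00", "indicators": ["Abnormal File Access Event"]},
    {"user": "dana.lee", "name": "Abnormal Logon", "severity": "high",
     "time": "2024-03-03T07:55:00", "indicators": ["Abnormal Logon Host"]},
    {"user": "sam.ortiz", "name": "Multiple Failed Auth", "severity": "medium",
     "time": "2024-03-02T23:10:00", "indicators": ["Multiple Failed Authentications"]},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def top_risky_users(users, alerts, n=10):
    """Rank users by today's score, attach the change since yesterday and the
    critical-alert count, and flag who to start with: score over 100 or at
    least one critical alert (the two signals the text tells you to look for)."""
    critical = Counter(a["user"] for a in alerts if a["severity"] == "critical")
    ranked = sorted(users, key=lambda u: u["score_today"], reverse=True)[:n]
    return [
        {
            "user": u["user"],
            "score": u["score_today"],
            "delta": u["score_today"] - u["score_yesterday"],
            "critical_alerts": critical.get(u["user"], 0),
            "investigate": u["score_today"] > 100 or critical.get(u["user"], 0) > 0,
        }
        for u in ranked
    ]


def triage_order(alerts, since=None):
    """Order alerts as the steps describe: critical first, then alerts with the
    most indicators (anomalies); earliest first on ties. `since` is an ISO
    timestamp that narrows the window, e.g. to the last 24 hours."""
    pool = [a for a in alerts if since is None or a["time"] >= since]
    return sorted(pool, key=lambda a: (SEVERITY_RANK[a["severity"]],
                                       -len(a["indicators"]), a["time"]))


def critical_alerts_per_day(alerts):
    """Bucket critical alerts by calendar day, as the Alerts Severity panel does."""
    return dict(Counter(a["time"][:10] for a in alerts if a["severity"] == "critical"))


def busiest_day(alerts):
    """Day with the most critical alerts, as (day, count, share of all critical)."""
    days = critical_alerts_per_day(alerts)
    if not days:
        return None
    day, count = max(days.items(), key=lambda kv: (kv[1], kv[0]))
    return day, count, count / sum(days.values())


def alerts_for_user(alerts, user):
    """Drill-down for one user's profile: alert name plus its indicator names."""
    return [(a["name"], a["indicators"]) for a in alerts if a["user"] == user]


if __name__ == "__main__":
    for row in top_risky_users(USERS, ALERTS):
        print(f"{row['user']:16} score={row['score']:>4} ({row['delta']:+d}) "
              f"critical={row['critical_alerts']} investigate={row['investigate']}")
    for a in triage_order(ALERTS, since="2024-03-01"):
        print(a["severity"], a["user"], a["name"], len(a["indicators"]), "indicators")
    print(busiest_day(ALERTS))
```

On the constructed data, Levi and Charlie are flagged (one by score, one by critical alerts), Charlie's three-indicator Snooping User alert sorts to the top of the critical queue, and four of the seven critical alerts fall on the same day, which is the day to click through to the Alerts view.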

[Figure: to know more about the critical alerts]

All Alerts View

Clicking that day opens the Alerts view, where you can drill down into the alerts from the selected day.

[Figure: know more about the alerts from a selected day]

Snooping Alerts

If you go back to the Top Risky Users panel (Users > Overview), you can drill further into the alerts listed for each of the top risky users. For example, Charlie’s user profile shows Snooping User alerts and provides details of multiple files accessed and deleted.

[Figure: know more about the top risky alerts]

Data Retention

NetWitness retains inactive users (users with no incoming data) for six months. After six months, NetWitness removes the user’s data and any associated alerts from the system.

See also