Begin an Investigation of High-Risk Entity

After identifying the high-risk entities, you can begin investigating them.

To investigate high-risk entities:

  1. Log into NetWitness and go to INVESTIGATE > ENTITIES.

    In the Overview tab, select the ENTITIES tab, then select an entity type to investigate from the NETWORK drop-down. For example, if you select Network > JA3, all the JA3 high-risk entities are displayed. You can also sort the results by selecting the Sort by Trending Data checkbox. If you select this option, the data is sorted by the entity score (marked with +) that changed in the past 24 hours or in the past one week. By default, the results are sorted by the entity risk score.

  2. To further investigate the alert of the entity, click an alert in the High Risk JA3 panel. The following information is displayed:

    • The alert name
    • The timeframe of the alert (Hourly or Daily)
    • The severity level icon
    • The contribution to the entity score value (for example, 20)
    • The data sources for the alert (for example, TLS)

    The middle panel is the Alert Flow panel. This panel provides a timeline of events that are related to the formation of the alert. The timeline of events can help to determine if the alert is an actual risk.

  3. To investigate the indicators associated with an alert for an entity, in the High Risk panel, select an alert and then select an indicator. The following information is displayed:

    • The indicator name and a description of the indicator type
    • Contribution to Alert
    • The anomaly values
    • The data source of the events found in the indicator

    The central panel display changes depending on which indicator is selected.

    Note: You can investigate a high-risk SSL entity using the above procedure.

    For more information on how to read the indicator charts, see the Reading an Indicator Chart topic.