Investigate High-Risk Entities

An entity score is built based on the alert score and the alert severity. Using the entity score, you can identify entities that require immediate attention, perform deeper investigation, and take required action. You can identify high-risk entities from either the Overview tab or the ENTITIES tab.

The following figure is an example of top ten High-Risk entities in the Overview tab.

Ueba_123_users.png

The following figure is an example of all the risky entities in your environment in the ENTITIES tab.

risky_ja3_entity_123.png

The following is a high-level process to investigate high-risk entities in your environment.

  1. Identify high-risk entities. You can identify high-risk users using the following ways:

    • The Overview tab shows the top ten risky entities in your environment. From the listed entities identify the entities with a critical severity or entity score more than 100.
    • The ENTITIES tab shows all the risky entities in your environment, you can sort by Risk Score(default), Trending Data Last Day or Last Week (marked with +), Name, Alerts. Identify how many entities are marked Critical, High and Medium or based on the forensic investigation, identify malicious entity behavior and build use-case driven target entity lists using behavioral filters. Additionally, you can also use different types of filters (Risky or Watchlist) to identify targeted group of high-risk entities.

    Note: The investigation should mostly focus on Critical, High and Medium severities. Low scoring users are not typically worth much investigation.

    Hover over the number of alerts associated with the risky entities to quickly see what the alerts are and determine if there is a good mix.

    For more information, see the Identify High-Risk Entities topic.

  2. In the User Profile view, investigate the alerts and indicators of the user.

    1. Review the list of alerts associated with the user and the alert score for each alert, sorted by severity.
    2. Expand the alert names to identify a threat narrative. The strongest contributing indicator determines the alert’s name that suggests why this hour is flagged.
    3. Use the alert flow timeline to understand the abnormal activities.
    4. Review each indicator associated with the alert to see the details about the indicator, including the timeline in which the anomaly occurred. Also, you can further investigate the incident using external resources such as SIEM, network forensics, directly reaching out to the user or a managing director and so on.

    For more information, see the Begin an Investigation of High-Risk Entity topic.

  3. On completion of the investigation, you can record your observation as follows:

    1. Specify if an alert is not a risk.
    2. Save the behavioral profile for the use case found in your environment.
    3. If you want to keep a track of user activity, you can add users to the watchlist, and watch user profile.

    For more information, see the Take Action on High-Risk Users topic.