Take Action on High-Risk Users

 

After investigation, you can take action on the risky users to reduce or prevent further damage caused by malicious attackers in your organization. You can take any of the following actions:

    • Specify if the alert is not risky
    • Save the behavioral profile for the use case found in your environment
    • Add users to the watchlist, and the watch user profile, if you want to keep a track of the user activity

Specify that an alert is not risky

If and alert is not a risk, you can mark it so that the user score for the user is automatically reduced.

To specify if the alert is not risky:

  1. Log into NetWitness and go to Investigate > ENTITIES.

  2. Take action on the users from any of the following tabs:

    1. In the OVERVIEW tab, in the High Risk Users panel, select a user and click either on the username or on the user score.
    2. In the ENTITIES tab, select a user and click on the username.
      The User Profile view is displayed.
  3. If the alert is not a risk, you can specify by clicking Not a Risk.

    122_NoRis_1122.png

    When an alert is marked as Not a Risk, the user score is reduced automatically.

Save Behavioral Profile

The combination of the alert types and indicators you select during the forensics investigation is a behavioral profile. You can save the behavioral profile, so you can monitor this use case in future.

For example, if your organization is attacked and the attackers penetrated by brute forcing user accounts, you can select filters using the brute force alert type. This can be saved as favorite. You can proactively monitor for future brute force attempts. To do so, you can click the favorite to see if new users were subjected to this type of attack.

To save a behavioral profile:

  1. Log into NetWitness and go to Investigate > ENTITIES.

    The Overview tab is displayed.

  2. Click the Users tab.
  3. In the Filters panel, select the alert in the Alert Type drop-down and Indicators in the Indicators drop-down.
  4. Click Save to Favorites.

    122_SavtoFav_123.png

  5. In the Save Filter dialog, enter the name of the filter and click OK.

    netwitness_112_savfav.png

    The behavioral profile is saved and displayed in the Favorites panel. You can click on the profile in the Favorites to monitor the users.

Add All Users to the Watchlist

If you want to keep track of users with recent activity but do not want to follow up with an immediate investigation, you can add the users to the watchlist and revisit over time to see if the risk score is elevated.

To add all users to the watchlist:

  1. Log into NetWitness and go to Investigate > ENTITIES.
    The Overview tab is displayed.
  2. Select the ENTITIES tab.
  3. Select the users of specific categories using filters.
  4. Click Add All to Watchlist.

    122_AddAlltoWatLis_123.png

    The list of users are added to the watchlist.

Watch Profile

The watch user profile is a list of users that you want to monitor for potential threats. The watch user profile marks a user so that the users can be quickly referenced on the dashboard. This is essentially a bookmark to monitor suspicious users.

To watch user profile:

  1. Log into NetWitness and go to Investigate > ENTITIES. Do any of the following:
    1. In the Overview tab, under High Risk Users panel, select a user and click on either the username or the user score.
    2. In the Users tab, select a user and click the username.
      The User Profile view is displayed.
  2. Click Watch Profile in the upper right corner of the User Profile.

    122_WatProf_1122.png
    The user is added to the watchlist.