User or Network Entity Profile View

The User Network Entity Profile view provides detailed information about all alerts and related indicators of a user or network entity.

Workflow

netwitness_112_invusralrworkflow.png

What do you want to do?

User Role I want to ... Documentation
UEBA Analyst

View high-risk user or network entities*

Identify High-Risk User or Network Entity
UEBA Analyst

Begin an investigation of high-risk user or network entities*

Begin an Investigation of High-Risk User Or Network Entity
UEBA Analyst

Take action on high-risk user or network entities.

Take Action on High-Risk User or Network Entity
UEBA Analyst Export high-risk user or network entities. Export a list of High-Risk User or Network Entity
UEBA Analyst

Begin an investigation of critical alerts*

Investigate Top Alerts
UEBA Analyst Investigate threat indicators. Investigate Events
UEBA Analyst

View Modeled Behaviors for users

Note: From 11.5.1 version and later, Modeled Behaviors for users can be viewed.

View Modeled Behaviors

*You can complete the tasks here.

Related Topics

Quick Look

122_UsrProViewHig_1122.png

122_HigRisUsrPanHig1_1122.png

The following figure shows the User Modeled Behaviors view.

122_Modeledbehvaviors_1115_1122.png

The Users Profile consist of the following panels:

1 User Risk Score panel
2 Alerts Flow panel
3

Indicator panel

4 Modeled Behaviors panel

User or Network Entity Risk Score Panel

The User or Network Entity Risk Score panel contains the following information:

Name Description
User Score The user score of the user highlighted based on the severity.
Alerts The total number of alerts generated for the user in the last 90 days.

Trending Data (Hours)

The trending data for last 24 hours shows the increase in the user's score in the last 24 hours.

Trending Data (Days) The trending data for last 7 days shows the increase in the user's score in the last 7 days.
Alerts

The following information is displayed:

  • alert names
  • severity level icon
  • start date and time for the alert
  • timeframe of the alert (Hourly)
  • risk score of the alert (+20)
  • list of alert indicator names and the number of times the indicator events occurred.

Sort by

The alerts are sorted based on Severity and Date. By default, it is sorted by severity.

Alert Flow Panel

The Alert Flow panel displays the following information:

Name Description
Alert name The name of the alert.
Time frame The timeframe of the alert (hourly).
Severity level The severity of the alert.
Contribution in score

The contribution to the user score value (for example, +20).

Sources

The data sources for the alert (for example, Active Directory).

Tamerlane graph The timeline of events that are related to the formation of the alert.

Indicator Panel

Click on a graph icon in the Alert Flow panel to open the Indicator panel. The following table describes the indicator panel elements:

Name Description
Indicator The name of the indicator with timeframe of the indicator in parentheses. For example, Multiple Group Membership Changes (Hourly).
Contribution to Alert The alert contribution percentage.
Anomaly Value The anomaly value.
Data source The data source from where the alert is triggered.

In the Indicator panel the events table list events specific to the data sources.

122_EveTab_1122.png

  • Common events for User Entity

The following tables list events specific to all the data sources.

Event Name Description

Time

The date and time when an event is triggered.

Username

The name of user for whom an indicator is triggered.

Normalized user name

The name of user for whom an indicator is triggered.

Operation Type

The action performed by the user. For example, Member Added To Group.

Result

The status of the action performed by the user.
  • Windows File Servers

The following tables list events specific to Windows file servers.

Event Name Description

Source Folder Path

Absolute folder path of a file for which an event is triggered.

Source File Path

Absolute file path for which an event is triggered.
  • Active Directory

The following tables list event specific to Active Directory.

Event Name Description

Object Name

Object name defined in the Active Directory.
  • Logon Activity

The following tables list events specific to Logon Activity.

Event Name Description

Computer

Host name from where an event is triggered.

Result Code

 
  • Process

The following tables list events specific to Process.

Event Name Description

Machine Name

Name of the host from where this event is triggered for the user.

Source Process

Process triggered by the event

Destination Process

Process triggered by source process.
  • Registry

The following tables list events specific to Registry.

Event Name Description

Machine Name

Name of the host from where this event is triggered for the user.

Process Directory

Absolute directory path of the process for which an event is triggered.

Process File Name

Process file name for which an event is triggered.

Registry Key Group

Type of registry key.

Registry Key

Registry key path.

Registry Value Name

Registry value name that is created or modified.

Operation Type

The action performed by the user. For example, Member Added To Group.

Network Entities

The following tables list events specific to JA3 and SSL Subject.

Event Name Description
Source IP The IP address from which network data is sent.
Destination IP The IP address to which network data is sent.
Destination Country The country name to which the network data is sent.
SSL The SSL Subject.
Destination Organization The organization name where the network data is sent.
Domain The domain name to which the network data is sent.
JA3 The JA3 hash value.
Destination Port The port number to which the network data is sent.

Source Netname

The name of the source netname.

Number of Bytes Sent The number of bytes sent.

Destination ASN

 

JA3S The JA3S hash value.

Destination Netname

The name of the destination netname.

Number of Bytes Received The number of bytes received.

Modeled Behaviors Panel

The Modeled Behaviors panel displays the following information:

Name Description
Modeled Behaviors

The following information is displayed:

  • The data source names

  • The date of the user's last activity
  • Description of the Modeled Behaviors.

Data Source The data source can be selected from the drop-down.
Sort by The Modeled Behaviors are sorted based on date and alphabetical order. By default, it is sorted by alphabetical order.