User or Network Entity Profile View
The User or Network Entity Profile view provides detailed information about all alerts and related indicators of a user or network entity.
Workflow
What do you want to do?
User Role | I want to ... | Documentation |
---|---|---|
UEBA Analyst | View high-risk user or network entities* | Identify High-Risk User or Network Entity |
UEBA Analyst | Begin an investigation of high-risk user or network entities* | Begin an Investigation of High-Risk User Or Network Entity |
UEBA Analyst | Take action on high-risk user or network entities. | Take Action on High-Risk User or Network Entity |
UEBA Analyst | Export high-risk user or network entities. | Export a list of High-Risk User or Network Entity |
UEBA Analyst | Begin an investigation of critical alerts* | Investigate Top Alerts |
UEBA Analyst | Investigate threat indicators. | Investigate Events |
UEBA Analyst | View Modeled Behaviors for users | View Modeled Behaviors |
*You can complete the tasks here.
Related Topics
- Begin an Investigation of High-Risk User Or Network Entity
- Investigate Top Alerts
- Filter Alerts
- Investigate Events
- Export a list of High-Risk User or Network Entity
- View Modeled Behaviors
Quick Look
The following figure shows the User Modeled Behaviors view.
The User Profile consists of the following panels:
1 | User Risk Score panel |
2 | Alerts Flow panel |
3 | Indicator panel |
4 | Modeled Behaviors panel |
User or Network Entity Risk Score Panel
The User or Network Entity Risk Score panel contains the following information:
Name | Description |
---|---|
User Score | The user's score, highlighted based on the severity. |
Alerts | The total number of alerts generated for the user in the last 90 days. |
Trending Data (Hours) | The trending data for the last 24 hours shows the increase in the user's score in the last 24 hours. |
Trending Data (Days) | The trending data for the last 7 days shows the increase in the user's score in the last 7 days. |
Alerts | The following information is displayed: |
Sort by | The alerts are sorted based on Severity and Date. By default, they are sorted by severity. |
Alert Flow Panel
The Alert Flow panel displays the following information:
Name | Description |
---|---|
Alert name | The name of the alert. |
Time frame | The timeframe of the alert (hourly). |
Severity level | The severity of the alert. |
Contribution in score | The contribution to the user score value (for example, +20). |
Sources | The data sources for the alert (for example, Active Directory). |
Tamerlane graph | The timeline of events that are related to the formation of the alert. |
Indicator Panel
Click on a graph icon in the Alert Flow panel to open the Indicator panel. The following table describes the indicator panel elements:
Name | Description |
---|---|
Indicator | The name of the indicator with timeframe of the indicator in parentheses. For example, Multiple Group Membership Changes (Hourly). |
Contribution to Alert | The alert contribution percentage. |
Anomaly Value | The anomaly value. |
Data source | The data source from where the alert is triggered. |
In the Indicator panel, the events table lists events specific to the data sources.
- Common events for User Entity
The following table lists events common to all the data sources.
Event Name | Description |
---|---|
Time | The date and time when an event is triggered. |
Username | The name of the user for whom an indicator is triggered. |
Normalized user name | The name of the user for whom an indicator is triggered. |
Operation Type | The action performed by the user. For example, Member Added To Group. |
Result | The status of the action performed by the user. |
- Windows File Servers
The following table lists events specific to Windows file servers.
Event Name | Description |
---|---|
Source Folder Path | Absolute folder path of a file for which an event is triggered. |
Source File Path | Absolute file path for which an event is triggered. |
- Active Directory
The following table lists events specific to Active Directory.
Event Name | Description |
---|---|
Object Name | Object name defined in the Active Directory. |
- Logon Activity
The following table lists events specific to Logon Activity.
Event Name | Description |
---|---|
Computer | Host name from where an event is triggered. |
Result Code | |
- Process
The following table lists events specific to Process.
Event Name | Description |
---|---|
Machine Name | Name of the host from where this event is triggered for the user. |
Source Process | Process triggered by the event. |
Destination Process | Process triggered by source process. |
- Registry
The following table lists events specific to Registry.
Event Name | Description |
---|---|
Machine Name | Name of the host from where this event is triggered for the user. |
Process Directory | Absolute directory path of the process for which an event is triggered. |
Process File Name | Process file name for which an event is triggered. |
Registry Key Group | Type of registry key. |
Registry Key | Registry key path. |
Registry Value Name | Registry value name that is created or modified. |
Operation Type | The action performed by the user. For example, Member Added To Group. |
Network Entities
The following table lists events specific to SSL Subject.
Event Name | Description |
---|---|
Source IP | The IP address from which network data is sent. |
Destination IP | The IP address to which network data is sent. |
Destination Country | The country name to which the network data is sent. |
SSL | The SSL Subject. |
Destination Organization | The organization name where the network data is sent. |
Domain | The domain name to which the network data is sent. |
Destination Port | The port number to which the network data is sent. |
Source Netname | The name of the source netname. |
Number of Bytes Sent | The number of bytes sent. |
Destination ASN | |
Number of Bytes Received | The number of bytes received. |
Modeled Behaviors Panel
The Modeled Behaviors panel displays the following information:
Name | Description |
---|---|
Modeled Behaviors | The following information is displayed: |
Data Source | The data source can be selected from the drop-down. |
Sort by | The Modeled Behaviors are sorted based on date and alphabetical order. By default, they are sorted in alphabetical order. |