Identify High-Risk Entities

You can identify high-risk user in your environment in the following ways:

  • View top five high-risk entities
  • View all the high-risk entities
  • View users of a specific group
  • View users and other entities based on forensic investigation

View Top Ten Risky Entities

In the OVERVIEW tab, you can view the list of top five high-risk entities in your environment along with the risky score.

To view the top risky entities:

Log into NetWitness and go to Investigate > ENTITIES.
The Overview tab is displayed with the high-risk users displayed in the High Risk Users tab, and high-risk SSL and hight-risk JA3 are displayed under the Network tab. 122_HigRisUsrPan_123.png

View All High-Risk Entities

In the Network tab, you can view the list of all the high risk users in your environment along with the user score and total number of alerts associated with the users.

To view all high-risk users:

  1. Log into NetWitness and go to Investigate > ENTITIES.

    The Overview tab is displayed.

  2. Click ENTITIES tab.

    The list of all high-risk entities are displayed.

    122_EntyAltTypIndi_1123.png

View Entities of Specific Group

In the Network tab, you can use different types of filters to identify targeted group of high-risk entity.

To view users of specific group:

  1. Log into NetWitness and go to Investigate > ENTITIES.

    The Overview tab is displayed.

  2. Click the ENTITIES tab.

  3. In the Filters panel, do any of the following:

    • Risky Entities: To view all the risky entities in your environment, select Risky . By default, risky entities along with their risky score are displayed.

      122_EntyRisScoAlr_123.png

    • Watchlist : To view the list of entities that you added to the watchlist to monitor for specific changes, select Watchlist.

      122_UsrAltTypIndi_123.png

Note: You can view users of one or more group by selecting one or more filters. For example, if you want to view the list of admin users who are risky users, select the Admin Users and Risky Users filters.

View Entity Based on Forensic Investigation

In the ENTITIES tab, you can use Alert Types and Indicators which are behavioral filters to view high-risk users based on forensic investigation. For more information on forensic investigation, see Forensic Workflow in the Introduction topic.

To view users based on specific forensic investigation:

  1. Log into NetWitness and go to Investigate > ENTITIES.

    The Overview tab is displayed.

  2. Click ENTITIES tab.
  3. To create a behavioral filter using alert types, select one or more alerts in the ALERTS drop-down list.
  4. To create a behavioral filter using indicators, select one or more indicators in the INDICATORS drop-down list.
  5. To filter the result for JA3 entity, select JA3 from the ENTITY TYPE drop-down list.

Note: You can select combination of one or more alert types and indicators to create a behavioral filter based on your requirement. For example, to monitor abnormal access to confidential files and theft of sensitive data, you can create a behavioral filter with Alert Types = Data Exfiltration and Indicators = Abnormal JA3 for Source Netname (3 JA3).

122_UsrAltTypIndi_123.png

To save these behavioral filters as favorites for future investigation, click Save as....

To delete the filters click Reset Filters.

Similarly, you can view the results for the SSL entity based on forensic investigation.