The Users Overview view shows what is happening in your environment at a glance. NetWitness UEBA Cloud enables you to quickly determine potential malicious activity, investigate it further, detect anomalies, and take action.
In this view you can look at the top ten users listed, which are the ten users with the highest user risk scores. The circled user indicates a high score and severity. Compare the scores to see whether any have increased since the previous day. Also investigate users with critical alerts.
In the above example, Levi Thomas has a user score of 112, which is over 100, and 2 critical alerts. Charlie Martin has a user score of 80, which is not over 100, but Charlie has 4 critical alerts. (All of the top ten users listed show +0 next to their score, so the scores did not increase since yesterday.)

In the Top Alerts panel, look at the top alerts for Users in the last 24 hours, or over a longer time period if you do not see any alerts.
a. Check the alerts by severity level, starting with the critical alerts. What type of alerts are they? Which users are associated with the alerts?
b. Check for alerts with a high number of indicators (anomalies).
c. To view the specific indicators associated with an alert, hover over the number of indicators listed.
In this example, the Top Alerts panel shows four Snooping User critical alerts for user Charlie Martin in the last 3 months. Hovering over “3 indicators” for one of the alerts shows the names of the indicators of compromise in the alert: Multiple File Access Events, Multiple File Delete Events, and Abnormal File Access Event. In the above example, user Charlie Martin has one critical Snooping User alert containing 3 indicators in the last 3 months.

In the Alerts Severity panel, look at when the critical alerts happened in the last three months. In this example, the majority of the alerts in the last three months occurred on the same day. If you click on this day, it opens the Alerts view, where you can drill down into the alerts from the selected day.

If you go back to the Top Risky Users panel (Users > Overview), you can drill further into the alerts listed for each of the top risky users. For example, Charlie’s user profile shows Snooping User alerts and provides details of multiple files accessed and deleted.
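The triage walk-through above (rank by user score, flag scores over 100 or any critical alerts, note the day-over-day change, widen the time window when the last 24 hours are empty, find the day on which critical alerts cluster, and read the indicators behind an alert) can be written down as a small checklist script. The following is an added example and is not NetWitness UEBA code; it runs over constructed records shaped like the fields the Users Overview displays (user name, score, previous-day score, alert severity, alert type, day, indicator names). The user names, scores, dates and the alert type "Unusual Access Pattern" are constructed for illustration; "Snooping User" and the three indicator names are the ones the page mentions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data (not from a real deployment). Scores and
# previous-day scores mirror the "+0" delta shown beside each score.
USERS = [
    {"name": "Levi Thomas", "score": 112, "previous_score": 112},
    {"name": "Charlie Martin", "score": 80, "previous_score": 80},
    {"name": "Dana Ruiz", "score": 45, "previous_score": 30},
]

# Alert records: severity, alert type, ISO day, indicator names.
# "Unusual Access Pattern" is a constructed alert type used only here.
ALERTS = [
    {"user": "Levi Thomas", "severity": "critical", "name": "Unusual Access Pattern",
     "day": "2024-03-04", "indicators": ["Abnormal File Access Event"]},
    {"user": "Levi Thomas", "severity": "critical", "name": "Unusual Access Pattern",
     "day": "2024-03-04", "indicators": ["Multiple File Access Events"]},
    {"user": "Charlie Martin", "severity": "critical", "name": "Snooping User",
     "day": "2024-03-04", "indicators": ["Multiple File Access Events",
                                         "Multiple File Delete Events",
                                         "Abnormal File Access Event"]},
    {"user": "Charlie Martin", "severity": "critical", "name": "Snooping User",
     "day": "2024-03-04", "indicators": ["Multiple File Access Events"]},
    {"user": "Charlie Martin", "severity": "critical", "name": "Snooping User",
     "day": "2024-03-04", "indicators": ["Multiple File Delete Events"]},
    {"user": "Charlie Martin", "severity": "critical", "name": "Snooping User",
     "day": "2024-02-10", "indicators": ["Abnormal File Access Event"]},
    {"user": "Dana Ruiz", "severity": "high", "name": "Unusual Access Pattern",
     "day": "2024-03-05", "indicators": ["Abnormal File Access Event"]},
]


def risk_delta(user):
    """Change in user score since the previous day (the '+N' beside a score)."""
    return user["score"] - user["previous_score"]


def critical_alert_count(alerts, user_name):
    """Number of critical alerts attributed to one user."""
    return sum(1 for a in alerts
               if a["user"] == user_name and a["severity"] == "critical")


def top_risky_users(users, alerts, limit=10, threshold=100):
    """Rank users by score (the Top Risky Users panel) and apply the two
    triage checks: score above the threshold, or any critical alert."""
    ranked = sorted(users, key=lambda u: u["score"], reverse=True)[:limit]
    rows = []
    for u in ranked:
        criticals = critical_alert_count(alerts, u["name"])
        rows.append({
            "name": u["name"],
            "score": u["score"],
            "delta": risk_delta(u),
            "critical_alerts": criticals,
            "needs_review": u["score"] > threshold or criticals > 0,
        })
    return rows


def alerts_in_window(alerts, today, days):
    """Alerts whose day falls in the last `days` days up to `today` (ISO string).
    Use a larger `days` when the 24-hour view is empty."""
    start = date.fromisoformat(today) - timedelta(days=days)
    return [a for a in alerts if start <= date.fromisoformat(a["day"]) <= date.fromisoformat(today)]


def alerts_by_day(alerts, severity="critical"):
    """Per-day counts for one severity (the Alerts Severity panel) and the
    day holding the most alerts, which is the day worth drilling into."""
    counts = Counter(a["day"] for a in alerts if a["severity"] == severity)
    peak = max(counts, key=counts.get) if counts else None
    return counts, peak


def indicators_for(alerts, user_name, alert_name):
    """Indicator-name lists for a user's alerts of one type, as shown when
    hovering over 'N indicators'."""
    return [a["indicators"] for a in alerts
            if a["user"] == user_name and a["name"] == alert_name]


if __name__ == "__main__":
    for row in top_risky_users(USERS, ALERTS):
        print(f'{row["name"]:15} score={row["score"]:>3} (+{row["delta"]}) '
              f'critical={row["critical_alerts"]} review={row["needs_review"]}')
    counts, peak = alerts_by_day(alerts_in_window(ALERTS, "2024-03-05", 90))
    print("critical alerts per day:", dict(counts), "peak:", peak)
    print("Charlie's Snooping User indicators:",
          indicators_for(ALERTS, "Charlie Martin", "Snooping User"))
```

The `needs_review` flag is deliberately an OR of the two checks: Charlie Martin's score of 80 would pass a score-only filter, so the critical alert count has to be considered on its own, exactly as the example above does.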