About this page
The Entity Details page gives the analyst insight into a selected entity’s risk score. On this page you will find information about the entity, such as its latest risk score, its risk group, and whether or not the entity is on the notable entities list. You can also browse the alerts and behavior signals that contributed to the entity’s risk score in a variety of visualizations.
...
To navigate to the Entity Details page, click the name of any entity in the Overview dashboard, in the Entity Analysis page, or in the results of the Quick Search box in the application’s top header.
The Entity Details page is divided into three sections: the page header, the risk trend chart, and a visualization area. Each of these sections is described below.
...
Entity Details page header
Near the top of the page is the page header:
...
The entity type (user, device or domain), displayed as an icon.
The name of the entity.
The latest risk score and relative risk computed for the entity.
The timestamp of the entity’s latest risk event; that is, the last alert or behavior signal that contributed to the entity’s risk score.
The risk group that the entity currently belongs to (if any), shown as a drop-down. If the entity does not belong to any risk group, “(none)” is displayed. If the entity does belong to a risk group, that risk group’s score multiplier is shown in a badge above the drop-down (for example, “x 2”). Click the drop-down to move the entity to a different risk group or to remove the entity from its risk group.
A star icon indicating whether or not the entity is on the notable entities list. If the entity is notable, the icon is highlighted with color; otherwise it is not highlighted. Click the icon to add the entity to, or remove it from, the notable entities list.
...
Below the page header is a dual axis trend chart:
...
The chart plots two trends over time:
The selected entity’s risk score (shown as a blue line). Note that this plot uses the left Y axis.
The selected entity’s volume of triggered alerts & signals (shown as purple bars); i.e. the number of alerts and behavior signals which mention that entity’s name. Note that this plot uses the right Y axis.
...
The count of associated entities is shown above the chart (far right). By “associated entities”, we mean any other entities mentioned in the triggered alerts & signals plotted in the chart. To browse the names of those associated entities, click the arrow beside the count. This opens the Associated Entities panel on the right side of the page, as pictured in the example below. From the Associated Entities panel, click any entity name to navigate to the Entity Details page for that entity.
...
Below the risk trend chart is the main section of the Entity Details page, where you can browse the list of triggered alerts & signals which contributed to the selected entity’s risk score.
...
The risk score contribution for this list item. If the list item represents a single triggered alert or signal, the contribution is displayed as a single number (for example, “+35”). If the list item represents a group of repeated alerts/signals, the contribution displays both the total contribution from the group (for example, “+140”) and the individual contribution from each group item (for example, “=35x4”). Hover over the risk score contribution to reveal a tooltip that briefly describes how the risk score was configured.
Info: Certain items (namely, Behavior Alerts and Risk Based Alerts) do not affect risk scores, so those items do not display a risk score contribution. (To learn more, see the Key concepts section.)
An icon indicating the type of list item; either alert or behavior signal.
The name of the list item; either an alert name or behavior signal name. If the alert/signal was triggered multiple times that day, the count is displayed in a badge after the name.
The category of the list item; either “Behavior Signal”, “Behavior Alert”, “Risk Based Alert”, “SecOps Alert” or “Misc Alert”.
The priority, MITRE tactic & MITRE technique of the list item, if defined. Note that only alerts can have a priority & MITRE labels; signals do not.
To further investigate a list item in the Timeline view, click on the item name (or on the arrow on the far right end of the item). This opens a side panel with additional details.
...
For alerts, the side panel displays the alert priority, MITRE tactic & technique, summary, description, and the LINQ query source code.
For behavior signals, the side panel displays the description of the behavior model that generated the signal.
For both alerts and behavior signals, a single-day subset of the timeline shows, in chronological order, the individual instances of the selected alert/signal that were triggered on the selected day. This timeline may include any additional context that was gathered when the signal/alert was triggered. The timeline can also display tags with the names of any other entities discovered in each of those individual alerts/signals. Clicking an entity name tag here navigates to the Entity Details page for that entity.
MITRE view
The MITRE view helps you better understand the selected entity’s progression in the context of the MITRE ATT&CK framework. The MITRE view overlays the entity’s triggered alerts onto the MITRE ATT&CK matrix, mapping each alert’s tactic and technique to its corresponding position on the matrix.
...
Techniques are highlighted and color-coded according to the priority of the triggered alerts related to each of them. Clicking on a detected technique will open a side panel to provide info about the selected technique and a compact timeline (similar to Timeline view) of the triggered alerts matching that selected technique.
...
Info: Only alerts have MITRE tactic & technique labels; behavior signals do not. Thus behavior signals are not shown in the MITRE view.
Associations view
The Associations view displays the set of associated entities in a node-link graph. By “associated entities”, we refer to any other entities mentioned in the triggered alerts & signals of the selected entity during the selected time range.
...
Hovering over an entity in the graph reveals two buttons:
Load Connections (“+”): Click this button to search for more entities associated with the entity in question. (Such entities may not be associated to the starting entity that was initially selected for the Entity Details page.) If any are found, those entities will be added to the graph. This process can be performed iteratively, thus enabling the user to “walk” the graph and discover “n-th degree” associations in ad-hoc fashion.
Go To Entity Analysis (“>”): Click this button to navigate to the Entity Details page for the entity in question.
...
At the bottom left of the Associations view, there is a blue caption with the count of entities included in the graph (for example, “Showing 23 entities”). Clicking it reveals a side panel listing the entities in a table format. From this table, you can customize the graph by checking the boxes of the entities you want to plot (maximum of 500).
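To make the association rules above concrete, here is an added example (not code from the product or from this documentation) that computes an entity’s first-degree associations from a set of triggered alerts and signals, and then walks the graph the way repeated Load Connections clicks do. The record format, entity names and time range are constructed for illustration and are not the product’s data model.

```python
from collections import deque
from datetime import datetime

# Constructed sample data (not from the product): each triggered alert or
# behavior signal, with the entity names it mentions.
RECORDS = [
    {"time": "2024-03-01T09:10:00", "kind": "alert",  "name": "Suspicious login",  "entities": {"alice", "ws-101"}},
    {"time": "2024-03-01T10:30:00", "kind": "signal", "name": "Unusual logon hour", "entities": {"alice"}},
    {"time": "2024-03-02T14:05:00", "kind": "alert",  "name": "Lateral movement",  "entities": {"alice", "srv-db01", "corp.example"}},
    {"time": "2024-03-02T15:20:00", "kind": "alert",  "name": "New admin account", "entities": {"srv-db01", "bob"}},
    {"time": "2024-03-03T08:00:00", "kind": "signal", "name": "Rare process",      "entities": {"bob", "ws-202"}},
    # Outside the selected time range used below, so it must not contribute.
    {"time": "2024-03-10T12:00:00", "kind": "alert",  "name": "Password spray",    "entities": {"alice", "vpn-gw"}},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def associated_entities(records, entity, start, end):
    """First-degree associations: every other entity mentioned in an alert or
    signal that also mentions `entity`, restricted to the selected time range."""
    start, end = parse(start), parse(end)
    out = set()
    for r in records:
        if entity in r["entities"] and start <= parse(r["time"]) <= end:
            out |= r["entities"] - {entity}
    return out


def walk_associations(records, start_entity, start, end, max_degree):
    """Repeated 'Load Connections': breadth-first expansion returning
    {entity: degree}. Degree 1 entities are the starting entity's own
    associations; degree n entities need not be associated with the
    starting entity at all, only with something already on the graph."""
    degree = {start_entity: 0}
    queue = deque([start_entity])
    while queue:
        current = queue.popleft()
        if degree[current] >= max_degree:
            continue
        for other in associated_entities(records, current, start, end):
            if other not in degree:
                degree[other] = degree[current] + 1
                queue.append(other)
    return degree


if __name__ == "__main__":
    rng = ("2024-03-01T00:00:00", "2024-03-05T00:00:00")
    print("direct:", sorted(associated_entities(RECORDS, "alice", *rng)))
    graph = walk_associations(RECORDS, "alice", *rng, max_degree=3)
    for name, deg in sorted(graph.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"degree {deg}: {name}")
    print(f"Showing {len(graph)} entities")
```

Within the constructed range, alice’s direct associations are ws-101, srv-db01 and corp.example; bob only appears at degree 2 (through srv-db01) and ws-202 at degree 3 (through bob), while vpn-gw never appears because its alert falls outside the selected range.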
...