
The Entity Details page gives the analyst insight into a selected entity's risk score. On this page you will find information about the entity, such as its latest risk score, its risk group, and whether or not it is on the notable entities list. You can also browse the alerts and behavior signals that contributed to the entity's risk score in a variety of visualizations.

...

The Entity Details page is divided into three sections: the page header, the risk trend chart, and a visualization area. Each of these sections is described below.

Near the top of the page is the page header, which shows the following:

...

  • The entity type (user, device or domain), displayed as an icon.

  • The name of the entity.

  • The latest risk score and relative risk computed for the entity.

  • The timestamp of the entity's most recent risk event; that is, the last alert or behavior signal that contributed to the entity's risk score.

  • The risk group that the entity currently belongs to (if any), as a drop-down. If the entity does not belong to any risk group, "(none)" is displayed. If the entity does belong to a risk group, that risk group's score multiplier is shown in a badge above the drop-down (for example, "x 2"). Click the drop-down to move the entity to a different risk group or to remove it from its current risk group.

  • A "star" icon indicating whether or not the entity is on the notable entities list. If the entity is notable, the icon is highlighted with color; otherwise it is not highlighted. Click the icon to add the entity to, or remove it from, the notable entities list.

Below the page header is a dual-axis trend chart:

...

The count of associated entities is also shown above the chart (far right). "Associated entities" are any other entities mentioned in the triggered alerts and signals plotted in the chart. To browse the names of those associated entities, click the arrow beside the count. This opens the Associated Entities panel on the right side of the page, as pictured in the example below. From the Associated Entities panel, click any entity name to navigate to the Entity Details page for that entity.

...

Below the risk trend chart is the main section of the Entity Details page, where you can browse the list of triggered alerts and signals that contributed to the selected entity's risk score.

...

These filters apply to all three of the views described below.

The timeline view displays the triggered alerts and signals as a list grouped by date, with the most recent date first.

...

  • For alerts, the side panel displays the alert priority, MITRE tactic & technique, summary, description, and the LINQ query source code.

  • For behavior signals, the side panel displays the description of the behavior model that generated the signal.

  • For both alerts and behavior signals, a single-day subset of the timeline shows, in chronological order, the individual instances of the selected alert/signal that were triggered on the selected day. This timeline may include any additional context that was gathered when the signal/alert was triggered. It can also display tags with the names of any other entities discovered in each of those individual alerts/signals. Clicking an entity name tag navigates to the Entity Details page for that entity.

The MITRE view helps you understand the selected entity's progression in the context of the MITRE ATT&CK framework. It overlays the entity's triggered alerts on the MITRE ATT&CK matrix, mapping each alert's tactic and technique to the corresponding cell of the matrix.

...

Info

Note that only alerts carry MITRE tactic and technique labels; behavior signals do not. Behavior signals are therefore not shown in the MITRE view.

The Associations view displays the set of associated entities as a node-link graph. "Associated entities" are any other entities mentioned in the selected entity's triggered alerts and signals during the selected time range.
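The three views above (timeline, MITRE, Associations) are all different groupings of the same set of triggered alerts and signals after the time-range filter is applied. The following Python is an added worked example of that model; it is not the product's own code or schema. The record layout, field names (`kind`, `tactic`, `technique`, `entities`, and so on), the entity `jdoe`, and all sample alerts and signals are constructed for illustration.

```python
"""Worked example of the Entity Details views over one set of records.

Constructed for illustration; the record layout, field names and sample
values are assumptions, not the product's own schema or API.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: alerts and behavior signals that contributed to the
# risk score of the selected entity "jdoe". Each record lists every entity
# mentioned in it, which is what drives the associated-entities count.
RECORDS = [
    {"kind": "alert", "name": "Suspicious PowerShell", "priority": "high",
     "time": "2024-05-02T09:15:00", "tactic": "Execution",
     "technique": "T1059.001", "entities": ["jdoe", "ws-017"]},
    {"kind": "alert", "name": "New admin share access", "priority": "medium",
     "time": "2024-05-02T11:40:00", "tactic": "Lateral Movement",
     "technique": "T1021.002", "entities": ["jdoe", "fs-01"]},
    {"kind": "alert", "name": "Suspicious PowerShell", "priority": "high",
     "time": "2024-05-03T08:05:00", "tactic": "Execution",
     "technique": "T1059.001", "entities": ["jdoe", "ws-017"]},
    {"kind": "signal", "name": "Unusual logon hour",
     "model": "logon-time baseline", "time": "2024-05-03T02:30:00",
     "entities": ["jdoe", "ws-017"]},
    {"kind": "signal", "name": "Rare domain contacted",
     "model": "dns rarity", "time": "2024-04-20T14:00:00",
     "entities": ["jdoe", "example.invalid"]},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def in_range(records, start, end):
    """Keep records whose timestamp falls in [start, end]; the same
    time-range filter applies to all three views."""
    s, e = _parse(start), _parse(end)
    return [r for r in records if s <= _parse(r["time"]) <= e]


def timeline(records, start, end):
    """Timeline view: records grouped by date, most recent day first,
    with the entries within a day in chronological order."""
    by_day = defaultdict(list)
    for r in in_range(records, start, end):
        by_day[r["time"][:10]].append(r)
    return [(day, sorted(rs, key=lambda r: r["time"]))
            for day, rs in sorted(by_day.items(), reverse=True)]


def mitre_overlay(records, start, end):
    """MITRE view: count alerts per (tactic, technique) cell. Behavior
    signals carry no ATT&CK labels, so they are skipped."""
    cells = defaultdict(int)
    for r in in_range(records, start, end):
        if r["kind"] != "alert":
            continue
        cells[(r["tactic"], r["technique"])] += 1
    return dict(cells)


def associated_entities(records, selected, start, end):
    """Associations view: every other entity mentioned in the selected
    entity's alerts and signals within the time range."""
    names = set()
    for r in in_range(records, start, end):
        names.update(r["entities"])
    names.discard(selected)
    return sorted(names)


def association_edges(records, selected, start, end):
    """Edges for the node-link graph: (selected, other, record name)."""
    edges = set()
    for r in in_range(records, start, end):
        for e in r["entities"]:
            if e != selected:
                edges.add((selected, e, r["name"]))
    return sorted(edges)


if __name__ == "__main__":
    start, end = "2024-05-01T00:00:00", "2024-05-03T23:59:59"
    for day, rs in timeline(RECORDS, start, end):
        print(day, [r["name"] for r in rs])
    print(mitre_overlay(RECORDS, start, end))
    print(associated_entities(RECORDS, "jdoe", start, end))
    print(association_edges(RECORDS, "jdoe", start, end))
```

Widening the time range to include April pulls `example.invalid` into the associated-entities set, which is the same effect the time-range filter has on the associated-entities count above the chart.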

...