About this page
The Entity Analysis page enables the end-user to browse the list of detected entities in an ad-hoc fashion. Whereas the Overview dashboard displays a set of auto-generated lists using a variety of pre-defined criteria, the Entity Analysis page supports searching the entities with more sophisticated options for on-the-fly filtering and sorting. It is a useful starting point for a Behavior Analytics user who wishes to explore the discovered entities beyond the most prominent entities displayed in the Overview dashboard.
Page contents
The main body of the page displays the list of detected entities in a table format, as pictured in the example below.
The table columns display information about each entity, including the following:
Name: The name of the entity. Each name is hyperlinked. Click on an entity name to navigate to the Entity Details page for that entity.
Type: An icon indicating the type of entity (user, device or domain).
Notable: A star icon indicating whether or not the entity is on the Notable Entities list. If the entity is notable, the icon will appear highlighted with color; otherwise the icon is not highlighted. Click the icon to add/remove the entity from the notable entities list.
Risk Score: The latest risk score computed for the entity by the risk calculator; an unbounded number, for example [example value image] (see “Key concepts > Entity Risk Scoring” section).
Relative Risk: The entity’s risk score normalized across all entities; displayed as a fraction over 100, for example [example value image] (see “Key concepts > Entity Relative Risk” section).
Unique Alerts: The count of distinct alert names observed in the triggered alerts for this entity in the last 7 days.
Unique Tactics: The count of distinct MITRE tactics observed in the triggered alerts for this entity in the last 7 days.
Unique Techniques: The count of distinct MITRE techniques observed in the triggered alerts for this entity in the last 7 days.
Last Risk: The timestamp of the most recent signal/alert which contributed to this entity’s risk score.
Risk Group: The risk group that the entity currently belongs to (if any), shown as a drop-down. If the entity does not belong to any risk group, “(none)” is displayed. If the entity does belong to a risk group, that risk group’s score multiplier is shown in a badge above the drop-down (for example, “x 2”). Click the drop-down to move the entity to a different risk group or to remove the entity from its risk group.
The list can be sorted by clicking on the arrows in the table’s column headers.
Above the table are controls for applying ad-hoc filters to the list. Use the set of round buttons (All, Users, Devices, Domains) to apply a one-click filter to the list by entity type.
Beside the entity type buttons is a Filter button that reveals additional criteria. The Filter button carries a numbered badge showing how many of the additional filtering criteria are currently applied to the entities table. Clicking the Filter button reveals the following filter drop-downs:
Last Risk: This filter is useful for finding the entities that have triggered alerts and signals most recently.
Relative Risk: This filter enables you to search for entities in a given range of risk relative to all other entities.
Entity List: Use this filter to show only the entities on the Notable Entities list.
Risk Group: Use this filter to show only the entities in a selected risk group.
Beneath these filter controls, a text box enables you to search by entity name (case insensitive).
Use the Download CSV button above the table (top right) to download the entities list to a CSV file. The downloaded list will preserve your current filter and sorting selections at that time.
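To make the column definitions and the filter controls described above concrete, here is an added Python example (not product code) that derives the Unique Alerts/Tactics/Techniques, Last Risk and Relative Risk columns from constructed alert records and then applies the entity-type, Relative Risk, Last Risk and name-search filters. The sample alerts, the summed-score-times-multiplier risk score and the max-normalised Relative Risk are assumptions made for the example, not the product's actual risk calculator.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample alerts: (entity, type, alert_name, tactic, technique, score, timestamp)
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
ALERTS = [
    ("alice", "user", "Impossible travel", "Initial Access", "T1078", 30, NOW - timedelta(days=1)),
    ("alice", "user", "Impossible travel", "Initial Access", "T1078", 30, NOW - timedelta(days=2)),
    ("alice", "user", "New admin group member", "Privilege Escalation", "T1098", 50, NOW - timedelta(days=3)),
    ("ws-42", "device", "Suspicious PowerShell", "Execution", "T1059.001", 40, NOW - timedelta(days=9)),
    ("ws-42", "device", "Suspicious PowerShell", "Execution", "T1059.001", 40, NOW - timedelta(hours=6)),
    ("evil.example", "domain", "Beaconing DNS", "Command and Control", "T1071.004", 20, NOW - timedelta(days=5)),
]
RISK_GROUPS = {"alice": 2}  # entity -> risk group score multiplier (the "x 2" badge)
def entity_rows(alerts, now, risk_groups, window_days=7):
    """Derive one Entity Analysis row per entity from its triggered alerts."""
    window_start = now - timedelta(days=window_days)
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a[0]].append(a)
    rows = {}
    for name, items in by_entity.items():
        recent = [a for a in items if a[6] >= window_start]  # 7-day window for the Unique* columns
        multiplier = risk_groups.get(name, 1)
        rows[name] = {
            "type": items[0][1],
            # Assumption: risk score = sum of contributing scores, scaled by the group multiplier
            "risk_score": sum(a[5] for a in items) * multiplier,
            "unique_alerts": len({a[2] for a in recent}),
            "unique_tactics": len({a[3] for a in recent}),
            "unique_techniques": len({a[4] for a in recent}),
            "last_risk": max(a[6] for a in items),
            "risk_group_multiplier": multiplier,
        }
    # Assumption: Relative Risk = score as a fraction of the highest score, shown out of 100
    top = max(r["risk_score"] for r in rows.values()) or 1
    for r in rows.values():
        r["relative_risk"] = round(100 * r["risk_score"] / top, 1)
    return rows
def filter_rows(rows, now, entity_type=None, relative_min=0.0, relative_max=100.0,
                last_risk_within_days=None, name_contains=""):
    """Apply the page's ad-hoc filters: type buttons, Relative Risk range, Last Risk, name search."""
    cutoff = None if last_risk_within_days is None else now - timedelta(days=last_risk_within_days)
    return {
        name: r for name, r in rows.items()
        if (entity_type is None or r["type"] == entity_type)
        and relative_min <= r["relative_risk"] <= relative_max
        and (cutoff is None or r["last_risk"] >= cutoff)
        and name_contains.lower() in name.lower()  # case-insensitive, as on the page
    }
```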