Entity Details page
About this page
The Entity Details page provides the analyst with insight into a selected entity’s risk score. On this page you will find information about the entity, such as its latest risk score, its risk group, and whether or not the entity is on the notables list. Additionally, you can browse the alerts and behavior signals which contributed to the entity’s risk score in a variety of visualizations.
To navigate to the Entity Details page, simply click on the name of any entity in the Overview dashboard, in the Entity Analysis page, or in the results of the Quick Search box in the application’s top header.
The Entity Details page is divided into three sections: the page header, the risk trend chart, and a visualization area. Each of these sections is described below.
Page header
Near the top of the page is the page header:
The page header displays the following information about the selected entity:
The entity type (user, device or domain), displayed as an icon.
The name of the entity.
The latest risk score and relative risk computed for the entity.
The timestamp of the entity’s last risk event; that is, the timestamp of the last alert or behavior signal that contributed to the entity’s risk score.
The risk group that the entity currently belongs to (if any) as a drop down. If the entity does not belong to any risk group, then “(none)” is displayed. If the entity does belong to a risk group, then that risk group’s score multiplier is shown in a badge above the dropdown (for example, “x 2”). Click the drop down to move the entity to a different risk group or to remove the entity from a risk group.
A star icon indicating whether or not the entity is on the notable entities list. If the entity is notable, the icon will appear highlighted with color; otherwise the icon is not highlighted. Click the icon to add/remove the entity from the notable entities list.
Risk trend chart
Below the page header is a dual axis trend chart:
The chart plots two trends over time:
The selected entity’s risk score (shown as a blue line). Note that this plot uses the left Y axis.
The selected entity’s volume of triggered alerts & signals (shown as purple bars); i.e. the number of alerts and behavior signals which mention that entity’s name. Note that this plot uses the right Y axis.
For convenience, a set of summary metrics is also displayed above the chart:
The total count of triggered alerts & signals in the chart.
The counts of triggered alerts by alert priority (very high, high, normal, or low/very low) in the chart.
The counts of triggered alerts by alert type (behavior alerts, risk based alerts, SecOps alerts, or other “miscellaneous” alerts) in the chart.
The count of triggered behavior signals in the chart.
Additionally, the count of associated entities is also shown above the chart (far right). By “associated entities”, we refer to any other entities mentioned in the triggered alerts & signals of the chart. To browse the names of those associated entities, click the arrow beside the count. This opens the Associated Entities panel on the right side of the page, as pictured in the example below. From the Associated Entities panel, click on any entity name to navigate to the Entity Details page for that entity.
Visualization
Below the risk trend chart is the main section of the Entity Details page, where you can browse the list of triggered alerts & signals which contributed to the selected entity’s risk score.
Near the top left corner of this section is a drop down for choosing one of the following views:
Timeline view: a chronological listing of triggered alerts & signals;
MITRE view: a mapping of triggered alerts onto the MITRE ATT&CK matrix; helps contextualize the entity and its alerts within the MITRE framework;
Associations view: a node-link graph of the entities mentioned in the triggered alerts & signals; helps identify how far the entity’s impact can expand by proximity with other entities.
Each of these 3 views is described below.
Additionally, to the right of the view drop down is a set of drop downs for filtering the triggered alerts & signals:
Name: Filters for triggered alerts & signals with the given text in their name.
Category: Filters for the selected type of alert; either “Behavior Signal”, “Behavior Alert”, “Risk Based Alert”, “SecOps Alert” or “Misc Alert”.
Alert Priority: Filters for the selected alert priority; either very high, high, medium, low or very low. Note that only alerts have a priority; signals do not. Therefore using this filter will filter out any signals from the view below.
Alert Tactic & Alert Technique: Filters for the selected MITRE label. Note that only alerts have MITRE labels; signals do not. Therefore using this filter will filter out any signals from the view below.
These filters are applicable in all of the 3 views described below.
Timeline view
The timeline view displays the triggered alerts and signals as a list in chronological order, grouped by date, showing the most recent first.
In Timeline view, each day’s display shows the list of alerts & signals triggered by the selected entity on that day. For conciseness, the day’s list is grouped by distinct alert/signal name; thus a single alert/signal that is triggered multiple times on the same day is displayed as a single list item (with a counter).
Each list item displays the following information:
The risk score contribution for this list item.
If the list item represents only a single triggered alert or signal, then the contribution is displayed as a single number (for example, +35). Otherwise, if the list item represents a group of repeated alerts/signals, then the contribution displays both the total contribution from the group (for example, +140) and the individual contribution from each group item (for example, = 35x4). Place your mouse over the risk score contribution to reveal a tooltip that briefly describes how the risk score was configured.
Note that certain items (namely, Behavior Alerts & Risk Based Alerts) do not affect risk scores. Therefore those items will not display any risk score contribution. (To learn more, see the Key concepts section of this documentation.)
An icon indicating the type of list item; either alert or behavior signal.
The name of the list item; either an alert name or behavior signal name. If the alert/signal was triggered multiple times that day, the count is displayed in a badge after the name.
The category of the list item; either “Behavior Signal”, “Behavior Alert”, “Risk Based Alert”, “SecOps Alert” or “Misc Alert”.
The priority, MITRE tactic & MITRE technique of the list item, if defined. Note that only alerts can have a priority & MITRE labels; signals do not.
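The per-day grouping and contribution arithmetic described above, as an added example (this is illustrative code written for this page, not the product’s own implementation). It assumes each triggered alert or signal record carries the per-trigger contribution configured for it (the hypothetical "score" field) and an ISO timestamp; the sample records are constructed for the example.

```python
from collections import defaultdict

# Alert categories that never affect the risk score (per the note above);
# their list items show no contribution at all.
NON_CONTRIBUTING = {"Behavior Alert", "Risk Based Alert"}

# Constructed sample data, not product output. Each record is one triggered
# alert or behavior signal that mentions the entity. "score" is the assumed
# per-trigger contribution configured for that alert/signal.
SAMPLE_ITEMS = [
    {"ts": "2024-03-04T09:12:00", "name": "Abnormal logon hour", "category": "Behavior Signal", "score": 35},
    {"ts": "2024-03-04T09:40:00", "name": "Abnormal logon hour", "category": "Behavior Signal", "score": 35},
    {"ts": "2024-03-04T11:05:00", "name": "Abnormal logon hour", "category": "Behavior Signal", "score": 35},
    {"ts": "2024-03-04T13:30:00", "name": "Abnormal logon hour", "category": "Behavior Signal", "score": 35},
    {"ts": "2024-03-04T10:01:00", "name": "New admin group member", "category": "SecOps Alert", "score": 50,
     "priority": "high", "tactic": "Privilege Escalation", "technique": "T1098"},
    {"ts": "2024-03-03T22:15:00", "name": "Entity risk threshold crossed", "category": "Risk Based Alert",
     "score": 0, "priority": "very high"},
    {"ts": "2024-03-03T08:00:00", "name": "Rare process for user", "category": "Behavior Signal", "score": 20},
]


def build_timeline(items):
    """Group triggered alerts/signals by day (most recent day first) and,
    within a day, by name, the way the Timeline view lists them.
    Returns a list of (day, [group, ...]) tuples."""
    by_day = defaultdict(lambda: defaultdict(list))
    for it in items:
        by_day[it["ts"][:10]][it["name"]].append(it)

    timeline = []
    for day in sorted(by_day, reverse=True):
        groups = []
        for name, hits in by_day[day].items():
            first = hits[0]
            contributes = first["category"] not in NON_CONTRIBUTING
            groups.append({
                "name": name,
                "category": first["category"],
                "count": len(hits),                      # shown as the badge after the name
                "per_item": first["score"] if contributes else None,
                "total": first["score"] * len(hits) if contributes else None,
                # only alerts carry priority / MITRE labels; signals yield None here
                "priority": first.get("priority"),
                "tactic": first.get("tactic"),
                "technique": first.get("technique"),
                "last_seen": max(h["ts"] for h in hits),
            })
        # Assumption: within a day, the most recently triggered group is listed first.
        groups.sort(key=lambda g: g["last_seen"], reverse=True)
        timeline.append((day, groups))
    return timeline


def format_contribution(group):
    """Render the contribution column: "+35" for a single trigger,
    "+140 = 35x4" for a repeated one, "" for categories that do not affect the score."""
    if group["total"] is None:
        return ""
    if group["count"] == 1:
        return f"+{group['total']}"
    return f"+{group['total']} = {group['per_item']}x{group['count']}"


def day_total(groups):
    """Sum of the contributions listed for one day (non-contributing items count as 0)."""
    return sum(g["total"] for g in groups if g["total"] is not None)


if __name__ == "__main__":
    for day, groups in build_timeline(SAMPLE_ITEMS):
        print(f"{day}  (day total {day_total(groups)})")
        for g in groups:
            badge = f" x{g['count']}" if g["count"] > 1 else ""
            print(f"  {format_contribution(g):>14}  {g['name']}{badge}  [{g['category']}]")
```

Note that the Risk Based Alert on 2024-03-03 is still listed (it is part of the entity’s activity) but contributes nothing, which is why the two days do not sum to the same figure you would get by counting list items.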
To further investigate a list item in the Timeline view, click on the item name (or on the arrow on the far right end of the item). This opens a side panel with additional details.
The details shown in the side panel depend on whether the clicked item in the Timeline view represents triggered alerts or behavior signals.
For alerts, the side panel displays the alert priority, MITRE tactic & technique, summary, description, and the LINQ query source code.
For behavior signals, the side panel displays the description of the behavior model that generated the signal.
For both alerts and behavior signals, the side panel also shows a single-day timeline: the individual instances of the selected alert/signal that were triggered on the selected day, in chronological order. Each instance may include any additional context that was gathered when the alert/signal was triggered, as well as tags with the names of any other entities discovered in that instance. Clicking on any of the entity name tags navigates to the Entity Details page for the clicked entity.
MITRE view
The MITRE view helps you to better understand the selected entity’s progression in the context of the MITRE ATT&CK framework. The MITRE view overlays the entity’s triggered alerts on the MITRE ATT&CK matrix, mapping each alert’s tactic and technique to its corresponding cell in the matrix.
To help navigate the matrix at a glance, buttons above the matrix enable the user to zoom in & out, and to filter out techniques which were not detected for the selected entity.
Techniques are highlighted and color-coded according to the priority of the triggered alerts related to each of them. Clicking on a detected technique will open a side panel to provide info about the selected technique and a compact timeline (similar to Timeline view) of the triggered alerts matching that selected technique.
Note that only alerts have MITRE tactic & technique labels; behavior signals do not. Thus behavior signals are not shown in the MITRE view.
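The cell mapping, highest-priority coloring and "detected techniques only" filter described for the MITRE view, as an added example written for this page (not the product’s code). It uses the Enterprise ATT&CK tactic order for the columns; the alert records are constructed, and the technique identifiers in them are used only as labels.

```python
# Enterprise ATT&CK tactics in matrix column order.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Priority order used to pick the colour of a technique cell: the cell takes
# the highest priority among the alerts that landed in it.
PRIORITY_RANK = {"very low": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}

# Constructed sample items, not product output. The last one is a behavior
# signal: it has no tactic/technique and therefore never appears in the matrix.
SAMPLE_ALERTS = [
    {"ts": "2024-03-04T10:01:00", "name": "New admin group member", "category": "SecOps Alert",
     "priority": "high", "tactic": "Privilege Escalation", "technique": "T1098"},
    {"ts": "2024-03-04T10:30:00", "name": "Suspicious scheduled task", "category": "SecOps Alert",
     "priority": "high", "tactic": "Persistence", "technique": "T1053"},
    {"ts": "2024-03-03T08:00:00", "name": "Suspicious scheduled task", "category": "SecOps Alert",
     "priority": "medium", "tactic": "Persistence", "technique": "T1053"},
    {"ts": "2024-03-04T12:45:00", "name": "Credential dumping tool", "category": "Misc Alert",
     "priority": "very high", "tactic": "Credential Access", "technique": "T1003"},
    {"ts": "2024-03-04T09:12:00", "name": "Abnormal logon hour", "category": "Behavior Signal"},
]


def mitre_cells(items):
    """Map each labelled alert onto its (tactic, technique) cell.
    Each cell records how many alerts hit it, the highest priority seen, and the alerts."""
    cells = {}
    for it in items:
        tactic, technique = it.get("tactic"), it.get("technique")
        if not tactic or not technique:
            continue  # behavior signals (and unlabelled alerts) are not shown in the MITRE view
        cell = cells.setdefault((tactic, technique),
                                {"count": 0, "top_rank": -1, "top_priority": None, "alerts": []})
        cell["count"] += 1
        cell["alerts"].append(it)
        rank = PRIORITY_RANK.get(it.get("priority"), -1)
        if rank > cell["top_rank"]:
            cell["top_rank"], cell["top_priority"] = rank, it.get("priority")
    return cells


def matrix_columns(cells, detected_only=True):
    """Columns in ATT&CK tactic order. Each column lists (technique, colour priority, count).
    With detected_only=True, tactics with no detected technique are dropped,
    matching the "filter out techniques which were not detected" button."""
    columns = []
    for tactic in TACTIC_ORDER:
        techs = sorted(((tech, c) for (t, tech), c in cells.items() if t == tactic),
                       key=lambda x: x[0])
        if techs or not detected_only:
            columns.append((tactic, [(tech, c["top_priority"], c["count"]) for tech, c in techs]))
    return columns


def technique_timeline(cells, tactic, technique):
    """Side panel for a clicked cell: its alerts in chronological order."""
    cell = cells.get((tactic, technique))
    return sorted(cell["alerts"], key=lambda a: a["ts"]) if cell else []


if __name__ == "__main__":
    cells = mitre_cells(SAMPLE_ALERTS)
    for tactic, techs in matrix_columns(cells):
        print(tactic)
        for tech, prio, n in techs:
            print(f"  {tech}  colour={prio}  alerts={n}")
```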
Associations view
The Associations view displays the set of associated entities in a node-link graph. By “associated entities”, we refer to any other entities mentioned in the triggered alerts & signals of the selected entity during the selected time range.
Each graph node represents an entity. Each graph link between entities indicates that the pair of entities were both involved in the same triggered alert or signal.
Hovering over an entity in the graph reveals two buttons:
Load Connections (“+”): Click this button to search for more entities associated with the entity in question. (Such entities may not be associated with the starting entity that was initially selected for the Entity Details page.) If any are found, those entities are added to the graph. This process can be repeated, enabling the user to “walk” the graph and discover “n-th degree” associations in ad-hoc fashion.
Go To Entity Analysis (“>”): Click this button to navigate to the Entity Details page for the entity in question.
At the bottom left of the Associations view, there is a blue caption with the count of entities included in the graph (for example, “Showing 23 entities”). Clicking it reveals a side panel listing the entities in a table format. From this table, you can customize the graph by checking the boxes of the entities you want to plot (maximum of 500).
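The association graph, the "Load Connections" walk and the 500-entity plotting limit, as an added example written for this page (not the product’s code). It also covers the "associated entities" count above the risk trend chart, since both are the same set: every other entity mentioned in the selected entity’s triggered alerts and signals. The alert records and entity names are constructed.

```python
from collections import defaultdict

# Constructed sample alerts/signals: each lists the entities it mentions.
# Note that "bob" never shares an alert with "alice", and "carol" is unconnected.
SAMPLE_ALERTS = [
    {"name": "Abnormal logon hour", "entities": {"alice", "wks-1021"}},
    {"name": "Rare admin share access", "entities": {"alice", "srv-db01"}},
    {"name": "New admin group member", "entities": {"alice", "srv-db01", "corp.example"}},
    {"name": "Lateral movement via RDP", "entities": {"srv-db01", "bob"}},
    {"name": "Suspicious scheduled task", "entities": {"bob", "wks-2042"}},
    {"name": "Unrelated beaconing", "entities": {"carol", "wks-3003"}},
]

MAX_PLOTTED = 500  # the Associations view plots at most 500 entities


def build_graph(alerts):
    """Node-link graph: an undirected link between every pair of entities mentioned
    in the same alert/signal, weighted by how many items they share.
    Returns (adjacency, edges) where edges maps a sorted (u, v) pair to its weight."""
    edges = defaultdict(int)
    for a in alerts:
        ents = sorted(a["entities"])
        for i in range(len(ents)):
            for j in range(i + 1, len(ents)):
                edges[(ents[i], ents[j])] += 1
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj, dict(edges)


def associated_entities(adj, entity):
    """First-degree associations: the set shown in the Associated Entities panel."""
    return set(adj.get(entity, ()))


def load_connections(adj, plotted, entity):
    """The '+' button: add the clicked entity's own associations to the plotted set.
    Returns (new plotted set, entities that were newly discovered)."""
    new = associated_entities(adj, entity) - plotted
    return plotted | new, new


def walk(adj, start, clicks):
    """Start from an entity's first-degree graph, then press '+' on each entity in clicks."""
    plotted = {start} | associated_entities(adj, start)
    for entity in clicks:
        plotted, _ = load_connections(adj, plotted, entity)
    return plotted


def plot_selection(edges, selected):
    """The side-panel table: plot only the checked entities (at most MAX_PLOTTED).
    Returns (nodes, links) with links restricted to pairs that are both selected."""
    if len(selected) > MAX_PLOTTED:
        raise ValueError(f"at most {MAX_PLOTTED} entities can be plotted")
    nodes = sorted(selected)
    links = [(u, v, w) for (u, v), w in edges.items() if u in selected and v in selected]
    return nodes, links


def caption(selected):
    return f"Showing {len(selected)} entities"


if __name__ == "__main__":
    adj, edges = build_graph(SAMPLE_ALERTS)
    print("associated with alice:", sorted(associated_entities(adj, "alice")))
    plotted = walk(adj, "alice", ["srv-db01", "bob"])   # two '+' clicks
    nodes, links = plot_selection(edges, plotted)
    print(caption(nodes), nodes, links)
```

The walk shows why second-degree results matter: "bob" is reachable from "alice" only through "srv-db01", so a "Lateral movement via RDP" alert that never names alice still shows up once the analyst expands the server.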