Behavior Analytics Incident Details
The Incident details page provides the summary, alert and events details, and context analysis. Admins will access this page to Acknowledge the violation. Admins must have a minimum of “View and Manage” privileges to acknowledge violations.
To access this page, click Incidents > Behavior Analytics > Incident Description name. The Summary tab is the default tab.
The fields displayed vary based on the policy that triggered the event. A policy triggers when both its interval and its threshold are met. The fields you see, such as email, source, location, device, etc., are attributes of the last event that met the conditions to trigger the policy. For example, if a policy is created to alert when a user downloads 100 files in five minutes, the information displayed is for the 100th event that occurred within those five minutes.
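The following is an added example, not Netskope code, illustrating the trigger semantics above: a per-user sliding-window evaluator that returns the single event that completed the threshold, whose attributes are what the Summary tab shows. The policy (3 downloads in 5 minutes, scaled down from the 100-file example) and the event records are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events for one download policy (not real log data).
EVENTS = [
    {"time": datetime(2024, 1, 1, 9, 50), "user": "alice", "device": "laptop", "source": "Boston"},
    {"time": datetime(2024, 1, 1, 10, 0), "user": "alice", "device": "laptop", "source": "Boston"},
    {"time": datetime(2024, 1, 1, 10, 1), "user": "bob", "device": "desktop", "source": "Austin"},
    {"time": datetime(2024, 1, 1, 10, 2), "user": "alice", "device": "laptop", "source": "Boston"},
    {"time": datetime(2024, 1, 1, 10, 3), "user": "alice", "device": "phone", "source": "Berlin"},
]


def evaluate_policy(events, threshold, interval):
    """Return the event that triggers the policy, or None if it never fires.

    A policy fires when one user produces `threshold` events within any
    window of length `interval`. The event returned is the one that
    completed the threshold; its attributes (device, source, ...) are the
    ones an incident summary would display, not those of the first event.
    """
    windows = {}  # user -> deque of timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        window = windows.setdefault(ev["user"], deque())
        window.append(ev["time"])
        # Drop timestamps that fall outside the interval ending at this event.
        while ev["time"] - window[0] > interval:
            window.popleft()
        if len(window) >= threshold:
            return ev
    return None


def trigger_event(threshold, interval_minutes):
    """Convenience wrapper over the constructed sample for a given policy."""
    return evaluate_policy(EVENTS, threshold, timedelta(minutes=interval_minutes))


if __name__ == "__main__":
    hit = trigger_event(threshold=3, interval_minutes=5)
    # The 9:50 event is outside the window and bob's event belongs to another
    # user, so the third qualifying event is the 10:03 download from "phone".
    print(hit)
```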
The Summary tab shows:
- Number of alerts for this incident.
- Number of events for this incident.
- Ability to scroll quickly through the list of incidents from the details page.
- Status of the incident and the ability to acknowledge the alert.
- Ability to allow or report false positives by clicking the corresponding icon.
Tip
Allowing a detected anomalous activity removes the impact of the UCI deduction for that detection and restores the user’s UCI score immediately.
- Application that triggered the policy.
- Instance account name.
- Email for the user(s) that triggered the policy.
- Device that triggered the policy.
- Source Location for the user(s).
- Policy name that was triggered. Admins can click the arrow icon to view the policy details.
- Optionally, you may see Malware profile name and access method listed. Click View Alert to open the SkopeIT events page to see the alert associated with the anomaly.
- Optionally, you may see a 3rd party app that triggered a policy, for example a malicious file identified by a 3rd party such as Box. Click the arrow icon to open the Behavior Analytics policy page for details.
- Optionally, you may see a DLP alert that was triggered. Click the arrow icon to open the Behavior Analytics policy page for details.
- Severity level of the incident.
- Timestamp when the alert was triggered.
The Event Timeline tab shows:
- Ability to display the latest or earliest alerts and events for the particular incident.
- Enter a query into the Filter field. This is a Skope IT advanced search query. For details, click Skope IT Query Language. TIP: Query “~user” to search these alerts by a specific user in the Skope IT alerts page.
- View the user’s last 24-hour activity. This is the user associated with the incident. Click the icon on the far-right side of the page. The UEBA alert name in Skope IT is Shared Credentials and includes all users seen sharing a specific credential in the past 24 hours.
- Each alert and event is listed in sequential order (latest or earliest). Click the icon to view details; the Alert Details or Network Event Details side panel displays. For example, the image above shows a Shared Credential anomaly, which presents aggregate information and alerts for all users seen sharing a specific credential in a single detection alert. For advanced UEBA, all users seen in the anomaly detection receive the same UCI deduction. This reduces the number of alerts that need investigation for a specific shared credential, helping accelerate the investigation.
The Context Analysis tab displays contextual insights by looking into a user’s 24-hour activities before the incident to provide more detail.
Additional indicators are listed in the right-hand panel.