Behavior Analytics User Confidence Index

The Behavior Analytics User Confidence Index page displays the top risky users based on their User Confidence Index. Admins use this page to view details for each user.

Important

Basic UBA or UBA standard includes 9 predefined UEBA sequential rules. Advanced UBA includes UEBA ML models, UEBA user scoring with User Confidence Index (UCI), UCI-based inline policies, and custom UBA sequence rules.

Contact Support to enable this feature in your account; additional licensing is required.

To access this page, click Incidents > Behavior Analytics. The User Confidence Index based view displays.

The User Confidence Index details page shows:

Total Users: The total number of users with UCI scores. Click the number of users to view the users in the User Confidence section of the page.

Poor: Total number of users with a Poor User Confidence Index score. Click the number to view details in the User Confidence section of the page.

Moderate: Total number of users with a Moderate User Confidence Index score. Click the number to view details in the User Confidence section of the page.

User Confidence Alert: Click the pencil icon to raise an alert if the user’s UCI drops below a set threshold within 24 hours.

Users active: Select a time range within which users have been active. Choices include: past 48 hours, 7, 30, 60, or 90 days.

The User Confidence Alert notifies admins when a user’s UCI drops below a certain score so that they can further investigate the user for security concerns. View alert details on the Skope IT > Events > Alerts page. Click View Anomalies to view the anomaly details.

You can filter the information that displays in the User Confidence section by clicking the dropdown. The selection you make (All, Poor, Medium, or Good) displays the list of users accordingly.

Select a listed user (1) to view details of the user in the right-hand section (2).

Click the ‘Sort By Most Recent’ dropdown to filter the view for the specified user.

Sort By Most Recent: Displays the current information the system has for the specified user.

Sort By Score Impact: Displays the most recent user confidence changes for the specific user.

Sort by Date: Click the date to view a calendar and sort by a specific date.

UCI Time box Timeline: A range selector bar allows extending the timeline view for User Confidence Index (UCI) scores to more than the default 14 days. You can view up to 90 days of UCI scores for the selected user. This allows investigating historical UCI score trends and related anomalies for a user.

Key Detection Scenario

The Key Detection Scenario is the single largest type of security risk a user currently represents, and it contributes to the UCI score dropping. Each anomaly (scenario and sub-scenario combination) is listed individually below and can be sorted by ‘Most Recent,’ ‘Score Impact,’ or ‘date.’ However, the single largest anomaly (scenario and sub-scenario combination) is listed at the top as the ‘Key Detection Scenario’ for the specified user.

Click the Key Detection Scenario and the Policy Behavior Analytics page displays with the pre-selected scenario filters. From this page, admins can view different policies based on the scenario filter. This view helps to assess the user’s current insider risk.

There are three scenario categories by which you can filter:

  • Compromised credential
  • Compromised device
  • Insider threat

Nested beneath each scenario category are the available sub-categories.

Click the pop-out icon at the end of the user details to open the Incidents > Users page. See the Behavior Analytics Incident Details topic for tab details.
