UEBA Module
UEBA is a security technology that examines user and entity behavior across a network in order to spot possible security threats. When anomalous activity is found, UEBA can generate alerts, enabling security teams to rapidly investigate and take action.
Access the UEBA module by pressing the button located in the left-side panel of the Web Interface.
The UEBA (User and Entity Behavior Analytics) module enables analysis of user activity within the enterprise, helping to identify behavioral patterns and detect anomalies.

1 - Displays the number of users, computers, and events with a risk score higher than zero.
2 - Allows selection of the time interval for viewing high-risk events (Today, Yesterday, Last Week, or Last Month).
3 - Top 10 Riskiest Events:
- Events highlighted in green indicate low risk.
- Events highlighted in yellow indicate medium risk.
- Events highlighted in red indicate high risk.
To view event details, click the button to open the event page.


4 - Lists the Top 10 riskiest alerts.
To view risk score details from recent alerts, click the button to open the corresponding page.

5 - The Events / Risks / Alerts chart displays the number of events, along with the maximum and average risk levels identified during the selected time interval, presented in sample data points.

The refresh interval for the graphic can be adjusted to 1 minute, 5 minutes, or turned off entirely.
6 - The Quick Stats graphic displays the Maximum, Minimum, and Average Risk percentages. The refresh interval for this graphic can be set to 1 minute, 5 minutes, or turned OFF.
7 - This graphic presents the Number of Events Grouped by Risk, with refresh options of 1 minute, 5 minutes, or disabled (OFF).
8 - The Top 10 Riskiest Events graphic is available, with configurable refresh intervals of 1 minute, 5 minutes, or OFF.
9 - The Most Frequent Alerts graphic is shown, also offering refresh options of 1 minute, 5 minutes, or disabled (OFF).
From the Recent Alerts and Most Recent Riskiest Events sections, detailed activity related to a user or computer can be analyzed by selecting the corresponding entry.

Clicking the button redirects to a dedicated page displaying the Activity Stream for the selected user or computer.
Entity View
User Entity Summary
The Entity Summary section provides a high-level overview of user activity, risk posture, and behavioral patterns. Located on the first page of the User or Entity profile, this summary consolidates essential information such as recent alerts, total risk score, notable events, and behavioral insights over time. It offers a quick snapshot to help identify anomalies or deviations from expected behavior, supporting faster investigation and response.

1 - User-Linked Entities Overview - Displays the total number of events, alerts, assets, and locations associated with the selected user during the specified time frame.
2 - Time Interval Selection - Enables selection of the time range for risk analysis (Today, Yesterday, or Last Week).
3 - User Alert Volume - A visual representation of the number of alerts linked to the user within the selected time frame.

Includes refresh interval controls (1 minute, 5 minutes, or OFF).
4 - User Quick Stats - Displays maximum, minimum, and average risk percentages for the user. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
5 - Alert Generation Over Time - Displays the number of alerts associated with the selected user, triggered by related computers, across configurable time intervals (1 minute, 10 minutes, 1 hour, 6 hours, 8 hours, 24 hours). Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
6 - Top 10 Riskiest Events on User - Lists the most critical events based on risk scoring. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
7 - Event Count by Risk Level - Displays a grouped count of user-related events segmented by risk category. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
8 - Most Frequent User Alerts - Highlights the most commonly triggered alerts related to the user. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
User Entity Timeline
The Entity Timeline provides a chronological view of all notable activities performed by or associated with the selected user. This stream aggregates and visualizes event data such as logons, access attempts, triggered alerts, risk changes, and interactions with different systems or assets.
It helps security analysts trace user behavior over time, identify patterns or anomalies, and correlate events with risk scores or alerts for investigation.

1 - Displays the total number of events, alerts, assets, and locations associated with the user during the selected time frame.
2 - Allows selection of the time interval for risk-related data analysis (e.g., Today, Yesterday, Last Week).
3 - Shows all events identified as having a risk component, presented in chronological order. To examine the details of a specific event, click the button.
4 - Risk scores are assigned to events based on predefined detection patterns and logical evaluation methods, enabling effective risk prioritization.
To view risk score details, click the button to open the corresponding page.

In the Rule Name field, the patterns defined in the UEBA Manager are displayed.
Computer Entity Summary
The Entity Summary page provides a consolidated overview of activity related to a specific computer within the monitored environment. This section displays key metrics and visualizations that help assess the computer’s involvement in security events, alert generation, risk levels, and interactions with other entities (such as users, assets, and network locations).

1 - Event Summary - Displays the total number of events, alerts, users, and locations associated with the computer during the selected time frame.
2 - Time Range Filter - Allows selection of a specific analysis window (Today, Yesterday, or Last Week) to view computer-related risk events.
3 - Alert Volume on Computer - A chart showing the number of alerts linked to the computer within the chosen time interval.

A refresh interval can be set to 1 minute, 5 minutes, or disabled (OFF).
4 - Quick Stats on Computer - Presents maximum, minimum, and average risk scores (as percentages) associated with the computer. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
5 - Alert Generation Over Time - Displays how many alerts have been triggered by the computer over configurable time intervals (1m, 10m, 1h, 6h, 8h, 24h). Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
6 - Top 10 Riskiest Events - Highlights the ten highest-risk events involving the computer. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
7 - Risk-Based Event Distribution - Visualizes the number of events grouped by associated risk level for the selected computer. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
8 - Most Frequent Alerts - Lists the most common alerts involving the computer. Refresh settings allow updates every 1 or 5 minutes, or manual refresh (OFF).
Computer Entity Timeline
The Entity Timeline provides a chronological activity stream for the selected computer. This view helps security analysts trace system behavior and correlate events over time. It includes detailed entries for alerts, user interactions, location changes, and other event-based actions that involve the computer. Each entry in the timeline is enriched with metadata, such as timestamps, event types, severity scores, and triggering rules, enabling quick identification of anomalous or risky activity.

1 - Displays the count of events, alerts, users, and locations associated with the selected computer during the specified time range.
2 - Displays the count of events, alerts, users, and locations associated with the selected computer during the specified time range.
3 - Shows all events with an assigned risk factor, sorted in chronological order. Each event can be further explored using the details icon.
4 - Events are evaluated using predefined detection rules or behavioral patterns. Each matching event is assigned a risk score based on its severity and context.
To review the risk score details, select the event by clicking the icon. This opens a detailed analysis page.
