Entity overview

Starting with UEBA 5.x, UEBA also monitors risky entities in the environment. An entity can be a device or an asset such as a database server, a firewall, or an endpoint.

UEBA uses the asset database component, which discovers and maintains asset information such as IP address, hostname, and vulnerability score (if supported scanner data is connected). See the entity tuning section to ensure that assets are up to date.

The UEBA dashboard now shows Monitored Users and Monitored Entities.

The top panel in the dashboard shows the total number of monitored entities and the total number of high-risk entities in the environment.

UEBA Dashboard

The Monitored Entity widget adds entity-specific information to give a quick view of the risky devices: IP address, hostname, linked users, recent risk, and overall risk.

Monitored entities

Entity offenses

If the risk of an entity or device exceeds the configured threshold value, UEBA generates an offense for further investigation.

The Offense widget in the dashboard now has a drop-down menu to select user or entity offenses.

Recent offenses

Risk entity summary

You can click an entity in the UEBA dashboard to view the following information.

  • Overall risk
  • Anomalies detected in last 30 minutes
  • Linked users
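The following is an added worked example, not code from the UEBA product or from this page. It models the entity data the Monitored Entity widget, the entity offense threshold, and this risk summary describe: anomalies attributed to an entity (identified by IP address) are rolled up into overall risk, risk and anomaly count in the last 30 minutes, and linked users, and an entity whose overall risk exceeds a configured threshold is flagged as an offense. The anomaly fields, the additive risk scoring, the threshold value, and the sample events are all constructed assumptions; UEBA's real scoring logic is not documented here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Assumed record shape for an anomaly attributed to an entity (not UEBA's schema).
@dataclass(frozen=True)
class Anomaly:
    entity_ip: str
    hostname: str
    user: str          # user linked to the entity by this anomaly
    at: datetime
    risk_points: int   # assumed additive risk contribution
    description: str


# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample anomalies (not real data).
SAMPLE_ANOMALIES = [
    Anomaly("10.0.0.5", "db-prod-01", "alice", NOW - timedelta(minutes=5), 40, "unusual outbound volume"),
    Anomaly("10.0.0.5", "db-prod-01", "bob", NOW - timedelta(minutes=20), 35, "first-time admin logon"),
    Anomaly("10.0.0.5", "db-prod-01", "alice", NOW - timedelta(hours=3), 20, "off-hours activity"),
    Anomaly("10.0.0.7", "fw-edge-01", "carol", NOW - timedelta(minutes=50), 15, "configuration change"),
    Anomaly("10.0.0.9", "laptop-42", "dave", NOW - timedelta(minutes=2), 10, "new process observed"),
]


def summarize_entity(anomalies, entity_ip, now=NOW, window_minutes=30):
    """Build the per-entity summary the dashboard panels show: overall risk,
    risk and anomaly count within the recent window, and linked users.
    Returns None if the entity has no anomalies (it is not monitored)."""
    own = [a for a in anomalies if a.entity_ip == entity_ip]
    if not own:
        return None
    cutoff = now - timedelta(minutes=window_minutes)
    recent = [a for a in own if a.at >= cutoff]
    return {
        "ip": entity_ip,
        "hostname": own[0].hostname,
        "overall_risk": sum(a.risk_points for a in own),
        "recent_risk": sum(a.risk_points for a in recent),
        "recent_anomalies": len(recent),
        "linked_users": sorted({a.user for a in own}),
    }


def monitored_entities(anomalies, now=NOW):
    """One summary per distinct entity seen in the anomaly stream."""
    ips = sorted({a.entity_ip for a in anomalies})
    return [summarize_entity(anomalies, ip, now) for ip in ips]


def entity_offenses(summaries, threshold):
    """Entities whose overall risk exceeds the configured threshold; each of
    these would be raised as an offense for further investigation."""
    return [s for s in summaries if s["overall_risk"] > threshold]


if __name__ == "__main__":
    summaries = monitored_entities(SAMPLE_ANOMALIES)
    print("Monitored entities:", len(summaries))
    for s in summaries:
        print(s)
    # Assumed threshold of 50 risk points.
    for s in entity_offenses(summaries, threshold=50):
        print("OFFENSE:", s["ip"], s["hostname"], "overall risk", s["overall_risk"])
```

With the constructed data, db-prod-01 accumulates 95 risk points with two anomalies inside the 30-minute window and two linked users, so it is the only entity above an assumed threshold of 50; fw-edge-01's single anomaly is older than the window, so its recent risk is zero even though it is still monitored.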

Entity details

You can click View entity details to view the following entity details.

  • IP address
  • Hostname
  • MAC address
  • Location
  • Linked users
  • Vulnerability count
  • Vulnerability Risk Score

Vulnerability count and Vulnerability Risk Score are shown only when supported VA scanner data is connected to QRadar.

A timeline for the entity is provided to drill down for further investigation.

Entity details

Searching for entities

You can use the UEBA dashboard search bar to search for any entity monitored by UEBA.

Search bar