User Events and Behavior Analysis Incidents

Incident Details

Object Type—this will always display as Activity for UEBA incidents.
Name—the name of the event that triggered the incident.
Platform—the platform in which the incident occurred.
Owner—the name of the user who caused the incident.
Location—the location where the event took place.
Policy—the policy that triggered the incident.
Status—the current status of the incident.
Severity—the severity of the incident as chosen in policy criteria.
Time—the date and time the event took place that triggered the incident.
IP Address—the IP address of the user's activity that triggered the incident.

Clicking trust this IP will open a panel to add the IP address to the Trusted IP Library.
Clicking mark as suspicious will open a panel to add the IP address to the Suspicious IP Library.

The bottom section of the screen displays the matches for events that violated the policy. In this example, a velocity policy was violated when a user logged in from two locations a significant distance apart in under an hour. The Matches list shows the detection date, the match type, and the match details. The match details can include:

  • Event name
  • Location
  • Time and date of the event
  • IP Address
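The velocity check described above, as an added example that is not part of this page or the product's own code: consecutive logins for one user are compared, and a pair that is farther apart than a distance threshold but closer together in time than the window becomes a match carrying the detail fields listed above. The event records, coordinates, IP addresses and the 500 km / one-hour thresholds are constructed assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed sample login events for one user (not product data).
EVENTS = [
    {"name": "Login", "location": "New York", "lat": 40.7128, "lon": -74.0060,
     "ip": "198.51.100.10", "time": datetime(2024, 5, 1, 9, 0)},
    {"name": "Login", "location": "London", "lat": 51.5074, "lon": -0.1278,
     "ip": "203.0.113.5", "time": datetime(2024, 5, 1, 9, 40)},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def velocity_matches(events, max_km=500.0, window=timedelta(hours=1)):
    """Return one match record per pair of consecutive events (ordered by time)
    that are more than max_km apart yet occur within the time window."""
    matches = []
    ordered = sorted(events, key=lambda e: e["time"])
    for prev, cur in zip(ordered, ordered[1:]):
        elapsed = cur["time"] - prev["time"]
        dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if elapsed <= window and dist > max_km:
            matches.append({
                "detection_time": cur["time"],
                "match_type": "velocity",
                "distance_km": round(dist, 1),
                "elapsed_minutes": elapsed.total_seconds() / 60,
                # Match details as the incident panel lists them: event name,
                # location, time and date, IP address, for each event in the pair.
                "details": [
                    {"event": e["name"], "location": e["location"],
                     "time": e["time"], "ip": e["ip"]} for e in (prev, cur)
                ],
            })
    return matches
```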

On the top right of the Incident panel, you can click Show Activity which brings you to the Activities Page filtered by the user and the date of the events.

Incident History

Incident History displays a list of events affecting the incident, such as a response action workflow running or a user viewing the object.


Incident Notes

Incident Notes enables collaborating users to add any notes regarding the incident for auditing or review purposes.
