I have been asking our rep for some time about the notable behaviors. In its current form, the notable behaviors page is basically useless. It might as well not be shown in some cases, because when you go to try and find the root cause for these events there is no context whatsoever. The only context available is a user name, but if there is no username associated with the notable behavior then it basically shows you nothing. Also, there does not seem to be a way to adequately select and filter time. The time selections are very cryptic at best and do not always work depending on the filters of the selected notable behavior. Is there any headway into doing something about this to make it something that is useful and actionable if necessary?
I would say that it certainly is not horrible; it allows you to filter, which I think is helpful. From there you see users and then investigate.
For me it's a nightmare to try and investigate simply by the user, especially since there are no indicators to tell you where the log is generated from, so you basically have to query every single log source with that user to find out what is going on. In our environment there are way too many event sources to sift through just for that one event, let alone 200+ notable behaviors.
What I do is filter for what I am interested in. For example, I want to look at "Account Privilege Escalated"
and it shows me two users. If I click on one of the users I can then go to "investigate john.doe"
and select the date range from the blue blips on the right (the part where it shows activity). From there it creates that investigation and throws in all the exact context from that date range I selected. Having an investigation is great; from there you could possibly pull in other info, take notes, or track.
However, I can see if you have a lot; right now mine is at like 104k. Not sure how many you have, but it does take a while to create all those. It will help you pull in the context and help you keep track of it.
Does this help?
That actually does help! Thank you. I did not know you could create an investigation and it will bring in those context items. Exactly what I needed, actually. I wish someone had told me sooner. But for the sake of false positives, it would be nice to see the context before having to create an investigation.
I did find an instance when this is not useful, though. When a notable behavior does not have any users specified we can't create an investigation because there is no user to follow. I found this to be true in the behavior called "Attacker Behavior Detected." There are no users specified, but it does show events at specific dates. There are a couple more notable behaviors that sometimes don't produce a user to reference.