Investigate a user - Investigate user assets associated with your cases. - Administrator Guide

Investigate a user - Investigate user assets associated with your cases. - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Runtime Security

Creation date

2024-12-24

Last date published

2026-06-10

Notice

If the Identity Threat module is enabled, you can open the User Risk View. This view displays insights and profiling information to help you investigate issues and cases. Viewing anomalies in the context of baseline behavior facilitates risk assessment and shortens the time you require for making verdicts.

If the Identity Threat module is not enabled you can open the User View. This view displays an overview of the user and information about the user's score and activity.

You can take the following actions to investigate a user:

Assess the user's behavior and score.
Star the user to be included in the watchlist.
(User Risk View only) Review the user's working hours and related issues.
(User Risk View only) Analyze the user's behavior over time and compare it to their peers with the same asset role.

How to investigate a user

Right-click a user name and select Open User Risk View or Open User Card.
Tip
You can also see a list of all users under Inventory → Assets → Asset Scores.
Select the timeframe to view the user's details.
Note
Cortex Cloud normalizes and displays case and issue times in your time zone. If you're in a half-hour time zone, the activity in the Issues & Insights Heatmap is displayed in the whole-hour time slot preceding it. For example, if you're in a UTC +4.5 time zone, the time displayed for the activity will be UTC +4.5, however, the visualization in the Issues & Insights Heatmap will be in the UTC +4 slot.
Investigate the user.
User Risk view
Notice
The User Risk view is available with the ITDR add-on. Depending on your permissions, some information may be limited by your scope.
The User Risk view provides a centralized and interactive overview of user identity activities and risk scores, enabling you to investigate user events across core identity data sources. It enables you to identify and prioritize high-risk users quickly, gives you immediate context for identity-related risks, helps prevent missed indicators of compromise, and accelerates triage by offering proactive mitigation strategies.
Customize the User Risk view for your use case by dragging and dropping each widget to position it where you want in the layout. You can also collapse the widgets to hide or show content as needed.
User identity and risk score
The user identity and risk score at the top provide an at-a-glance summary of the user's identity and risk posture. The user risk score displays the score assigned on the last day of the selected time frame and the change in the score for the selected time frame. The score is updated continuously as new issues are associated with cases.
Click the user to view more information about them in a panel that opens on the right. You can see the user's title, department, primary location and endpoint, when the user was created in the organization and when their last activity took place. You can also see their tags and the highlighted tags.
The highlight widgets under the username provide an overview of the user's risk posture. They change according to the selected tab, Risk Assessment or Activities. The elements in the widgets are clickable and filter the information displayed in the tabs.
Risk Assessment
Investigate user risk changes in detail.
Highlights
Case Breakdown: Open cases withing the selected timeframe, with a breakdown of how many cases were opened within each risk severity. Click the different severities to filter the rest of the page to display only the information relevant to that severity level.
Mitre Att&ck Overview: Mitre Att&ck tactics and techniques detected for the user.
Main section
User Risk Score Trend: The graph is based on new cases created within the selected time frame, and updates on past cases that are still active. The straight line represents the user score, which is based on the scores of the cases associated with the user.
The bubbles in the graph represent the number of issues and insights generated on the selected day. Bigger bubbles indicate more issues and insights, and a possible risk.
Drill down on a score for a specific day by clicking a bubble. Alternatively, review the user information for the selected timeframe (Last 7D, 30D, or custom timeframe).
For users with associated asset roles, compare the data with other peers with the same asset role. In the Risk Score Trend graph click Compare To and select an asset role to which you want to compare the data.
The dashed line presents the average score for peers with the same asset role as the user, over the same time period. Hover over a bubble on the dashed line to see the Average score for the selected peer and a breakdown of the score per endpoint. Click Show x Users to see a full breakdown of the score on the Peer Score Breakdown, filtered by the selected asset role. From the Peer Score Breakdown, you can select any user name and pivot to additional views for further investigation.
User Cases: Related cases triggered for the user for the selected timeframe or severity selected in the Case Breakdown widget. If you are drilling down on a score, you can see the cases that contributed to the total score on the selected day. Review the following data:
The Status column provides visibility into the reason for the score change. For example, if a case is resolved, its score will decrease, bringing down the user score.
Issues & Insights: All detection activities associated with the user. The issues are grouped into buckets according to MITRE ATT&CK tactics. Click on a tactic to filter the issues in the table. To further investigate an issue, click the issue to open the Issue Panel and click Investigate.
Mitre Att&ck Matrix Breakdown: Detailed information about the Mitre Att&ck tactics and techniques detected. Click Open Mitre Triage to remediate the threat.
Activities
Investigate user activities in detail.
Highlights
Common User Locations: A breakdown of the countries from which the user connected in the past few weeks.
Common Operating Systems: A breakdown of the operating systems that the user used to connect in the past few weeks.
Failed Logins: Details about failed login attempts by this user.
Main section
Activity Timeline: Consolidated timeline view aggregating the activities of the user from different sources like Auth, Cloud, Endpoint into a single chronological stream. Displays the volume and type of activities over the selected time period.
The list provides a detailed, chronologically ordered timeline of individual events. Each event includes its timestamp, description, event type, and data source icon.
Issues & Insights Heatmap: Grid visualizing the volume and density of user activity across specific times of the day and days of the week. It aggregates events to show when a user is most active versus when they are inactive.
The widget compares the user's actual activity data with their regular activity hours and highlights any differences or anomalies in the user's expected activity.
The cells are marked according to the activity that took place, and a dashed frame indicates that Cortex Cloud detected uncommon activity in the time slot.
A dashed ribbon highlights discrepancies between regular activity hours and actual activity.
A colored ribbon indicates the level of activity on a specific day/hour.
A numbered ribbon indicates the number of issues and insights that occurred on a specific day/hour.
Login Attempts: Details of the user's login attempts and whether the attempts were successful. To further investigate login activity for the user, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search.
Authentication Attempts: User's latest authentication attempts during the selected timeframe. You can see details of the related authentication attempts, and whether the attempts were successful. To further investigate authentication attempts by the user, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search.
SaaS Logs: User's SAAS Log activity during the selected timeframe or on the day selected in the Score Trend graph. You can see details of the SaaS logs that were ingested into the platform in the context of the user.
To further investigate SaaS log activity for the user, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can refine your search.
User View
Review the sections of the User View. Depending on your permissions, some information might be limited by your scope.
In the left panel, review the overview of the user. The displayed information is aggregated by Cortex Cloudfrom cases, Workday, and Active Directory data.
The User Score displays the score that is currently assigned to the user and is updated continuously as new issues are associated with cases.
Review the Score Trend graph.
The graph is based on new cases created within the selected time frame, and updates on past cases that are still active. The straight line represents the user score, which is based on the scores of the cases associated with the user.
Select a score to display in the Cases table, the cases that contributed to the total user score on a specific day.
Click a score to drill down on the score for a specific day. Alternatively, review the user information for the selected timeframe (Last 7D, 30D, or custom timeframe).
The widgets in the right panel reflect the selected timeframe.
Review the Related Cases for the selected timeframe or score selected in the Score Trend graph. If you are drilling down on a score, you can see the cases that contributed to the total score on the selected day. Review the following data:
The Status column provides visibility into the reason for the score change. For example, if a case is resolved, its score will decrease, bringing down the host score.
The Points column displays the risk score that the case contributed to the host score. The points are calculated according to SmartScore or Case Scoring Rules.
Review the following additional widgets:
User Associated Insights
Top 5 Hosts Logged Into
Top 5 Authentication Target Hosts
Top 5 Authentication Source Hosts
Recent Login
Recent Authentications

Notice

Tip

Note

Notice

User identity and risk score

Risk Assessment

Activities