Investigate a host - Investigate host assets associated with your cases - Administrator Guide - Cortex XDR - Cortex

Investigate a host - Investigate host assets associated with your cases - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-04

Notice

The Host Risk View requires the Identity Threat Module add-on. Depending on your permissions, some information may be limited by your scope.

The Host Risk view provides a centralized and interactive overview of activities on the host and risk scores, enabling you to investigate host events across core data sources. It enables you to identify and prioritize high-risk endpoint, gives you immediate context for risks, helps prevent missed indicators of compromise, and accelerates triage by offering proactive mitigation strategies.

Customize the Host Risk view for your use case by dragging and dropping each widget to position it where you want in the layout. You can also collapse the widgets to hide or show content as needed.

Drilldown on a host on the Host Risk View. In this view you can see insights and profiling information about a host. When investigating issues and cases, you can view anomalies in the context of the host that can help you to make better and faster decisions about risks. In the Host Risk View you can take the following actions:

Assess the host's behavior and score.
Analyze the host's behavior over time, and compare it to peer hosts with the same asset role.
Review related cases and past issues for the host.
Star the host to be included in the watchlist.

How to investigate a host

Right-click the host that you want to investigate and select Open Host Risk View.
Tip
You can also see a list of all hosts under Inventory → Assets → Asset Scores.
Select the timeframe to view the host details.
Note
Cortex XDR normalizes and displays case and issue times in your time zone. If you're in a half-hour time zone, the activity in the graphs is displayed in the whole-hour time slot preceding it. For example, if you're in a UTC +4.5 time zone, the time displayed for the activity will be UTC +4.5, however, the visualization will be in the UTC +4 slot.
Investigate the host.
Host Risk view
Notice
The Host Risk view is available with the ITDR add-on. Depending on your permissions, some information may be limited by your scope.
Host identity and risk score
The host identity and risk score at the top provide an at-a-glance summary of the host details and risk posture. The host risk score displays the score assigned on the last day of the selected time frame and the change in the score for the selected time frame. The score is updated continuously as new issues are associated with cases.
Click the host to view more information about it in a panel that opens on the right. You can see the agent installation date, last communication with the host, details about the operating system, and the IP addresses associated with the host.
The highlight widgets under the host name provide an overview of the host's risk posture. They change according to the selected tab, Risk Assessment or Activities. The elements in the widgets are clickable and filter the information displayed in the tabs.
Risk Assessment
Investigate host risk changes in detail.
Highlights
Case Breakdown: Open cases involving this host within the selected timeframe, with a breakdown of how many cases were opened within each risk severity. Click the different severities to filter the rest of the page to display only the information relevant to that severity level.
CVEs Breakdown by severity: Summary chart grouping Common Vulnerabilities and Exposures (CVEs) found on this host by severity, highlighting urgent patching needs.
Mitre Att&ck Overview: Aggregate count of the host's detected behaviors correlated against the MITRE ATT&CK kill chain. The widget highlights the specific tactics and techniques observed in the host's behavior.
Main section
Risk Score Trend: Graph showing the fluctuation of the host's risk score over time, to help identify sudden spikes or long-term high-risk behavior. The graph is based on new cases created within the selected time frame, and updates on past cases that are still active. The straight line represents the host score, which is based on the scores of the cases associated with the host.
The bubbles in the graph represent the number of issues and insights generated on the selected day. Bigger bubbles indicate more issues and insights, and a possible risk.
Drill down on a score for a specific day by clicking a bubble. Alternatively, review the host information for the selected timeframe (Last 7D, 30D, or custom timeframe).
For hosts with associated asset roles, compare the data with other peers with the same asset role. In the Risk Score Trend graph click Compare To and select an asset role to which you want to compare the data.
The dashed line presents the average score for peers with the same asset role as the host, over the same time period. Hover over a bubble on the dashed line to see the Average score for the selected peer and a breakdown of the score per endpoint. Click Show x Hosts to see a full breakdown of the score on the Peer Score Breakdown, filtered by the selected asset role. From the Peer Score Breakdown, you can select any host name and pivot to additional views for further investigation.
Cases: Cases triggered for the host for the selected timeframe or severity selected in the Case Breakdown widget. If you are drilling down on a score, you can see the cases that contributed to the total score on the selected day. Review the following data:
The Status column provides visibility into the reason for the score change. For example, if a case is resolved, its score will decrease, bringing down the host score.
Issues & Insights: Comprehensive list of configuration issues, policy violations, or anomalies detected on the host machine. The issues are grouped into buckets according to MITRE ATT&CK tactics. Click a tactic to filter the issues in the table.
To further investigate an issue, click the issue to open the Issue Panel and click Investigate.
Related CVEs: Details of the specified CVEs related to the host, correlating device vulnerability with identity risk. This information can help you to access and prioritize security threats on each of the endpoints.
To further investigate related CVEs, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search.
Mitre Att&ck Matrix Breakdown: Detailed visualization of the Mitre Att&ck tactics and techniques detected on the host. This widget breaks down the attack lifecycle, allowing you to pinpoint exactly which tactics and techniques were employed and identify the progression of the threat.
Click Open Mitre Triage to remediate the threat.
Activities
Investigate host activities in detail.
Highlights
Failed Logins: Numeric counter displaying the total number of failed login attempts on this host within the currently selected timeframe.
Main section
Login Attempts: All login attempts onto this host. Use the widget to identify lateral movement or unauthorized access.
To further investigate login activity for the host, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search. A table showing all user logins occurring onto this specific host, helping to identify lateral movement or unauthorized access
Authentication Attempts: Authentication protocols and requests processed by this host during the selected timeframe. You can see authentication. details of the related authentication attempts, and whether the attempts were successful.
To further investigate authentication attempts by the host, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search.
(Optional) Take actions on the host.
On the top right, click Actions to see a list of available actions. Actions are context specific.

Notice

Tip

Note

Notice

Host identity and risk score

Risk Assessment

Activities