View and investigate User Scores and Host Scores using the Asset Scores page to identify high-risk assets and detect compromised accounts or malicious activities.
An asset score is a dynamic risk metric assigned to users and hosts. It typically ranges from 10 to 100, though it can go higher with custom modifiers. It acts as an aggregate indicator of how much security risk a specific identity or machine currently represents.
Note
Customers with the Identity Threat Module add-on have access to asset scores.
Cortex XDR aggregates Workday and Active Directory data to create a list of user and host assets within your network. A user or host risk card is generated only after an alert associated with that specific entity is triggered. Cortex XDR calculates the score by summing the scores of the cases and alerts that the specific asset is implicated in.
For users, the underlying data driving these scores relies heavily on authentication logs, such as VPN and Single Sign-On events. Cortex XDR aggregates this risk by the exact hostname or username. If multiple alerts map to the exact same name, the score aggregates under a single Risk View.
Asset scores act as an important input for the broader alert ecosystem. The Cortex SmartScore algorithm factors in the Asset Score, meaning a critical alert on an asset with a low asset score might be given a lower overall SmartScore, while minor alerts on highly critical assets might be elevated.
You can view the latest scores by navigating to → → . This page provides a bird's-eye view of your riskiest entities. Use the toggle in the page header to switch between the Users and Hosts tabs. Access to the Hosts tab and the associated Risk Management dashboard requires the Identity Threat Module add-on and Analytics to be enabled.
To include system users in the table, such as administrators or NT authority, select the Include System Users checkbox. From the table, you can filter and review your assets. To investigate further, right-click on a selected host or user and click Open User Risk View or Open Host Risk View to track the score trend over time.
Note
Some User Associated Insights may not appear as part of the User Associated Incidents due to the insight generation mechanism. For example, when an insight related to one of the assets in an incident is generated a few days after the associated incident, the insight may not be associated with the incident.