Investigate a host - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

You can drill down on host details on the Host Risk View.

Notice

The Host Risk View requires the Identity Threat Module add-on.

Drill down on a host on the Host Risk View. On this view you can see insights and profiling information about a host. When investigating alerts and incidents, you can view anomalies in the context of the host, which can help you make better and faster decisions about risks. On the Host Risk View you can take the following actions:

  • Assess the host's behavior and score.

  • Analyze the host's behavior over time, and compare it to peer hosts with the same asset role.

  • Review related incidents and past alerts for the host.

  • Star the host to be included in the watchlist.

How to investigate a host
  1. Open the Host Risk View.

    Right-click the host that you want to investigate and select Open Host Risk View.

    Tip

    You can also see a list of all hosts under Assets → Asset Scores.

  2. In the left panel, review the overview of the host.

    The overview displays network operations, incidents, actions, and threat intelligence information relating to the selected host. You can see the host score, the metadata aggregated by Cortex XDR, and the CVE breakdown by severity.

    Common Vulnerabilities and Exposures (CVEs) are grouped by severity. For more information on each of the CVEs, refer to Related CVEs.

    The displayed information and available actions are context specific.

  3. In the right panel, select the timeframe to view the host's details and review the information:

    • Score Trend: Displays a graph based on new incidents created within the selected time frame and updates on past incidents that are still active. The straight line represents the host score, which is based on the scores of the incidents associated with the host.

      The bubbles in the graph represent the number of alerts and insights generated on the selected day. Bigger bubbles indicate more alerts and insights, and a possible risk.

      Click a bubble to drill down into a score. The Related Incidents and the Related Alerts and Insights widgets display the incidents, alerts, and insights that contributed to the total score on the selected day.

      For hosts with associated asset roles, you can compare the data with other peer hosts with the same asset role. Click Compare To and select an asset role to which you want to compare the data. The dashed line presents the average score for peers with the same asset role as the host, over the same time period.

      Hover over a bubble on the dashed line to see the Average score for the selected peer, and a breakdown of the score per endpoint. Click Show x Hosts to see a full breakdown of the score on the Peer Score Breakdown, filtered by the selected asset role. From the Peer Score Breakdown you can select any host name and pivot to additional views for further investigation.

    • Related Incidents: Displays the incident details for the day selected in the Score Trend graph.

      The Status column gives visibility into the reason for the score change. For example, if an incident is resolved, its score will decrease, bringing down the host score.

      The Points column displays the risk score that the incident contributed to the host score. The points are calculated according to either Cortex XDR SmartScore or Incident Scoring Rules.

    • Related Alerts and Insights: Displays the timeline of all the detection activities associated with the host for the day selected in the Score Trend graph. The information is grouped into buckets according to MITRE ATT&CK tactics.

      To view the details of the alert in the Alert Panel view, click the alert. This enables you to see all the details about the alert in one page.

    • Latest Logins to Host: Displays the details and outcomes of the related login attempts to the host. When you select a day in the Score Trend graph, the information changes to reflect the logins for that day.

    • Latest Authentication Attempts: Displays the details and outcomes of the related authentication attempts to the host. When you select a day in the Score Trend graph, the information changes to reflect the authentication attempts for that day.

    • Related CVEs: Displays the details of the specified CVE. The information can help you to assess and prioritize security threats on each of the endpoints.
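As an added illustration (not Cortex XDR code; the page does not describe the SmartScore or aggregation logic, so summing the points of still-active incidents and the peer set used for the average are assumptions), the following models how the host score line in the Score Trend drops when an incident is resolved and how the dashed peer average for an asset role is derived:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Incident:
    incident_id: str
    host: str
    points: int                     # contribution assigned by SmartScore or a scoring rule
    created: date
    resolved: Optional[date] = None  # None while the incident is still active

# Constructed sample data: hosts with their asset roles, and a few incidents.
HOST_ROLES: Dict[str, str] = {"web-01": "web", "web-02": "web", "web-03": "web", "db-01": "db"}
INCIDENTS: List[Incident] = [
    Incident("INC-1", "web-01", 40, date(2024, 3, 1), resolved=date(2024, 3, 4)),
    Incident("INC-2", "web-01", 25, date(2024, 3, 3)),
    Incident("INC-3", "web-02", 10, date(2024, 3, 2)),
]

def host_score(incidents: List[Incident], host: str, day: date) -> int:
    """Assumed model: the score is the sum of points of incidents open at the end of `day`.
    An incident resolved on `day` no longer counts, which is what makes the line drop."""
    return sum(i.points for i in incidents
               if i.host == host and i.created <= day
               and (i.resolved is None or i.resolved > day))

def score_trend(incidents: List[Incident], host: str, start: date, days: int) -> List[int]:
    """Solid line in the Score Trend graph: one host score per day."""
    return [host_score(incidents, host, start + timedelta(d)) for d in range(days)]

def peer_average_trend(incidents: List[Incident], roles: Dict[str, str], host: str,
                       start: date, days: int) -> List[float]:
    """Dashed line: mean score of the other hosts sharing the selected host's asset role."""
    peers = [h for h, r in roles.items() if r == roles[host] and h != host]
    if not peers:
        return [0.0] * days
    return [sum(host_score(incidents, p, start + timedelta(d)) for p in peers) / len(peers)
            for d in range(days)]

if __name__ == "__main__":
    start = date(2024, 3, 1)
    print("web-01 score:", score_trend(INCIDENTS, "web-01", start, 5))
    print("web peers   :", peer_average_trend(INCIDENTS, HOST_ROLES, "web-01", start, 5))
```

On day four INC-1 is resolved, so the host line falls from 65 to the 25 points of INC-2, while the peer average stays at 5 because only web-02 carries an open incident.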