The Host Risk View is available only if the Identity Threat Module add-on is enabled.
The Host Risk view provides insights and profiling information about a host when investigating alerts and incidences. Viewing anomalies in the context of all the available data about the host enables you to make better and faster decisions about risks.
The data displayed is limited by your scope, and may be missing if you don't have the necessary permissions to access the information about the host.
Access the view.
Under Open IP View.→ , right click on any endpoint, and select
Under type, click Host Risk View.
The Host Risk view displays the following data.
Actions enables you to perform the available actions for this endpoint.
Host Score assigned to the host on the last day of the selected time frame and the change in the score for the selected time frame. The score is updated continuously as new alerts are associated with incidents.
Host metadata enriched by the information aggregated by Cortex XDR
Agent Installed—last time the agent was installed
Last Communication—last time the console communicated with the endpoint
Asset Role—automatically detected or manually configured
Time period based information. Select to view the Host insights over either the Last 7 Days, Last 14 Days, Last 30 Days, or a Custom period. The time period selected can be at most 100 days.
Host Score Trend for the selected time period—the straight line represents the host score, which is based on the scores of the incidents associated with the host. The graph is based on both new incidents created within the selected time frame and updates on past incidents that are still active.
The bubbles in the graph represent the number of alerts and insights generated on the selected day. Bigger bubbles indicate more alerts and insights, and a possible risk.
The dashed line presents the average score for peers with the same asset role as the host, over the same time period. If the host is assigned multiple asset roles, select the asset role at the top of the graph to compare to the data for peer hosts with that specific asset role.
Click a bubble to display in the Related Incidents and the Related Alerts and Insights tables the incidents, alerts, and insights that contributed to the total host score on a specific day.
The Related Incidents table displays the following incident details for the day selected in the Score Trend graph.
Starred—Whether the incident is starred.
Status—gives visibility into the reason for the score change. For example, if an incident is resolved, its score will decrease, bringing down the host score.
Points—Risk score that the incident contributed to the host score. The points are calculated according to either Cortex XDR SmartScore or Incident Scoring Rules ().
The Related Alerts and Insights widget displays the timeline of all the detection activities associated with the host for the day selected in the Score Trend graph. The information is grouped into buckets according to mitre attack tactics.
Latest Logins to Host displays the details and outcomes of the related login attempts to the host. When you select a day in the Score Trend graph, the information changes to reflect the logins for that day.
Latest Authentication Attempts displays the details and outcomes of the related authentication attempts to the host. When you select a day in the Score Trend graph, the information changes to reflect the authentication attempts for that day.