The User Risk View enables you to investigate user type assets by reducing the number of steps it takes to collect data to research a user. Cortex XDR uses Identity Analytics to aggregate information on a user and displays insights about the user. The data displayed in the view depends on whether the Identity Threat module is enabled.
If the Identity Threat module is enabled, this view displays insights and profiling information to help you investigate alerts and incidents. Viewing anomalies in the context of baseline behavior facilitates risk assessment and shortens the time you require for making verdicts. With the User Risk view, you can do the following.
Assess the user's behavior and score.
Review the user's working hours and past alerts.
Analyze the user's behavior over time and compare to their peers with the same asset role.
Star the user to be included in the watchlist.
If the Identity Threat module is not enabled, the User View is displays an overview of the user and information about the User's Score and activity.
Open the User Risk View or the User View.
Under → , select the Users tab, right click on any user, and select Open User Risk View.
Select the timeframe to view the User's details.
Investigate the User overview.
The User Risk View with the Identity Threat Module enabled
The User Risk View displays the following data. Depending on your permissions, some information might be limited by your scope.
General Information
Star—indicates if the user is part of a watch list.
Name—Unique ID of the user. The queries used for the widgets in this view are based on the normalized user name, in the format <company domain>\<user name>, and the email address.
User Score assigned on the last day of the selected time frame and the change in the score for the selected time frame. The score is updated continuously as new alerts are associated with incidents.
User metadata enriched by the information aggregated from Active Directory and Workday, if you have an integration with Workday for the tenant.
Full Name—assigned user name.
Email
Title
Last Login— date and time of the last login event associated with the username.
Location
Department—assigned department name.
Last Authentication
Asset Role—automatically detected or manually configured
Regular Activity Hours for the user. This data is based on the preceding several weeks and takes into account holidays and seasonality to present an accurate picture.
Time period based information.
User Score Trend for the selected time period—the straight line represents the user score, which is based on the scores of the incidents associated with the user. The graph is based on both new incidents created within the selected time frame and updates on past incidents that are still active.
The bubbles in the graph represent the alerts and insights generated on the selected day. Bigger bubbles indicate more alerts and insights, and a possible risk.
Click a bubble to display in the Related Incidents and the Related Alerts and Insights tables the incidents, alerts, and insights that contributed to the total user score on a specific day.
For users with associated Asset Roles, you can compare the data with other peer users with the same asset role. Select an asset role to Compare To. The dashed line presents the average score for peers with the same asset role as the user, over the same time period.
Hover over a bubble on the dashed line to see the Average score for the selected peer, and a breakdown of the score per endpoint. Click Show x Users to see a full breakdown of the score on the Peer Score Breakdown, filtered by the selected asset role. From the Peer Score Breakdown you can select any user name and pivot to additional views for further investigation.
The Related Incidents table displays the following incident details for the day selected in the Score Trend graph.
Starred—Whether the incident is starred.
Date Created
Description
Severity
Status—gives visibility into the reason for the score change. For example, if an incident is resolved, its score will decrease, bringing down the user score.
Points—Risk score that the incident contributed to the user score. The points are calculated according to either Cortex XDR SmartScore (
) or Incident Scoring Rules (
).
The Related Alerts and Insights widget displays the timeline of all the detection activities associated with the user for the day selected in the Score Trend timeline. The information is grouped into buckets according to mitre attack tactics.
To view the details of the Alert in the Alert Panel view, click the alert. This enables you to see all the details about the alert in one page.
Actual Activity that took place per day. The darker the cells, the more activity took place in that time slot. If there is a dashed frame around the slot, Cortex XDRdetected uncommon activity in that time slot.
Login Attempts displays the details and outcomes of the related login attempts by the user. When you select a day in the Score Trend graph, the information changes to reflect the logins for that day.
Latest Authentication Attempts displays the details and outcomes of the related authentication attempts by the user. When you select a day in the Score Trend graph, the information changes to reflect the authentication attempts for that day.
SAAS Logs associated with the user. When you select a day in the Score Trend graph, the information changes to reflect the SAAS Logs for that day.
Note
Cortex XDR normalizes and displays incident and alert times in your time zone. If you're in a half-hour time zone, the activity in the Normal Activity and the Actual Activity charts is displayed in the whole-hour time slot preceding it. For example, if you're in a UTC +4.5 time zone, the time displayed for the activity will be UTC +4.5, however, the visualization in the Normal Activity and the Actual Activity charts will be in the UTC +4 slot.
The User View without the Identity Threat Module enabled
Details Header
Displays the following information aggregated by Cortex XDRfrom incidents, Workday, and Active Directory data.
User Name—Represents the assigned user name.
Department—Represents the user assigned department name.
Phone Number—Represents the user assigned phone number.
Location—Represents the user assigned location.
Last Authentication—Last date and time of an authentication event associated with the username.
Last Login—Last date and time of a login event associated with the username.
Workday Fields—If available, select All Info to display Workday user details.
Current User Score—User Score currently assigned to the user. The score is updated continuously as new alerts are associated with incidents.
Score Trend
Investigate the User Score variation over the selected timeframe.
Select a score to display in the Incidents table the incidents that contributed to the total user score on a specific day. In the table, you can view the following incident details:
Starred—Whether the incident is starred, you can select to Star if you wish.
Creation Time—When the incident was created
Description—Description of the incident
Severity—Severity of the incident
Points Added—Risk score that the incident contributed to the user score. The points are calculated according to either Cortex XDR SmartScore or Incident Scoring Rules (
).
Select an incident and pivot to the Incident View. Incidents that no longer exist or have been merged are grayed out.
User Associated Insights
Displays all the insights associated with the user filtered.
Top 5 Hosts Logged Into
Top 5 hosts the user logged into.
Top 5 Authentication Target Hosts
Top 5 host names to which the user requested access.
Top 5 Authentication Source Hosts
Top 5 host names where the user started authentication.
Recent Login
Displays the recent user login details.
Recent Authentications
Displays the recent user authentication.