Investigate a User - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-18
Category: Administrator Guide
Abstract

Investigate user assets associated with your incidents.

The User Risk View enables you to investigate user type assets by reducing the number of steps it takes to collect data to research a user. Cortex XDR uses Identity Analytics to aggregate information on a user and displays insights about the user. The data displayed in the view depends on whether the Identity Threat module is enabled.

If the Identity Threat module is enabled, this view displays insights and profiling information to help you investigate alerts and incidents. Viewing anomalies in the context of baseline behavior facilitates risk assessment and shortens the time you need to reach a verdict. With the User Risk View, you can do the following:

  • Assess the user's behavior and score.

  • Review the user's working hours and past alerts.

  • Analyze the user's behavior over time and compare it to that of their peers with the same asset role.

  • Star the user to be included in the watchlist.

If the Identity Threat module is not enabled, the User View displays an overview of the user and information about the user's score and activity.

Open the User Risk View or the User View.

  1. Under Assets → Asset Scores, select the Users tab, right-click any user, and select Open User Risk View.

  2. Select the timeframe for which to view the user's details.

  3. Investigate the user overview.

The User Risk View with the Identity Threat Module enabled

The User View without the Identity Threat Module enabled