The User View provides a powerful way to investigate user-type assets by reducing the number of steps it takes to collect the data you need to research a user. Cortex XDR, using Identity Analytics (and the Identity Threat module, when enabled), automatically aggregates information about a user and displays insights about that user. The data displayed is limited by your scope and may be missing if you don't have the necessary permissions to access information about the host.
To investigate the user:
1. Open the User View. You can access the view from the following locations:
   - In the Incidents page, next to the user you want to investigate further, click the three dots and select Open User View.
   - Under … → …, right-click any user and select Open User View.
   - From the Alerts Table, right-click the alert you want to investigate, then select … → ….
   - Navigate from the Analytics Alert View User Node.
   - From the Top 5 Notable Users widget.
2. Select whether to view the User details over the Last 7 Days, Last 14 Days, or Last 30 Days.
3. Investigate the User overview.
The User View without the Identity Threat Module enabled
Details Header
Displays the following information aggregated by Cortex XDR from incidents, Workday, and Active Directory data.
User Name—Represents the assigned user name.
Department—Represents the user's assigned department name.
Phone Number—Represents the user's assigned phone number.
Location—Represents the user's assigned location.
Last Authentication—Last date and time of an authentication event associated with the username.
Last Login—Last date and time of a login event associated with the username.
Workday Fields—If available, select All Info to display Workday user details.
Current User Score—User Score currently assigned to the user. The score is updated continuously as new alerts are associated with incidents.
Score Trend
Investigate the User Score variation over the selected timeframe.
Select a score to display in the Incidents table the incidents that contributed to the total user score on a specific day. In the table, you can view the following incident details:
Starred—Whether the incident is starred. If it is not, you can select Star to star it.
Creation Time—When the incident was created.
Description—Description of the incident.
Severity—Severity of the incident.
Points Added—Risk score that the incident contributed to the user score. The points are calculated according to either Cortex XDR SmartScore or Incident Scoring Rules.
Select an incident and pivot to the Incident View. Incidents that no longer exist or have been merged are grayed out.
User Associated Insights
Displays all the insights associated with the user, filtered to the selected time period.
Top 5 Hosts Logged Into
Top 5 hosts the user logged into.
Top 5 Authentication Target Hosts
Top 5 host names to which the user requested access.
Top 5 Authentication Source Hosts
Top 5 host names where the user started authentication.
Recent Login
Displays the recent user login details.
Recent Authentications
Displays the recent user authentication events.
The User Risk View with the Identity Threat Module enabled
The Identity Threat module adds insights and profiling information to the User view that help you investigate alerts and incidents. Viewing anomalies in the context of baseline behavior makes risk assessment easier and shortens the time required to reach a verdict. With the User Risk view, you can do the following.
Assess the user's behavior and score.
Review the user's working hours and past alerts.
Analyze the user's behavior over time and compare to their peers with the same asset role.
Star the user to be shown as part of the watchlist.
The User Risk View displays the following data. The information displayed is limited by your scope, and may be missing if you don't have the necessary permissions to access the entity.
General Information
Star—indicates if the user is part of a watch list. If not starred, you can select to add to a watch list.
Name—Unique ID of the user. The queries used for the widgets in this view are based on the normalized user name, in the format <company domain>\<user name>, and the email address.
User Score assigned to the user on the last day of the selected time frame and the change in the score for the selected time frame. The score is updated continuously as new alerts are associated with incidents.
User metadata enriched by the information aggregated from Active Directory and Workday, if you have an integration with Workday for the tenant.
Full Name—assigned user name.
Department—assigned department name.
Title
Last Login— date and time of the last login event associated with the username.
Default Host
Asset Role—automatically detected or manually configured
Normal Activity schedule for the user. This data is based on the preceding several weeks and takes into account holidays and seasonality to present an accurate picture.
Time period based information. Select to view the User insights over either the Last 7 Days, Last 14 Days, Last 30 Days, or a Custom period. The time period selected can be at most 100 days.
User Score Trend for the selected time period—the straight line represents the user score, which is based on the scores of the incidents associated with the user. The graph is based on both new incidents created within the selected time frame and updates on past incidents that are still active.
The bubbles in the graph represent the alerts and insights generated on the selected day. Bigger bubbles indicate more alerts and insights, and a possible risk.
The dashed line presents the average score for peers with the same asset role as the user, over the same time period. If the user is assigned multiple asset roles, select the asset role at the top of the graph to compare to the data for peer hosts with that specific asset role.
Click a bubble to display in the Related Incidents and the Related Alerts and Insights tables the incidents, alerts, and insights that contributed to the total user score on a specific day.
The Related Incidents table displays the following incident details for the day selected in the Score Trend graph.
Starred—Whether the incident is starred.
Date Created
Description
Severity
Status—Gives visibility into the reason for the score change. For example, if an incident is resolved, its score decreases, bringing down the user score.
Points—Risk score that the incident contributed to the user score. The points are calculated according to either Cortex XDR SmartScore or Incident Scoring Rules.
The Related Alerts and Insights widget displays the timeline of all the detection activities associated with the user for the day selected in the Score Trend timeline. The information is grouped into buckets according to MITRE ATT&CK tactics.
To view the details of the Alert in the Alert Panel view, click the alert. This enables you to see all the details about the alert in one page.
Actual Activity that took place per day. The darker the cell, the more activity took place in that time slot. A dashed frame around a slot means Cortex XDR detected uncommon activity in that time slot.
Login Attempts displays the details and outcomes of the related login attempts by the user. When you select a day in the Score Trend graph, the information changes to reflect the logins for that day.
Latest Authentication Attempts displays the details and outcomes of the related authentication attempts by the user. When you select a day in the Score Trend graph, the information changes to reflect the authentication attempts for that day.
SaaS Logs associated with the user. When you select a day in the Score Trend graph, the information changes to reflect the SaaS logs for that day.
Note
Cortex XDR normalizes and displays incident and alert times in your time zone. If you're in a half-hour time zone, the activity in the Normal Activity and the Actual Activity charts is displayed in the whole-hour time slot preceding it. For example, if you're in a UTC +4.5 time zone, the time displayed for the activity will be UTC +4.5, however, the visualization in the Normal Activity and the Actual Activity charts will be in the UTC +4 slot.