Manage Asset Scores - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-02-26
Last date published
2024-05-15
Category
Administrator Guide
Abstract

Learn how to view and investigate User Scores and Host Scores using the Asset Scores page.

The Asset Scores page provides a central location from which you can view and investigate information relating to User Scores and Host Scores in your network.

Cortex XDR aggregates data from Workday and Active Directory to create a list of user and host assets located within your network.  When alerts and incidents occur, they are associated with a host or user asset and Cortex XDR calculates a score that represents the risk level of each asset. This score can help you to identify high-risk assets in your organization, and detect compromised accounts and malicious activities.

Note

As new alerts are associated with incidents, the User and Host Scores are recalculated. You can view the latest User and Host Scores on the Asset Scores page, or track the Score trend on the User Risk View and Host Risk View.

To investigate your users and hosts, take the following steps.

  1. Select AssetsAsset Scores. Use the toggle in the page header to switch between the USERS and HOSTS tabs.

    Note

    The HOSTS tab is available only if the Identity Threat Module add-on is enabled.

  2. Filter and review your assets.

    The following table describes the fields in the USERS tab.

    The following table describes the fields in the HOSTS tab.

  3. Investigate further by locating the user or host you want to investigate, right-click and Open User Risk View or Host Risk View. For more information, see Investigate a User and Investigate a Host.

    Note

    Some User Associated Insights may not appear as part of the User Associated Incidents due to the insight generation mechanism. For example, when an insight related to one of the assets in an incident is generated a few days after the associated incident, the insight may not be associated with the incident.