Manage User Scores - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-30
Last date published: 2023-03-30

The User Scores page provides a central location from which you can view and investigate information relating to the user scores in your network.

Using Identity Analytics, Cortex XDR aggregates the user assets in your network from Workday and Active Directory and associates each user with the incidents they appear in. To help you investigate user activity and detect compromised accounts and malicious behavior, Cortex XDR calculates a User Score for each user so that you can quickly identify the highest-risk users in your organization.

The User Score is the higher of the following two components:

  • Incident Scoring Rules—Each alert in an incident that matches one of your scoring rules is given a score. The highest single alert score across the user's incidents becomes this component.

  • System Rules—Each alert in an incident that matches a Cortex XDR generated scoring rule is given a score. Cortex XDR sums the alert scores within each incident, capping each incident total at 100, and the highest incident total becomes this component.

Note

As new alerts are associated with incidents, the User Score is recalculated. Navigate to the User Scores table to view the latest score, and to the User View to track the User Score trend over time.
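The following Python model is added here to make the two components and the recalculation rule concrete; it is an illustration written for this page, not Cortex XDR's own code. The incident IDs, alert names and the "custom"/"system" source labels are constructed for the example; the only rules taken from the documentation are "the User Score is the higher of the two components", the per-incident cap of 100 on summed system-rule scores, and recalculation whenever a new alert is associated with an incident.

```python
from dataclasses import dataclass, field
from typing import List

# Per-incident cap on summed System Rules alert scores, as stated in the guide.
SYSTEM_RULE_CAP = 100


@dataclass
class Alert:
    name: str
    source: str   # "custom" = matched an Incident Scoring Rule, "system" = matched a Cortex-generated rule
    score: int


@dataclass
class Incident:
    incident_id: str
    alerts: List[Alert] = field(default_factory=list)


def custom_rule_component(incidents: List[Incident]) -> int:
    """Incident Scoring Rules component: the highest single matching alert score."""
    scores = [a.score for inc in incidents for a in inc.alerts if a.source == "custom"]
    return max(scores, default=0)


def system_rule_component(incidents: List[Incident]) -> int:
    """System Rules component: sum system-rule alerts per incident, cap at 100, take the highest incident total."""
    totals = [
        min(SYSTEM_RULE_CAP, sum(a.score for a in inc.alerts if a.source == "system"))
        for inc in incidents
    ]
    return max(totals, default=0)


def user_score(incidents: List[Incident]) -> int:
    """The User Score is the higher of the two components."""
    return max(custom_rule_component(incidents), system_rule_component(incidents))


def add_alert(incidents: List[Incident], incident_id: str, alert: Alert) -> int:
    """Associate a new alert with an incident and return the recalculated User Score."""
    for inc in incidents:
        if inc.incident_id == incident_id:
            inc.alerts.append(alert)
            break
    else:
        raise KeyError(f"unknown incident {incident_id}")
    return user_score(incidents)


def build_sample_incidents() -> List[Incident]:
    """Constructed sample data for one user (hypothetical incident IDs and alert names)."""
    return [
        Incident("INC-1", [
            Alert("Login from unusual country", "custom", 60),
            Alert("Credential dumping attempt", "system", 45),
            Alert("New service installed", "system", 35),       # INC-1 system total: 80
        ]),
        Incident("INC-2", [
            Alert("Suspicious LDAP enumeration", "system", 70),
            Alert("Unusual RDP session", "system", 20),         # INC-2 system total: 90
        ]),
    ]


if __name__ == "__main__":
    incidents = build_sample_incidents()
    print("initial score:", user_score(incidents))                                   # 90 (system component wins over custom 60)
    print("after custom 95:", add_alert(incidents, "INC-1", Alert("MFA bypass", "custom", 95)))          # 95
    print("after system 30:", add_alert(incidents, "INC-2", Alert("Rare process execution", "system", 30)))  # 100 (120 capped)
```

The walk-through shows why the per-incident cap matters: once INC-2's system-rule alerts sum past 100, further system alerts in that incident no longer raise the score, while a single high-scoring custom rule alert can still move it until it reaches the cap.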

To investigate your users:

  1. Select Assets > User Scores.

  2. Filter and review your assets.

    The following table describes the fields in the User Scores table.

    Field          Description
    SCORE          The Cortex XDR high-risk user score. The score is updated continuously as new alerts are associated with incidents.
    USER NAME      Name of the user as provided by Cortex XDR.
    FULL NAME      Name of the user as provided by Workday or Active Directory.
    DEPARTMENT     Department of the user as provided by Workday or Active Directory.
    PHONE NUMBER   Phone number of the user as provided by Workday or Active Directory.
    EMAIL          Email address of the user as provided by Workday or Active Directory.
    LOCATION       Location of the user as provided by Workday or Active Directory.
    LAST LOGIN     Last date and time the user accessed Cortex XDR.

  3. To investigate further, locate the user you want to investigate, right-click the row, and select Open User View.

    Note

    Some User Associated Insights may not appear among the User Associated Incidents because of how insights are generated. For example, if an insight for one of the assets in an incident is generated several days after that incident, the insight may not be associated with the incident.