Investigate a Host - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-12-02
Category: Administrator Guide

Note

The Host Risk View is available only if the Identity Threat Module add-on is enabled.

The Host Risk view provides insights and profiling information about a host when you investigate alerts and incidents. Viewing anomalies in the context of the host enables you to make better and faster decisions about risks. With the Host Risk view, you can do the following:

  • Assess the host's behavior and score.

  • Analyze the host's behavior over time and compare it to peers with the same asset role.

  • Review related incidents and past alerts for the host.

  • Star the host to be included in the watchlist.

Open the Host Risk View.

  1. Under Assets → Asset Scores, select the Hosts tab, right-click any endpoint, and select Open Host Risk View.

  2. Select the timeframe to view the host's details.

  3. Investigate the Host overview.

The Host Risk view displays the following data. Depending on your permissions, some information might be limited by your scope.

  • General Information

    • Actions enables you to perform the available actions for this endpoint.

    • Star—indicates if the host is part of a watchlist. The star is reflected in the context of the current host, not globally.

    • Name—Unique ID of the host.

    • Host Score assigned on the last day of the selected time frame, and the change in the score for the selected time frame. The score is updated continuously as new alerts are associated with incidents.

    • Host metadata enriched by the information aggregated by Cortex XSIAM

      • IP Addresses

      • Default User

      • Location

      • Agent Installed—last time the agent was installed

      • Last Communication—last time the console communicated with the endpoint

      • Operating System

      • Tags

      • Asset Role—automatically detected or manually configured

      • CVEs breakdown by severity—Common Vulnerabilities and Exposures (CVE) are grouped by severity. For more information on each of the CVEs, refer to Related CVEs.

  • Time period based information.

    • Host Score Trend for the selected time period—the straight line represents the host score, which is based on the scores of the incidents associated with the host. The graph is based on both new incidents created within the selected time frame and updates on past incidents that are still active.

      The bubbles in the graph represent the number of alerts and insights generated on the selected day. Bigger bubbles indicate more alerts and insights, and a possible risk.

      Click a bubble to display, in the Related Incidents and the Related Alerts and Insights tables, the incidents, alerts, and insights that contributed to the total host score on a specific day.

      For hosts with associated Asset Roles, you can compare the data with other peer hosts with the same asset role. Select an asset role to Compare To. The dashed line presents the average score for peers with the same asset role as the host, over the same time period.

      Hover over a bubble on the dashed line to see the Average score for the selected peer, and a breakdown of the score per endpoint. Click Show x Hosts to see a full breakdown of the score on the Peer Score Breakdown, filtered by the selected asset role. From the Peer Score Breakdown you can select any host name and pivot to additional views for further investigation.

    • The Related Incidents table displays the following incident details for the day selected in the Score Trend graph.

      • Starred—Whether the incident is starred.

      • Date Created

      • Description

      • Severity

      • Status—gives visibility into the reason for the score change. For example, if an incident is resolved, its score will decrease, bringing down the host score.

      • Points—Risk score that the incident contributed to the host score. The points are calculated according to either Cortex XSIAM SmartScore or Incident Scoring Rules.

    • The Related Alerts and Insights widget displays the timeline of all the detection activities associated with the host for the day selected in the Score Trend graph. The information is grouped into buckets according to MITRE ATT&CK tactics.

  • Latest Logins to Host displays the details and outcomes of the related login attempts to the host. When you select a day in the Score Trend graph, the information changes to reflect the logins for that day.

  • Latest Authentication Attempts displays the details and outcomes of the related authentication attempts to the host. When you select a day in the Score Trend graph, the information changes to reflect the authentication attempts for that day.

  • Related CVEs displays the details of the specified CVE. The information can help you to assess and prioritize security threats on each of the endpoints.