Investigate an Asset - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Investigate host insights, such as users, groups, services, drivers, hardware, and network shares.

The Asset View provides a powerful way to investigate assets by reducing the number of steps it takes to collect and research hosts. Cortex XSIAM automatically aggregates information on hosts and displays the host insights and a list of related incidents.

Note

If you have selected the Unified Inventory toggle on the Asset Inventory page, you can Open Asset Inventory View while investigating an asset. For more information, see Asset Inventory.

To investigate an asset:

  1. Open the Asset View for an asset.

    You can access the view from:

    • A host with Cortex XDR agent installed in Cortex XSIAM console by right-click > Open Asset View.

    • The IP View of an internal IP address with a Cortex XDR Agent by selecting Host Insights from the navigation bar.

    • The Quick Launcher, by searching for a specific Host Name.

  2. Review the Asset overview.

    The overview displays the host name and any related incidents.

    1. Review the Host name.

    2. Add an Alias or Comment to the host name.

    3. Review any related incidents:

      Related Incidents lists the most recent incidents that contain the host as part of the incident Key Artifacts according to the Last Updated timestamp. If the host belongs to an endpoint with a Cortex XDR agent installed, the incidents are displayed according to the host name. To dive deeper into specific incidents, select the Incident ID. To view all the related incidents, select View All.

  3. Filter the host information you want to display.

    Select from the following criteria to refine the scope of the host information you want to display. Each selection aggregates the displayed data.

    Filter

    Description

    Type

    The type of information you want to display.

    • Host Insights—A list of the host artifacts.

    • Network Connections—Pivot to the IP view of the IP addresses associated with the host.

    • Host Risk View—Insights and profiling information. Available with the the Identity Threat Module.

    Primary

    List of host artifacts you want to display.

    • Users

    • Groups

    • Users to Groups

    • Services

    • Drivers

    • Autorun

    • System Information

    • Shares

    • Disks

    Compare

    Compare host insights collected by Cortex XSIAM over the last 30 days.

    Select ip-view-cluster-enter.png to apply your selections and update the information displayed in the visualization pane.

  4. Review the Host Inventory.

    Select Run insights collection to initiate a new collection. The next time the Cortex XDR agent connects, the insights are collected and displayed.