Manage Asset Roles for Users - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Abstract

Learn how to edit the user lists assigned to asset roles.

Note

User Role Management is available only if the Identity Threat Module add-on is enabled.

The Edit User Role page enables you to edit the user lists assigned to asset roles. You may want to exclude some users from certain asset roles even if Cortex XSIAM automatically detected the user as having this asset role. For example, if a user's position in the organization is changed and you want their Analytics to be adjusted accordingly.

The User list on the page displays the users classified under the asset role, if the asset role was assigned automatically or edited manually for the user, the last modification date, and the modifier.

To access the Edit User Role page, from AssetsAsset Roles Configuration, right click to select the user asset role and click Edit Asset Role.

Some asset roles are nested under parent asset roles which are higher in the hierarchy of asset roles. The information icon next to the asset role name provides the name of the parent rule this asset role may be nested under. For example, an Admin User asset role may be a child asset role of the parent asset role Sensitive User.

INCLUDED USERS displays all the users Cortex XSIAM automatically detects as having this asset role and the users you specify manually as having this asset role. EXCLUDED USERS displays the users that were manually removed from an asset role. When you exclude a user from an asset role, it remains in the Excluded Users list and even if it's detected automatically again in the future as having this asset role, it will not be included in the asset role list.

If you want to remove a user from the list of users with this asset role, right click the user and select Exclude User. The user is then listed under EXCLUDED USERS for this asset role. When you exclude a user from an asset role, by default Cortex XSIAM also removes the user from the parent asset roles of the current asset role. To remove the user from the child asset role, but to leave it in any of its parent asset roles, click Advanced Exclusion Settings, and select Don't Exclude next to the name of the parent asset role(s).

To include an excluded user back in the asset role, right click the user in the Excluded Users list and select Delete User. If the user was automatically detected as having this asset role, it will be added back to the INCLUDED USERS list again. Otherwise, the next time Cortex XSIAM analyzes the assets and automatically detects their asset roles, this user will be included in the asset role list.

To include users from your system manually in an asset role list, in the asset role page, click Add User.

  • To add one or more users manually, click Add New, and then type the user names one by one in the format Netbios\samAccount.

  • To add users from a CSV file, click Import from File. You can use the example file provided to structure your CSV file.

Manually added users are also analyzed by Analytics when it runs next, and are displayed in the Incident view and the User Risk view.

To delete a manually added user from the INCLUDED USERS, right click and Delete User.

Note

Deleting a manually added user removes the user from the INCLUDED USERS list. If this user is detected automatically as having this asset role in the future, it will appear in the INCLUDED USERS list again.

Excluding a manually added user ensures that even if in the future the user is detected as having this asset role, this detection is overridden and the user isn't included in the asset role.

To change the name of a user, right click the user name and Edit User.