Investigate a host - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-01-16
Category
Administrator Guide
Abstract

Investigate host assets associated with your incidents

Notice

The Host Risk View requires the Identity Threat Module add-on.

Drill down on a host from the Host Risk View. On this view you can see insights and profiling information about a host. When investigating alerts and incidents, you can view anomalies in the context of the host, which can help you make better and faster decisions about risk. On the Host Risk View you can take the following actions:

  • Assess the host's behavior and score.

  • Analyze the host's behavior over time, and compare it to peer hosts with the same asset role.

  • Review related incidents and past alerts for the host.

  • Star the host to be included in the watchlist.

How to investigate a host
  1. Right-click the host that you want to investigate and select Open Host Risk View.

    Tip

    You can also see a list of all hosts under Assets > Asset Scores.

  2. In the left panel, review the overview of the host.

    The overview displays network operations, incidents, actions, and threat intelligence information relating to the selected host. You can see the host score, the metadata aggregated by Cortex XSIAM, and review the CVEs breakdown by severity. The displayed information and available actions are context specific.

    Common Vulnerabilities and Exposures (CVE) are grouped by severity. For more information on each of the CVEs, refer to Related CVEs.

  3. Review the Score Trend graph.

    The graph is based on new incidents created within the selected time frame, and updates on past incidents that are still active. The straight line represents the host score, which is based on the scores of the incidents associated with the host.

    The bubbles in the graph represent the number of alerts and insights generated on the selected day. Bigger bubbles indicate more alerts and insights, and a possible risk.

  4. Drill down on a score for a specific day by clicking a bubble. Alternatively, review the host information for the selected timeframe (Last 7D, Last 30D, or a custom timeframe). The widgets in the right panel reflect the selected timeframe.

  5. Review the Related Incidents for the selected timeframe, or for the score selected in the Score Trend graph. If you are drilling down on a score, you can see the incidents that contributed to the total score on the selected day. Review the following data:

    • The Status column provides visibility into the reason for the score change. For example, if an incident is resolved, its score will decrease, bringing down the host score.

    • The Points column displays the risk score that the incident contributed to the host score. The points are calculated according to SmartScore or Incident Scoring Rules.

  6. Review the Related Alerts and Insights for the selected timeframe or score selected in the Score Trend graph.

    The timeline displays all detection activities associated with the host. The alerts are grouped into buckets according to MITRE ATT&CK tactics. Click on a tactic to filter the alerts in the table. To further investigate an alert, click the alert to open the Alert Panel and click Investigate.

  7. Review the Latest Logins to Host during the selected timeframe or on the day selected in the Score Trend graph.

    You can see details of the related login attempts, and whether the attempts were successful. To further investigate login activity for the host, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search.

  8. Review the host's Latest Authentication Attempts during the selected timeframe or on the day selected in the Score Trend graph.

    You can see details of the related authentication attempts, and whether the attempts were successful. To further investigate authentication attempts by the host, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search.
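    An example of the kind of refinement that steps 7 and 8 describe, added here and not the prefilled query that Cortex XSIAM generates: it counts successful versus failed Windows logons for one host over the last seven days. It assumes the xdr_data dataset exposes Windows Security log records through the event_type, agent_hostname and action_evtlog_event_id fields; WS-FINANCE-01 is a constructed host name.

```xql
// Added example, not the View In XQL prefilled query.
// Assumed fields: event_type, agent_hostname, action_evtlog_event_id.
// Windows Security event IDs: 4624 = successful logon, 4625 = failed logon.
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
    and agent_hostname = "WS-FINANCE-01"       // constructed host name
    and action_evtlog_event_id in (4624, 4625)
// Label each record so the two outcomes can be compared side by side.
| alter outcome = if(action_evtlog_event_id = 4624, "success", "failure")
// One row per host and outcome; a large failure count relative to
// successes is the pattern worth pivoting on in the Host Risk View.
| comp count() as attempts by agent_hostname, outcome
| sort desc attempts
```

    Replace the host name with the host you are investigating; the Query Builder applies the same timeframe selector you used on the Host Risk View if you remove the config stage.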

  9. Review the Related CVEs during the selected timeframe or on the day selected in the Score Trend graph.

    You can see details of the specified CVEs. This information can help you to assess and prioritize security threats on each of the endpoints. To further investigate related CVEs, click View In XQL to link to a prefilled query in the Query Builder. Using Cortex Query Language you can create queries to refine your search.

  10. For hosts with associated asset roles, compare the data with other peer hosts with the same asset role. In the Score Trend graph click Compare To and select an asset role to which you want to compare the data.

    The dashed line represents the average score for peers with the same asset role as the host, over the same time period. Hover over a bubble on the dashed line to see the Average score for the selected peer group, and a breakdown of the score per endpoint. Click Show x Hosts to see a full breakdown of the score on the Peer Score Breakdown, filtered by the selected asset role. From the Peer Score Breakdown you can select any host name and pivot to additional views for further investigation.

  11. (Optional) Take actions on the host.

    In the left panel, click Actions to see a list of available actions. Actions are context specific.