Investigate user assets associated with your incidents.
Drilldown on a user in the User Risk View or the User View. On this view Cortex XSIAM aggregates all of the data collected for a user, displays the information in graphs and tables, and provides further drilldown options for easy investigation. Cortex XSIAM uses Identity Analytics to aggregate information on a user and displays insights about the user.
Notice
If the Identity Threat module is enabled you can open the User Risk View. This view displays insights and profiling information to help you investigate alerts and incidents. Viewing anomalies in the context of baseline behavior facilitates risk assessment and shortens the time you require for making verdicts.
If the Identity Threat module is not enabled you can open the User View. This view displays an overview of the user and information about the user's score and activity.
You can take the following actions to investigate a user:
Assess the user's behavior and score.
Star the user to be included in the watchlist.
(User Risk View only) Review the user's working hours and related alerts.
(User Risk View only) Analyze the user's behavior over time and compare to their peers with the same asset role.
Right-click a user name and select Open User Risk View or Open User Card.
Tip
You can also see a list of all users under
→ .Select the timeframe to view the user's details.
Note
Cortex XSIAM normalizes and displays incident and alert times in your time zone. If you're in a half-hour time zone, the activity in the Normal Activity and the Actual Activity charts is displayed in the whole-hour time slot preceding it. For example, if you're in a UTC +4.5 time zone, the time displayed for the activity will be UTC +4.5, however, the visualization in the Normal Activity and the Actual Activity charts will be in the UTC +4 slot.
Investigate the user.