Investigate a user

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract

Investigate user assets associated with your incidents.

Drill down on a user in the User Risk View or the User View. These views let you investigate user-type assets with fewer steps to collect the data you need to research a user. Cortex XSIAM uses Identity Analytics to aggregate information about a user and displays insights about that user.

Notice

If the Identity Threat module is enabled, you can open the User Risk View. This view displays insights and profiling information to help you investigate alerts and incidents. Viewing anomalies in the context of baseline behavior facilitates risk assessment and shortens the time you need to reach a verdict.

If the Identity Threat module is not enabled, you can open the User View. This view displays an overview of the user and information about the user's score and activity.

On the User Risk View, you can take the following actions:

  • Assess the user's behavior and score.

  • Review the user's working hours and past alerts.

  • Analyze the user's behavior over time and compare it to that of their peers with the same asset role.

  • Star the user to include them in the watchlist.

How to investigate a user
  1. Open the User Risk View or the User View.

    Identify a user and select Open User Risk View or Open User Card.

    Tip

    You can also see a list of all users under Assets → Asset Scores.

  2. Select the timeframe to view the user's details.

  3. Investigate the user.