Manage User Scores

From the Cortex® XDR™ management console, you can manage the user scores.
The User Scores page provides a central location from which you can view and investigate information relating to the user scores in your network.
Using Identity Analytics, Cortex XDR is able to aggregate from Workday and Active Directory a list of all the user assets located within your network according to their associated incidents. To help investigate user activities and detect compromised accounts and malicious activities, Cortex XDR calculates a User Score that allows you to easily identify the most high-risk users in your organization.
The User Score is the higher score of the following two components:
  • Incident Scoring Rules—Alerts within an incident matching your scoring rules criteria are each given a score. The alert with the highest score from the incident is assigned as the User Score.
  • System Rules—Alerts within an incident matching Cortex XDR generated scoring rules are each given a score. Cortex XDR sums all the alerts for each incident up to a total of 100. The highest score is assigned as the User Score.
As new alerts are associated with incidents, the assigned User Score is recalculated. Navigate to the User Scores table to view the latest score, and to the User View to track the User Score trend.
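The following added example models the calculation as this page describes it; it is not Cortex XDR code. The alert records, the field names, and the choice to keep the highest result across a user's incidents are assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (not real Cortex XDR data); field names are assumptions.
# rule_score:   score from a user-defined incident scoring rule (0 if none matched)
# system_score: score from a Cortex XDR generated system rule (0 if none matched)
ALERTS = [
    {"user": "corp\\alice", "incident": 101, "rule_score": 40, "system_score": 30},
    {"user": "corp\\alice", "incident": 101, "rule_score": 0,  "system_score": 45},
    {"user": "corp\\alice", "incident": 101, "rule_score": 0,  "system_score": 50},
    {"user": "corp\\alice", "incident": 102, "rule_score": 70, "system_score": 10},
    {"user": "corp\\bob",   "incident": 103, "rule_score": 85, "system_score": 20},
    {"user": "corp\\carol", "incident": 104, "rule_score": 0,  "system_score": 0},
]

SYSTEM_CAP = 100  # system-rule scores are summed per incident up to a total of 100


def user_scores(alerts):
    """Return {user: score} from the two components described above."""
    by_incident = defaultdict(list)
    for alert in alerts:
        by_incident[(alert["user"], alert["incident"])].append(alert)

    scores = defaultdict(int)
    for (user, _incident), group in by_incident.items():
        # Component 1: the highest single alert score from user-defined rules.
        rules_component = max(a["rule_score"] for a in group)
        # Component 2: sum of system-rule scores in the incident, capped at 100.
        system_component = min(SYSTEM_CAP, sum(a["system_score"] for a in group))
        # The User Score is the higher component; across several incidents
        # the highest result is kept (assumption, see lead-in).
        scores[user] = max(scores[user], rules_component, system_component)
    return dict(scores)


def ranked(alerts):
    """Users ordered from highest to lowest score, ties broken by name."""
    return sorted(user_scores(alerts).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for user, score in ranked(ALERTS):
        print(f"{score:3d}  {user}")
```

In the sample, incident 101 shows the cap: its three system-rule alerts sum to 125, so the system component contributes 100 rather than 125.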
To investigate your users, Cortex displays the following information:
  1. Navigate to Assets > Asset Management > User Scores.
  2. Filter and review your assets.
    The following table describes the fields in the table:

    | Field | Description |
    |-------|-------------|
    | SCORE | Represents the Cortex XDR high-risk user score. The score is updated continuously as new alerts are associated with incidents. |
    | USER NAME | Name of the user as provided by Cortex XDR. |
    | FULL NAME | Name of user as provided by Workday or Active Directory. |
    | DEPARTMENT | Department of user as provided by Workday or Active Directory. |
    | PHONE NUMBER | Phone number of user as provided by Workday or Active Directory. |
    | EMAIL | Email of user as provided by Workday or Active Directory. |
    | LOCATION | Location of user as provided by Workday or Active Directory. |
    | LAST LOGIN | Last date and time the user accessed Cortex XDR. |
  3. To investigate further, locate the user you want to investigate, right-click, and select Open User View.
