Investigate a User

Investigate user assets associated with your incidents.
The User View provides a powerful way to investigate user type assets by reducing the number of steps it takes to collect and research a user. Cortex XDR, using Identity Analytics, automatically aggregates information on a user and displays the user insights.
To investigate the user:
  1. Open the User View.
    You can access the view from:
    • Users section of the Incident View Key Assets & Artifacts tab
    • User Scores Table
    • Analytics Alert View User Node
    • Top 5 Notable Users Widget
  2. Select to view the User details over either the Last 7 Days, Last 14 Days, or Last 30 Days.
  3. Investigate the User overview.
    • Details Header
      Displays the following information aggregated by Cortex XDR from incidents, Workday, and Active Directory data:
      • User Name—Represents the assigned user name.
      • Department—Represents the user assigned department name.
      • Phone Number—Represents the user assigned phone number.
      • Location—Represents the user assigned location.
      • Last Authentication—Last date and time of an authentication event associated with the username.
      • Last Login—Last date and time of a login event associated with the username.
      • Workday Fields—If available, select All Info to display Workday user details.
      • Current User Score—User Score currently assigned to the user. The score is updated continuously as new alerts are associated with incidents.
    • User Score Trend
      Investigate the User Score variation over the selected timeframe.
      Select a score to display in the User Associated Incidents table the incidents that contributed to the total user score on a specific day. In the table, you can view the following incident details:
      • Starred—Whether the incident is starred; you can select to star it if you wish.
      • Creation Time—When the incident was created
      • Description—Description of the incident
      • Severity—Severity of the incident
      • Points Added—Number of risk score points the incident contributed to the user. The points are calculated according to either Cortex XDR System Rules or Incident Scoring Rules. Hover over a user-defined score to display the Rule name that contributed to the User Score.
      Select an incident and pivot to the Incident View. Incidents that no longer exist or have been merged are grayed out.
    • User Associated Insights
      Displays all the insights associated with the user, filtered by the selected timeframe.
    • Top 5 Hosts Logged Into
      Top 5 hosts the user logged into.
    • Top 5 Authentication Target Hosts
      Top 5 host names to which the user requested access.
    • Top 5 Authentication Source Hosts
      Top 5 host names where the user started authentication.
    • Recent Login
      Displays the recent user login details.
    • Recent Authentications
      Displays the recent user authentications.
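The User View panels above are aggregations over a user's authentication, login, and incident records for the selected timeframe. The following added example is not Cortex XDR code and does not reproduce its Identity Analytics or scoring rules; it shows, on constructed sample records with assumed field layouts, how the Details Header timestamps, the Top 5 host panels, and the per-day User Score Trend with its contributing incidents can be derived from raw events so that an analyst understands what each panel summarizes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not Cortex XDR output); the field layout is an assumption.
# Auth events: (timestamp, user, event_type, source_host, target_host)
AUTH_EVENTS = [
    ("2024-05-01T08:02:00", "jdoe", "login", "WS-0421", "WS-0421"),
    ("2024-05-01T08:05:00", "jdoe", "auth", "WS-0421", "FS-01"),
    ("2024-05-01T09:10:00", "jdoe", "auth", "WS-0421", "DC-01"),
    ("2024-05-02T07:55:00", "jdoe", "login", "WS-0421", "WS-0421"),
    ("2024-05-02T08:00:00", "jdoe", "auth", "WS-0421", "FS-01"),
    ("2024-05-03T22:14:00", "jdoe", "login", "WS-0900", "WS-0900"),
    ("2024-05-03T22:16:00", "jdoe", "auth", "WS-0900", "DC-01"),
    ("2024-05-03T22:20:00", "jdoe", "auth", "WS-0900", "SQL-02"),
    ("2024-05-03T22:21:00", "asmith", "auth", "WS-0077", "FS-01"),
]

# Incidents: (incident_id, creation_time, severity, points_added, status)
# "merged" incidents are still listed (grayed out in the view); whether they keep
# contributing points is an assumption made here, not documented behaviour.
INCIDENTS = [
    ("INC-1", "2024-05-01T09:30:00", "medium", 20, "active"),
    ("INC-2", "2024-05-03T22:30:00", "high", 50, "active"),
    ("INC-3", "2024-05-03T23:00:00", "low", 5, "merged"),
    ("INC-4", "2024-04-01T10:00:00", "high", 50, "active"),  # outside a 7-day window
]

# Fixed "now" so the example is deterministic.
NOW = datetime.fromisoformat("2024-05-04T00:00:00")


def in_window(ts, days, now=NOW):
    """True if the ISO timestamp falls within the last `days` days before `now`."""
    t = datetime.fromisoformat(ts)
    return now - timedelta(days=days) <= t <= now


def last_event_time(events, user, event_type, days, now=NOW):
    """Details Header: latest login or authentication event for the user."""
    times = [datetime.fromisoformat(ts) for ts, u, et, _, _ in events
             if u == user and et == event_type and in_window(ts, days, now)]
    return max(times).isoformat() if times else None


def top5_hosts(events, user, event_type, host_field, days, now=NOW):
    """Top 5 panels: most frequent hosts for the user's events of one type.

    host_field is 3 (source host) or 4 (target host)."""
    counts = Counter(e[host_field] for e in events
                     if e[1] == user and e[2] == event_type and in_window(e[0], days, now))
    return counts.most_common(5)


def score_trend(incidents, days, now=NOW):
    """User Score Trend: points per day plus the incidents that contributed them."""
    per_day = defaultdict(int)
    contributors = defaultdict(list)
    for iid, created, _severity, points, status in incidents:
        if not in_window(created, days, now):
            continue
        day = created[:10]
        per_day[day] += points
        # Flag merged/removed incidents so a UI can gray them out.
        contributors[day].append((iid, points, status != "active"))
    return dict(per_day), dict(contributors)


def user_overview(user, days, events=AUTH_EVENTS, incidents=INCIDENTS, now=NOW):
    """Assemble the panels the User View shows for one user and timeframe."""
    trend, contributors = score_trend(incidents, days, now)
    return {
        "last_login": last_event_time(events, user, "login", days, now),
        "last_authentication": last_event_time(events, user, "auth", days, now),
        "top5_logged_into": top5_hosts(events, user, "login", 4, days, now),
        "top5_auth_targets": top5_hosts(events, user, "auth", 4, days, now),
        "top5_auth_sources": top5_hosts(events, user, "auth", 3, days, now),
        "score_trend": trend,
        "incidents_by_day": contributors,
        "current_score": sum(trend.values()),
    }


if __name__ == "__main__":
    for key, value in user_overview("jdoe", 7).items():
        print(f"{key}: {value}")
```

The 7-, 14-, and 30-day selectors of step 2 map to the `days` parameter; changing it is what moves INC-4 in or out of the trend. Ties in the Top 5 counters keep first-seen order, so the late-night activity from WS-0900 on 2024-05-03 appears after the earlier WS-0421 sessions even though it is the more recent source.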