Investigate user assets associated with your incidents.
The User View provides
a powerful way to investigate user type assets by reducing the number
of steps it takes to collect and research a user. Cortex XDR, using Identity Analytics,
automatically aggregates information on a user and displays the
investigate the user:
Open the User View.
You can access the view from:
of the Incident View Key Assets & Artifacts tab
User Scores Table
Analytics Alert View User Node
Top 5 Notable Users Widget
Select to view the User details over either the
Last 14 Days
Investigate the User overview.
Displays the following information aggregated by Cortex XDR from incidents, Workday, and Active Directory:
User Name—Represents the assigned user name.
Department—Represents the user's assigned department name.
Phone Number—Represents the user's assigned phone number.
Location—Represents the user's assigned location.
Last Authentication—Last date and time of an authentication
event associated with the username.
Last Login—Last date and time of a login event associated
with the username.
Workday Fields—If available, select
display Workday user details.
Current User Score—User Score currently assigned to the user.
The score is updated continuously as new alerts are associated with
User Score Trend
Investigate the User Score variation
over the selected timeframe.
Select a score to display in
User Associated Incidents
table the incidents
that contributed to the total user score on a specific day. In the
table, you can view the following incident details:
the incident is starred, you can select to
Creation Time—When the incident was created
Description—Description of the incident
Severity—Severity of the incident
Points Added—Number of risk score points the incident contributed
to the user. The points are calculated according to either Cortex
XDR System Rules (
) or Incident Scoring Rules (
over a User defined score to display the Rule name that contributed
to the User Score.
Select an incident and pivot
to the Incident View. Incidents that no longer exist or have been
merged are grayed out.
User Associated Insights
Displays all the insights
associated with the user filtered.
Top 5 Hosts Logged Into
Top 5 hosts the user logged
Top 5 Authentication Target Hosts
Top 5 host names to which the user requested access.
Top 5 Authentication Source Hosts
Top 5 host names
where the user started authentication.