topic Re: Confirmed issues with some identity threat modules and risk management dashboard in Cortex XDR Discussions

Confirmed issues with some identity threat modules and risk management dashboard

Chilla — Fri, 26 May 2023 08:52:09 GMT

Hello everyone!

Recently, I have been learning about the Identity Analytics feature in Cortex XDR.

After enabling Identity Analytics, I found that not every tenant presents the same interface.

I found that the following UI features are not identical:

absence of a Risk Management Dashboard
less information displayed in User Risk View (e.g. Regular Activity Hoursartifact info, Actual activity...)
no Asset Roles Configuration(Asset → Asset Roles Configuration).
no Host Risk View

I checked some official documents, it seems to be caused by the Identity Threat Module not being enabled.

I’m a little confused about a few points：

So enabled Identity Analytic does not represent the Identity Threat Module is enabled?
To fully enable the Identity Threat Module, we not only need to enable Identity Analytics in Cortex XDR but also need to activate the Cloud Identity Engine, right?
About Risk Management Dash Board, I check the document about Metrics Widgets.
Regarding the description of ＂Top 5 Users at Risk＂ and ＂Watchlist＂ in Widgets, both are about users who are most vulnerable to potential security threats. I would like to know more about the differences between them.
In User Risk Card, ＂Login Attempts＂ and ＂Latest Authentication Attempts＂, it seems that both display login information, including src_ip, dst_ip, and vendor. I would like to ask for more information about the differences between the two.

Perhaps someone can help me clarify the above questions. Thank you all.🙏

Re: Confirmed issues with some identity threat modules and risk management dashboard

PiyushKohli — Mon, 29 May 2023 06:08:11 GMT

Hi @Chilla

Thank you for writing to live community! Please find response to your above queries inline.

So enabled Identity Analytic does not represent the Identity Threat Module is enabled? Yes. ITDR is a new separate module. This module is an Add-On Premium that provides analytical and risk-based detections that correlates with User & Entity behavior analytics (UEBA) and is available for a free trial through July 31st, 2023.

To fully enable the Identity Threat Module, we not only need to enable Identity Analytics in Cortex XDR but also need to activate the Cloud Identity Engine, right? Yes, for ITDR full analytics capabilities and in order to improve precision in terms of detection CIE is highly recommended.

About Risk Management Dash Board, I check the document about Metrics Widgets.
Regarding the description of ＂Top 5 Users at Risk＂ and ＂Watchlist＂ in Widgets, both are about users who are most vulnerable to potential security threats. I would like to know more about the differences between them. Main difference is Watchlist Widget is custom like widget which can show upto 10 users that are selected as starred. i.e. You may star a user which you would like to monitor even if its not under Top 5 users at Risk you may monitor or see under Watchlist. Hope this helps.

In User Risk Card, ＂Login Attempts＂ and ＂Latest Authentication Attempts＂, it seems that both display login information, including src_ip, dst_ip, and vendor. I would like to ask for more information about the differences between the two. Let me get back to you on this!

You may also check more about this module here.

Hope this helps!

Regards.

Re: Confirmed issues with some identity threat modules and risk management dashboard

Chilla — Tue, 30 May 2023 03:50:22 GMT

Hi @PiyushKohli ,

Thanks for the information.

I'm trying to star some users, but not every starred user appears on my watchlist. May I ask why some of the starred users cannot appear on the watchlist?

Furthermore, I understand that selecting ＂Gained＂ as the sorting method shows the score gained within a custom timeframe. Therefore, selecting ＂Total＂ as the sorting method should show the total score after enabling ITDR, right? However, I not sure why some user scores become negative when I switch to ＂Total＂, I want to understand the reason behind this result.

Best wishes.

Re: Confirmed issues with some identity threat modules and risk management dashboard

PiyushKohli — Wed, 31 May 2023 10:31:36 GMT

Hi @Chilla

In case you are seeing any issues where you have star users but those are not appearing on the watchlist , you may open Support Case for their investigation.
For user scores which are being seen as negative after you select "Total" could you share some additional info or screenshot by redacting any user/org info.

Thanks