05-26-2023 01:52 AM
Hello everyone!
Recently, I have been learning about the Identity Analytics feature in Cortex XDR.
After enabling Identity Analytics, I found that not every tenant presents the same interface.
I found that the following UI features are not identical:
I checked some official documents; it seems to be caused by the Identity Threat Module not being enabled.
I’m a little confused about a few points:
Perhaps someone can help me clarify the above questions. Thank you all.🙏
05-28-2023 11:08 PM
Hi @Chilla
Thank you for writing to LIVEcommunity! Please find responses to your above queries inline.
- So having Identity Analytics enabled does not mean that the Identity Threat Module is enabled?
  Yes. ITDR is a new separate module. This module is an Add-On Premium that provides analytical and risk-based detections that correlate with User & Entity Behavior Analytics (UEBA) and is available for a free trial through July 31st, 2023.
- To fully enable the Identity Threat Module, we not only need to enable Identity Analytics in Cortex XDR but also need to activate the Cloud Identity Engine, right?
  Yes, for ITDR full analytics capabilities and in order to improve precision in terms of detection, CIE is highly recommended.
- About the Risk Management Dashboard, I checked the document about Metrics Widgets. Regarding the description of "Top 5 Users at Risk" and "Watchlist" in Widgets, both are about users who are most vulnerable to potential security threats. I would like to know more about the differences between them.
  The main difference is that the Watchlist widget is a custom-like widget which can show up to 10 users that are selected as starred, i.e. you may star a user whom you would like to monitor; even if it's not under Top 5 Users at Risk, you may monitor or see it under Watchlist. Hope this helps.
- In the User Risk Card, "Login Attempts" and "Latest Authentication Attempts" both seem to display login information, including src_ip, dst_ip, and vendor. I would like to ask for more information about the differences between the two.
  Let me get back to you on this!
You may also check more about this module here.
Hope this helps!
Regards.
05-29-2023 08:50 PM
Hi @PiyushKohli,
Thanks for the information.
I'm trying to star some users, but not every starred user appears on my watchlist. May I ask why some of the starred users cannot appear on the watchlist?
Furthermore, I understand that selecting "Gained" as the sorting method shows the score gained within a custom timeframe. Therefore, selecting "Total" as the sorting method should show the total score after enabling ITDR, right? However, I'm not sure why some user scores become negative when I switch to "Total". I want to understand the reason behind this result.
Best wishes.
05-31-2023 03:31 AM
Hi @Chilla
In case you are seeing any issues where you have starred users but those are not appearing on the watchlist, you may open a Support Case for their investigation.
For user scores which are being seen as negative after you select "Total", could you share some additional info or a screenshot, redacting any user/org info?
Thanks