Confirmed issues with some identity threat modules and risk management dashboard

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Confirmed issues with some identity threat modules and risk management dashboard

L1 Bithead

Hello everyone!

Recently, I have been learning about the Identity Analytics feature in Cortex XDR.

After enabling Identity Analytics, I found that not every tenant presents the same interface.

I found that the following UI features are not identical:

  • absence of a Risk Management Dashboard
  • less information displayed in User Risk View (e.g. Regular Activity Hoursartifact info, Actual activity...)
     
  • no Asset Roles Configuration(Asset → Asset Roles Configuration).
  • no Host Risk View

I checked some official documents, it seems to be caused by the Identity Threat Module not being enabled.

 

 

I’m a little confused about a few points:

  1. So enabled Identity Analytic does not represent the Identity Threat Module is enabled?
  2. To fully enable the Identity Threat Module, we not only need to enable Identity Analytics in Cortex XDR but also need to activate the Cloud Identity Engine, right?
  3. About Risk Management Dash Board, I check the document about Metrics Widgets.
    Regarding the description of "Top 5 Users at Risk" and "Watchlist" in Widgets, both are about users who are most vulnerable to potential security threats. I would like to know more about the differences between them.
  4. In User Risk Card,  "Login Attempts" and "Latest Authentication Attempts", it seems that both display login information, including src_ip, dst_ip, and vendor. I would like to ask for more information about the differences between the two.

Perhaps someone can help me clarify the above questions. Thank you all.🙏

3 REPLIES 3

L4 Transporter

Hi @Chilla 

 

Thank you for writing to live community! Please find response to your above queries inline.

 

  1. So enabled Identity Analytic does not represent the Identity Threat Module is enabled? Yes. ITDR is a new separate module. This module is an Add-On Premium that provides analytical and risk-based detections that correlates with User & Entity behavior analytics (UEBA) and is available for a free trial through July 31st, 2023. 
  2. To fully enable the Identity Threat Module, we not only need to enable Identity Analytics in Cortex XDR but also need to activate the Cloud Identity Engine, right? Yes, for ITDR full analytics capabilities and in order to improve precision in terms of detection CIE is highly recommended.
  3. About Risk Management Dash Board, I check the document about Metrics Widgets.
    Regarding the description of "Top 5 Users at Risk" and "Watchlist" in Widgets, both are about users who are most vulnerable to potential security threats. I would like to know more about the differences between them.  Main difference is Watchlist Widget is custom like widget which can show upto 10 users that are selected as starred. i.e. You may star a user which you would like to monitor even if its not under Top 5 users at Risk you may monitor or see under Watchlist. Hope this helps.
  4. In User Risk Card,  "Login Attempts" and "Latest Authentication Attempts", it seems that both display login information, including src_ip, dst_ip, and vendor. I would like to ask for more information about the differences between the two. Let me get back to you on this! 

You may also check more about this module here

 

Hope this helps!


Regards.

Hi @PiyushKohli ,

Thanks for the information.

I'm trying to star some users, but not every starred user appears on my watchlist. May I ask why some of the starred users cannot appear on the watchlist?

 

Furthermore, I understand that selecting "Gained" as the sorting method shows the score gained within a custom timeframe. Therefore, selecting "Total" as the sorting method should show the total score after enabling ITDR, right? However, I not sure why some user scores become negative when I switch to "Total", I want to understand the reason behind this result.

 

Best wishes.

Hi @Chilla 

In case you are seeing any issues where you have star users but those are not appearing on the watchlist , you may open Support Case for their investigation. 
For user scores which are being seen as negative after you select "Total" could you share some additional info or screenshot by redacting any user/org info.

 

Thanks

  • 1679 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!