Users

The Users page shows information about the user assets in your account and the details of related devices and incidents.

To view the Users page, access the Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response) Administrator Portal and click Assets > Users. By default, it shows details of users whose Last activity date is within the past seven days.

Users by Priority

The Users by priority widget shows the number of users based on the priority level of the incidents they are involved in, within the selected time period.

To filter the Users overview page according to a specific priority level, click the relevant section on the pie chart. The system filters the page based on your selection and adds this filter to the Filter list.

Users by Related Devices Number

The Users by related devices number widget shows the total number of users and the statistics of related devices, within the selected time period.

To view information about users with a specific device count, click the relevant section on the pie chart. The system filters the page based on your selection and adds this filter to the Filter list.

Example:

For the statistics displayed above, to view information about the two users with four related devices, click the pink section.

Users Table

The Users table is sorted by the priority of incidents related to the users. It shows:

  • User name - Name of the user in the events and alerts processed by Infinity XDR/XPR.

  • Full name - Full name of the user.

  • Incidents priority - Highest priority level among all the related incidents.

  • Related incidents - Number of incidents in which the user is involved. Hover over the count to view the number of the filtered incidents (if applicable) and the total number of incidents.

    Note - Some incidents that impact a large number of assets are excluded from determining the Incident Priority. Such incidents are considered as Filtered.

    To view the incident details, click the count. The Incidents page appears.

  • Email addresses - Email address(es) of the user.

  • Related devices - Devices used by the user.

  • Domain - Domain(s) accessed by the user.

  • Last activity - Date of last activity by the user.

To sort the table, click the icon in the Incidents priority column.

To search for a specific user in the table, enter the user name in the Search field.

Filtering the Users Page

You can filter the information on the Users overview page for different time periods. The system shows information of users whose Last activity time is within the selected time period.

Adding Filters

To add a new filter:

  1. Click + Add Filter.

  2. Enter these details:

    1. Field - Select the user field.

    2. Operator - Select the operator to be applied.

    3. Value - Select the value of the user field.

  3. Click Save.

    Note - You can add multiple filters.

    The system updates the Users overview page based on all the active filters.

Note - You can define the filters below to specify the incidents to be considered to determine the Incident priority and Related incidents:

  • [Related Incidents]: Assignee - Allows filtering to consider all incidents or only the unassigned ones. It helps you to prioritize incidents that have not yet been assigned to a team member, ensuring focus on new incidents.

  • [Related Incidents]: Priority - Filters incidents with a specific priority level. It allows you to focus on incidents of a specific priority, for example, to consider only High priority incidents while ignoring other levels.
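The following sketch models how the Incidents priority and Related incidents columns respond to these two filters and to the Filtered exclusion described in the Users Table section. It is an added example working on constructed data, not Check Point code and not a product API; the record layout, the priority names other than High, the asset-count cutoff, and the reading that the Related incidents count covers only the considered incidents are assumptions.

```python
from collections import defaultdict

# Assumed ordering; the page names only "High" explicitly.
PRIORITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Hypothetical cutoff: the page says "a large number of assets" without a number.
LARGE_ASSET_CUTOFF = 50

# Constructed sample incidents (not real product output).
INCIDENTS = [
    {"id": "INC-1", "priority": "High", "assignee": None, "users": ["alice"], "assets": 3},
    {"id": "INC-2", "priority": "Critical", "assignee": "soc1", "users": ["alice", "bob"], "assets": 120},
    {"id": "INC-3", "priority": "Medium", "assignee": "soc2", "users": ["bob"], "assets": 2},
    {"id": "INC-4", "priority": "Low", "assignee": None, "users": ["bob"], "assets": 1},
]

def users_table(incidents, unassigned_only=False, priority=None):
    """Build rows sorted by the highest priority of each user's considered incidents."""
    rows = defaultdict(lambda: {"total": 0, "filtered": 0, "considered": []})
    for inc in incidents:
        for user in inc["users"]:
            row = rows[user]
            row["total"] += 1
            if inc["assets"] >= LARGE_ASSET_CUTOFF:
                row["filtered"] += 1      # counted, but never sets the priority
                continue
            if unassigned_only and inc["assignee"] is not None:
                continue                  # [Related Incidents]: Assignee
            if priority and inc["priority"] != priority:
                continue                  # [Related Incidents]: Priority
            row["considered"].append(inc["priority"])
    table = []
    for user, row in rows.items():
        top = max(row["considered"], key=PRIORITY_RANK.get, default=None)
        table.append({"user": user, "incidents_priority": top,
                      "related_incidents": len(row["considered"]),
                      "filtered": row["filtered"], "total": row["total"]})
    # Users with no considered incident sort last.
    table.sort(key=lambda r: PRIORITY_RANK.get(r["incidents_priority"], 0), reverse=True)
    return table
```

With the sample data, the Critical incident touches 120 assets, so it is counted as Filtered for both users and neither of them is ranked Critical.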

Filter In and Filter Out in Users Table

You can filter the Users overview page by either including (Filter) or excluding (Filter out) specific user fields in the Users table. To do that, hover over the field and click the icon and then select the required option.

User Threat Hunting Details

To view the Threat Hunting details for the user:

  1. Hover over the user name and click the icon.

  2. Click Open in Threat Hunting.

The Threat Hunting page appears and displays the Threat Hunting details for the user.

Viewing Devices and Incidents Related to a User

To view the devices and incidents related to a user, click the user name in the Users table.

The system shows the user information, devices used by the user and the incidents in which the user was involved.

User Details

To view the user details, see the User Info section.

The User Info section shows:

  • User name - Name of the user in the events and alerts processed by Infinity XDR/XPR.

  • Last activity - Date and time of last activity by the user.

  • Incidents - Number of incidents in which the user was involved during the past 30 days.

  • Related devices - Devices used by the user.

Users - Device Details

To view the devices used by the user, click the Devices tab (displayed by default).

The Devices table shows:

  • Device name - Name of the device.

  • OS - Operating System on the device.

  • OS version - Operating System version.

  • Related username - Users who have used the device.

  • Domains - Domains accessed on the device.

  • Security agent - Security agent running on the device.

  • Last activity - Date of last activity on the device.

To view more information about a device, click the device name.

Users - Incident Details

To view incidents in which the user was involved, click the Incidents tab.

The Incidents tab shows:

  • Incidents by priority - Number of incidents in which the user was involved during the past 30 days, based on their priority.

  • Incidents over time - Timeline of incidents during the past 30 days. Incidents are color-coded based on the priority levels.

  • Top insights - Top insights in which the user was involved during the past 30 days.

  • Incidents table:

    • Incident ID - ID of the incident. To view more information about an incident, click the ID. The Incidents - Overview page appears.

    • Incident title - Title of the incident.

    • Creation date - Date on which the incident was generated.

    • Last insight - Date when the last insight was created for the incident.

    • Security agents - Security agent(s) running on the device.

    • Status - Status of the incident.

    • Priority - Priority level of the incident.

    • Confidence - Confidence level of the security event detection.

    • Severity - Severity level of the incident.

    • Assets - Number of affected assets in the incident. To view the asset details, click the count link. The Incidents - Affected Assets page appears.

    • Indicators & Artifacts - Number of indicators and artifacts involved in the incident. To view more details on the indicators and artifacts, click the count link. The Incidents - Indicators & Artifacts page appears.

    To filter the Incidents table, click the icon.