Last updated
Last updated
You've completed the "Getting Started" checklist - Congratulations!
This guide aims to detail how you can operationalize Identity Intelligence once you have completed the initial onboarding set up steps.
Identity Intelligence is unique because it is both an Identity Security Posture Management (ISPM) tool and an Identity Threat Detection and Response (ITDR) tool. To get the most of out the insights and data Identity Intelligence provides, it is crucial to understand why ISPM and ITDR are equally important, and how you can leverage both types of insights to make your organization more secure.
The identities in your environment are under constant threat, and while bad actors may adjust or change the techniques used, they will certainly not stop trying to compromise your users' accounts. As detailed in the documentation, making sure that the identities in your environment are secure is a necessary step to protect your organization from the attacks and threats targeted at those identities.
Without strong identity security posture, not only are your identities more vulnerable to being successfully compromised, but also every attack that comes in is inherently riskier. That means you and your team will need to spend more time and resources investigating every risky event or suspected attack to ensure that the impacted identities were not actually compromised.
Identity teams are spread thin enough as is - Why spend time worrying and investigating suspicious log in attempts on an account that has not been used in 3 years when that account should have just been deleted years ago?
For this reason, we recommend starting with user clean up before diving head first into the threat insights available, even if your primary responsibility is focused on user investigation and threat hunting. There are a few checks that we typically recommend starting with for user clean up, and multiple ways you can make the clean up easier to manage that are described below.
There are several ways you can use Identity Intelligence's insights to improve your organization's identity posture. To find areas for improvement, you can use the recommended actions associated with your organization's or go through the list of checks and pick a couple that stand out. We usually suggest starting with the following checks (which are also part of the posture score) since they are often quick and easy to take action on and bring immediate value:
Never Logged In
Inactive Guest Users
Inactive Users
No MFA Configured
To start, we typically recommend picking only 1 or 2 checks/posture recommendations to focus on cleaning up properly. If you pick too many checks to clean up at once, it can be difficult to make real progress.
Depending on the size of your environment, there can be a lot of users failing a given check, which can be very overwhelming and make it difficult to decide where to start. Below are a couple ways to help you can make the results of checks more manageable and actionable, and prioritize certain users who may be carry more inherent risk to your organization.
Before you start cleaning up users on a given check, regardless of if you are using posture score recommendations or specific checks, review that check to see if there are custom settings that can and should be modified to better align with your organization's processes, policies and risk tolerance levels. This will ensure that the users failing the check are actually relevant to take action on for your organization.
Each organization has different priorities and concerns, which means not all identities are created equal for every company for every check - some users may be more important to take action on, and others may be less urgent.
If you have a lot of users failing a check that you would like to clean up, we recommend utilizing the filters on the Users page to partition a given check's failing users into smaller, more manageable sub-groups so that you and your team can more easily take action. You can do this from two places:
Via the desired Check's page
Use the View Users button above the table's column headers, or in the table area if there are more than 1,000 users failing the check, to go to the Users page pre-filtered on the given check where you can add additional filters or column sorting
Use the Failing Users by Integration widget on the right of the screen. Click a desired integration to go to the Users page pre-filtered on the selected integration and the given check where you can add additional filters or column sorting
For example, for the Inactive Users check, use the filters to display only inactive users that are internal accounts and do not have MFA configured.
If you need to share a list of users with other members of your team who may not have access to Identity Intelligence, you can download the results from the Users page into a .csv. On the right side of the page, next to the Search bar is a button with a Download icon which will export the list of users (up to 2,000 users), as well as any applied filters, column additions and column sorting that was done in the platform.
Below are some tips and tricks for making the clean up process more manageable for the specific checks listed above; however, these tips can apply to many other checks, so getting familiar with the features mentioned below can be useful when cleaning up other checks.
Once you have completed the clean up of a few checks we suggest doing the following:
Configuring your notification target on the cleaned up checks - This allows you to take quicker action on newly failing users, preventing the number of failing users from increasing substantially over time with you noticing. Cleaning up a couple of users here and there is much easier and saves a lot of time and effort compared to going through massive clean up processes a couple times a year
We do not recommend that you configure notification targets on these checks BEFORE you complete the clean up as it can overwhelm you more, and newly failing users may be less critical to take immediate action on
Review your organization's internal policies and processes based on your findings to identify areas for improvement - Are there any changes that can be made to onboarding or offboarding processes to ensure that unused accounts are removed automatically? Are there updates you can make to admin assignment procedures to ensure that admin accounts are not created if they are not really needed? Is there a reason that users are automatically granted access to certain resources or apps that frequently go unused - can you get rid of the resource all together or make access more 'as needed' ? Having these conversations can spark some great ideas to automate and proactively improve your organization's identity hygiene, and reduce the amount of manual clean up that needs to happen
Find new things to clean up - You've cleaned up a couple checks already, now it's time to find your next area to focus on! Use the Identity Posture Score to find high priority items or go through the list of checks to see everything that is available and find issues that are particularly concerning to your organization. Review the check recommendations and then utilize the same techniques, tips and features discussed above to make the clean up as manageable as possible.
Once your organization has spent some time addressing its postural issues, you can also start looking more into the Threat Detection functionality that Identity Intelligence has to offer.
Even if your role's primary focus is investigating and responding to threats, or proactively threat hunting, we still highly recommend working with the relevant teams in your organization to follow the steps above for account clean up. This will make using Identity Intelligence easier to use and more effective since you can focus on the right accounts, rather than unnecessary dormant accounts that have lingered around for too long.
Once the clean up is complete, you can leverage Identity Intelligence to identify and investigate the attacks coming in on the accounts in your environment. There is a lot of data and detections available in Identity Intelligence that can easily overwhelm you and your team, which is why we recommend figuring out a plan first before diving in to the deep end.
There are two ways you can start finding accounts to investigate
User Trust Levels
With the User Trust Level, the riskiest users are called out so that prioritization work is already done for you. Users who are assigned an Untrusted level should be investigated immediately. We also recommend investigating users with a Questionable level if time permits.
Another way you can find users to investigate is on a per check basis. For some customers, there are specific threat based detections that are particularly of interest or of concern that they want to keep a very close eye on, so they choose to use this method alone - or combine it with the User Trust Level method.
Start by reviewing the list of available checks to determine if there are any checks that are critical to your organization to be alerted about. Like with account clean up, we recommend picking only a few checks (approx 3-5) to start with so that you and your team can get comfortable with operationalizing the checks first.
When you receive your first alert, practice investigating one user end to end to get a feel for how to operationalize Identity Intelligence in your organization.
When you have identified a user for investigation, you may not know where to start to get the information needed.
Depending on how to found the user - trust levels, failed checks, or just by accident - your investigation may have a different start point such as the Trust Level explainability, check explainability, or a strange looking user's activity flow widget.
Regardless of how you start - Identity Intelligence is full of information that can help you conduct your investigation, without having to jump around to different product consoles to try and compare activity logs.
Once you have successfully investigated a user end to end and remediated the account as needed, you need to remove the user from the list of failing users so that someone else does not spend time investigating the same person.
As with the account clean up, we also recommend using the findings of your investigations to identify wider organizational changes that can be made to improve the organization's posture and thus, reduce the risk of each threat, and time needed investigating.
For example - you may find that you have many users failing the A Bypass Code Was Used To Successfully Sign In check. Rather than consistently investigating these users to revoke long standing bypass codes, work with your teams to change the issuing process for bypass codes so that there is an automated expiration date or usage count instead. If there is rampant Personal VPN usage from risky VPNs, consider implementing a corporate policy that disallows usage of VPNs on corporate devices or to access corporate assets so that you can enforce this with end users. If you consistently see threats from certain IP addresses, IP ranges, or countries, work with your networking teams to ensure these IPs are blocked.
Once you feel comfortable with the volume of alerts coming in from the checks you initially chose to focus on, pick another few checks to add notification targets to so that you can start investigating users failing those checks as well!
We hope this article provided you with some helpful guidance on how to start using Identity Intelligence and incorporate it into your team's workflows. This just begins to scratch the surface of what is possible with Identity Intelligence. The more you use the tool, the more you will find. In the future, we plan to create new Journeys, like the Getting Started Journey that brought you here, to reflect this kind of information within Identity Intelligence directly!
For example, by default the Never Logged In check will fail on users who have not successfully signed in 7 days after their account was created. However, your organization's account creation procedure is to create accounts 14 days before a user's start date. In this case, it would be critical to to better align to that procedure, otherwise there will be many users failing the check who are not actually actionable.
Directly on the page - use the Failing check filter for the desired check, and then use additional filters or column sorting
To quickly access the same combination of filters later on, to your Identity Intelligence tenant. These filters are available to anyone with access to your tenant.
You can also download the list of failing users from a given check using the Download button above the table of failing users, which will include the information from the table, as well as the . If there are more than 1,000 users failing a check, you cannot download from this view. You must go to the Users page, using the View Users button in the middle of the table, and download there. If needed, use the filters to get to a group of 2,000 users or less so that you can download everyone
External users failing this check are typically low risk to remove as the account has never been used and can easily be re-added to your environment if needed. These accounts pose a risk because it is often unknown exactly what permissions or data access a guest user was given. Depending on how the user was invited into your environment, you can review the Invited By info in the source card on the user's .
Delete any accounts that were created at least 1 month ago and have never successfully signed in. You can download these users via .csv if needed (see for info). Temporarily any users from this check if there is a reason they need to remain in the system for a period of time
Users must be deleted directly at the identity data source (ex: Entra). However, if you have for Entra you can delete external Entra users through Identity Intelligence via the button on a given user's page
If the user has accounts in multiple sources, you can see where they are an admin in the source cards on the
Delete any accounts that were created at least 3 months ago and have never successfully signed in. You can download these users via .csv if needed (see for info). Temporarily any users from this check if there is a reason they need to remain in the system for a period of time
Delete any accounts that were created at least 3 month ago and have never successfully signed in. You can download these users via .csv if needed (see for info). Temporarily any users from this check if there is a reason they need to remain in the system for a period of time
Remove any users in the list, starting with the users with the oldest Last Seen date. Temporarily any users from this check if there is a reason they need to remain in the system for a period of time
Remove any users in the list, starting with the users with the oldest Last Seen date. Temporarily any users from this check if there is a reason they need to remain in the system for a period of time
The first way to identify concerning accounts is through User Trust Levels. At a high level, each user in your organization is assigned a User Trust Level that is calculated based on the user's context, behavior and common tendencies, and failing checks. You can read for more in-depth information.
To easily find these users, you can refer to the User Trust Level widget in the and select the desired trust level to drill into the users, or you can use the available on the Users page. From here, dive into any user to go to their where you can find the Trust Level widget at the top of the page, which details why the user received a particular score. Read the User 360 documentation to learn more about how to utilize the widget on this page to conduct your investigation.
There is also a check called User Trust Level Alert that detects users who have been assigned an Untrusted level. If desired, you can also modify the to fail users who have been assigned a Questionable level. We recommend adding a , such as the one created during the initial onboarding journey, to this check so that you can be proactively alerted to any new failing users and they can be investigated as quickly as possible.
For each desired check, look through the of some of the failing users, when available, to understand what types of behaviors or factors lead to users failing the given check. Once you have an understanding of what causes a user to fail each check, adjust the accordingly, if needed, so that they align with your organization's risk tolerance levels, policies, tools, etc. This ensures that whenever a user does fail a check, there is a higher likelihood that it is something worth investigating. For example - you see users failing the Users with Email Forwarding check because they are forwarding emails internally, so you add your company's domain to the Ignore List on the check settings, or you see users failing the Impossible Travel check with corporate IP addresses, so you import an with your office IPs and change the check's settings to exclude "good known IPs".
After adjusting any necessary check settings, add a , such as the one created during the initial onboarding journey, to each check so that you can be proactively alerted to any new failing users, instead of logging in daily to check if there are any new users failing the desired checks.
When investigating we recommend using the See in Context buttons that are available on both a given user's Trust Level widget on the Overview tab of the User 360, or in the check explainability if it is an . This takes you to the user's log where you can easily see the user's events, across all available systems, that happened before and after Identity Intelligence flagged the user.
You may also find yourself needing more information about a user, such as their location or the device they used, to better understand if certain events are actually malicious or not, or you may want to find out if any other users may be under similar attacks from the same IP. Get familiar with all the and the different functionality available in each tab. Because Identity Intelligence is pulling user data from multiples sources, it can provide an incredibly rich and in-depth view into an affected user with only a few clicks, making it much easier to compare events and identify concerning behavior, ultimately saving your team time and effort which is often critical in these situations.
If you do confirm that a user's account has been compromised, or highly suspect that it may have been, make sure to take the necessary steps to protect the account such as logging the user out of all sessions, resetting the user's credentials and factors, or even deprovisioning the account entirely and creating a new one. You can conduct certain from within Identity Intelligence directly as well if needed.
Depending on the result of your investigation and the , there are a few different that can be used so that the user will no longer fail the check. Review the documentation provided to understand the different triage options available and what triage action to use in each situation. We highly recommend not excluding users from checks when possible; however if it is needed, we recommended using a temporary exclusion so that the account can be audited and re-reviewed at a later date to determine if they should still be excluded from the given check.