Threats
Identity Intelligence has built a Threats Dashboard to help you identify and monitor potentially risky behavior occurring within your organization, so that it can be prioritized for investigation and remediated before it becomes a bigger issue. To access the Threats Dashboard, navigate to the Dashboards landing page via the left-hand menu item. Once on the Dashboards page, select the Dashboard header on the page (the default is Posture), as shown in the screenshot below, to open a drop-down with the available Dashboards, and then select Threats.

The Threats dashboard enables you to visualize a variety of potential threats, including:
NHI Risks (Over 30 days)
Non-Human Identities (NHIs) are identities that do not represent humans within your organization. They are "digital" identities used, for example, to manage services, infrastructure, and IT entities. NHI risks include privilege elevation, data leakage, insecure authentication, and others.
This section highlights potential security vulnerabilities and risky behaviors associated with NHIs. Refer to our NHI Posture Dashboard documentation for more detailed descriptions of each counter in this widget.
Selecting any of the numbers within this widget will take you to the relevant page, pre-filtered on the selection you made.

Service Account Authentications by NIST Assurance Level
This pie chart displays a breakdown of all multi-factor authentication usage per Service Account over the last 30 days, categorized by National Institute of Standards and Technology (NIST) assurance level. You can use this data to track how safely service accounts in your organization are used to log in to work systems over time. Accounts that regularly use weak forms of MFA to access resources are more susceptible to getting hacked because those low assurance methods are easier to breach using simple techniques like MFA or push harassment, Adversary in the Middle (AitM) phishing attacks, social engineering, and so on. Hovering over a segment in the pie chart will display a small tool tip with the given assurance level and the count of service accounts making up that segment.

Factor Usage by NIST Assurance Levels
Pie chart that displays a breakdown of all multi-factor authentication usage per user over the last 30 days, categorized by National Institute of Standards and Technology (NIST) assurance level. As you roll out more secure MFA, use this data to track trends over time. Users with weak forms of MFA are more susceptible to getting hacked because those low assurance methods are easy to breach using simple techniques like MFA or push harassment, Adversary in the Middle (AitM) phishing attacks, social engineering, and so on.
Hovering over a segment in the pie chart will display a tool tip with the given assurance level and the count of users making up that segment.
For example, in the screenshot below, we can see that 48 users have used a Medium assurance factor at least once over the last 30 days.

MFA Threats
This widget surfaces risky behavior related to MFA adoption that should be investigated and remediated. Selecting any of the numbers within this widget will take you to the relevant page, pre-filtered on the selection you made. Refer to our MFA Posture Dashboard documentation for more detailed descriptions of each counter in this widget.

Users per Trust Level
The Users Per Trust Level widget displays the current breakdown of the number of identities in each Trust Level across your organization.
Not only does this graph give you a sense of where your users are at today, but it is also a quick and easy way to find users that should be prioritized for investigations. Selecting one of the bars in this visualization will take you to the Users page, pre-filtered for the Trust Levels selected, so you can see all users who currently have a particular Trust Level.
To learn more about User Trust Levels, what factors are included in the calculation, how it is calculated, and more, see our general documentation about User Trust Levels.

Risky Users Distribution Over Time
Risky Users Distribution Over Time depicts fluctuations in the trust levels of the users in your organization over time. This widget can be useful to identify sudden spikes in User Trust Levels.
By default, this widget looks at the last 30 days; however, you can use the timeframe filter in the top right-hand corner of the widget to change the widget's timeframe to be longer or shorter depending on your needs.
If you hover over a data point in this widget (each is marked by a dot on the trend line), you will see a tool tip with the count of users, segmented by Trust Level, for that given date. Selecting a value in the legend below the graph will remove the corresponding data points from the visualization.

Risky Users Accessing Sensitive Applications
This widget depicts the number of users with neutral, questionable, and untrusted trust levels that are accessing sensitive applications over time.
Users with lower trust levels should not be allowed to access sensitive applications. For example, an untrusted user might have a compromised account. This user, in turn, might be leaking customer data, employee personally identifiable information (PII), or sensitive company information like financial records or intellectual property.
By default, this widget looks at the last 30 days; however, you can use the timeframe filter in the top right-hand corner of the widget to change the widget's timeframe to be longer or shorter depending on your needs.

Sensitive Applications Activity
Bar graph that displays, for each sensitive application, the number of accounts using the application and the number of accounts assigned to it but not using it. Click any bar on the graph to go to the Users page, filtered by that application.

Sensitive App Authentication
Bar graph that displays the number of password-using and passwordless authentications for sensitive applications.
Refer to our MFA Dashboard documentation to learn more about how to use this widget.

Sign-In Attempts by Location Over the Past 30 Days
This map displays the number of sign-in attempts per country over the past 30 days. It can help you verify recent sign-in attempts and/or quickly identify and pivot to unusual or unexpected sign-in attempts, using the map data alone or in conjunction with the Sign-In Attempts per Country widget.

The circles on the map represent the number of sign-in attempts from a given location, while the outline of the circle also signifies if the sign-in attempts were predominantly from known (blue) or unknown IP addresses. In the example screenshot below, this circle indicates a location has had 100 sign-in attempts, and more than half of them were from known IP addresses.

If you select a particular circle on the map, it will drill in more closely so you can see the specific locations that make up the sign-in attempts from that circle.
Circles may turn to pins as the map automatically zooms in, with the color of the pin indicating if the majority of sign-in attempts were successful or if they failed, as defined in the key below the map.
You can also use the + or - buttons to manually zoom in or out on the map to see more detailed locations and pins. You may notice that the numbers in a location pin change as you zoom in or out, as the aggregated data points within the circle turn into their own items.
Select or hover over a given pin to see a breakdown of sign-in attempts with the associated count of users for each sign-in result type.
Select the count to drill to the Users page, filtered for those users with that sign-in attempt result for that location.
Example: View the number of logins from a city
In the Sign-In Attempts by Location map, select a circle within a country to get more detail on it, then zoom the map to a particular city by selecting the + or scrolling the mouse wheel.

Select or hover over a pin in the map to see more details about the login attempts for that particular location.

Sign-in Attempts per Country
This widget provides the number of sign-in attempts for each country over the last 30 days, broken down by the number of users who have attempted to sign in from each country, as well as the number of users per sign-in result. Select a value from the row in the table to go to the Users page, filtered on your selection.
Click a column header to sort data in the table in ascending or descending order by that column.
Toggle Only new countries in the top right corner to limit the table to countries that are newly seen in the last 7 days (meaning that it is the first access attempt for that location within the last 7 days, but not the first time this location has ever been seen before).
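To make the per-country figures concrete, the following added example (not product code or the product's implementation) rolls constructed sign-in events up the way the map and table describe: attempts per country, users per sign-in result, and whether more than half of the attempts came from known IP addresses. The event field layout, the `summarize` function, and the reading of "Only new countries" as "first attempt in the 30-day window falls in the last 7 days" are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 30)  # constructed reference time

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed sample events: (timestamp, user, country, result, ip_known).
# The field layout is an assumption for this example, not a product schema.
EVENTS = [
    (days_ago(25), "alice", "US", "success", True),
    (days_ago(20), "bob",   "US", "success", True),
    (days_ago(3),  "alice", "US", "failure", False),
    (days_ago(2),  "alice", "BR", "failure", False),
    (days_ago(1),  "carol", "BR", "failure", False),
    (days_ago(1),  "carol", "BR", "success", False),
    (days_ago(40), "bob",   "DE", "success", True),   # outside the 30-day window
]

def summarize(events, now=NOW, window_days=30, new_days=7):
    """Roll sign-in attempts up per country for the reporting window."""
    start = now - timedelta(days=window_days)
    acc = {}
    for ts, user, country, result, ip_known in events:
        if not start <= ts <= now:
            continue
        c = acc.setdefault(country, {"attempts": 0, "known": 0, "first": ts,
                                     "by_result": defaultdict(set)})
        c["attempts"] += 1
        c["known"] += ip_known
        c["first"] = min(c["first"], ts)
        c["by_result"][result].add(user)

    table = {}
    for country, c in acc.items():
        users = set().union(*c["by_result"].values())
        table[country] = {
            "attempts": c["attempts"],
            "users": len(users),
            "users_by_result": {r: len(u) for r, u in c["by_result"].items()},
            # Map outline: more than half of attempts came from known IPs.
            "mostly_known_ip": c["known"] * 2 > c["attempts"],
            # Assumed reading of "Only new countries": first attempt in the
            # window falls inside the last `new_days` days.
            "new_in_window": c["first"] >= now - timedelta(days=new_days),
        }
    return table

if __name__ == "__main__":
    for country, row in sorted(summarize(EVENTS).items()):
        print(country, row)
```

A country that is new in the window, reached only from unknown IP addresses, and dominated by failed results (BR in the sample data) is the kind of row worth pivoting on first.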

Insights & Unusual Activity
This section of the dashboard centers on identifying suspicious activities associated with user trust levels. Each check can be explored in detail to review failure criteria, recommended remediation steps, affected users, and additional context. By associating these checks with user trust levels, this data provides meaningful insight into active security risks, and the related security gaps, enabling you to prioritize and focus your efforts effectively. This approach helps clarify where vulnerabilities exist and guides targeted actions to proactively enhance the organization's identity security.
Select the check name or blank space of a row in the table to view detailed information about that check, such as detection logic, recommended remediation actions, and failing users, or select a particular trust level tag in a row to go to the Users page, pre-filtered for that trust level. Select Configure Checks to add checks to the table or remove checks from the table.
Explanation of the Insights & Unusual Activity Table
Data displayed in the table:
Check column: Name of the check that caused the users to be displayed in the table.
# Failing column: Number of users failing the check and the percent change in the value over the last week and last month.
Failing Users Trust Levels column: Number of users failing the given check per trust level.
