Checks Tab

Overview

The Checks tab in the User 360 shows a detailed view of all of a user's current check failures/observations, the reasons a user has failed a particular check, and other information related to the user's check history. Understanding the various checks a user is failing at once, or in close succession, can make it more obvious to identify an active attack or possible compromise on a given user's account. The Checks tab is the last tab of the User 360. You can also see the number of checks a given user is currently failing next to the tab name. In this article, we will go through the data and functionality available on the Checks tab including:

Different Types of Checks

When looking at the available checks in the platform, you may notice that some checks are marked as Identity Posture Insight checks, while others are marked as Identity Threat Insight checks. Behind the scenes, Identity Intelligence also categorizes checks as either state based or event based to retain and display a user's check history.

Checks table elements

On the Checks tab, there are 2 different tables - the first table displays the checks that a given user is currently failing. The second table shows the given user's resolved checks, which are checks that the user is no longer failing. If the user does not have any resolved checks you will only see the Failing Checks table. If the user is not currently failing any checks, you will only see the Resolved Checks table.

Below, we will explain the fields that appear in each table, as well as the definition of each field.

Failing Checks

Failing Check Observations

If there has been more than one observation for a check failure, the row can be expanded using the arrow to the left of the check name, so that you can see the history of observations.

Up to 5 observations will be displayed by default, but you can click the 'See More' button under the last observation to see additional events if they exist. Observations are displayed in order from newest (top) to oldest (bottom).

The fields available for observations are:

Resolved Checks

The fields available in the Resolved Checks table are:

Resolved Check Observations

Similarly to failed check observations, if there has been more than one resolved observation for a check failure, the row can be expanded using the arrow to the left of the check name, so that you can see the history of resolved observations.

Up to 5 observations will be displayed by default, but you can click the 'See More' button under the last observation to see additional events if they exist. Observations are displayed in order from newest (top) to oldest (bottom).

Resolved check widgets

Under or next to the two checks tables are also two small widgets with the number of mitigated checks a given user has, the number of checks a given user has been excluded from, and the median count per user for your tenant.

Diving deeper into a check failure

For each failing check, you can click in and view more information about that particular failing check, along with the most important context, such as the actions that contributed to the user failing a given check and high level context about that user. This is called the 'check explainability'.

To review the check explainability, click on any blank space in the row related to the specific check or observation you'd like to dig into. This will open a slide panel from the right side of the page. To access an observation's explainability, you can also click the button on the right side of the observation row, outlined in blue in the screenshot below. To close the slide panel, click the X in the top right corner of the panel, or click anywhere outside of slide panel.

The explainability available will vary from check to check based on what information or context is most relevant for a particular check, and can include information such as such as user title, failing data source, factor type, application accessed, IP address used, etc.

Resolved check explainability

How to triage a user's check failure

• Exclude a user - Removes the user from the list of check failures and stops them from being evaluated against a given check for a specified time frame. You can also leave a comment explaining why this user has been excluded from this check for that amount of time. Check will appear in Resolved Checks table in Checks tab of User 360

• Mark as Normal Behavior - Note: Only available for event based checks. Remediates the failed check for that occurrence and moves it to the Resolved table in the User360 Checks tab. User is not evaluated against this check for the specific context that caused the given observation for 30 days. If Identity Intelligence notes that user has the same exact behavior again tomorrow, the user will not fail the check again, unless an observation is logged for that check with new context (new IP address, device, etc). Read more about this on the Triaging Alerts and Remediation Actions docs

  • Identity Intelligence team compiles this data to determine if customers find the detection accurate or not, so logic improvements can be made if needed

• Mark as Suspicious - Note: Only available for event based checks. Remediates the failed check for that occurrence and moves it to the Resolved section of the User360 Checks tab. User is not evaluated against this check for the specific context that caused the given observation for 30 days. If Identity Intelligence notes that user has the same exact behavior again tomorrow, the user will not fail the check again, unless an observation is logged for that check with new context (new IP address, device, etc).

  • Identity Intelligence team compiles this data to determine if customers find the detection accurate or not, so logic improvements can be made if needed

There are also additional remediation actions, such as Reset MFA, Log out User, Delete User, Quarantine, etc, that can be taken on a given user's account, depending on the sources associated with a given user and the permissions configured at the data source.