📇Users

Overview

The Users page provides high level information on all the user identities in your environment, along with several filters and sortable columns, so that you can better understand, analyze and share user population data based on a variety of useful parameters. By default, the table on the Users page is sorted by User Name, and excludes user accounts that have been deleted, deprovisioned, or disabled.

This section covers:

Definitions of the elements in the table
Users page actions such as searching, exporting results, etc
Basic Filters and Advanced Query Mode
Pivoting on IP address

To get a high level overview of the Users page, watch the video below.

Users table elements

The section below details the fields that appear in the table by default, as well as the definition of each field:

Element	Description
User	The user's display name and their corresponding email or username
Checks	The total number of checks a user is failing. A 🚫 icon in this column indicates that the corresponding user is not part of the protected population and checks are not being evaluated against this user
# IPs	The total number of IP addresses associated with a user's activity across all providers
# Logins	The total number of attempted logins across all providers, regardless of result (success, failure, challenge, other)
Last Seen (UTC)	The date and time of the last login attempt, regardless of outcome, for a user across all providers
Last IP Address	The IP address associated with the last successful or failed login attempt for a user across all providers To learn how to pivot on this IP address, click here
Last Location	The location associated with the last successful or failed login attempt for a user across all providers
MFA	= MFA configured = MFA not configured
Providers	The logo icon(s) for the corresponding identity data sources where a user's account has been associated Hovering over a source will show you the integration name and user's status as gathered from the identity data source
Status	The user's Identity Intelligence Status and Lifecycle Event tag, if applicable. Lifecycle events highlight recent, notable events that have occurred on a user's account that can be beneficial to know about during an investigation. Lifecycle event badges are displayed for 7 days after the event is noted Status - Active (green badge): This account is enabled in an identity data source and has successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks (default setting is 30 days) - Inactive (Grey badge): This account is enabled in an identity data source, but has not successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks. (default setting is 30 days) - Deprovisioned (Grey badge): This account is no longer enabled in an identity data source and cannot be signed into - Inconsistent (red badge): This account has been flagged because there are account status discrepancies that may pose a significant security threat. See Inconsistent Users to learn about what factors contribute to a user being marked as inconsistent Lifecycle Events (yellow badge) - New Account: indicates that this account was recently created. Includes the date the account was created Significant Change: indicates that an uncommon, but important, activity has recently happened on this account (for ex: MFA factor added, admin privileges granted, sensitive app assigned, etc). You can query for specific Significant change events using Advanced Query mode

Element

Description

User

The user's display name and their corresponding email or username

Checks

The total number of checks a user is failing. A 🚫 icon in this column indicates that the corresponding user is not part of the protected population and checks are not being evaluated against this user

# IPs

The total number of IP addresses associated with a user's activity across all providers

# Logins

The total number of attempted logins across all providers, regardless of result (success, failure, challenge, other)

Last Seen (UTC)

The date and time of the last login attempt, regardless of outcome, for a user across all providers

Last IP Address

The IP address associated with the last successful or failed login attempt for a user across all providers To learn how to pivot on this IP address, click here

Last Location

The location associated with the last successful or failed login attempt for a user across all providers

MFA

= MFA configured = MFA not configured

Providers

The logo icon(s) for the corresponding identity data sources where a user's account has been associated Hovering over a source will show you the integration name and user's status as gathered from the identity data source

Status

The user's Identity Intelligence Status and Lifecycle Event tag, if applicable. Lifecycle events highlight recent, notable events that have occurred on a user's account that can be beneficial to know about during an investigation. Lifecycle event badges are displayed for 7 days after the event is noted Status - Active (green badge): This account is enabled in an identity data source and has successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks (default setting is 30 days) - Inactive (Grey badge): This account is enabled in an identity data source, but has not successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks. (default setting is 30 days) - Deprovisioned (Grey badge): This account is no longer enabled in an identity data source and cannot be signed into - Inconsistent (red badge): This account has been flagged because there are account status discrepancies that may pose a significant security threat. See Inconsistent Users to learn about what factors contribute to a user being marked as inconsistent Lifecycle Events (yellow badge) - New Account: indicates that this account was recently created. Includes the date the account was created Significant Change: indicates that an uncommon, but important, activity has recently happened on this account (for ex: MFA factor added, admin privileges granted, sensitive app assigned, etc). You can query for specific Significant change events using Advanced Query mode

Additional columns can be added to the table view using the Columns button:

Element	Description
Created Date (UTC)	The date a user's account was created. Uses the first creation date available across all configured providers
Employee ID	The employee ID, gathered from the provider if available
Manager Login	The user's manager's email address, gathered from the provider if available
Title	The user's job title, gathered from the provider(s) if available
Department	The department a user belongs to, gathered from the provider(s) if available
Compiled Status	Compiled status combines provider user types (ie: internal, external, service accounts, etc) and the user's Identity Intelligence Status
Inconsistency Severity	The severity of the inconsistency noted for a user with Inconsistent status
User Type	The Identity Intelligence user type assigned based on compiled identity data source user types

Element

Description

Created Date (UTC)

The date a user's account was created. Uses the first creation date available across all configured providers

Employee ID

The employee ID, gathered from the provider if available

Manager Login

The user's manager's email address, gathered from the provider if available

Title

The user's job title, gathered from the provider(s) if available

Department

The department a user belongs to, gathered from the provider(s) if available

Compiled Status

Compiled status combines provider user types (ie: internal, external, service accounts, etc) and the user's Identity Intelligence Status

Inconsistency Severity

The severity of the inconsistency noted for a user with Inconsistent status

User Type

The Identity Intelligence user type assigned based on compiled identity data source user types

Users page general actions

There are several general actions that can be performed on the Users page:

Search
Sort, add or remove columns
Download results
Share results
Refresh

Click through the tabs below to read more about how to utilize each action.

Search

Use the search bar to search based on users, names, group, applications and IPs. When searching, you do not need to provide an exact value. Typing a piece of the word will return results.

If you have searched on a particular parameter, the search criteria is retained as you navigate between different tabs within the platform.

To clear the search bar click the X on the right most side of the search bar, next to the Advanced button.

Filters

The Users table is filterable by a number of attributes, enabling you to slice and dice your user population based on the parameters that are important to you.

There are two types of filters that can be used on the Users table - basic filters, which can be found to the left of the Users table and Advanced Query mode, which can be enabled via the search bar above the users table. Click here to learn about how to use Advanced Query Mode.

Filtered results derived from both basic filters, as well as advanced queries, can be saved to access later or share with teammates. To learn more about how to save filters, see Saved Filters to learn more.

Applying basic filters

You can see all the available basic filters on the left hand side of the Users page.

To enable a filter, click the check box for the attribute you would like to filter by. The applied filters will be added to the search bar, as seen in the screenshot below. The number of users that you are currently viewing, based on the filters and searches used, will appear in the top left corner of the Users table above the column headers.

To remove a filter, you can either deselect the attribute from the filters list on left hand side of the Users table, or click the X on the right hand side of the filter box that is in the search bar. To remove all filters besides the default filter, click the X located next to the Advanced Filter button in the search bar.

After you have selected your filters, the filters are retained as you navigate between different areas within the platform.

By default, the Users Table excludes user accounts that have been deleted, deprovisioned, or disabled. To include these accounts in the results, click the X on the right side of the 'NOT Status' filter box in the search bar.

Distinct filters are separated by an AND operator. For example, if you select the Duo value from the Sources filter and the No value for MFA Configured filter, the table will display all users in Duo who have No MFA Configured.

For most filters, you can select more than one value to filter by. Within a given filter, selecting more than one value will separate the values with an OR operator by default. For example, if you select the values Okta and Duo for the Sources filter, users with accounts in either Okta OR Duo will be displayed.

However, within a given filter, if you would like to filter for users with accounts in both Okta AND Duo, you can click on the OR operator found in the filter box in the search bar or in the left hand filter menu (screenshots below), to switch it to AND. Doing this will allow you to see users that are in both Okta AND Duo.

Filters that use radio buttons cannot have more than one value selected at once (for ex: Is Admin)

Filter values can also be excluded from the results for most filters, except for those that cannot have more than one value selected at once. To exclude a value from filtered results (ie: NOT), you can click on the 🚫 icon in either the filter box in the search bar or the left hand filter menu.

Similarly, you can 'include all' filter values in the results, except for filters that cannot have more than one value selected at once. To select all values within a given filter, click All next to the filter value title.

Pivot on IP address

The IP address in the table has a few actions associated with it that can be useful to learn more about an IP address and the associated activity.

The actions menu will pop up when left-clicking on a specific IP address in a user row. The actions are:

Find user activity - Takes you to the Activity tab of the User 360 for the respective user, with the selected IP address added as a filter, so you can see all the user's activity associated with this particular IP address
Find users who attempted to sign in from X.X.X.X - Adds the selected IP address as a search parameter on the Users page so you can see any other users who have activity associated with this particular IP address
See IP info - Takes you to the Networks tab of the User 360 for the respective user, with the selected IP address added as a filter, and opens the slide panel so you can see more detailed information about that IP address for this user
Copy to clipboard - Copies the IP address to your clipboard so that you can paste it within Identity Intelligence or another tool