📇Users
Last updated
Last updated
The Users page provides high level information on all the user identities in your environment, along with several filters and sortable columns, so that you can better understand, analyze and share user population data based on a variety of useful parameters. By default, the table on the Users page is sorted by User Name, and excludes user accounts that have been deleted, deprovisioned, or disabled.
This section covers:
Users page actions such as searching, exporting results, etc
To get a high level overview of the Users page, watch the video below.
The section below details the fields that appear in the table by default, as well as the definition of each field:
User
The user's display name and their corresponding email or username
Trust Level
The user's current Trust Level
Checks
The total number of checks a user is failing. A 🚫 icon in this column indicates that the corresponding user is not part of the protected population and checks are not being evaluated against this user
# IPs
The total number of IP addresses associated with a user's activity across all providers
# Logins
The total number of attempted logins across all providers, regardless of result (success, failure, challenge, other)
Last Seen (UTC)
The date and time of the last login attempt, regardless of outcome, for a user across all providers
Last IP Address
The IP address associated with the last successful or failed login attempt for a user across all providers To learn how to pivot on this IP address, click here
Last Location
The location associated with the last successful or failed login attempt for a user across all providers
MFA
Providers
The logo icon(s) for the corresponding identity data sources where a user's account has been associated Hovering over a source will show you the integration name and user's status as gathered from the identity data source
Status
The user's Identity Intelligence Status and Lifecycle Event tag, if applicable. Lifecycle events highlight recent, notable events that have occurred on a user's account that can be beneficial to know about during an investigation. Lifecycle event badges are displayed for 7 days after the event is noted Status - Active (green badge): This account is enabled in an identity data source and has successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks (default setting is 30 days) - Inactive (Grey badge): This account is enabled in an identity data source, but has not successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks. (default setting is 30 days) - Deprovisioned (Grey badge): This account is no longer enabled in an identity data source and cannot be signed into - Inconsistent (red badge): This account has been flagged because there are account status discrepancies that may pose a significant security threat. See Inconsistent Users to learn about what factors contribute to a user being marked as inconsistent Lifecycle Events (yellow badge) - New Account: indicates that this account was recently created. Includes the date the account was created Significant Change: indicates that an uncommon, but important, activity has recently happened on this account (for ex: MFA factor added, admin privileges granted, sensitive app assigned, etc). You can query for specific Significant change events using Advanced Query mode
Additional columns can be added to the table view using the Columns button:
Created Date (UTC)
The date a user's account was created. Uses the first creation date available across all configured providers
Employee ID
The employee ID, gathered from the provider if available
Manager Login
The user's manager's email address, gathered from the provider if available
Title
The user's job title, gathered from the provider(s) if available
Department
The department a user belongs to, gathered from the provider(s) if available
Compiled Status
Compiled status combines provider user types (ie: internal, external, service accounts, etc) and the user's Identity Intelligence Status
Inconsistency Severity
The severity of the inconsistency noted for a user with Inconsistent status
User Type
The Identity Intelligence user type assigned based on compiled identity data source user types
There are several general actions that can be performed on the Users page:
Search
Sort, add or remove columns
Download results
Share results
Refresh
Click through the tabs below to read more about how to utilize each action.
Use the search bar to search based on users, names, group, applications and IPs. When searching, you do not need to provide an exact value. Typing a piece of the word will return results.
If you have searched on a particular parameter, the search criteria is retained as you navigate between different tabs within the platform.
To clear the search bar click the X on the right most side of the search bar, next to the Advanced button.
The Users table is filterable by a number of attributes, enabling you to slice and dice your user population based on the parameters that are important to you.
There are two types of filters that can be used on the Users table - basic filters, which can be found to the left of the Users table and Advanced Query mode, which can be enabled via the search bar above the users table. Click here to learn about how to use Advanced Query Mode.
Filtered results derived from both basic filters, as well as advanced queries, can be saved to access later or share with teammates. To learn more about how to save filters, see Saved Filters to learn more.
You can see all the available basic filters on the left hand side of the Users page.
To enable a filter, click the check box for the attribute you would like to filter by. The applied filters will be added to the search bar, as seen in the screenshot below. The number of users that you are currently viewing, based on the filters and searches used, will appear in the top left corner of the Users table above the column headers.
To remove a filter, you can either deselect the attribute from the filters list on left hand side of the Users table, or click the X on the right hand side of the filter box that is in the search bar. To remove all filters besides the default filter, click the X located next to the Advanced Filter button in the search bar.
After you have selected your filters, the filters are retained as you navigate between different areas within the platform.
By default, the Users Table excludes user accounts that have been deleted, deprovisioned, or disabled. To include these accounts in the results, click the X on the right side of the 'NOT Status' filter box in the search bar.
Distinct filters are separated by an AND operator. For example, if you select the Duo
value from the Sources
filter and the No
value for MFA Configured
filter, the table will display all users in Duo
who have No MFA Configured
.
For most filters, you can select more than one value to filter by. Within a given filter, selecting more than one value will separate the values with an OR operator by default. For example, if you select the values Okta
and Duo
for the Sources
filter, users with accounts in either Okta
OR Duo
will be displayed.
However, within a given filter, if you would like to filter for users with accounts in both Okta
AND Duo
, you can click on the OR operator found in the filter box in the search bar or in the left hand filter menu (screenshots below), to switch it to AND. Doing this will allow you to see users that are in both Okta
AND Duo
.
Filters that use radio buttons cannot have more than one value selected at once (for ex: Is Admin
)
Filter values can also be excluded from the results for most filters, except for those that cannot have more than one value selected at once. To exclude a value from filtered results (ie: NOT
), you can click on the 🚫 icon in either the filter box in the search bar or the left hand filter menu.
Similarly, you can 'include all' filter values in the results, except for filters that cannot have more than one value selected at once. To select all values within a given filter, click All
next to the filter value title.
The IP address in the table has a few actions associated with it that can be useful to learn more about an IP address and the associated activity.
The actions menu will pop up when left-clicking on a specific IP address in a user row. The actions are:
Find user activity - Takes you to the Activity tab of the User 360 for the respective user, with the selected IP address added as a filter, so you can see all the user's activity associated with this particular IP address
Find users who attempted to sign in from X.X.X.X - Adds the selected IP address as a search parameter on the Users page so you can see any other users who have activity associated with this particular IP address
See IP info - Takes you to the Networks tab of the User 360 for the respective user, with the selected IP address added as a filter, and opens the slide panel so you can see more detailed information about that IP address for this user
Copy to clipboard - Copies the IP address to your clipboard so that you can paste it within Identity Intelligence or another tool
= MFA configured = MFA not configured