Identity Security Insights Detections Dashboard

Overview

The Detections page, with a list of possible detections displayed.

The Detections page summarizes areas of potential risk or compromised entities, including suspicious login failures, missing multi-factor authentication, and stale or dormant accounts. Detections include the source system and entity type by default, allowing at-a-glance views into potentially compromised services, applications, or accounts. Detections can also be viewed in an ungrouped list by clicking the Ungrouped tab.

By default, new and in-progress detections are displayed in order of severity and discovery date.

Clicking any individual detection displays additional information detailing the identified risk and its importance or severity.

The detections grid can be exported as a .csv by clicking the download button to the right of the results.
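The grouping, default ordering, and .csv export described above can be reproduced offline for triage or reporting. The following is an added example, not BeyondTrust code: it parses a constructed export, keeps only New and In Progress detections ordered by severity and discovery date, buckets them by source and entity type like the grouped tab, and applies the same kind of text, severity, status, and date filters the dashboard offers. The column names (detection, source, entity_type, entity, severity, status, detected_at) and the severity ranking are assumptions, since the page does not list the export's columns.

```python
"""Offline triage of a detections export (added example, not BeyondTrust code).

Column headers and the severity ranking below are assumptions: the page says the
grid exports as .csv but does not document the columns."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed severity ranking used for ordering; the page names no numeric scale.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Statuses the dashboard shows by default.
OPEN_STATUSES = {"New", "In Progress"}

# Constructed sample export with assumed column headers.
SAMPLE_CSV = """detection,source,entity_type,entity,severity,status,detected_at
Login without MFA,Okta,Account,alice@example.com,high,New,2024-03-02T09:15:00
Dormant account activity,Entra ID,Account,svc-backup,medium,In Progress,2024-02-27T18:40:00
New Identity Provider enrollment,Entra ID,Identity,bob@example.com,critical,New,2024-03-01T11:05:00
Login without MFA,Okta,Account,carol@example.com,high,Resolved,2024-02-20T07:30:00
Dormant account activity,Okta,Account,svc-legacy,low,Ignored,2024-01-15T12:00:00
"""


def load_detections(csv_text):
    """Parse the export into a list of dicts, converting detected_at to datetime."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["detected_at"] = datetime.fromisoformat(row["detected_at"])
    return rows


def sort_key(row):
    """Most severe first, then most recently discovered first (the dashboard's default order).
    Unknown severities sort after the known ones."""
    rank = SEVERITY_RANK.get(row["severity"].lower(), len(SEVERITY_RANK))
    return (rank, -row["detected_at"].timestamp())


def open_detections(rows):
    """Default view: only New and In Progress detections, ordered by severity then discovery date."""
    return sorted((r for r in rows if r["status"] in OPEN_STATUSES), key=sort_key)


def group_by_source_and_type(rows):
    """Mirror the grouped tab: bucket detections by (source system, entity type)."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["source"], row["entity_type"])].append(row)
    return {key: sorted(val, key=sort_key) for key, val in groups.items()}


def filter_detections(rows, text=None, severity=None, status=None, since=None):
    """Search and filter like the dashboard: case-insensitive substring match on source,
    entity, or detection name, exact match on severity and status, and a lower bound
    on the detection date (datetime or ISO 8601 string)."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    out = []
    for row in rows:
        if text:
            haystack = " ".join((row["source"], row["entity"], row["detection"])).lower()
            if text.lower() not in haystack:
                continue
        if severity and row["severity"].lower() != severity.lower():
            continue
        if status and row["status"] != status:
            continue
        if since and row["detected_at"] < since:
            continue
        out.append(row)
    return sorted(out, key=sort_key)


if __name__ == "__main__":
    detections = load_detections(SAMPLE_CSV)
    for r in open_detections(detections):
        print(f"{r['severity']:<9}{r['detected_at']:%Y-%m-%d}  {r['detection']}  "
              f"({r['source']} / {r['entity']})")
```

Point `load_detections` at the contents of a real export and adjust the column names if they differ; the rest of the logic only depends on those seven fields.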

Detection Capabilities

Identity Security Insights leverages multiple methods to detect malicious and anomalous activity.

Tactics, Techniques, and Procedures (TTP), Indicators of Compromise (IOC), and Indicators of Attack (IOA) represent activity that is strongly associated with attackers. Identity Security Insights is updated regularly with the latest known attack strategies to ensure you are provided a comprehensive picture of identity-related risk. TTP, IOC, and IOA detections cover areas of risk such as logins without MFA, dormant account activity, and new Identity Provider enrollment. Viewing the details of any detection provides the reason for the concern and an example of how to address the threat.

Anomaly-based detections use AI-backed methods to report on unusual and specific account activity. This activity may not represent an attack signature, but instead allows Insights to detect novel and suspicious activity outside of recognized methods of compromise. Anomaly-based detections report on risk, like infrastructure changes following suspicious MFA events, which could indicate a compromised account; changes to Azure service principals which seem unusual compared to other environments, which can indicate a breach; and excessive Secret Safe read events, which may represent suspicious access within PasswordSafe. The details for these detections describe how to determine if they are malicious.

Additional detections exist around integrated BeyondTrust products, allowing you to receive detections on anomalous activity and malicious IP access within your organization.

Sort, Filter, and Display

The Detections list allows searching and filtering on a number of parameters, including text search on source, account, or detection name, as well as filtering by severity, detection date, and status. Search and filter results display instantly, allowing you to quickly narrow the list to the detections you want. Columns can be shown or hidden using the checkboxes under the Columns button.


The detections quick view window.

Clicking Quick View on any detection row displays a preview window without leaving the detections dashboard. This preview provides a high-level summary to aid in quickly evaluating areas of potential risk.

Click View Full Details to view additional information, or Close to return to your position on the dashboard.


View Detection Details

The Detection Details page for an individual detection, with associated source and recommendation.

Viewing Detection Details displays additional information regarding an individual detection. Along with viewing the severity, this dashboard provides a description of the detection, as well as an explanation of the risk and potential solutions to address the threat.

The Entity Details section shows any relevant entity information, such as the entity type (e.g., account), and the connected name or email. Clicking the entity name displays associated account information. Clicking the linked identity displays associated identity information.

Depending on the nature of the detection, the Detection Details page also displays additional key-value pairs and any associated context.

Status and Comments

The status of a detection can be changed by authorized users, and can optionally include a comment to describe the nature of the update or change. The history of status changes and comments can be viewed in the Detection Details dashboard at any time.

To change a status or add a comment, click Update Status on the right side of the detection details. Select a new status from the dropdown menu, or the same status to add a new comment. Once finished, click Update Status to save, or Cancel to discard your changes.

The detection status can be set to New, In Progress, Resolved, False Positive, or Ignored.
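The status workflow above (authorized users change the status, optionally with a comment, and re-selecting the current status adds a comment only, with the full history kept) can be modelled to validate updates before they are recorded. The following is an added example, not BeyondTrust code: the five allowed statuses come from the page, while the record layout, the authorization flag, and the user names are assumptions.

```python
"""Model of the detection status workflow (added example, not BeyondTrust code).

The allowed statuses are the ones the page lists; the record layout, the
authorization check and the timestamps are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALLOWED_STATUSES = ("New", "In Progress", "Resolved", "False Positive", "Ignored")


@dataclass
class StatusEvent:
    """One entry in the status/comment history."""
    status: str
    comment: str
    user: str
    at: datetime


@dataclass
class Detection:
    name: str
    status: str = "New"
    history: list = field(default_factory=list)

    def update_status(self, new_status, user, comment="", authorized=True, now=None):
        """Change the status, or re-select the current status to append a comment only.
        Every accepted update, including comment-only ones, is added to the history."""
        if not authorized:
            raise PermissionError(f"{user} is not permitted to update detection status")
        if new_status not in ALLOWED_STATUSES:
            raise ValueError(f"unknown status {new_status!r}; allowed: {ALLOWED_STATUSES}")
        if new_status == self.status and not comment:
            raise ValueError("re-selecting the current status requires a comment")
        self.status = new_status
        self.history.append(
            StatusEvent(new_status, comment, user, now or datetime.now(timezone.utc))
        )
        return self

    def timeline(self):
        """History of status changes and comments, oldest first, as the details page shows it."""
        return [(event.at.isoformat(), event.status, event.user, event.comment)
                for event in self.history]


if __name__ == "__main__":
    d = Detection("Login without MFA")
    d.update_status("In Progress", "analyst", "Contacting the account owner")
    d.update_status("In Progress", "analyst", "Owner confirmed travel; awaiting MFA re-enrollment")
    d.update_status("False Positive", "lead", "Travel verified by HR")
    for entry in d.timeline():
        print(entry)
```

The comment-only rule mirrors the dialog behaviour described above: choosing the same status without a comment would record nothing useful, so it is rejected rather than silently appended.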