The single entity page provides a clear, organized view of an individual user entity by grouping critical information into dedicated tabs and sections. It lets users quickly assess entity-specific details such as risk level, behavior patterns, generated signals, and how those signals correlate to Situations and ActOns.
Viewing User Entity Details
Follow the steps below to view comprehensive details of a User entity:
- Navigate to Resolutions → Overview, under Entities. The Entities page appears.
- Select the User category to view the list of user entities.
- Click on a specific user entity name to open its detailed view. The entity's information is displayed on the Summary tab.
Summary Tab Overview (User Entity)
Contact Information
- E-mail: The user's primary email address used for communication.
- Job Title: The professional title or designation of the user within the organization.
- Location: The physical location or office from which the user operates.
- Mobile: The mobile phone number associated with the user.
- Employee ID: A unique identifier assigned to the user for internal tracking.
- Department: The organizational unit the user belongs to.
Manager Information
- Name: Full name of the user’s reporting manager.
- Job Title: The job title of the manager.
- Email: The email address of the manager.
- Location: The manager's office or work location.
- Mobile: The manager’s contact number.
- Employee ID: Unique identifier for the manager.
Meta Information
- Source: Indicates the system from which this user entity is synchronized (e.g., Azure AD, GitHub).
- Type: Denotes the entity classification, e.g., "User".
- Created Time: Timestamp of when the user was first synced into the platform.
- Updated Time: The last time the user’s metadata was modified.
Widgets
- Risk Level: Displays the user's risk classification (Low, Medium, or High), derived from behavioral and contextual signals.
- Device Locations: Shows the user’s last login location and other historically recorded login locations.
- Entity Groups: Lists any entity groups the user is associated with.
- Behaviors: Displays patterns of behavior detected for the user, mapped to MITRE tactics, including the signals generated for each observed behavior.
Common Widgets for Both User and Host Entities
Security Activities
- Total Signals: Number of signals triggered for the entity.
- Signals to Situations: Number of those signals that were correlated into Situations.
- Situations to ActOns: Number of those Situations that were escalated to ActOns.
Situation vs. ActOn Graph
This widget presents an interactive time-series graph of Situations and ActOns over a selected time range. Each plotted point represents the number of Situations and ActOns recorded on a specific date. Clicking a data point opens a side sheet with a focused view of the signals that were converted into Situations and ActOns on that day.
Side Sheet Details (from Graph)
Signals Tab
- Signal ID: Unique identifier of the signal.
- Signal Time: Timestamp when the signal was generated.
- Subject: Context or subject of the signal.
- Entities: All entities associated with the signal.
- Function: Function or team assigned to handle the signal.
- Priority: Assigned severity (e.g., High, Medium, Low).
- Status: Current state of the signal (e.g., Open, In Progress, Resolved).
- External Signal ID: Identifier from the originating platform/source.
- Situation: ID of the associated Situation created from the signal.
- Detection Rule: Rule name or identifier that triggered the signal.
Options:
- Export CSV: Download signal data in CSV format.
- Search Bar: Filter and locate specific signals quickly.
Impacted Entities Tab
- Name: Name of the impacted entity.
- Class: Classification of the entity (User or Host).
- Type: Type of entity (e.g., Endpoint, Cloud Resource).
- IP Address: The entity's IP address.
- Source: System that synced the entity.
- Critical: Whether the entity is flagged as critical.
- Updated Time: Last metadata update time for the entity.
Additional Options
- Critical / Non-Critical: Mark the entity as critical or non-critical based on its importance to business operations.
- Assign Functions: Assign one or more functions to which signals triggered for the entity are routed.
- Assign SKUs: Associate one or more SKUs with the entity. This option is available only at the tenant level.
- Add Tags: Open the side sheet to assign metadata tags in key-value format. Tags synced from external applications appear by default and are labeled as external tags. Internal tags can be manually added or removed as needed. Internal and external tags are visually distinguished using different colors, making them easy to identify.
- Sync Now: Manually trigger a metadata sync for the entity from platforms such as AWS, Azure, OpsRamp, GCP, or GitHub. This option is also available at the tenant level.
Note: The Sync Now option is available only at the tenant level.