Users and Accounts

A user is the container that holds all the correlated account information from InsightIDR. An account is something that a user logs into, such as Active Directory or an Office 365 user token. If a user has multiple accounts, InsightIDR automatically identifies this information and builds dedicated pages for each and every user, asset, and process observed in your environment. There are several types of identified user accounts:

Additionally, you can add risky users to a watchlist.

View Users and Accounts

You can click a username to go to that user's page or you can use the global search bar at the top of the interface to search for a particular user, account, asset, or process.

On the Users & Accounts page, you will see several metrics about the different kinds of user accounts.

  • Active Users: The number of active users InsightIDR has discovered in your organization.
  • Directory User: This user was directly collected from a directory service, such as Microsoft Active Directory.
  • Observed User: This user was observed from logs collected by InsightIDR that are not associated with known directory users.

Although InsightIDR's primary way of detecting users is from your Active Directory domain in the LDAP event source, it will also find users in other places, such as cloud services, VPN, and ingress activity.

The number of active users is the total number of active user accounts, not including Service Accounts or disabled users.

The Users & Accounts page also shows data provided by various event sources in the context of user activity, such as graphical information about your risky users and virus alerts per user. Additionally, the page shows data related to vulnerabilities, firewall activity, intrusion detection systems (IDS), authentications, web proxies, unique processes, and ingress locations.

Note that many of these graphs can be filtered down to a more specific data set. For example, Firewall Activity can be filtered to show only Outbound Denies.

On any individual user's page, you will see specific information about Cloud Services, locations, assets, and more.

On the User Details page, select a log or log set from the Search Related Logs section to run a query on a user's activity in that log set.

Selecting a related log set will open Log Search, automatically select the log set from the log set panel, add this user to the query bar, and run the query.

Note: Queries created using the Search Related Logs buttons will default to a time range of the past hour.

Local Accounts

Any local accounts on an endpoint become visible as a result of the Insight Agent.

Local accounts for an asset are presented on that asset’s details page, and lateral movement from asset to asset using local accounts is displayed on the lateral movement graph for each asset.

Ingress Authentication

You can view authentication attempts on the Ingress Locations map, which is available from the Users and Accounts page or the InsightIDR Home page. Authentication events are sent from VPN, Cloud Services, or Universal Ingress event sources and appear on your map as success, failure, or unspecified events:

  • Success - successful authentication attempts.
  • Failure - failed authentication attempts.
  • Unspecified - authentication events that are unspecified because the event source does not provide enough information for InsightIDR to determine whether an authentication attempt succeeded or failed.

Primary Assets

You may see a primary asset tag on a User Details page. This indicates which user account primarily uses the asset. Assets without tags are likely shared or linked accounts. For more information on how this tag is determined, see User Attribution.

Export User Data

You can export data about a user from an individual user page. Search or go to the User Details page. Click the Download button at the top right of the page, which generates a PDF that will download to your local machine.