Skip to main content

Responses are generated using AI and may contain mistakes.

Attack Surface InsightsAttack Surface Insights Guide

Understand Linking for a Specific User Account

Learn how a specific account was linked to a user entity in the user entity details. You can view the link method, the matched field value linking the account to a user entity, and other linking details.

  1. In the Users tab, select an entity.

  2. Under Usernames, click View linked accounts.

  3. Under the LINK REASON column, view the method and field value used to link the account to the user entity. The value in blue is the link method. The value next to it is the matched field value linking the account to the entity.

    Possible link methods include:

    • MANUAL_LINK – An account was linked to the user entity using custom linking.

    • SID_MATCH – The value of an identifying user_sid attribute matches the value of u_object_sid in Active Directory context data.

    • CONTEXT_PREFIX_UPN – Prefix search using @ as the delimiter. The prefix before @ in an identifying attribute value matches the prefix before @ in a context field value.

    • CONTEXT_PREFIX_HYPHEN – Prefix search using space hyphen space, - , as the delimiter. The prefix before - in an identifying attribute value matches the prefix before - in a context field value.

    • CONTEXT_DIRECT_MATCH – An exact match between an identifying attribute value and context field value.

    • ENTITY_STORE_PREFIX_SCAN – An orphaned entity is an entity that has not been linked to any context record. In this linking method, an attribute in an orphaned entity matches the attribute of a newly created entity using prefix search.

  4. To view more details about the link, hover over the column value. You can view:

    • Method – The method used to link the account with the user entity.

    • Context Field – The context field that matched the identifying entity attribute.

    • Matched Value – The actual value that matches in both the entity and context. For example, if prefix search was used, the matched value is the prefix.

    • Source Key – The identifying entity attribute that matched the context field.

    • Context Source – The context source of the context field:

      • If the context field is from Active Directory, the context source is AD.

      • If the context field is from another context source, the context source is Context.

      • If the ENTITY_SCORE_PREFIX_SCAN linking method was used, the context source is Entity.

    • Context Table – The name of the context table where the context field was stored. ENTITY_STORE indicates no external context table was used.

    • Timestamp – The date and time the link was created.