- Get Started with Attack Surface Insights
- Configure Attack Surface Insights
- Search for Entities in Attack Surface Insights
- View Entities in Attack Surface Insights
- Manage Entities in Attack Surface Insights
- Entity Attributes
View Entity Details
Learn and review details about a specific entity.
To view more details about an entity, select the entity.
In the entity details, you can review all attributes related to the entity. For user entities, you can also review the number of associated open Threat Center cases, a history of the user entity risk score, their associated accounts, and the attributes associated with a specific account. For device entities, you can also review the IP addresses associated with the device.
Available attributes vary based on entity type. For some attributes, you can hover over the attribute to reveal more information or actions.
View User Entity Details
To view details about a user entity, select the user entity. From the details, view:
View User Entity Attributes
You can view all user entity attributes in user entity details.
Critical attributes are highlighted at the top of the entity details. Other attributes are organized by the source from which they're derived: attributes derived from context tables are under Context Data and attributes derived from events are under Event Data.
To view all the events associated with a user entity or an account, hover over the Event ID field. To navigate to these events in Search, click Find in search. To copy all associated event IDs to your clipboard, click Copy to clipboard.
View User Entity Threat History
Under User Risk Trend, view the cases and alerts associated with a user entity over a period you specify: last seven days, last two weeks, last month, last two months, or last three months:
 |
To view the number of open cases and alerts created over the specified period, minimize User Risk Trend:
To view details about the cases and alerts, click <#> cases or <#> alerts:
 |
 |
To view a line chart of a user entity's risk score over time, expand User Risk Trend. Each point on the line chart represents the highest Threat Center case or alert risk score associated with the user entity on a given day.
 |
To view more information about the case or alert with the highest risk score, hover over the point on the line chart:
To navigate to the case or alert with the highest risk score in Threat Center, click the point.
View User Entity Accounts
You can view all accounts associated with the user entity and the attributes associated with a specific account.
Accounts are associated with user entities through linking.
To view all attributes across all accounts, select All Accounts.
To view attributes associated with a specific account, select the account from the menu.
To view all associated accounts, under Usernames, click View linked accounts.
For each account, view:
User name – The user name associated with the account.
Email address – The email address associated with the account.
Employee ID – The employee ID associated with the account.
User SID – A unique security identifier for a security principal object.
Badge ID – The badge ID associated with the account.
Password reset – The time when the user last reset their account password.
Source – The sources from where the account attributes are derived.
Link reason – The method and field value used to link the account to the user entity. The value in blue is the link method. The value next to it is the matched field value linking the account to the entity.
Possible link methods include:
MANUAL_LINK – An account was linked to the user entity using custom linking.
SID_MATCH – The value of an identifying
user_sidattribute matches the value ofu_object_sidin Active Directory context data.CONTEXT_PREFIX_UPN – Prefix search using @ as the delimiter. The prefix before @ in an identifying attribute value matches the prefix before @ in a context field value.
CONTEXT_PREFIX_HYPHEN – Prefix search using space hyphen space, - , as the delimiter. The prefix before - in an identifying attribute value matches the prefix before - in a context field value.
CONTEXT_DIRECT_MATCH – An exact match between an identifying attribute value and context field value.
ENTITY_STORE_PREFIX_SCAN – An orphaned entity is an entity that has not been linked to any context record. In this linking method, an attribute in an orphaned entity matches the attribute of a newly created entity using prefix search.
To view more information about the link, hover over the link reason value. You can view:
Method – The method used to link the account with the user entity.
Context Field – The context field that matched the identifying entity attribute.
Matched Value – The actual value that matches in both the entity and context. For example, if prefix search was used, the matched value is the prefix.
Source Key – The identifying entity attribute that matched the context field.
Context Source – The context source of the context field:
If the context field is from Active Directory, the context source is AD.
If the context field is from another context source, the context source is Context.
If the ENTITY_SCORE_PREFIX_SCAN linking method was used, the context source is Entity.
Context Table – The name of the context table where the context field was stored. ENTITY_STORE indicates no external context table was used.
Timestamp – The date and time the link was created.
View Device Entity Details
To view details about a device entity, select the device entity. From the details, view:
Critical attributes are highlighted at the top of the entity details. Other attributes are organized by the source from which they're derived: attributes derived from context tables are under Context Data and attributes derived from events are under Event Data.
Under IP Address History observed in events, all IP addresses observed in events related to the device entity. To refresh the list, click
