Users
Users are ingested from your directory integrations and enable ChatOps, VIP identification, and technical user identification.
User Exclusions
You can exclude Users that are frequently flagged as malicious but are intended for legitimate use. See Exclusions for more information.
Breach Data
Breach data for your users is included by default with our Have I Been Pwned integration.
VIPs
Very Important Persons (VIPs) are part of our directory integrations and allow us to automatically identify people of importance within your organization. These would commonly be people with special organizational or technological privileges, such that a detection ingested in relation to them should get special handling.
VIP Automations
You can configure custom VIP identification rules underneath Assets > Users. Create a search query that identifies the VIPs you want and click “Create VIP Automation”. Any new or existing users matching that query will be automatically marked as a VIP.
Technical Users
Technical users are part of our directory integrations and allow us to automatically identify people that commonly perform technical operations within your organization. These would be people that interact with the command line, download tools, or do other IT/engineering tasks regularly. Understanding these users helps us decide when to escalate suspicious commands on their endpoints.
Technical User Automations
You can configure custom technical user identification rules underneath Assets > Users. Create a search query that identifies the users you want and click Actions > Create Technical User Automation. Any new or existing users matching that query will be automatically marked as technical.
Administrative Users
Administrative users are part of our directory integrations and allow us to automatically identify people that commonly perform administrative operations within your organization. These would be people that are considered System Administrators, Global Admins, or anyone else that has privileged access in your organization. Any user marked as an administrator will be automatically marked as technical.
Administrative User Automations
You can configure custom administrative user identification rules underneath Assets > Users. Create a search query that identifies the users you want and click Actions > Create Administrative User Automation. Any new or existing users matching that query will be automatically marked as administrative.
Containment
More information on containment can be found here.