Users page
editUsers page
editThe Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights.
The Users page has the following sections:
User KPI (key performance indicator) charts
editKPI charts show the total number of users and successful and failed user authentications within the time range specified in the date picker. Data in the KPI charts is visualized through linear and bar graphs.
Hover inside a KPI chart to display the actions menu (), where you can perform these actions: inspect, open in Lens, and add to a new or existing case.
Data tables
editBeneath the KPI charts are data tables, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following details:
-
Events: Ingested events that contain the
user.name
field. You can stack by theevent.action
,event.dataset
, orevent.module
field. To display alerts received from external monitoring tools, scroll down to the Events table and select Show only external alerts on the right. - All users: A chronological list of unique user names, when they were last active, and the associated domains.
- Authentications: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination.
- Anomalies: Unusual activity discovered by machine learning jobs that contain user data.
- User risk: The latest recorded user risk score for each user, and its user risk classification. This feature requires the Security Analytics Complete project feature and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation.
The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts.
User details page
editA user’s details page displays all relevant information for the selected user. To view a user’s details page, click its User name link from the All users table.
The user details page includes the following sections:
- Asset Criticality: This section displays the user’s current asset criticality level.
- Summary: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the entity risk score feature is enabled, this section also displays user risk score data.
-
Alert metrics: The total number of alerts by severity, rule, and status (
Open
,Acknowledged
, orClosed
). - Data tables: The same data tables as on the main Users page, except with values for the selected user instead of for all users.
User details flyout
editIn addition to the user details page, relevant user information is also available in the user details flyout throughout the Elastic Security app. You can access this flyout from the following places:
- The Alerts page, by clicking on a user name in the Alerts table
- The Entity Analytics dashboard, by clicking on a user name in the User Risk Scores table
- The Events tab on the Users and user details pages, by clicking on a user name in the Events table
- The User risk tab on the user details page, by clicking on a user name in the Top risk score contributors table
- The Events tab on the Hosts and host details pages, by clicking on a user name in the Events table
- The Host risk tab on the host details page, by clicking on a user name in the Top risk score contributors table
The user details flyout includes the following sections:
- User risk summary, which displays user risk data and inputs.
- Asset Criticality, which allows you to view and assign asset criticality.
- Insights, which displays misconfiguration findings for the user.
- Observed data, which displays user details.
User risk summary
editRequirement
The User risk summary section is only available if the risk scoring engine is turned on.
The User risk summary section contains a risk summary visualization and table.
The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the Options menu (). Use this menu to inspect the visualization’s queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization.
The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the Inspect button (), which allows you to inspect the table’s queries.
To expand the User risk summary section, click View risk contributions. The left panel displays additional details about the user’s risk inputs:
- The asset criticality level and contribution score from the latest risk scoring calculation.
- The top 10 alerts that contributed to the latest risk scoring calculation, and each alert’s contribution score.
If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the Alerts table.
Asset Criticality
editThe Asset Criticality section displays the selected user’s asset criticality level. Asset criticality contributes to the overall user risk score. The criticality level defines how impactful the user is when calculating the risk score.
Click Assign to assign a criticality level to the selected user, or Change to change the currently assigned criticality level.
Insights
editThe Insights section displays Misconfiguration Findings for the user. Click Misconfigurations to expand the flyout and view this data.
Observed data
editThis section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system.