Users page
The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights.

The Users page has the following sections:
User KPI (key performance indicator) charts
KPI charts show the total number of users and successful and failed user authentications within the time range specified in the date picker. Data in the KPI charts is visualized through linear and bar graphs.
Hover inside a KPI chart to display the actions menu, where you can perform these actions: inspect, open in Lens, and add to a new or existing case.
Data tables
Beneath the KPI charts are data tables, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following details:
- Events: Ingested events that contain the user.name field. You can stack by the event.action, event.dataset, or event.module field. To display alerts received from external monitoring tools, scroll down to the Events table and select Show only external alerts on the right.
- All users: A chronological list of unique user names, when they were last active, and the associated domains.
- Authentications: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination.
- Anomalies: Unusual activity discovered by machine learning jobs that contain user data.
- User risk: The latest recorded user risk score for each user, and its user risk classification. This feature requires the Security Analytics Complete project feature and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation.
The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts.
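
The per-user summary that the Authentications tab describes (successes, failures, and the host of the last successful authentication), reproduced over constructed events as an added example; it is not Elastic's code and not part of the original documentation. It assumes ECS-style events in which event.category contains authentication and event.outcome is success or failure; the function and helper names are hypothetical.

```python
from datetime import datetime


def _ev(ts, user, host, category, outcome):
    """Build a constructed ECS-style event; user=None omits user.name."""
    ev = {"@timestamp": ts, "host": {"name": host},
          "event": {"category": category, "outcome": outcome}}
    if user:
        ev["user"] = {"name": user}
    return ev


# Constructed sample data (not real events), deliberately out of order.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00+00:00", "alice", "web-01", ["authentication"], "success"),
    _ev("2024-05-01T09:30:00+00:00", "alice", "db-02", ["authentication"], "success"),
    _ev("2024-05-01T09:10:00+00:00", "alice", "web-01", "authentication", "failure"),
    _ev("2024-05-01T10:00:00+00:00", "bob", "vpn-01", ["authentication"], "failure"),
    _ev("2024-05-01T10:01:00+00:00", "bob", "vpn-01", ["authentication"], "failure"),
    _ev("2024-05-01T10:02:00+00:00", None, "vpn-01", ["authentication"], "failure"),
    _ev("2024-05-01T10:03:00+00:00", "bob", "vpn-01", ["process"], "success"),
]


def summarize_authentications(events):
    """One row per user, most recently active first (assumed ECS fields)."""
    rows = {}
    for ev in events:
        meta = ev.get("event", {})
        category = meta.get("category", [])
        if isinstance(category, str):  # tolerate a bare string instead of a list
            category = [category]
        name = ev.get("user", {}).get("name")
        outcome = meta.get("outcome")
        if ("authentication" not in category or not name
                or outcome not in ("success", "failure")):
            continue  # wrong category, no user.name, or outcome not countable
        when = datetime.fromisoformat(ev["@timestamp"])
        row = rows.setdefault(name, {"user": name, "successes": 0, "failures": 0,
                                     "last_success_host": None,
                                     "last_success_at": None, "last_seen": when})
        row["last_seen"] = max(row["last_seen"], when)
        if outcome == "success":
            row["successes"] += 1
            if row["last_success_at"] is None or when > row["last_success_at"]:
                row["last_success_at"] = when
                row["last_success_host"] = ev.get("host", {}).get("name")
        else:
            row["failures"] += 1
    return sorted(rows.values(), key=lambda r: r["last_seen"], reverse=True)
```

Events without user.name are skipped because they cannot be attributed to a user, which is consistent with the Events tab listing only events that contain that field.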
User details page
A user’s details page displays all relevant information for the selected user. To view a user’s details page, click its User name link from the All users table.
The user details page includes the following sections:
- Asset Criticality: This section displays the user’s current asset criticality level.
- Summary: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the entity risk score feature is enabled, this section also displays user risk score data.
- Alert metrics: The total number of alerts by severity, rule, and status (Open, Acknowledged, or Closed).
- Data tables: The same data tables as on the main Users page, except with values for the selected user instead of for all users.

User details flyout
In addition to the user details page, relevant user information is also available in the user details flyout throughout the Elastic Security app. You can access this flyout from the following places:
- The Alerts page, by clicking on a user name in the Alerts table
- The Entity Analytics dashboard, by clicking on a user name in the User Risk Scores table
- The Events tab on the Users and user details pages, by clicking on a user name in the Events table
- The User risk tab on the user details page, by clicking on a user name in the Top risk score contributors table
- The Events tab on the Hosts and host details pages, by clicking on a user name in the Events table
- The Host risk tab on the host details page, by clicking on a user name in the Top risk score contributors table
The user details flyout includes the following sections:
- User risk summary, which displays user risk data and inputs.
- Asset Criticality, which allows you to view and assign asset criticality.
- Insights, which displays misconfiguration findings for the user.
- Observed data, which displays user details.

User risk summary
Requirement
The User risk summary section is only available if the risk scoring engine is turned on.
The User risk summary section contains a risk summary visualization and table.
The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the Options menu. Use this menu to inspect the visualization’s queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization.
The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the Inspect button, which allows you to inspect the table’s queries.
To expand the User risk summary section, click View risk contributions. The left panel displays additional details about the user’s risk inputs:
- The asset criticality level and contribution score from the latest risk scoring calculation.
- The top 10 alerts that contributed to the latest risk scoring calculation, and each alert’s contribution score.
If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the Alerts table.

Asset Criticality
The Asset Criticality section displays the selected user’s asset criticality level. Asset criticality contributes to the overall user risk score. The criticality level defines how impactful the user is when calculating the risk score.

Click Assign to assign a criticality level to the selected user, or Change to change the currently assigned criticality level.
Insights
The Insights section displays Misconfiguration Findings for the user. Click Misconfigurations to expand the flyout and view this data.
Observed data
This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system.
