<p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 1/23</p><p>Insights de proteção de identidade</p><p>Ultima atualização: 4 de abril de 2023</p><p>A página Visão geral fornece as ferramentas necessárias para avaliar melhor os riscos e ameaças aos quais sua rede está exposta, aprimorando a postura de</p><p>segurança organizacional.</p><p>Conteúdo:</p><p>Visão geral</p><p>Meta</p><p>Escopo</p><p>Pontuação de risco</p><p>Tendência de Pontuação</p><p>Matriz de Risco</p><p>Entidades</p><p>Risco</p><p>Monitore insights por categoria</p><p>Entenda as diferentes categorias</p><p>identidades privilegiadas</p><p>Usuários</p><p>Terminais</p><p>Análise de risco</p><p>Análise de eventos</p><p>Use filtros de insights personalizados</p><p>Gerenciar e visualizar entidades</p><p>Guia Visão geral</p><p>Aba Sobre</p><p>Guia Ativos</p><p>Aba Atividade</p><p>Aba Risco</p><p>Guia Linha do tempo</p><p>Ações da entidade</p><p>https://falcon.us-2.crowdstrike.com/identity-protection/insights</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 2/23</p><p>Ele fornece uma visão geral do seu ambiente e indica se ele segue as melhores práticas de segurança.</p><p>Por exemplo, você pode ver quantos usuários privilegiados existem e como esse número mudou ao longo do tempo, se você está usando endpoints não gerenciados,</p><p>quantos usuários comprometeram ou senhas GPO expostas e muito mais.</p><p>Visão geral</p><p>Estabelecendo as bases para uma melhor segurança de rede, os executivos da empresa e os membros da equipe operacional podem obter uma visão imediata dos</p><p>riscos gerais do domínio com base em um objetivo específico. 
Vá para Proteção de identidade > Monitorar > Visão geral da segurança de domínio para compreender</p><p>rapidamente o nível de risco e as prioridades enfrentadas por sua organização do ponto de vista da superfície de ataque, para que você possa implementar etapas de</p><p>mitigação eficientes em tempo hábil.</p><p>Meta</p><p>You can address different goals, each characterized by the specific risks. Whether you are preparing for pen testing or working on an AD Hygiene project, select the</p><p>corresponding option from the Goal list to align the overview page to the specific requirements. The following goals are available:</p><p>Goal Description</p><p>AD Hygiene</p><p>Assesses the risks related to AD management and auditing: password vulnerabilities, suspicious privilege modifications, and</p><p>stealthy privileges.</p><p>Pen Testing Evaluates the security of your network by performing a simulated cyber attack, known as penetration test or pen test for short.</p><p>https://falcon.us-2.crowdstrike.com/identity-protection/insights/Overview</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 3/23</p><p>Goal Description</p><p>Privileged Users</p><p>Management</p><p>Assesses the risks related to the management of privileged user accounts on critical devices and applications.</p><p>Reduce Attack Surface</p><p>Warns you about the different attack vectors that can be exploited in an attempt to enter data to or extract data from your</p><p>network environment.</p><p>Scope</p><p>This option allows you to limit the scope of the security assessment by one of the network domains monitored by Identity Protection.</p><p>Risk Score</p><p>This is an overall security risk score, with 10 being maximum risk, for the currently selected domain.</p><p>The issues that contributed to the risk score are listed 
below in descending order of severity. This allows you to identify the most critical issues of the greatest</p><p>consequence and focus on their remediation.</p><p>Score Trend</p><p>This graph shows the general direction of changes in the risk score during the last few weeks, helping you to measure the security enhancement progress.</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 4/23</p><p>Clicking a date in the graph shows the risk score, and the risks for the selected date.</p><p>Risk Matrix</p><p>The matrix shows the risks rated by likelihood and consequences:</p><p>Likelihood is based on the Identity Protection research team’s extensive knowledge and reflects the easiness of exploiting a vulnerability in combination with</p><p>commonly known attack vectors. The degrees of likelihood are: Unlikely, Possible, and Likely.</p><p>Consequences denote the severity of a specific event’s impact on the organization’s security posture. The consequences might range from the attacker</p><p>taking over a specific account to moving laterally in the network or taking over the entire domain, and in each case the vulnerability is rated accordingly. The</p><p>consequences can be: Minor, Moderate, and Major.</p><p>The various risk levels are color-coded as follows:</p><p>Red: Indicates high risks that present the most serious and far-reaching threats. 
To improve the organization's security posture, these risks must be targeted</p><p>without delay.</p><p>Orange: Indicates medium risks that must be closely monitored and investigated and resolved or mitigated at the earliest.</p><p>Green: Indicates low risks that must be resolved at the earliest convenience.</p><p>The number inside the shape denotes the current number of risks of the same likelihood and impact.</p><p>For example, according to the following example matrix, there are, among others, one Likely high risk item with major consequences and 1 Possible high risk item with</p><p>Major consequences:</p><p>Entities</p><p>This pane contains the most up-to-date information about the current number of accounts, users, endpoints, and privileged users in the domain or tenant.</p><p>Note: This pane only displays if the current date is selected in the Score Trend graph.</p><p>Risk</p><p>These are the different factors that negatively affect the security assessment score.</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 5/23</p><p>You can expand each of the risks contributing to the currently displayed risk score and learn about its nature and how it can be reduced or neutralized.</p><p>To view the entities involved in the risk or affected by it, click Show Related Entities. 
This opens a side panel with the list of entities that can be investigated</p><p>individually, saved as a CSV file, or as a Custom Insight.</p><p>Monitor insights by category</p><p>You can monitor the information by using the category tabs at the top of the page:</p><p>Privileged</p><p>Users</p><p>Endpoints</p><p>Risk Analysis</p><p>Events Analysis</p><p>Understand different categories</p><p>Category pages each provide the following functionality:</p><p>Use the Interval drop-down to limit the results to this from the Last Day, Last Week, Last Month, or a custom timeframe.</p><p>Use the subcategory tiles to choose the type of data to display. These tiles, which are different for each category, show the number of entities in the</p><p>subcategory and the change in that number during the selected interval.</p><p>Tip: You can scroll through the tiles using arrows at each end of the row.</p><p>The Trend graph shows how the number of entities in the selected subcategory has changed during the selected interval.</p><p>Use the Filter button to define filters on the displayed entities and display exactly the cross section of data you require, save a filter as a Custom</p><p>Insight, or apply a saved Custom Insight.</p><p>The Entity table lists all the entities in the selected subcategory, with some additional data about them, and the option to select an entity and perform an</p><p>action on it.</p><p>Tip: Click an entity name to see its summary panel. 
Click the name again in the summary panel to view all of the details on the Entity page.</p><p>If you click CSV from the Save as drop-down menu,</p><p>a CSV file of the data displayed in the Entity Table is downloaded to your workstation.</p><p>If you click PDF from the Save as drop-down menu, a PDF file showing the data displayed in the Trend and in the Entity Table is generated and</p><p>downloaded to your workstation.</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 6/23</p><p>On the Privileged, Users, Endpoints and Custom Insights pages, if you click Custom Report from the Save as drop-down menu, the New Custom Report</p><p>dialog opens so that you can define the details for saving and distributing the data displayed in the Entity Table as a Custom Report. The report is saved as</p><p>per your selections and added to the Saved Reports list on the Reports page.</p><p>Trend graph</p><p>The figure above is an example of the Trend graph of privileged user entities detected during the last week.</p><p>If you click a point in the graph, the number of entities is displayed in the box that is opened at the point, and the net change is displayed in the summary statistics</p><p>below.</p><p>Entity table</p><p>The Entity table lists the entities satisfying the criteria defined by the Category, Interval and selected subcategory, or by a filter or Custom Insight, together with</p><p>additional data about them.</p><p>The Entity table includes these columns:</p><p>Column Description</p><p>Type</p><p>Icons indicate one of these types:</p><p>Human user</p><p>Programmatic user</p><p>Azure service principal</p><p>Endpoint</p><p>Group</p><p>Primary Name From the entity’s account.</p><p>https://falcon.us-2.crowdstrike.com/documentation/174/identity-protection-reports</p><p>04/05/2023, 13:49 
Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 7/23</p><p>Column Description</p><p>Secondary Name</p><p>Used to uniquely identify an entity, using a format depending on the entity type.</p><p>For example, an AD managed user entity might use the format DOMAIN/sAMAccountname .</p><p>Department From the entity’s account.</p><p>Org Unit From the entity’s account.</p><p>Attributes</p><p>Icons that indicate entity attributes. Hover the pointer over an icon to see a description:</p><p>Score The entity’s risk score.</p><p>Actions menu (⋮) Allows you to perform an action on the relevant entity. See Entity actions.</p><p>Entity actions</p><p>In addition to the entity actions described in the Entities section, there are additional actions available for entities within the table.</p><p>Action Description</p><p>Exclude From</p><p>Insight</p><p>This entity is not displayed in this specific Insight. For example, Disaster Recovery accounts which are stale by definition. To view excluded</p><p>accounts, click the Excluded counter above the list.</p><p>Include in Insight Reverse the Exclude From Insight action.</p><p>You can also perform actions on multiple lines or on all lines by selecting the checkboxes to the left of each line or to select all lines, by selecting the checkbox to the</p><p>left of the heading label Type. 
As soon as you select a checkbox, a drop-down action menu appears on the right, from which you can select an action to perform on all</p><p>the selected entities.</p><p>Privileged identities</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 8/23</p><p>A user is considered privileged if they match any one of the following conditions:</p><p>The user belongs to a protected group or a nested group inside a protected group. Within Active Directory, a default set of highly privileged accounts and</p><p>groups are considered protected accounts and groups.</p><p>A user is considered stealthy if their rights are granted using a direct delegation of the ACL and not through group membership.</p><p>Custom configuration of Identity Protection through the Business Privileges function. A user or a group is added manually with privileges by assigning the</p><p>group or user to the Business Privileges and signaling to the system that the users or group members are privileged beyond the AD management. 
To</p><p>configure business privileges, go to Identity protection > Configure > Settings.</p><p>The user is a Local Administrator on an excessive number of endpoints:</p><p>Identity Protection considers greater than 5% of total endpoints to be excessive</p><p>VDI endpoints are capped at contributing 3% of the 5% threshold, and each VDI endpoint is considered to be one-tenth of a physical endpoint when</p><p>performing the calculation.</p><p>These are the Insights menu subcategories when the Category is Privileged Users:</p><p>Subcategory Description</p><p>Privileged</p><p>Shows all privileged users and the change in their number during the selected interval.</p><p>Best practice: Minimize the number of privileged users.</p><p>Stealthy</p><p>Shows a list of accounts that have privileges that were not obtained through AD protected groups. In some cases, those privileges might</p><p>have been granted by mistake. Attackers might target such accounts because they are not as well protected as built-in privileged</p><p>accounts.</p><p>Using Unmanaged</p><p>Endpoints</p><p>Shows the privileged users who are using unmanaged endpoints, which are endpoints not registered in the domain and on which Group</p><p>Policies are not running. Unmanaged endpoints are considered to be at greater risk of exposure to viruses and other malicious software,</p><p>so privileged users put themselves and the organization at greater risk by using them.</p><p>Best practice: Ensure that privileged users are not using unmanaged endpoints.</p><p>Stale</p><p>A stale user is one whose account has been dormant or inactive for more than three months. Stale users pose a risk because they are</p><p>unlikely to be monitoring their email and can remain unaware of suspicious activity conducted in their accounts. 
A programmatic stale</p><p>privileged user (a process or service rather than a human) poses the risk of a broken or out-of-date process with excessive privileges that</p><p>can be leveraged by attackers.</p><p>Best practice: Periodically (every 90 days) monitor stale users and delete or disable any that are found. For on-premises and hybrid</p><p>accounts, you can do this directly from the Entity Table in this window by using the Actions menu.</p><p>Password Never</p><p>Expires</p><p>While it might be acceptable in restricted contexts for some programmatic users to have passwords that never expire, it is considered</p><p>unacceptable for human users because it affords attackers an unlimited time frame to eventually guess passwords by brute-force attacks.</p><p>Also, this might be an indication that the human user is running scripts, which should be done only from accounts dedicated to that</p><p>purpose.</p><p>Best practice: Enforce a policy that users must periodically change their passwords.</p><p>Compromised</p><p>Password</p><p>Compromised passwords are vulnerable to being guessed using dictionary attacks. Identity Protection evaluates the strength of user</p><p>passwords and marks as compromised those it finds as vulnerable.</p><p>Best practice: Require as a policy that users use strong passwords.</p><p>https://falcon.us-2.crowdstrike.com/identity-protection/administration/settings</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 9/23</p><p>Subcategory Description</p><p>High Risk</p><p>Privileged users with risk scores greater than 7.5 are labeled High Risk. 
You can define a Custom Insight to define high-risk privileged</p><p>users using other criteria.</p><p>GPO Exposed</p><p>Password</p><p>A GPO exposed password is one that is likely to become known, or might have already become known, to persons to whom it should not</p><p>be known, for example a password found in Group Policy Preference objects. A privileged user with a GPO exposed password poses an</p><p>exceptional risk, more so than a nonprivileged user.</p><p>Best practice:</p><p>Review the Group Policy and ensure that GPO Exposed Passwords are not used.</p><p>Shared A privileged user who logs in from multiple locations.</p><p>Users</p><p>These are the Insights menu subcategories when the Category is All Users:</p><p>Subcategory Description</p><p>High Risk Users with risk scores greater than 7.5 are labeled High Risk. You can define a Custom Insight to define high-risk users using other criteria.</p><p>Password Never</p><p>Expires</p><p>It is considered unacceptable for human users to have passwords that never expire because it affords attackers an unlimited time frame to</p><p>eventually guess passwords by brute-force attacks. Also, this might be an indication that the human user is running scripts, which should</p><p>be done only from accounts dedicated to that purpose.</p><p>Best practice: Require as a policy that users must periodically change their passwords.</p><p>Compromised</p><p>Password</p><p>Compromised passwords are vulnerable to being guessed using dictionary attacks. 
Identity Protection evaluates the strength of user</p><p>passwords and marks as compromised those it finds are vulnerable.</p><p>Best practice: Require as a policy that users use strong passwords.</p><p>GPO Exposed</p><p>Password</p><p>A GPO exposed password is one that is likely to become known, or might have already become known, to persons to whom it should not be</p><p>known, for example a password found in Group Policy Preference objects.</p><p>Best practice: Review the Group Policy and ensure that GPO Exposed Passwords are not used.</p><p>Shared A user who logs in from multiple locations.</p><p>Stale</p><p>A stale user is one whose account has been dormant or inactive for more than three months. Stale users pose a risk because they are</p><p>unlikely to be monitoring their email and can remain unaware of suspicious activity conducted in their accounts.</p><p>Best practice: Periodically (every 90 days) monitor stale users and delete or disable any that are found.</p><p>Marked Users</p><p>A marked user is one whom security analysts have singled out for special attention so that they can easily identify them throughout the</p><p>Falcon console. A user remains marked for 48 hours by default.</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 10/23</p><p>Subcategory Description</p><p>Watched Users</p><p>A watched user is one to whom security administrators should pay special attention, for example, users under notice or who have resigned</p><p>or who for whatever reason are believed to be motivated to cause harm to the organization.</p><p>Honeytoken</p><p>An account flagged as honeytoken is used to deceive an attacker to use those accounts. Account activities or changes will trigger a</p><p>dedicated detection that indicates potential malicious activities in the network. 
For more information, see the Knowledge Base article, What</p><p>are the best practices for setting up honeytoken accounts in Falcon Identity Protection?</p><p>Endpoints</p><p>These are the Insights menu subcategories when the Category is Endpoints:</p><p>Subcategory Description</p><p>High Risk</p><p>Endpoints with risk scores greater than 7.5 are labeled High Risk. You can define a Custom Insight to identify high-risk endpoints</p><p>using other criteria.</p><p>Unmanaged An unmanaged endpoint is one not registered in the domain, and on which Group Policies are not running.</p><p>Shared Endpoints from which multiple users log in, for example, a kiosk.</p><p>Unmanaged Used by</p><p>Privileged Users</p><p>Unmanaged endpoints from which privileged users log in.</p><p>Shared Used by</p><p>Privileged Users</p><p>Shared endpoints from which privileged users log in. These represent a risk because attackers or malware on the shared endpoint</p><p>might be able to locate traces of an administrator’s password that remain even after the administrator has logged out.</p><p>Stale A stale endpoint is one that has not been used for more than three months.</p><p>Risk analysis</p><p>These are the Insights menu subcategories when the Category is Risk Analysis:</p><p>Subcategory Description</p><p>Membership by</p><p>Severity</p><p>A bar graph showing the distribution of risk score by severity across OUs or Departments (depending on your selection) is displayed along</p><p>with a detailed breakdown for each OU or Department.</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/supportportal.crowdstrike.com/s/article/ka16T000001MfykQAC</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 11/23</p><p>Subcategory Description</p><p>Membership by</p><p>Impact</p><p>A bar graph showing the distribution 
of risk score by impact across OUs or Departments (depending on your selection) is displayed along</p><p>with a detailed breakdown for each OU or Department.</p><p>The Risk Analysis - Membership by Impact page displays a four-quadrant graph. The X-axis plots the OU’s or Department’s risk scores and</p><p>the Y-axis plots the impact of the scores, which indicates the potential damage the OU or Department poses to the enterprise. For example,</p><p>OUs with a high risk score whose users have limited access privileges pose a lesser risk than OUs with the same high risk score whose users</p><p>have extensive access privileges.</p><p>Outliers</p><p>The Risk Analysis page displays a four-quadrant graph by users. The X-axis plots the user’s risk scores and the Y-axis plots the impact of</p><p>the user’s risk score, which indicates the potential damage the user poses to the enterprise. For example, users with a high-risk score and</p><p>limited access privileges pose a lesser risk than users with the same high-risk score but with extensive access privileges.</p><p>Note: Identity Protection considers the following factors when assessing impact: the user’s business role, privileges, exchange delegations,</p><p>and similar users.</p><p>Each of the quadrants in the graph represents a different combination of risk score and impact. Each bubble represents the number of users</p><p>in a region of the graph (a given combination of risk score and impact). The larger the bubble, the greater the number of users in that</p><p>region. Users in the upper-right quadrant (high impact, high risk score) are of the greatest concern, and you should investigate those as a</p><p>priority. 
Users in the other quadrants pose less of a danger to the enterprise.</p><p>Hover over a bubble to view information about the users it represents.</p><p>Drag a rectangle over a bubble to zoom in and see its component bubbles (if there are any).</p><p>To reset the zoom factor to the default, click Reset zoom.</p><p>Event analysis</p><p>Note: Identity Protection includes Identity-Based Event Analysis dashboards, using the same customizable widget experience as other modules in the</p><p>Falcon platform, to ease the investigation process. To view the dashboards, go to Identity Protection > Explore > Event analysis dashboard.</p><p>The table below lists the Insights menu subcategories when the Category is Events Analysis.</p><p>Subcategory Description</p><p>Top Users Accounts Lockouts Shows the number of top users by account lockouts.</p><p>Password Changes Shows the number of password changes every day.</p><p>Account Modified Shows the number of accounts modified every day.</p><p>https://falcon.us-2.crowdstrike.com/identity-protection/event-analysis</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 12/23</p><p>Subcategory Description</p><p>New User Accounts Shows the number of new user accounts created every day.</p><p>Disabled User Accounts Shows the number of accounts disabled every day.</p><p>Top Users Logon Failures Shows the number of top users with failed logins.</p><p>Logon Failures by Reason Shows details of the reasons for logon failures.</p><p>Top Active Users by Service Access Shows details of the top users by service access events.</p><p>Logon Failures by Department Shows details of the login failures by department.</p><p>User Logons by Type Shows the number</p><p>of user logins by type, such as SSO, VPN, or Domain.</p><p>Click the button for each subcategory to show the 
total number of events for that subcategory that happened in your domain over the selected time period. The</p><p>information is shown in either a logarithmic or linear bar chart. Click an event in the bar chart or in the list to view a detailed list of events on the Threat Hunter page.</p><p>Use custom insight filters</p><p>Custom insights are insights you can create with a custom filter and save for future use.</p><p>Filters enable you to display any cross-section of the entities in the Entity Table. You can define a filter to search for the relevant data and save it as a Custom Insight</p><p>so that you can reuse it later.</p><p>When you define a filter, apply a custom insight, or change and save it, the Trend and Entity Table data changes accordingly.</p><p>To apply a custom insight filter, select it from the list.</p><p>To delete a custom insight filter, click the delete icon (X) in the upper-right corner, and then click Yes, Continue.</p><p>Caution: You cannot undo a deletion.</p><p>To define a custom insight filter:</p><p>�. Click New Custom Insight.</p><p>�. On the filter page, specify any of these applicable parameters:</p><p>Tip: To reset all fields to the default values, click the menu icon, and then click Reset.</p><p>Entity Name: The full or partial name of an entity.</p><p>Endpoint Classification: Select the endpoint classification in the network. 
The available classifications include, but are not limited to, application</p><p>server, DNS server, domain controller, Exchange Server, File Server, VDI (Virtual Desktop Infrastructure) endpoint, workstation, and more.</p><p>Group: Select or enter any Group that exists in the monitored domains.</p><p>Azure AD Role: Select or enter any Azure AD Role that exists in the monitored tenant.</p><p>Risk Factors: Limit the search by any of the risk factors detected and prevented by Identity Protection.</p><p>Privileges: Select from the privileges assigned to the entity.</p><p>Has Incidents: To search for the entities with reported incidents, select Yes. To ignore whether the entity has reported incidents, select Any Or</p><p>None.</p><p>04/05/2023, 13:49 Identity Protection Insights | Investigation | Identity Protection and MFA | Documentation | Support and resources | Falcon</p><p>https://falcon.us-2.crowdstrike.com/documentation/169/identity-protection-insights 13/23</p><p>Attributes: Select the entity’s attributes.</p><p>Domain / Tenant: Select any or all domains or tenants monitored by Identity Protection.</p><p>Organization Unit: This list contains the entire Organization Unit (OU) tree for every domain monitored by Identity Protection. To limit the</p><p>search by an OU, select it in the list.</p><p>Department: Select from a list of all departments available in Active Directory.</p><p>Account Type: Select the entity’s account type: Any User, Endpoint, Group, Human, Programmatic or Role.</p><p>Business Privileges: Select from all available business roles.</p><p>Risk Severity: Specify a range of the entity’s risk severity values by dragging and dropping the ends of the scale.</p><p>Subscription Assigned Roles: Find entities that have the specified assigned role in any subscription.</p><p>Subscription Name: Find entities that have an assigned role in the specified subscription.</p><p>�. 
To see the results of the filter in the Trend and the Entities table, click Apply.</p><p>�. To save the filter as a custom insight:</p><p>�. Click the menu icon, and then click Save As Custom Insight.</p><p>�. Provide a title, and then click Save.</p><p>Manage and view entities</p><p>An Entity encapsulates and summarizes all the system information about an organizational or network entity. The most common entities are users and endpoints, but</p><p>there are also entities representing Azure Service Principals and entity groups, such as Active Directory groups.</p><p>Entity objects are usually derived from external data sources. For instance, all user accounts in an Active Directory domain covered by Falcon Identity Protection are</p><p>represented as entities.</p><p>Moreover, entities do not always represent a single account. An LDAP user, for example, might be correlated with an IDaaS account, resulting in a single, unified entity.</p><p>These hybrid and cloud-only entities are created when Identity Protection extracts data from either an on-premises Active Directory Domain or an Azure AD Tenant.</p><p>We refer to Hybrid entities as those which exist on both the on-premises Active Directory Domain and the Azure AD Tenant. Whereas we refer to Cloud-only entities</p><p>as those which only exist on the Azure AD Tenant.</p><p>Click an entity’s name to open the entity profile overview panel. 
Click the entity name again or click More beside any pane name to open the full Entity page.</p><p>When the Entity page is fully expanded, you can navigate it by selecting any of the following tabs:</p><p>Overview</p><p>About</p><p>Assets</p><p>Activity</p><p>Risk</p><p>Timeline</p><p>Overview tab</p><p>The Overview tab provides a high-level summary of an entity's profile. The top section shows the entity name, its current risk score, its attributes represented as icons, and the time of its latest detected activity in the network and on the cloud or other SSO sources.</p><p>In addition, the top section includes a vertical ellipsis icon (⋮) that opens the Actions menu.</p><p>The rest of the Overview tab is made up of a number of panes, each corresponding to another tab (About, Activity, Assets, and Risk) and containing a subset of fields from the respective tab.</p><p>This unified view allows you to evaluate at a glance whether the user requires special attention. To delve into any particular set of user-related details, click More beside the respective pane name and the corresponding tab opens. When the Entity page is fully extended, the More link changes to the Show more bar below the pane.</p><p>About tab</p><p>This is a comprehensive set of data pertaining to each user or endpoint in the domain. 
It is comprised of the following categories, depending on the entity type, each represented in a separate card:</p><p>Business Card (Users and Groups) / Endpoint Information (Endpoints)</p><p>Privileges</p><p>Local Administrators</p><p>Roles</p><p>Groups</p><p>Business card / endpoint information</p><p>This section contains information about users, groups, Azure Service Principals, or endpoints. Some of the data is gathered from identity providers such as Active Directory or Azure AD.</p>
<table>
<tr><th>Item</th><th>Description</th><th>Entity Type</th></tr>
<tr><td>Organizational Unit</td><td>A subdivision within an on-premises Active Directory to which the account belongs. This field shows the entire hierarchy, starting from the top organizational unit.</td><td>User, Endpoint, Group</td></tr>
<tr><td>Created</td><td>The date and time the account was created.</td><td>All</td></tr>
<tr><td>Account type</td><td>The account type of the entity. One of: User, Endpoint, Azure Service Principal, Group, Azure AD role. Note: accounts flagged as honeytokens have this information displayed next to their account type.</td><td>All</td></tr>
<tr><td>Domain / Tenant</td><td>A list of the AD domains and tenants in which the account exists.</td><td>User, Group, Azure Service Principal</td></tr>
<tr><td>Title</td><td>The account owner’s title in the organizational structure.</td><td>User</td></tr>
<tr><td>Department</td><td>The department to which the account belongs.</td><td>User</td></tr>
<tr><td>Managed by</td><td>The account’s direct manager, as specified in an on-premises Active Directory.</td><td>User</td></tr>
<tr><td>Description</td><td>Entity description.</td><td>User, Endpoint, Group</td></tr>
<tr><td>Email address</td><td>The account’s primary email address.</td><td>User</td></tr>
<tr><td>Classification</td><td>Identity Protection learns accounts over time and classifies them as Human, Programmatic, or Executive. To assist with classification, Identity Protection uses information such as: the display name of the account; whether it has a phone number; whether it is used in scripts; whether the majority of authentications are interactive. If Identity Protection incorrectly classifies an account, you can alter it by clicking Classify As... and selecting the correct option. During the learning period, the account is classified as Unknown.</td><td>User, Endpoint</td></tr>
<tr><td>ZTA Score</td><td>The Zero Trust Assessment (ZTA) score given to the endpoint. ZTA scores are between 1 (insecure) and 100 (secure).</td><td>Endpoint</td></tr>
<tr><td>Last password change</td><td>A relative period when the latest account password change occurred, for example, a month ago. To see the exact time, hover over the relative time value.</td><td>User</td></tr>
<tr><td>Password policy strength</td><td>An evaluation of the password policy applied to the account. The evaluation considers both password length and complexity. Clicking See details displays the Password Policy (group or fine-grained) and its configuration parameters.</td><td>User</td></tr>
<tr><td>Distinguished name</td><td>An attribute used by Active Directory to uniquely reference the entity. It is often referred to as DN or FDN. It is a fully qualified path of the names that traces the entry back to the root of the tree. For example, the distinguished name of a group entity called Partners could be: cn=silvapartners, ou=distribution, dc=silvalaw.com</td><td>Endpoint, Group</td></tr>
<tr><td>Enabled for users to sign-in</td><td>Specifies whether the service principal account is enabled or not. One of: Yes (enabled), No (disabled).</td><td>Azure Service Principal</td></tr>
<tr><td>Supported account types</td><td>The Microsoft accounts that are supported for the current application. Comes from the signInAudience property of Azure service principals. One of: Single tenant (AzureADMyOrg); Multiple tenants (AzureADMultipleOrgs); Personal accounts and multiple tenants (AzureADandPersonalMicrosoftAccount); Personal accounts (PersonalMicrosoftAccount).</td><td>Azure Service Principal</td></tr>
<tr><td>Service principal object ID</td><td>The unique identifier of the service principal in Azure.</td><td>Azure Service Principal</td></tr>
<tr><td>Registered tenant ID</td><td>Specifies the type and ID of the tenant where the application is registered. One of: External (&lt;tenant ID&gt;); External (Microsoft) (&lt;tenant ID&gt;); Registered App (&lt;tenant name&gt;) (&lt;tenant ID&gt;); Managed Identity (&lt;tenant ID&gt;).</td><td>Azure Service Principal</td></tr>
<tr><td>Owners</td><td>The users who are configured in Azure as owners, and therefore have control over the application associated with the service principal. Note: Shown if the service principal and the associated app are both in the same tenant.</td><td>Azure Service Principal</td></tr>
<tr><td>Application ID</td><td>The unique identifier of the application associated with the service principal.</td><td>Azure Service Principal</td></tr>
<tr><td>App registration object ID</td><td>The Azure unique identifier of the app registration object associated with the app and service principal. Note: Shown if the service principal and the associated app are both in the same tenant.</td><td>Azure Service Principal</td></tr>
<tr><td>SPNs</td><td>The Service Principal Names (SPN) attribute of the user or endpoint. Tip: Hover over an SPN and then click the Show Related Events icon to open Threat Hunter and see actual service usage. This can be a good starting point for additional investigations.</td><td>User, Endpoint</td></tr>
<tr><td>SID</td><td>The Security IDentifier (SID) is a unique ID number that a computer or domain controller uses to identify an entity. It is a string of alphanumeric characters assigned to each user on a Windows computer, or to each user, group, and computer on an on-premises domain-controlled network.</td><td>User, Endpoint, Group</td></tr>
<tr><td>Scope</td><td>Defines what types of objects can belong to the group, what types of groups the group can be a member of, and the scope of objects that security groups can be given access to. Active Directory Domain Services defines three group scopes: Universal, Global and Domain Local.</td><td>Group</td></tr>
<tr><td>Type</td><td>Indicates whether a group is defined as a Security group, Distribution group, or Microsoft 365 group.</td><td>Group</td></tr>
<tr><td>Default AD group</td><td>Indicates whether the group is a built-in Active Directory group.</td><td>Group</td></tr>
<tr><td>Membership Type</td><td>Indicates the Azure AD membership type: Assigned or Dynamic.</td><td>Group</td></tr>
<tr><td>AD Roles Enabled</td><td>Indicates if roles can be assigned to a cloud group in Azure AD.</td><td>Group</td></tr>
<tr><td>Operating system</td><td>Operating System name. For example, Windows 7 Enterprise 6.1.</td><td>Endpoint</td></tr>
</table>
<p>Privileges</p><p>This pane of the About tab is available only for Privileged accounts. It shows you the reasons why the account is classified as such. Privileged entities belong to protected groups or to a nested group inside a protected group. For example, within Active Directory, a default set of highly privileged accounts and groups are considered protected accounts and groups.</p><p>An entity can become privileged for a number of reasons. For example, the entity has an Azure AD privileged role, belongs to a group with a privileged role, or belongs to a nested group inside a privileged group.</p><p>Local administrators</p><p>A Local Administrator is a user account that is allowed to perform any action on a local computer, but is unable to modify information in Active Directory for other computers and other users.</p><p>Important: Local administrator information requires the existence of a Falcon sensor on the endpoint.</p><p>Local administrators are commonly used as a starting point for penetrating the network and exploiting this breach to move laterally, gradually expanding the attack surface. This threat, however, usually remains siloed and can be detected only in the aftermath. Identity Protection retrieves information about local administrators based on deployed Falcon sensors.</p><p>In user accounts, the Local Administrators section contains the list of endpoints where the user has Local Administrator privileges as a domain group member, a domain user, or a local user.</p><p>In group accounts, the Local Administrators section contains the list of endpoints where the domain group members have Local Administrator privileges.</p><p>In endpoint accounts, the Local Administrators section contains the list of users that have Local Administrator privileges on this endpoint. 
To see when the latest query was performed, hover over the Information button adjacent to the section name.</p><p>The indication that a user account is also a Local Administrator on an endpoint appears in the user account's Assets tab.</p><p>A special case of the local administrator is a local account that controls access to a single endpoint, where the local account credentials are stored. Local accounts can be duplicated if machines are created from the same image and inherit the same local administrator username and password. By compromising one of these machines, an attacker can extract the credentials from the local Security Account Manager (SAM) database and move laterally to other machines. This is why duplicated local accounts are considered a risk factor that is detected during a security assessment. A local account defined on an endpoint is shown in the Local Administrators section of the endpoint's About tab. If this local account is duplicated on more than one machine, it appears as: Local account (shared on X endpoints), where the number of endpoints is a link opening the list of endpoints in a side panel.</p><p>If no information is displayed in the Local Administrators section of an endpoint account, it might be due to any of the following reasons:</p><p>The endpoint is not a Windows machine. Local administrators cannot be defined on a non-Windows machine; therefore, no local administrator information can be retrieved from it.</p><p>The endpoint is a Domain Controller. Local administrators cannot be defined on a Domain Controller; therefore, no local administrator information can be retrieved from it.</p><p>A Falcon sensor isn’t detected on this endpoint. 
This could be because it is not yet installed or the Identity Protection subscription doesn’t exist for this CID. Note: It might take up to 24 hours after sensor deployment for a value to appear here.</p><p>The endpoint is not joined to the domain and is not covered by the local administrators query.</p><p>Users or groups that have a significant footprint as local administrators present a greater security risk and must be watched more closely.</p><p>Identity Protection considers being an administrator on more than 5% of total endpoints to be excessive.</p><p>VDI endpoints are capped at contributing 3% of the 5% threshold, and each VDI endpoint is considered to be one-tenth of a physical endpoint when performing the calculation.</p><p>Such accounts are classified as Extensive Local Administrators, which allows you to apply filters and create custom insights to monitor them.</p><p>Roles</p><p>The Roles pane of the About tab displays information retrieved from Azure Active Directory. The Roles pane lists the Azure Administrative Roles that the account holds in the tenant that is configured using the Azure IDaaS connector. 
Click a role to display a pane that lists the role members and their attributes.</p><p>You can access roles:</p><p>From an entity’s About page</p><p>By searching for them by name in the Search bar</p><p>By opening them from any point in the application in which they appear</p><p>About roles</p><p>Click a role to open the role overview page and view the role's members and a selection of their attributes.</p><p>Click a role's name or icon to:</p><p>View the privileges granted to that role.</p><p>See a link to the description of the role.</p><p>Role privileges</p><p>These privileges can be granted based on role:</p>
<table>
<tr><th>Privileges</th><th>Description</th><th>Granted by these Azure AD Roles</th></tr>
<tr><td>Azure Global Privileges</td><td>Full control over the tenant</td><td>Global Administrator / Company Administrator, Privileged Role Administrator</td></tr>
<tr><td>Azure Credentials Privileges</td><td>Control over user credentials</td><td>Authentication Administrator, Privileged Authentication Administrator, Helpdesk Administrator, Password Administrator, User Administrator, Authentication Policy Administrator</td></tr>
<tr><td>Azure Access Privileges</td><td>Manage access settings to the tenant</td><td>Conditional Access Administrator, External Identity Provider Administrator</td></tr>
<tr><td>Azure Application Privileges</td><td>Control over cloud applications</td><td>Application Administrator, Cloud Application Administrator, Exchange Administrator</td></tr>
<tr><td>Azure Security Privileges</td><td>Manage security-related features in Azure</td><td>Security Administrator, Security Operator</td></tr>
</table>
<p>Viewing a role’s members</p><p>When you view a role's members, the default view shows you all the entities that have the applicable role.</p><p>Exporting role members</p><p>You can export a list of a role's members and their attributes as a CSV file by clicking Export CSV, located above the members list.</p><p>Groups</p><p>Groups display information retrieved from Active Directory and Azure AD that provides you with the context and scope within which the group operates, such as the group type, its members, and their connection to other entities.</p><p>You can access groups:</p><p>From an entity’s About page.</p><p>By searching for them by name in the Search bar.</p><p>By opening them from any point in the application in which they appear.</p><p>An entity’s About page lists the groups of which the entity is a member. A group marked with a crown icon is a privileged group, and its members are privileged.</p><p>About groups</p><p>Click a group to open the group overview page and view the group's members, a selection of their attributes, and their risk score.</p><p>Click a group's name or icon to:</p><p>Drill down to view the group’s details as displayed in the group’s business card.</p><p>See if a group is nested within another group.</p><p>View the privileges of that group.</p><p>Viewing a group’s members</p><p>One characteristic of groups is that they can be nested. When you view a group's members, the default view shows you all the entities that belong to the group and its subgroups.</p><p>To view only the members that belong directly to the selected group, click Show direct members only.</p><p>Exporting group members</p><p>You can export a list of a group's members and their attributes as a CSV file by clicking Export CSV, located above the members list.</p><p>Assets tab</p><p>This tab includes the endpoints, applications, and top destinations that the user accesses often, which makes them part of their behavioral baseline. 
This information is available after the initial learning period is over and is used to detect anomalous activity and to define policy rules using the Baseline condition.</p><p>The tab contains the following sections:</p><p>Endpoints</p><p>This section lists the endpoints that the user regularly accesses. Each entry contains:</p><p>Endpoint name</p><p>IP</p><p>Last login time</p><p>Owner: this tag is added if this is the only user using this endpoint.</p><p>Local administrator: this tag is added if the user is a local administrator of the endpoint.</p><p>Applications</p><p>This section lists applications that have been regularly accessed. Each entry contains:</p><p>Application Name</p><p>Last login time</p><p>Top destinations</p><p>This section contains a list of the servers the user connects to over RDP on a regular basis. Each entry contains:</p><p>Endpoint name</p><p>IP</p><p>Last login time</p><p>Local administrator: this tag is added if the user is a local administrator of the endpoint.</p><p>Assigned subscriptions</p><p>This section lists the assigned built-in roles for subscriptions an entity has in Azure. 
Each entry contains:</p><p>Subscription Name</p><p>Subscription ID</p><p>List of assigned built-in roles</p><p>Click the three-dot menu icon in an entry to:</p><p>View all users assigned to the subscription</p><p>View the subscription details in Azure</p><p>Activity tab</p><p>This tab contains comprehensive information about the user's recent and current network activity.</p><p>The Activity tab shows the following sections:</p>
<table>
<tr><th>Section</th><th>Description</th></tr>
<tr><td>Login History</td><td>The history of the user's logins for the last 90 days, including the type of connection, the endpoint from which the login originated, its type and IP address, and the login date and time (to see the exact time, hover over the date). The connections shown here include, among others, LDAP, Kerberos, and Cloud SSO logins. The login geolocation is indicated on the map. Regular, unusual, and forbidden locations are color-coded, allowing you to quickly detect any anomaly. Clicking an endpoint in the table opens its profile in a side panel.</td></tr>
<tr><td>Logged On</td><td>The endpoints on which the user was recently active. This is determined by examining the LDAP GPO Searches performed in the last 4 hours. The information includes the endpoint type, its primary and secondary names, the department and organizational unit to which the endpoint belongs, its attributes (for example, Server, Privileged, and so on), its risk score, and the login date and time. Clicking an endpoint in the table opens its profile in a side panel.</td></tr>
<tr><td>Application Usage</td><td>This section contains the details about the user's access to cloud applications, including the application name, the type and IP address of the device used, and the access date and time (to see the exact time, hover over the date).</td></tr>
<tr><td>User sign-ins</td><td>Shows details about the users who have signed in to an application that is associated with a service principal, including: Primary: the primary name of the user; Secondary: an alternative identifier assigned to the user by Identity Protection; Device type: details of the device used to perform the sign-in; IP Address: IP of the device used to perform the sign-in; Time: when the sign-in occurred.</td></tr>
<tr><td>On-Prem Service Access</td><td>This section contains the details about the user's access to services, including the originating endpoint, the service type, the destination, and the access date and time (to see the exact time, hover over the date).</td></tr>
</table>
<p>Risk tab</p><p>This section shows the user's risk trend for the last 30 days and the main risk factors. Hovering over a date in the trend diagram shows the risk score on that particular date and its difference from the previous risk score.</p><p>Timeline tab</p><p>The Timeline is a chronologically presented series of events related to an account. The categories of events shown in the timeline include:</p><p>Alerts. These are the main components of incidents relating to the account.</p><p>Changes to the account. 
For example, the account name changed, it was disabled or deleted, or its authorizers were modified.</p><p>Changes in the state of the account. These state changes include the account becoming stale or inactive, or a compromised password being detected.</p><p>Policy rule matches. The account has matched the criteria for an existing Identity Protection policy.</p><p>Entity actions</p><p>These actions are available from the Entity actions menu. The actions menu differs according to the entity type and its attributes: for example, whether the entity is a user or an endpoint, whether it is on the watch list, whether it is Cloud Only or Hybrid, and other attributes.</p>
<table>
<tr><th>Action</th><th>Description</th></tr>
<tr><td>Mark entity</td><td>Mark the entity so that it can be easily identified elsewhere in the Falcon console. An entity remains marked for 48 hours by default.</td></tr>
<tr><td>Unmark entity</td><td>Unmark the entity. This action is only available for marked entities.</td></tr>
<tr><td>Add to watchlist</td><td>Add the entity to the watch list. This action also increases the entity’s risk score.</td></tr>
<tr><td>Remove from watchlist</td><td>Remove the entity from the watch list. This option appears only for watched entities.</td></tr>
<tr><td>Set classification</td><td>Override automatic classification. For example, the analyst can specify that an endpoint classified as a server is a workstation, that a human user is actually an executive, or that an unclassified user account is a programmatic account. This is valuable when the user wants to override classification or speed up classification. Identity Protection does not change the analyst’s classification even if it determines that the entity should be classified otherwise. Also, Identity Protection uses the analyst’s classification as input for its own classifications, for example, for determining similar users. Note: Classifying an endpoint as an impersonator server causes Credential scanning or Password brute force attack detections from it to have a lower severity or be completely filtered out of detection results in some cases. Classifying an endpoint as an impersonation server causes Unusual login to an endpoint detections to be completely filtered out of detection results in all cases.</td></tr>
<tr><td>Manage authorizers</td><td>Specify a user, multiple users, or groups who will authenticate other accounts when a policy requires authentication or verification. Notifications that appear as Authorizers Changed are: authorizers added, authorizers removed, or the combination of both authorizers added and authorizers removed.</td></tr>
<tr><td>Set authorizer</td><td>Specify a human user who will authenticate non-human (programmatic) accounts when a policy requires authentication or verification.</td></tr>
<tr><td>Flag as honeytoken</td><td>Flag a specific entity as a honeytoken. Activity on or changes to the account will trigger a dedicated detection. For more information, see the Knowledge Base article, What are the best practices for configuring honeytoken accounts in Falcon Identity Protection?</td></tr>
<tr><td>Remove honeytoken flag</td><td>Remove the honeytoken flag from the entity. This option appears only for entities flagged as honeytokens.</td></tr>
<tr><td>Show recent events</td><td>Displays a list of recent events for the selected user.</td></tr>
</table>
<p>https://falcon.us-2.crowdstrike.com/documentation/169/supportportal.crowdstrike.com/s/article/ka16T000001MfykQAC</p>
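<p>The excessive local administrator rule and the shared local account check described in the Local administrators section above, as an added Python example that is not CrowdStrike’s code: the inventory and the principal names (CORP\helpdesk and so on) are constructed, and the exact arithmetic (a VDI endpoint weighted at one-tenth in both the principal’s count and the total, with the 3% cap applied in percentage points) is this example’s assumption about how the documented rule is applied.</p>

```python
"""Local administrator footprint checks modelled on the documented rules.

Added example, not CrowdStrike code. The inventory is constructed and the
exact arithmetic is an assumption about how the documented rule is applied.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Rule parameters quoted from the documentation text.
EXCESSIVE_PCT = 5.0  # admin on more than 5% of total endpoints is excessive
VDI_CAP_PCT = 3.0    # VDI endpoints contribute at most 3 points of the 5
VDI_WEIGHT = 0.1     # one VDI endpoint counts as one-tenth of a physical one


@dataclass
class Endpoint:
    """One endpoint as a sensor-backed local administrator query might report it."""
    name: str
    is_vdi: bool
    domain_admins: set = field(default_factory=set)  # domain users/groups with local admin
    local_admins: set = field(default_factory=set)   # local accounts with local admin


def build_sample_inventory():
    """Constructed inventory (not real telemetry): 100 physical workstations and
    200 VDI endpoints with a few local administrator assignments."""
    inv = [Endpoint(f"WS-{i:03d}", False) for i in range(1, 101)]
    inv += [Endpoint(f"VDI-{i:03d}", True) for i in range(1, 201)]
    for ep in inv[:4]:            # helpdesk group is admin on 4 physical machines...
        ep.domain_admins.add("CORP\\helpdesk")
    for ep in inv[100:160]:       # ...and on 60 VDI endpoints
        ep.domain_admins.add("CORP\\helpdesk")
    for ep in inv[100:]:          # VDI support team is admin on every VDI endpoint
        ep.domain_admins.add("CORP\\vdi-support")
    for ep in inv[4:6]:           # backup service account is admin on 2 machines
        ep.domain_admins.add("CORP\\svc-backup")
    for ep in inv[100:150]:       # local account baked into the VDI image
        ep.local_admins.add("imgadmin")
    return inv


def admin_footprint(principal, inventory):
    """Return (physical_pct, vdi_pct_after_cap, excessive) for one domain principal.

    Assumption: a VDI endpoint is weighted at VDI_WEIGHT in both the principal's
    count and the total, and the VDI share is capped at VDI_CAP_PCT points."""
    total = sum(VDI_WEIGHT if ep.is_vdi else 1.0 for ep in inventory)
    physical = sum(1 for ep in inventory
                   if not ep.is_vdi and principal in ep.domain_admins)
    vdi = sum(1 for ep in inventory
              if ep.is_vdi and principal in ep.domain_admins)
    physical_pct = 100.0 * physical / total
    vdi_pct = min(100.0 * VDI_WEIGHT * vdi / total, VDI_CAP_PCT)
    return physical_pct, vdi_pct, physical_pct + vdi_pct > EXCESSIVE_PCT


def shared_local_accounts(inventory, min_endpoints=2):
    """Map each local administrator account name to the endpoints it exists on,
    keeping only names present on at least min_endpoints machines. A shared
    name is the signal the page describes; it does not by itself prove the
    endpoints also share the same password."""
    seen = defaultdict(list)
    for ep in inventory:
        for name in sorted(ep.local_admins):
            seen[name].append(ep.name)
    return {n: eps for n, eps in seen.items() if len(eps) >= min_endpoints}


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for principal in ("CORP\\helpdesk", "CORP\\vdi-support", "CORP\\svc-backup"):
        phys, vdi, excessive = admin_footprint(principal, inventory)
        label = "Extensive Local Administrator" if excessive else "ok"
        print(f"{principal:20} physical {phys:5.2f}% + VDI {vdi:4.2f}% -> {label}")
    for name, eps in shared_local_accounts(inventory).items():
        print(f"Local account {name} (shared on {len(eps)} endpoints)")
```

The VDI-only principal shows why the cap matters: admin on every VDI endpoint never exceeds the 5% line on its own, while a modest physical footprint combined with VDI does.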
