
Under Inventory > Users, you see the users currently tracked in the network.

Users can only be tracked if they are allocated to an asset. If the user API is enabled, Threat Defender automatically maps users and assets. Otherwise, the allocation has to be done manually.

To manually add a new user to be tracked by Threat Defender, click the Add button above the information fields (see User Settings).

Click Create Report if you wish to create a downloadable PDF report on the users database. The report contains the entire users table.

The information fields show the total number of users by category:

  • Current - the total number of users currently stored in the database of Threat Defender.

  • Created - the number of users created in the past day.

  • Updated - the number of users updated in the past day.

  • Seen - the number of users seen by Threat Defender in the past day.

The table displays an overview of the available user information. The analytics_icon icon in last column allows you to directly access the reporting section under Analytics for the respective user. You can also view the user details, edit the user settings or delete the user.

User Details

To see further details about a user, click view_icon in the overview table or double-click its row. The details page displays the available information on the user in several tabs.

The buttons at the top of the page allow you to edit or delete the user. Click Create Full Report or Create Summary Report if you wish to create a downloadable PDF report on the user. The full report contains all information displayed in the details page, including the charts. The summary report contains only the data tables.


The User tab displays all information collected about the users when Threat Defender last saw them:




The displayed name of the user.


The internal login name of the user.


The domain assigned to the user.

Last Login At

The date when the user last logged in to the network.

Last Login From

The IP address used when the user last logged in to the network.

Last Logout At

The date when the user last logged out of the network.

Last Logout From

The IP address used when the user last logged out of the network.

Seen At

The date and time when the user was last active in the network.

Created At

The date and time when the user was created in Threat Defender.

Updated At

The date and time when the user was last updated in Threat Defender.


The Assets tab shows the assets associated with the user.

To manage multiple assets at once, mark their checkboxes in the first table column or click SELECT ALL to select all visible assets. You can then perform the following List Actions:

  • settings_icon Operations: Add tags to the selected assets or remove tags from them. You can also merge several assets into one Primary Asset.

  • delete_icon Delete: Delete the selected assets from the database.

  • delete_icon Reset Last Seen: Delete the metadata currently stored in the Last Seen section of the selected assets.

The Static Assets table displays the assets that were manually assigned to this user:



Created At

The date when the asset was created in Threat Defender.


The name of the asset.


The user associated to the asset.


The icon in this column indicates whether the asset is a gateway (indicator_yes_icon) or not (indicator_no_icon). For gateways, the IP addresses are not tracked.


The tags assigned to the asset.

MAC Addresses

The MAC addresses tracked for the asset.

IP Addresses

The IP addresses tracked for the asset.

Last Seen

The metadata collected for the asset when Threat Defender last saw it. Click plus_icon to show additional information and minus_icon to show less information.

The icons in last table column allow you to view, edit or delete the respective asset. You can also access the reporting sections for its outbound (ascending_icon) and inbound (descending_icon) traffic under Analytics by clicking the respective icon.

The Auto connected assets via last seen table displays the assets automatically allocated to this user.



Last Seen

The date and time when Threat Defender last saw the asset.


The name of the asset.

The delete_icon icon in the last table column allows you to delete the asset.

IP Addresses

The IP Addresses tab displays the IP addresses automatically allocated to this user at login.



Last Seen

The date and time when Threat Defender last saw the IP address.

IP Address

The assigned IP address.

The delete_icon icon in the last table column allows you to delete the IP address.


The Incidents tab displays an extract from the incident logs that contains the incidents involving the user:



Created At

The date and time the incident was created in Threat Defender.


The severity logged for the incident.


The rule action logged for the incident. Actions are allow, reject and drop.


The type of the reported incident; IPS, IOC, or Policy hit.


The detected threat indicator.


The applications and/or protocols involved in the event.


The source and destination assets involved in the incident.

IP Addresses

The source and destination IP addresses involved in the incident.


The source and destination ports involved in the incident.


The source and destination countries of the flow involved in the incident. If a private IP range is used, the country is displayed as Unknown or invalid territory.

Click the view_icon in the last table column to go to the log entry under Threats > Incident Logs.


The Events tab displays log events involving the user:



Created At

The date and time the event was created in Threat Defender.


The state of the logged event, i.e. whether it was successful or failed.


The tag assigns the event to a certain log.


The logged action.


A message describing the event.


The login name of the user involved in the event.

User IP Address

The IP address of the user involved in the event.

If you click view_icon in the last table column or double-click a log entry, you will be taken directly to the respective page in the Audit Logs.


The Analytics tab shows charts that visualize the traffic information available for the user. They are grouped in tabs by reporting period (last day, last week, last month).

User Settings

When you manually add a new user to be tracked or edit an existing one, the settings screen is displayed with the following options:



Associated Asset

If applicable, the assets associated to this user are displayed with their names and a link to their details pages.


Enter the name to be displayed for the user.


Enter the login name of the user.


Optional: Assign a domain to the user.


Optional: Add a short description of the user.

The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).