Users

The users dashboard displays an overview of the users currently tracked in the network.

To manually add a new user to be tracked by Threat Defender, click the Add button above the overview panels (see User Settings).

Click Create Report if you wish to create a downloadable PDF report on the users database. The report contains the entire users table.

The overview panels show the total number of users by category:

  • Current - the total number of users currently stored in the database of Threat Defender.

  • Created - the number of users created in the last day as well as the percentage of increase or decrease.

  • Updated - the number of users updated in the last day as well as the percentage of increase or decrease.

  • Seen - the number of users seen by Threat Defender in the last day as well as the percentage of increase or decrease.

The table displays an overview of the available user information. The analytics_icon icon in the last column allows you to directly access the reporting section under Analytics for the respective user. You can also view the user details, edit the user settings or delete the user.

User Details

To see further details about a user, click view_icon in the overview table or double-click its row. The details page displays the available information on the user in several tabs.

The buttons at the top of the page allow you to edit or delete the user. Click CREATE FULL REPORT or CREATE SUMMARY REPORT if you wish to create a downloadable PDF report on the user. The full report contains all information displayed in the details page, including the charts. The summary report contains only the data tables.

User

The User tab displays all information collected about the users when Threat Defender last saw them, i.e. when they were last connected to the network:

| Field | Description |
|---|---|
| Name | The displayed name of the user. |
| Username | The internal login name of the user. |
| Domain | The domain assigned to the user. |
| Last Login At | The date when the user last logged in to the network. |
| Last Login From | The IP address used when the user last logged in to the network. |
| Last Logout At | The date when the user last logged out of the network. |
| Last Logout From | The IP address used when the user last logged out of the network. |
| Seen At | The date when the user last connected to the network. |
| Created At | The date when the user was created in Threat Defender. |
| Updated At | The date when the user was last updated in Threat Defender. |

Assets

The Assets tab shows the assets associated with the user.

To manage multiple assets at once, mark their checkboxes in the first table column. You can then perform the following List Actions:

  • settings_icon Operations: Add tags to the selected assets or remove tags from them. You can also merge several assets into one Primary Asset.

  • delete_icon Delete: Delete the selected assets from the database.

  • delete_icon Reset Last Seen: Delete the metadata currently stored in the Last Seen section of the selected assets.

The Static Assets table displays the assets that were manually assigned to this user:

| Field | Description |
|---|---|
| Created At | The date when the asset was created in Threat Defender. |
| Name | The name of the asset. |
| User | The user associated with the asset. |
| Gateway | The icon in this column indicates whether the asset is a gateway (indicator_yes_icon) or not (indicator_no_icon). For gateways, the IP addresses are not tracked. |
| Tags | The tags assigned to the asset. |
| MAC Addresses | The MAC addresses tracked for the asset. |
| IP Addresses | The IP addresses tracked for the asset. |
| Last Seen | The metadata collected for the asset when Threat Defender last saw it. Click plus_icon to show additional information and minus_icon to show less information. |

The icons in the last table column allow you to view, edit or delete the respective asset. You can also access the reporting sections for its outbound (ascending_icon) and inbound (descending_icon) traffic under Analytics by clicking the respective icon.

The Auto connected assets via last seen table displays the assets automatically allocated to this user.

| Field | Description |
|---|---|
| Last Seen | The date and time when Threat Defender last saw the asset. |
| Name | The name of the asset. |

The delete_icon icon in the last table column allows you to delete the asset.

IP Addresses

The IP Addresses tab displays the IP addresses automatically allocated to this user at login.

| Field | Description |
|---|---|
| Last Seen | The date and time when Threat Defender last saw the IP address. |
| IP Address | The assigned IP address. |

The delete_icon icon in the last table column allows you to delete the IP address.

Incidents

The Incidents tab displays an extract from the threat intelligence incident log that contains the incidents involving the user:

| Field | Description |
|---|---|
| Created At | The date and time the incident was created in Threat Defender. |
| Severity | The severity logged for the incident. |
| Action | The rule action logged for the incident. Actions are allow, reject and drop. |
| Rule | The name of the policy rule that logged the incident. |
| Indicator | The detected threat intelligence indicator. |
| Classification | The applications and/or protocols involved in the event. |
| Assets | The source and destination assets involved in the incident. |
| IP Addresses | The source and destination IP addresses involved in the incident. |
| Ports | The source and destination ports involved in the incident. |
| Countries | The source and destination countries of the flow involved in the incident. If a private IP range is used, the country is displayed as Unknown or invalid territory. |

Click view_icon in the last table column to go to the respective entry in the Incident Logs under Threats > Incident Logs.

Events

The Events tab displays log events involving the user:

| Field | Description |
|---|---|
| Created At | The date and time the event was created in Threat Defender. |
| State | The state of the logged event, i.e. whether it was successful or failed. |
| Tag | The tag assigns the event to a certain log. |
| Action | The action logged for the user. |
| Message | A message describing the event. |
| Username | The login name of the user involved in the event. |
| User IP Address | The IP address of the user involved in the event. |

If you click view_icon in the last table column or double-click a log entry, you will be taken directly to the respective page in the Audit Logs.

Analytics

The Analytics tab shows charts that visualize the traffic information available for the user. They are grouped in tabs by reporting period (last day, last week, last month).

User Settings

When you manually add a new user to be tracked or edit an existing one, the settings screen is displayed with the following options:

| Field | Description |
|---|---|
| Associated Asset | If applicable, the assets associated with this user are displayed with their names and a link to their details pages. |
| Name | Enter the name to be displayed for the user. |
| Username | Enter the login name of the user. |
| Domain | Optional: Assign a domain to the user. |
| Note | Optional: Add a short description of the user. |

The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).