AlienVault® USM Anywhere™

User Discovery

USM Anywhere automatically discovers users in your environment with the user discovery jobs you have configured. See Managing User Discovery Jobs in the Scheduler to learn about these jobs and how to configure them.

Users Discovered in Your Environment

USM Anywhere uses the user discovery jobs you have configured to extract and maintain an updated list of the users who are active in your environment.

To see a list of the users active in your environment and their accounts

  1. Go to Environment > Users.
    All of your discovered users are listed here.

Note: By default, inactive users are not shown. You can use this list's filters to view them.

  2. Click the name (or the chevron next to the name) of a user whose accounts you want to view, and then click Full User Details.
    This user's accounts are listed under the Accounts tab.
  3. Navigate to a UBA user's Full User Details page to see their details, accounts, alarms, and events.

Active and Inactive Users

In addition to detecting which users are active in a given environment, USM Anywhere tracks users and user accounts that have become inactive. This supports USM Anywhere's advanced threat detection capabilities, which take a user's activity and account status into consideration when generating and prioritizing alarms.

While different user authentication mechanisms each approach users' active status differently, USM Anywhere normalizes all of those disparate approaches to present one unified and unambiguous reporting of the status of each user entity and all of its accounts.

Note: See Understanding User Status in the User Data Source to read more about how each user authentication mechanism handles users' statuses.

To view a user entity's or account's status, check the dot next to the username or account name. When the dot is green, the user or account it represents is active. If it is grey, the user or account it represents is in a status other than active.

A user's entity or account state is represented by a dot: green for "active" and grey for anything other than "active".

Possible User Entity and Account States
|  | State | Description |
| --- | --- | --- |
| User Entity | Active | If any of the user's accounts are active, the user is active. |
| User Entity | Inactive | If all of the user's accounts are in a status other than active, the user is inactive. |
| User Account | Active | A user account is active when it's validated and reported by the provider API. |
| User Account | Disabled | When a user account is disabled by the provider but still reported by the provider API, that user account is considered disabled. |
| User Account | Retired | When a user account no longer exists in the provider system, that account is considered retired. |

Note: Due to the information provided by AWS, AWS user accounts are marked "retired" when they have not appeared in any scans for 30 days.
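
The state model in the table and the AWS note above, sketched as an added Python example (not AlienVault's code or USM Anywhere's implementation). The field names, provider labels, event format, the helper that lists events on non-active accounts, and the rule that an AWS account missing for under 30 days keeps its prior state are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

AWS_RETIRE_AFTER = timedelta(days=30)  # threshold from the AWS note above

@dataclass
class Account:
    provider: str         # hypothetical labels such as "aws" or "okta"
    name: str
    reported: bool        # returned by the provider API in the latest scan
    disabled: bool        # provider marks the account as disabled
    last_seen: datetime   # most recent scan that included the account
    previous_state: str = "active"  # state recorded before this scan

def account_state(acct, now):
    """Normalize one account to 'active', 'disabled' or 'retired'."""
    if acct.reported:
        return "disabled" if acct.disabled else "active"
    if acct.provider == "aws" and now - acct.last_seen < AWS_RETIRE_AFTER:
        # Assumption: an AWS account missing for under 30 days keeps its prior state.
        return acct.previous_state
    return "retired"

def entity_state(accounts, now):
    """A user entity is active if any of its accounts is active."""
    states = [account_state(a, now) for a in accounts]
    return "active" if "active" in states else "inactive"

def events_on_non_active_accounts(events, accounts, now):
    """Return events whose account is disabled or retired (worth a closer look)."""
    state = {(a.provider, a.name): account_state(a, now) for a in accounts}
    return [e for e in events
            if state.get((e["provider"], e["account"])) in ("disabled", "retired")]

# Constructed sample data: one user entity with two accounts.
NOW = datetime(2024, 6, 30)
ALICE = [
    Account("aws", "alice", reported=False, disabled=False,
            last_seen=NOW - timedelta(days=10)),
    Account("okta", "alice@example.com", reported=True, disabled=True, last_seen=NOW),
]
EVENTS = [
    {"provider": "okta", "account": "alice@example.com", "action": "login"},
    {"provider": "aws", "account": "alice", "action": "ListBuckets"},
]

if __name__ == "__main__":
    print(entity_state(ALICE, NOW))
    print(entity_state(ALICE, NOW + timedelta(days=21)))
    print(events_on_non_active_accounts(EVENTS, ALICE, NOW))
```

With the sample data, the user entity stays active while the AWS account is within the 30-day window and becomes inactive once that account is retired and only the disabled account remains.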