User Discovery

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere automatically discovers users in your environment with the user discovery jobs you have configured. See Scheduling User Discovery Jobs from the Job Scheduler Page to learn about these jobs and how to configure them.

Users Discovered in Your Environment

USM Anywhere uses the user discovery jobs you have configured to extract and maintain an updated list of the users who are active in your environment. User accounts are discovered and matched by comparing specific fields from your environment, and these fields differ between user authentication mechanisms. This means that the fields USM Anywhere uses to detect and resolve discovered users in Amazon Web Services (AWS) will differ from the fields used in Google Cloud Platform (GCP) or Okta. The following table outlines which fields are used in each user source.

Possible User Entity and Account States
| User Source | User Account Data |
|---|---|
| AWS | SOURCE_USERNAME and SOURCE_ACCOUNT |
| AD | SOURCE_USERNAME; DESTINATION_USERNAME; SOURCE_USERNAME and SOURCE_NTDOMAIN; DESTINATION_USERNAME and DESTINATION_NTDOMAIN |
| Azure AD and Office 365 | SOURCE_USERNAME; DESTINATION_USERNAME |
| Okta | SOURCE_USERNAME; DESTINATION_USERNAME |
| G Suite and GCP | SOURCE_USERNAME; SOURCE_USER_EMAIL; DESTINATION_USERNAME; DESTINATION_USER_EMAIL |

To see a list of the users active in your environment and their accounts

  1. Go to Environment > Users.
  2. All of your discovered users are listed here.

    Note: By default, inactive users are not shown. You can use this list's filters to view them.

  3. Click the name (or the chevron next to the name) of a user whose accounts you want to view, and then click Full User Details.
    This user's accounts are listed under the Accounts tab.

    Navigate to a UBA user's Full User Details page to see their details, accounts, alarms, and events.

Active and Inactive Users

In addition to detecting which users are active in each environment, USM Anywhere carefully tracks users and user accounts that have become inactive. This enables USM Anywhere advanced threat detection capabilities, which take a user's activity and account status into consideration in generating and prioritizing alarms.

While different user authentication mechanisms each approach users' active status differently, USM Anywhere normalizes all of those disparate approaches to present one unified and unambiguous reporting of the status of each user entity and all of its accounts.

Note: See Understanding User Status in the User Data Source to read more about how each user authentication mechanism handles users' statuses.

To view a user entity's or account's status, check the dot next to the username or account name. When the dot is green, the user or account it represents is active. If it is gray, the user or account it represents is in a status other than active.

These are the possible user entity and account states:

Possible User Entity and Account States
| | State | Description |
|---|---|---|
| User Entity | Active | If any of the user's accounts are active, the user is active. |
| | Inactive | If all of the user's accounts are in a status other than active, the user is inactive. |
| User Account | Active | A user account is active when it's validated and reported by the provider API. |
| | Disabled | When a user account is disabled by the provider but still reported by the provider API, that user account is considered disabled. |
| | Retired | When a user account no longer exists in the provider system, that account is considered retired. Note: Due to the information provided by AWS, AWS user accounts are marked "retired" when they have not appeared in any scans for 30 days. |
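
The state rules in the table above, written out as an added Python example (this is not USM Anywhere code) that classifies each account and rolls the result up to the user entity. The record fields (source, reported, enabled, last_seen, last_state), the sample inventory, and the choice to keep an AWS account's last known state inside the 30-day window are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

ACTIVE, DISABLED, RETIRED = "active", "disabled", "retired"
AWS_RETIRE_AFTER = timedelta(days=30)  # AWS note in the states table


def account_state(acct, now):
    """Classify one account record (field names are assumptions).

    acct keys: source, reported (listed by the provider API in the latest
    scan), enabled, last_seen (time of the last scan listing it), last_state.
    """
    if acct["reported"]:
        return ACTIVE if acct["enabled"] else DISABLED
    if acct["source"] == "AWS" and now - acct["last_seen"] < AWS_RETIRE_AFTER:
        # Assumption: inside the 30-day window the last known state is kept.
        return acct["last_state"]
    return RETIRED


def entity_state(accounts, now):
    """A user entity is active if any account is active, else inactive."""
    states = [account_state(a, now) for a in accounts]
    return "active" if ACTIVE in states else "inactive"


def inactive_users(inventory, now):
    """Return the sorted names of user entities with no active account."""
    return sorted(user for user, accts in inventory.items()
                  if entity_state(accts, now) == "inactive")


# Constructed sample inventory, not real discovery output.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def _acct(source, reported, enabled, days_ago, last_state=ACTIVE):
    return {"source": source, "reported": reported, "enabled": enabled,
            "last_seen": NOW - timedelta(days=days_ago),
            "last_state": last_state}


INVENTORY = {
    "alice": [_acct("Okta", True, True, 0), _acct("AWS", False, True, 45)],
    "bob": [_acct("AD", True, False, 0), _acct("Okta", False, True, 3)],
    "carol": [_acct("AWS", False, True, 10)],
    "dave": [_acct("AWS", False, True, 31)],
}

if __name__ == "__main__":
    for user, accts in INVENTORY.items():
        print(user, entity_state(accts, NOW),
              [account_state(a, NOW) for a in accts])
```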