USM Anywhere automatically discovers users in your environment with the user discovery jobs you have configured. See Scheduling User Discovery Jobs from the Job Scheduler Page to learn about these jobs and how to configure them.
Users Discovered in Your Environment
USM Anywhere uses the user discovery jobs you have configured to extract and maintain an updated list of the users who are active in your environment. User accounts are discovered and matched by comparing specific fields from your environment, that differ between user authentication mechanisms. This means that the fields USM Anywhere uses to detect and resolve discovered users in Amazon Web Services (AWS) will differ from the fields used in Google Cloud Platform (GCP) or Okta. The following table outlines which fields are used in each user source.
|User Source||User Account Data|
|AWS||SOURCE_USERNAME and SOURCE_ACCOUNT|
SOURCE_USERNAME and SOURCE_NTDOMAIN
DESTINATION_USERNAME and DESTINATION_NTDOMAIN
|Azure AD and Office 365||
|G Suite and GCP||
To see a list of the users active in your environment and their accounts
- Go to Environment > Users.
All of your discovered users are listed here.
Note: By default, inactive users are not shown. You can use this list's filters to view them.
- Click the name (or the chevron next to the name) of a user whose accounts you want to view, and then click Full User Details.
This user's accounts are listed under the Accounts tab.
Active and Inactive Users
In addition to detecting which users are active in each environment, USM Anywhere carefully tracks users and user accounts that have become inactive. This enables USM Anywhere advanced threat detection capabilities, which take a user's activity and account status into consideration in generating and prioritizing alarms.
While different user authentication mechanisms each approach users' active status differently, USM Anywhere normalizes all of those disparate approaches to present one unified and unambiguous reporting of the status of each user entity and all of its accounts.
Note: See Understanding User Status in the User Data Source to read more about how each user authentication mechanism handles users' statuses.
To view a user entity's or account's status, check the dot next to the username or account name. When the dot is green, the user or account it represents is active. If it is gray, the user or account it represents is in a status other than active.
|User Entity||Active||If any of the user's accounts are active, the user is active.|
|Inactive||If all of the user's accounts are in a status other than active, the user is inactive.|
|User Account||Active||A user account is active when it's validated and reported by the provider API.|
|Disabled||When a user account is disabled by the provider but still reported by the provider API, that user account is considered disabled.|
When a user account no longer exists in the provider system, that account is considered retired.
Note: Due to the information provided by AWS, AWS user accounts are marked "retired" when they have not appeared in any scans for 30 days.