defender-xdr/investigate-users.md
Lines changed: 7 additions & 8 deletions
@@ -86,12 +86,12 @@ Microsoft Defender for Identity pulls tags out of Active Directory to give you a
86
86
|-----|-------------|
87
87
|**New**| Indicates that the entity was created less than 30 days ago. |
88
88
|**Deleted**| Indicates that the entity was permanently deleted from Active Directory. |
89
-
|**Disabled**| Indicates that the entity is currently disabled in Active Directory. The *disabled* attribute is an Active Directory flag that's available for user accounts, computer accounts, and other objects to indicate that the object is not currently in use. <br><br>When an object is disabled, it can't be used to sign in or perform actions in the domain.|
89
+
|**Disabled**| Indicates that the entity is currently disabled in Active Directory. The *disabled* attribute is an Active Directory flag that's available for user accounts, computer accounts, and other objects to indicate that the object isn't currently in use. <br><br>When an object is disabled, it can't be used to sign in or perform actions in the domain.|
90
90
|**Enabled**| Indicates that the entity is currently enabled in Active Directory, indicating that the entity is currently in use, and can be used to sign in or perform actions in the domain. |
91
-
|**Expired**| Indicates that the entity is expired in Active Directory. When a user account is expired, the user is no longer able to log in to the domain or access any network resources. The expired account is essentially treated as if it were disabled, but with an explicit expiration date set. <br><br>Any services or applications that the user was authorized to access may also be affected, depending on how they are configured. |
91
+
|**Expired**| Indicates that the entity is expired in Active Directory. When a user account is expired, the user is no longer able to log in to the domain or access any network resources. The expired account is treated as if it were disabled, but with an explicit expiration date set. <br><br>Any services or applications that the user was authorized to access might also be affected, depending on how they're configured. |
92
92
|**Honeytoken**| Indicates that the entity is manually tagged as a honeytoken. |
93
93
|**Locked**| Indicates that the entity supplied the wrong password too many times, and is now locked. |
94
-
|**Partial**| Indicates that the user, device, or group is not in synch with the domain, and is partially resolved via a global catalog. In this case, some attributes aren't available. |
94
+
|**Partial**| Indicates that the user, device, or group isn't in synch with the domain, and is partially resolved via a global catalog. In this case, some attributes aren't available. |
95
95
|**Unresolved**| Indicates that the device doesn't resolve to a valid identity in the Active Directory forest. No directory information is available. |
96
96
|**Sensitive**| Indicates that the entity is considered as sensitive. |
97
97
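Review bot: The **Partial** row still reads "in synch with the domain" on the added line; since that line is being edited anyway, change it to "in sync". The **Expired** row also keeps "log in to the domain" while the **Disabled** and **Enabled** rows say "sign in", so use "sign in" there as well for consistency.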
@@ -148,9 +148,9 @@ For example:
148
148
149
149
:::image type="content" source="/defender/media/image.png" alt-text="Screenshot that shows how to choose time frame." lightbox="/defender/media/image.png":::
150
150
151
-
-**Timeline filters:** In order to improve your investigation experience, you can use the timeline filters: Type (Alerts and/or user's related activities), Alert severity, Activity type, App, Location, Protocol. Each filter depends on the others, and the options in each filter (drop-down) only contains the data that is relevant for the specific user.
151
+
-**Timeline filters:** In order to improve your investigation experience, you can use the timeline filters: Type (Alerts and/or user's related activities), Alert severity, Activity type, App, Location, Protocol. Each filter depends on the others, and the options in each filter (drop-down) only contains the data that's relevant for the specific user.
152
152
153
-
-**Export button:** You can export the timeline to a CSV file. Export is limited to the first 5000 records and contains the data as it displays in the UI (same filters and columns).
153
+
-**Export button:** You can export the timeline to a CSV file. Export is limited to the first 5,000 records and contains the data as it displays in the UI (same filters and columns).
154
154
155
155
-**Customized columns:** You can choose which columns to expose in the timeline by selecting the **Customize columns** button. For example:
156
156
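Review bot: On the added **Timeline filters** line, "the options in each filter (drop-down) only contains the data" pairs a plural subject with a singular verb; it should read "contain only the data". The opening "In order to improve" can be shortened to "To improve" in the same edit.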
@@ -186,11 +186,10 @@ For example:
186
186
:::image type="content" source="/defender/media/investigate-users/user-incident-timeline.png" alt-text="Screenshot of the Timeline tab." lightbox="/defender/media/investigate-users/user-incident-timeline.png":::
187
187
188
188
> [!NOTE]
189
-
> Microsoft Defender XDR can display date and time information using either your local time zone or UTC. The selected time zone will apply to all date and time information shown in the Identity timeline.
189
+
> Microsoft Defender XDR can display date and time information using either your local time zone or UTC. The selected time zone applies to all date and time information shown in the Identity timeline.
190
190
>
191
191
> To set the time zone for these features, go to **Settings**\>**Security center**\>**Time zone**.
192
192
193
-
194
193
## Security recommendations
195
194
196
195
This tab displays all active security posture assessments (ISPMs) associated with an identity account. It includes Defender for Identity recommendations across available identity providers such as Active Directory, Okta, and others. Selecting an ISPM pivots you to the recommendation page in Microsoft Secure Score for additional details.
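Review bot: In the context line under "## Security recommendations", "security posture assessments (ISPMs)" introduces an abbreviation that doesn't match the phrase it follows, and the last sentence then uses "ISPM" on its own. Spell out what ISPM stands for on first use, or drop the abbreviation. In the note block, the path "**Settings**\>**Security center**\>**Time zone**" would also read better with a space on each side of ">".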
@@ -201,7 +200,7 @@ This tab displays all active security posture assessments (ISPMs) associated wit
201
200
202
201
This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see [Overview of attack path within Exposure Management.](/security-exposure-management/work-attack-paths-overview)
203
202
204
-
## Sentinel events
203
+
## Microsoft Sentinel events
205
204
206
205
If your organization onboarded Microsoft Sentinel to the Defender portal, this additional tab is on the user entity page. This tab imports the [Account entity page from Microsoft Sentinel](/azure/sentinel/entity-pages).
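Review bot: Renaming the heading "## Sentinel events" to "## Microsoft Sentinel events" changes the heading's generated anchor, so any link that targets the old "#sentinel-events" fragment will stop resolving; search for inbound links before merging. If the heading is meant to mirror the tab label shown on the user entity page, confirm that the tab name matches the new wording.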