You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/investigate-users.md
+12-14Lines changed: 12 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -120,33 +120,33 @@ When an incident or alert is selected, a fly-out appears. You can manage the inc
120
120
121
121
To see a full page view of an incident or alert, select its title.
122
122
123
-
:::image type="content" source="/defender/media/investigate-users/user-incident-alertstab.png" alt-text="Screenshot of the user account's related alerts seen in the Alerts tab in the Microsoft Defender portal" lightbox="/defender/media/investigate-users/user-incident-alertstab.png":::
123
+
:::image type="content" source="/defender/media/investigate-users/user-incident-alertstab.png" alt-text="Screenshot of the user account's related alerts seen in the Alerts tab in the Microsoft Defender portal." lightbox="/defender/media/investigate-users/user-incident-alertstab.png":::
124
124
125
125
## Observed in organization
126
126
127
-
-**Devices**: this section shows all the devices the user entity signed into in the prior 180 days, indicating the most and least used.
127
+
-**Devices**: This section shows all the devices the user entity signed into in the prior 180 days, indicating the most and least used.
128
128
129
-
-**Locations**: this section shows all the observed locations for the user entity in the last 30 days.
129
+
-**Locations**: This section shows all the observed locations for the user entity in the last 30 days.
130
130
131
-
-**Groups**: this section shows all observed on-premises groups for the user entity, as reported by Microsoft Defender for Identity.
131
+
-**Groups**: This section shows all observed on-premises groups for the user entity, as reported by Microsoft Defender for Identity.
132
132
133
-
-**Accounts**: this section shows all observed accounts for the identity entity, as reported by Microsoft Defender for Identity.
133
+
-**Accounts**: This section shows all observed accounts for the identity entity, as reported by Microsoft Defender for Identity.
134
134
135
-
-**Lateral movement paths**: this section shows all profiled lateral movement paths from the on-premises environment, as detected by Defender for Identity.
135
+
-**Lateral movement paths**: This section shows all profiled lateral movement paths from the on-premises environment, as detected by Defender for Identity.
136
136
137
137
The **Accounts** tab displays all accounts linked to a specific identity across connected systems. It consolidates manual and automatic correlations into a single table, giving you a centralized view of the identity’s footprint.
138
138
139
139
The table shows the following fields:
140
140
141
-
-****Linkage type**:**shows how the account was linked to the identity (manual, StrongIDs, API, or rule).
141
+
-**Linkage type**: Shows how the account was linked to the identity (manual, StrongIDs, API, or rule).
142
142
143
-
-**Date of last linkage:**records the most recent date an account was linked to the identity.
143
+
-**Date of last linkage:**Records the most recent date an account was linked to the identity.
144
144
145
-
-**Linked by:**identifies who created the link (StrongIDs, user ID, or rule name).
145
+
-**Linked by:**Identifies who created the link (StrongIDs, user ID, or rule name).
146
146
147
-
-**Linkage comment:**provides a short description that explains why the accounts were linked. The comment is limited to 25 characters.
147
+
-**Linkage comment:**Provides a short description that explains why the accounts were linked. The comment is limited to 25 characters.
148
148
149
-
-**Primary account:**indicates whether the system designates this account as the primary one for the identity.
149
+
-**Primary account:**Indicates whether the system designates this account as the primary one for the identity.
150
150
151
151
152
152
> [!NOTE]
@@ -271,7 +271,7 @@ The insights are based on the following data sources:
271
271
272
272
If you want to further explore any of the insights in this panel, select the link accompanying the insight. The link takes you to the **Advanced hunting** page, where it displays the query underlying the insight, along with its raw results. You can modify the query or drill down into the results to expand your investigation or just satisfy your curiosity.
273
273
274
-
:::image type="content" source="/defender/media/investigate-users/insights-advanced-hunting.png" alt-text="Screenshot of Advanced hunting screen with insight query.":::
274
+
:::image type="content" source="/defender/media/investigate-users/insights-advanced-hunting.png" alt-text="Screenshot of the Advanced hunting screen with insight query.":::
275
275
276
276
## Remediation actions
277
277
@@ -283,8 +283,6 @@ From the Overview page, you can perform these actions:
283
283
284
284
285
285
286
-
287
-
288
286
For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
0 commit comments