Users pageedit

The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights.

User’s page

The Users page has the following sections:

User KPI (key performance indicator) chartsedit

KPI charts show the total number of users and successful and failed user authentications within the time range specified in the date picker. Data in the KPI charts is visualized through linear and bar graphs.

Hover inside a KPI chart to display the actions menu (…​), where you can perform these actions: inspect, open in Lens, and add to a new or existing case.

Data tablesedit

Beneath the KPI charts are data tables, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following details:

  • Events: Ingested events that contain the user.name field. You can stack by the event.action, event.dataset, or event.module field. To display alerts received from external monitoring tools, scroll down to the Events table and select Show only external alerts on the right.
  • All users: A chronological list of unique user names, when they were last active, and the associated domains.
  • Authentications: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination.
  • Anomalies: Unusual activity discovered by machine learning jobs that contain user data.
  • User risk: The latest recorded user risk score for each user, and its user risk classification. This feature requires a Platinum subscription or higher and must be enabled to display the data. Click Enable on the User risk tab to get started. To learn more, refer to our user risk score documentation.

The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts.

User details pageedit

A user’s details page displays all relevant information for the selected user. To view a user’s details page, click its User name link from the All users table.

The user details page includes the following sections:

  • Asset Criticality: If the securitySolution:enableAssetCriticality advanced setting is on, this section displays the user’s current asset criticality level.
  • Summary: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the user risk score feature is enabled, this section also displays user risk score data.
  • Alert metrics: The total number of alerts by severity, rule, and status (Open, Acknowledged, or Closed).
  • Data tables: The same data tables as on the main Users page, except with values for the selected user instead of for all users.
User details page

User details flyoutedit

In addition to the user details page, relevant user information is also available in the user details flyout throughout the Elastic Security app. You can access this flyout from the following places:

  • The Alerts page, by clicking on a user name in the Alerts table
  • The Events tab on the Users and user details pages, by clicking on a user name in the Events table
  • The User risk tab on the user details page, by clicking on a user name in the Top risk score contributors table
  • The Events tab on the Hosts and host details pages, by clicking on a user name in the Events table
  • The Host risk tab on the host details page, by clicking on a user name in the Top risk score contributors table

The user details flyout includes the following sections:

User details flyout

User risk summaryedit

The User risk summary section contains a risk summary visualization and table.

The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the Options menu. Use this menu to inspect the visualization’s queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization.

The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the Inspect button, which allows you to inspect the table’s queries.

To expand the User risk summary section, click View risk contributions. The left panel displays additional details about the user’s risk inputs.

User risk inputs

Asset Criticalityedit

The Asset Criticality section displays the selected user’s asset criticality level. Asset criticality contributes to the overall user risk score. The criticality level defines how impactful the user is when calculating the risk score.

Asset criticality

Click Assign to assign a criticality level to the selected user, or Change to change the currently assigned criticality level.

Observed dataedit

This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system.

User observed data