Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=identity-detection-details

Identity Details

Identity Details pages show pertinent information about the identity based on the data collected from your identity provider.

To view Identity Details, click a Display Name from the My Environment Identities view. For more information, see My Environment.

Summary tab

The Summary tab shows identity information organized in sections.

Identity details Summary tab.

Details

The Details section contains details about the identity as available from your Microsoft Entra ID environment. This includes information about their role, department, status, country, and region. Details of when their account was created and updated, the last password change time, and other related email addresses associated with the user are also shown.

Assets

The Assets section shows Intune devices that are associated with the user in Microsoft Entra ID.

MFA

The MFA section shows details about the user's MFA (Multi-factor Authentication) configuration, such as the MFA provider, primary MFA method, and other MFA types configured.

Recent Detections

The Recent Detections section contains tabs with the following information:

  • Open Detections: Open detections for the identity within the past seven days.
  • Closed Detections: Closed detections for the identity within the past 30 days.

Click View All in Recent Detections to go to the Insights tab.

Commonly Used Entities

The Commonly Used Entities section provides insights into some of the attributes related to successful authentications over the last 30 days. This helps you understand the profile of the user and what is common or uncommon. The following graphs show when we have relevant data for the user:

  • IP Addresses: The IP addresses that we've observed the user successfully authenticating from.
  • Browser: The user agents that we've observed the user successfully authenticating from.
  • Asset Name: The types of assets that we've observed the user successfully authenticating from.
  • OS Version: The operating system version that we've observed the user successfully authenticating from.

Organization

The Organization section provides a snapshot of the identity's reporting structure. This allows you to see who the individual reports to and whether or not they also have direct reports. This is useful when investigating threats or formulating a risk assessment of the user and their related activity. Click the organization chart to open other users in a new tab.

Activity Log tab

The Activity Log tab shows tables of events across any configured data sources related to the identity. Click an event type above the table to switch between the types and click an event summary in the table to view more details.

Findings tab

The Findings tab shows a table of findings related to the specific identity, sorted by risk. For more information, see Findings.

Hover over the Recommendation field to view the full recommendation.

Click the finding name to open the finding details.

Insights tab

The Insights tab shows the following information:

  • Open Detections: Open detections for the identity within a default period of the past seven days; use the date picker at the top of this section to change the period.
  • Closed Detections: Closed detections within the past 30 days for the identity.

Group Membership tab

The Group Membership tab shows the list of groups the user is part of. Use the search field to search for groups and click the Group Name field to open the group in a new page to view other members.

Credential Compromise tab

The Credential Compromise tab shows a list of breaches to which the identity is linked. Click the link from the Breach Source field to view additional details about the breach record. For more information, see Credential Compromise.