Identity Findings
Identity Findings displays a table of all findings, sorted by risk. Findings are the output of the posture checks that are run against your identity infrastructure. Each finding has a status, an assigned risk level, and a category, as described below:
Findings Status
The status of new findings is set to Open and can be adjusted from finding details as you triage and mitigate issues. The status can be:
- Open — The finding has not yet been addressed or still exists in the environment.
- Resolved — The finding has been addressed or mitigated.
- Dismissed — The finding is expected and does not need to be addressed.
Findings Risk Level
Each finding is assigned one of the following risk levels based on the underlying check and the potential security risk that it poses to your organization:
- Critical — Finding should be addressed immediately as it poses a significant risk.
- High — Finding should be addressed immediately.
- Medium — Finding should be addressed, but it does not pose a significant risk.
- Low — Finding poses a minor risk.
- Info — Finding poses little to no risk, but should be reviewed as time allows.
Findings Category
Findings are categorized based on the type of check that has been performed, and the categories are aligned to the MITRE ATT&CK framework where applicable:
MITRE ATT&CK Mapping:
- User Behavior
- Configuration
- Entra Conditional Access Gaps
- Dormant Resources
- Lateral Movement
- Credential Compromise
- Persistence
- Privilege Escalation
- Defense Evasion
- Exfiltration
Triage Findings
Identity findings should be triaged by addressing the ones with the highest risk level first, as that will have the biggest impact on reducing your identity attack surface and improving your posture score. Each finding should be evaluated based on your business needs, your unique environment, your risk tolerance, and your ability to address the finding. This is important, as configuration changes could have an adverse impact on users, applications, and access.
Note
It may not be feasible to remediate all findings, as there may be issues outside of your control, such as third-party applications that require elevated permissions or only support weaker authentication mechanisms; however, these still represent a potential risk to your organization that you should be aware of and continue to monitor.
Once the finding has been evaluated, you have a few potential options:
- Resolve the finding by remediating the issue within the Identity system that it was identified in, which will remove it from your overall risk score when it is next calculated (every 24 hours).
- Dismiss the finding, which will suppress future instances of this finding for the object in question (e.g., application_abc has weak authentication) and exclude it from your overall risk score. The finding will continue to be available in the findings table, but will not be included in the dashboard.
- Leave the finding open to track findings that cannot be addressed, which will continue to contribute to your overall risk score.
Identity Findings Table
The Identity Findings table includes the following controls to sort, filter, and arrange data. Use the collapsible filter menu at the left of the table to narrow down the list of findings.
- As you select filters, the table and URL update dynamically to reflect your choices. You can share the URL with colleagues or save it to see a specific list of findings.
- Selected filters appear above the table. Select the X to remove a single filter or Clear All to remove all filters and display all findings.
Filter Findings
Filter the Identity Findings table using a combination of filters such as:
- Risk — Risk level of the finding
- Status — The status of the finding:
  - Open
  - Resolved
  - Dismissed
- Reference Type — The type of object that the finding relates to:
  - User Object
  - Application/Service Principal Object
  - Group Object
  - Device Object
  - Tenant Configuration
- Category — Category of the finding
- Is New — Findings with a first_seen_date within the last seven days.
- Finding — Title of the finding
- First Seen — When the finding was first seen
- Last Seen — When the finding was last seen
Column Menu
Open the menu for available columns in the table by selecting the menu icon to the right of the column name.
Choose one of the following options:
- Pin Column — Pin a column to the left or right of the table.
- Autosize This Column — Adjust the size of only the selected column to show obscured information.
- Autosize All Columns — Adjust the size of all visible columns to show obscured information.
- Reset Columns — Reset all columns to their default size and ordering.
Choose Columns to Display
Choose which columns you want to appear in the table by opening a column menu, selecting the columns icon, and checking or unchecking the desired columns.
Use the text box to quickly filter for column names.
Arrange Columns
Drag and drop columns by the header to rearrange them.
Sort by Column
Select a column header to change the sort, when available. There are three toggle states:
- Initial — Default sort
- Ascending — Sorts by the column content in ascending order
- Descending — Sorts by the column content in descending order
You can apply sorting to one column at a time.
Export Findings
Select Export All from above the table to export a CSV file of all findings currently included in the table. To export only a subset of findings, use the filters at the left of the table first and choose Export Filtered Results.
View Findings Details
Select a finding link from the Findings column to view the details, such as its primary reference, other references, risk, first seen timestamp, last seen timestamp, last modified timestamp, and recommendation.
- Finding Details — Finding summary including risk level, status, comments, timestamps, and tags
- Description — A description of the finding
- Recommendation — Secureworks recommendations for mitigating the finding
- Definition — Information about the associated Identity Check and references
Tip
Click the Primary or Other References to navigate directly to the object within the Azure Portal.
Update Finding Status
Update the status of a finding by selecting the Status drop-down menu and choosing the desired status:
- Open — The finding has not yet been addressed or still exists in the environment.
- Dismissed — The finding is expected and does not need to be addressed. New findings for this issue will not be generated.
- Resolved — The finding has been addressed or mitigated.
Note
Findings can be resolved either manually or by the system when the finding no longer appears. Findings that are resolved by the system include a comment indicating that the finding was automatically resolved. Once a finding is labeled as Resolved or Dismissed, it is no longer considered a risk to your environment. If a finding is resolved manually and the system sees it again, the finding is re-opened by the system. Ensure the necessary mitigation actions or closure tasks have been completed before resolving a finding.
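The lifecycle described in the triage options above and in this Note (Open findings count toward the risk score, Dismissed findings suppress future instances for the same object, Resolved findings re-open when seen again, and findings that disappear are auto-resolved with a comment) is easy to get wrong when building your own tracking around exported findings. The following is an added example, not Secureworks code: it models that state machine in Python so a practitioner can check how a status change affects the score and the triage queue. The risk weights, the `(check_id, reference)` key, and the `T0`/`days()` timeline are constructed assumptions; the page does not publish its scoring formula. The `is_new` helper implements the Is New filter (first seen within the last seven days).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# ASSUMPTION: illustrative weights only; the real posture score formula is not published.
RISK_WEIGHT = {"Critical": 10, "High": 7, "Medium": 4, "Low": 2, "Info": 0}
RISK_ORDER = ["Critical", "High", "Medium", "Low", "Info"]

# Constructed timeline used by the demo and tests: T0 is the first check run.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def days(n: int) -> datetime:
    """Timestamp n days after the first check run (constructed helper)."""
    return T0 + timedelta(days=n)


@dataclass
class Finding:
    check_id: str                 # the posture check that produced the finding
    reference: str                # primary reference object, e.g. "application_abc"
    risk: str                     # Critical / High / Medium / Low / Info
    first_seen: datetime
    last_seen: datetime
    status: str = "Open"          # Open / Resolved / Dismissed
    comments: list[str] = field(default_factory=list)


class FindingsTracker:
    """Models the Open / Resolved / Dismissed lifecycle described on the page."""

    def __init__(self) -> None:
        # A finding is identified by the check and the object it refers to (assumption).
        self.findings: dict[tuple[str, str], Finding] = {}

    def process_run(self, observations, now: datetime) -> None:
        """Apply one check run; observations is a list of (check_id, reference, risk)."""
        seen = set()
        for check_id, reference, risk in observations:
            key = (check_id, reference)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(check_id, reference, risk, now, now)
                continue
            if f.status == "Dismissed":
                # Dismissed: future instances for this object are suppressed.
                continue
            f.last_seen = now
            f.risk = risk
            if f.status == "Resolved":
                # A resolved finding that is seen again is re-opened by the system.
                f.status = "Open"
                f.comments.append(f"{now.isoformat()} re-opened by system: observed again")
        # Open findings that were not observed in this run are resolved automatically.
        for key, f in self.findings.items():
            if f.status == "Open" and key not in seen:
                f.status = "Resolved"
                f.comments.append(f"{now.isoformat()} automatically resolved: no longer observed")

    def set_status(self, check_id: str, reference: str, status: str, comment: str = "") -> None:
        """Manual triage action from the finding details Status drop-down."""
        if status not in ("Open", "Resolved", "Dismissed"):
            raise ValueError(f"unknown status {status!r}")
        f = self.findings[(check_id, reference)]
        f.status = status
        if comment:
            f.comments.append(comment)

    def risk_score(self) -> int:
        """Only Open findings contribute; Resolved and Dismissed are excluded."""
        return sum(RISK_WEIGHT[f.risk] for f in self.findings.values() if f.status == "Open")

    def triage_queue(self) -> list[Finding]:
        """Open findings ordered highest risk first, as the page recommends triaging."""
        open_findings = [f for f in self.findings.values() if f.status == "Open"]
        return sorted(open_findings, key=lambda f: RISK_ORDER.index(f.risk))

    @staticmethod
    def is_new(f: Finding, now: datetime) -> bool:
        """The Is New filter: first seen within the last seven days."""
        return now - f.first_seen <= timedelta(days=7)


if __name__ == "__main__":
    tr = FindingsTracker()
    tr.process_run([("weak_auth", "application_abc", "High"),
                    ("dormant_user", "user_xyz", "Medium")], T0)
    print("score after first run:", tr.risk_score())
    tr.set_status("weak_auth", "application_abc", "Dismissed", "expected: third-party app")
    print("score after dismissal:", tr.risk_score())
    tr.process_run([("weak_auth", "application_abc", "High")], days(1))
    for f in tr.findings.values():
        print(f.check_id, f.reference, f.status, f.comments)
```

Run it as a script to see the score drop when a finding is dismissed and the auto-resolve comment appear when a finding stops being observed. The key design choice is that a dismissal is recorded against the object, not the occurrence, which is why the dismissed finding is skipped on later runs instead of being re-created.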
Result Tab
The Result tab contains the raw output in JSON format from the check that was performed. Use this to see additional details about the finding that was generated.
History Tab
The History tab provides previous actions taken on the finding. A View Diff function provides the exact change details.
Notifications for Critical and High Findings
The Critical and High Identity Finding notification rule available in Notification Configurations allows you to assign an Escalation Policy so that the users you choose are notified whenever a critical or high finding is created or re-opened.
Alert Enrichment
Alerts that carry applicable identity information are correlated and enriched with the user information collected by the IDR module.