Detections
What is the Detections page?
The Detections page summarizes areas of potential risk or compromised entities, including suspicious login failures, missing multi-factor authentication, and stale or dormant accounts.
By default, new and in-progress detections display in order of severity and discovery date. You can click any individual detection to display additional information about the identified risk and its importance or severity.
Note
You can export the Detections page as a .csv using the Download button.
How is it useful?
Detections include the source system and entity type by default, allowing at-a-glance views into potentially compromised services, applications, or accounts.
Detection capabilities
Identity Security Insights leverages multiple methods to detect malicious and anomalous activity.
- Tactics, Techniques, and Procedures (TTP), Indicators of Compromise (IOC), and Indicators of Attack (IOA) represent activity that is strongly associated with attackers. Identity Security Insights updates regularly with the latest known attack strategies to ensure you are provided a comprehensive picture of identity-related risk. TTP, IOC, and IOA detections include areas of risk such as logins without MFA, dormant account activity, and new Identity Provider enrollment. The detection shows the reason for the concern and an example of how to address the threat.
- Anomaly-based detections use AI-backed methods to report on unusual and specific account activity. This activity may not match a known attack signature; instead, these detections surface novel and suspicious activity outside of recognized methods of compromise. Anomaly-based detections report on risks such as:
- Infrastructure changes following suspicious MFA events, which could indicate a compromised account.
- Changes to Azure service principals that seem unusual compared to other environments, which can indicate a breach.
- Excessive Secret Safe read events, which may represent suspicious access within Password Safe.
The details for these detections describe how to determine whether they are malicious.
Additional detections exist around integrated BeyondTrust products, allowing you to receive detections on anomalous activity and malicious IP access within your organization.
Search and filter your grouped detections
Grouped detections include all accounts that share a specific detection.
- On the Detections page, click the Grouped tab.
- To search for a:
- detection: Enter a Detection Name and, optionally, select a filter. Filters include is equal to, is not equal to, Contains, Starts with, Ends with, and Does not contain.
- severity: Select a Severity from the drop-down list.
- provider: Enter or select a provider name in the Providers list.
- account: Enter a digit in the Accounts field and, optionally, select a filter. Filters include is equal to, is not equal to, Is greater than, Is greater than or equal to, Is less than, and Is less than or equal to.
Search and filter your ungrouped detections
Ungrouped detections include all detections. On the Detections page, search results display automatically as you add search terms and select options.
Use a Saved filter
Select a Saved filter from the drop-down list.
Create your own filter
- Click Add Filter. The Filter Detections dialog box displays.
- Select And or Or to determine how you want the saved filter to refine the first data set you're entering.
- Optionally, click Add Filter to add a new set of filtering criteria, and select your criteria from the drop-down menus.
- Optionally, click Add Group to add a group of additional filters to further refine your filtered criteria.
- Click Apply Filter.
Use the columns
Not all columns display by default. Use the columns to search for a(n):
- detection: Enter a Detection Name and, optionally, select a filter. Filters include is equal to, is not equal to, Contains, Starts with, Ends with, and Does not contain.
- severity: Select a Severity from the drop-down list.
- provider: Enter or select a provider name in the Providers list.
- location: Enter the Location name.
- account: Enter a digit in the Accounts field and, optionally, select a filter. Filters include is equal to, is not equal to, Is greater than, Is greater than or equal to, Is less than, and Is less than or equal to.
- label: Enter or select a label name in the Labels list.
- direct privilege: Enter or select a Direct Privilege. Direct privileges are the inherent rights of an account. This column is hidden by default. Use the Column icon to select the column to display.
- True Privilege: Enter or select a True Privilege. True Privilege is the full scope of access an account could potentially gain. A True Privilege score shows what detections and recommendations put highly privileged accounts at risk.
- detection date: Use the calendar to select a date and, optionally, select a filter. Filters include is equal to, is after or equal to, Is after, Is before or equal to, and Is before.
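The filter operators listed under "Create your own filter" and "Use the columns" (text matches, numeric comparisons on Accounts, date comparisons on Detection date, combined with And/Or groups) have straightforward semantics that are worth seeing run end to end, for instance when triaging a downloaded .csv export offline. The following Python is an added example written for this page; it is not product code from Identity Security Insights, and the CSV column names, the sample rows, the case-insensitive text matching, the severity ranking, and the newest-first tie-break in the default view are all assumptions made for the demonstration.

```python
"""Evaluate Detections-page style filters over an exported detections CSV.

Added example; not part of the Identity Security Insights product.
Column names, severity ranking, and sort direction are assumptions.
"""
import csv
import io
import operator
from datetime import date

# Constructed sample, shaped like a hypothetical Detections CSV export.
SAMPLE_CSV = """\
detection_name,severity,provider,accounts,detection_date,status
Login without MFA,High,Okta,3,2024-05-02,New
Dormant account activity,Medium,Entra ID,1,2024-04-28,New
New Identity Provider enrollment,Critical,Okta,2,2024-05-03,In Progress
Excessive Secret Safe read events,High,Password Safe,12,2024-04-15,Resolved
"""

# Text operators listed under "Use the columns" (compared case-insensitively; an assumption).
TEXT_OPS = {
    "is equal to": lambda v, t: v == t,
    "is not equal to": lambda v, t: v != t,
    "contains": lambda v, t: t in v,
    "starts with": lambda v, t: v.startswith(t),
    "ends with": lambda v, t: v.endswith(t),
    "does not contain": lambda v, t: t not in v,
}

# Numeric (Accounts) and date (Detection date) operators share ordering semantics.
ORDER_OPS = {
    "is equal to": operator.eq,
    "is not equal to": operator.ne,
    "is greater than": operator.gt,
    "is greater than or equal to": operator.ge,
    "is less than": operator.lt,
    "is less than or equal to": operator.le,
    "is after": operator.gt,
    "is after or equal to": operator.ge,
    "is before": operator.lt,
    "is before or equal to": operator.le,
}

# Assumed ranking used to order the default (New / In Progress) view by severity.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_export(csv_text):
    """Turn the exported CSV into rows with typed Accounts and Detection date values."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = dict(raw)
        row["accounts"] = int(raw["accounts"])
        row["detection_date"] = date.fromisoformat(raw["detection_date"])
        rows.append(row)
    return rows


def matches(row, node):
    """Evaluate one condition, or one And/Or group (groups nest, as Add Group allows)."""
    if "logic" in node:
        combine = all if node["logic"].lower() == "and" else any
        return combine(matches(row, child) for child in node["items"])
    value, op, target = row[node["column"]], node["op"].lower(), node["value"]
    if isinstance(value, str):
        return TEXT_OPS[op](value.lower(), str(target).lower())
    if isinstance(value, date):
        # The UI supplies a calendar date; accept an ISO string here for convenience.
        target = target if isinstance(target, date) else date.fromisoformat(str(target))
        return ORDER_OPS[op](value, target)
    return ORDER_OPS[op](value, int(target))


def apply_filter(rows, root):
    """Return the rows that satisfy the filter tree rooted at `root`."""
    return [row for row in rows if matches(row, root)]


def default_view(rows):
    """Mimic the default listing: open detections ordered by severity, then discovery date."""
    open_rows = [r for r in rows if r["status"] in ("New", "In Progress")]
    return sorted(
        open_rows,
        key=lambda r: (-SEVERITY_RANK.get(r["severity"].lower(), 0),
                       -r["detection_date"].toordinal()),
    )


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    okta_multi = {"logic": "And", "items": [
        {"column": "provider", "op": "is equal to", "value": "Okta"},
        {"column": "accounts", "op": "Is greater than or equal to", "value": 2},
    ]}
    for r in apply_filter(rows, okta_multi):
        print("filter hit:", r["detection_name"], r["accounts"])
    for r in default_view(rows):
        print("default view:", r["severity"], r["detection_date"], r["detection_name"])
```

The filter tree mirrors the dialog: each condition node carries a column, an operator name as shown in the drop-down, and a value, and each group node carries And or Or plus its children, so a saved filter can be expressed and replayed against any export without retyping it in the UI.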
Customize your detection display
Select which columns to view in your results list via the Columns icon and reorder your results by column:
- Click the column header to activate it.
- Click the arrow icon that displays to sort alphabetically or numerically.
Change or add a comment to a status
Authorized users can change the status of a detection, and they can include an optional comment to describe the nature of the update or change. The status change and comment history are viewable on the Detection Details page.
- Locate the status you want to update.
- Click Update Status.
- Optionally, select a new status from the drop-down menu. Options include New, In Progress, Resolved, False Positive, or Ignored.
- Optionally, add a comment.
- Click Update Status.
Your status change and comment are saved.