Identifying high impact users, endpoints, and groups

Identify the users, groups, and endpoints that have the highest potential impact in your organization if compromised, based on the impact rating.

Overview

The Impact Home page includes three tables to show you the users, groups, and endpoints that have the highest potential impact.

The Metrics ribbon displays a high-level overview of the data used for analysis in Impact: Total Endpoints, Total Users, and Total Groups.

Impact rating

Impact analyzes the data from synchronized domains and calculates an impact rating for each user, group, or endpoint. The impact rating is influenced by the following factors:

  • Potential inbound impact by users
  • Potential inbound impact by endpoints
  • Potential outbound impact by users
  • Potential outbound impact by endpoints

For additional details about the impact rating calculation, see Impact rating.

Explore the users with the highest impact rating

The Users with Highest Impact table displays the top 1,000 users that have the highest impact rating in the domains that are synchronized with Impact.

This table contains six columns:

  • Direct Control: Number of endpoints on which this user has administrative rights through a direct entry in the local Administrators object, not through an Active Directory group membership.
  • Indirect Control: Number of endpoints on which the user has administrative rights through an Active Directory group or nested group that has an entry in the local Administrators object.
  • Inbound: Sum of the endpoints and users that an attacker can use to move laterally to compromise the user credentials.
  • Outbound: Sum of the endpoints and users that an attacker can reach by moving laterally using the compromised credentials.
  • Impact: Impact rating for the user: Critical, High, Medium, or Low.

Click an entry in a column to open a graph with additional details about that value. For more information, see Analyzing the impact.

Explore the groups with the highest impact rating

The Groups with Highest Impact table displays the top 1,000 groups that have the highest impact rating in the domains that are synchronized with Impact.

This table contains eight columns:

  • Direct Members: Number of users who have a direct entry in the group, rather than membership through group nesting.
  • Indirect Members: Number of users who are members of the group through a nested group.
  • Direct Control: Number of endpoints on which this group has administrative rights through a direct entry in the local Administrators object, not through a nested group.
  • Indirect Control: Number of endpoints on which the group has administrative rights through a nested group.
  • Inbound: Sum of the endpoints and users that an attacker can use to move laterally to compromise this group.
  • Outbound: Sum of the endpoints and users that an attacker can reach by moving laterally using this group.
  • Sessions: Number of open sessions using membership in this group to access the endpoint.
  • Impact: Impact rating for the group: Critical, High, Medium, or Low.

Click an entry in a column to open a graph with additional details about that value. For more information, see Analyzing the impact.

Explore the endpoints with the highest impact rating

The Endpoints with Highest Impact table displays the top 1,000 endpoints that have the highest impact rating in the domains that are synchronized with Impact.

This table contains six columns:

  • Direct Control: Number of users that have administrative rights to this endpoint through a direct entry in the local Administrators object, not through an Active Directory group membership.
  • Indirect Control: Number of users that have administrative rights to this endpoint through an Active Directory group or nested group that has an entry in the local Administrators object.
  • Inbound: Sum of the endpoints and users that an attacker can use to move laterally to compromise this endpoint.
  • Outbound: Sum of the endpoints and users that an attacker can reach by moving laterally starting from this endpoint.
  • Sessions: Number of open sessions for this endpoint, that is, the number of users currently logged in to the endpoint whose credentials are stored in memory on the endpoint.
  • Impact: Impact rating for the endpoint: Critical, High, Medium, or Low.

Click an entry in a column to open a graph with additional details about that value. For more information, see Analyzing the impact.
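
The Direct Control and Indirect Control columns defined for the user and endpoint tables above can be reproduced from local Administrators entries and Active Directory group nesting. The following is an added example, not the product's code or its calculation; the names, the sample data, and the choice to count an endpoint in both columns when both paths exist are assumptions.

```python
# Added example with constructed sample data (hypothetical names), not Impact output.
# MEMBER_OF: principal -> AD groups it is a direct member of (users and nested groups).
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"ServerOps"},
    "carol": set(),
    "Helpdesk": {"WorkstationAdmins"},
    "ServerOps": {"TierOne"},
    "TierOne": {"ServerOps"},  # nesting loop: the walk below must not hang on it
}
# LOCAL_ADMINS: endpoint -> principals listed in its local Administrators object.
LOCAL_ADMINS = {
    "WS-01": {"WorkstationAdmins", "carol"},
    "WS-02": {"WorkstationAdmins", "alice"},
    "SRV-01": {"TierOne", "alice"},
}
USERS = {"alice", "bob", "carol"}


def effective_groups(principal, member_of):
    """Every group the principal belongs to, directly or through nesting."""
    seen, stack = set(), list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:  # skip groups already expanded (cycle-safe)
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen


def control_tables(users, member_of, local_admins):
    """Return (per_user, per_endpoint); each value is [direct, indirect]."""
    per_user = {user: [0, 0] for user in users}
    per_endpoint = {endpoint: [0, 0] for endpoint in local_admins}
    for user in users:
        groups = effective_groups(user, member_of)
        for endpoint, admins in local_admins.items():
            if user in admins:   # direct entry in local Administrators
                per_user[user][0] += 1
                per_endpoint[endpoint][0] += 1
            if admins & groups:  # reached through a group or nested group
                per_user[user][1] += 1
                per_endpoint[endpoint][1] += 1  # assumption: may count in both
    return per_user, per_endpoint


if __name__ == "__main__":
    per_user, per_endpoint = control_tables(USERS, MEMBER_OF, LOCAL_ADMINS)
    for name, (direct, indirect) in sorted({**per_user, **per_endpoint}.items()):
        print(f"{name:8} direct={direct} indirect={indirect}")
```

In the sample data, alice holds rights on WS-02 both directly and through WorkstationAdmins, so removing only one of the two paths leaves her administrative access in place.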

Exporting tables

You can export each of these tables to a CSV file that contains the data for each entry in the table, including column headings. To export a table, click Export in the table heading.