Identifying high impact users, endpoints, and groups

Identify the users, groups, and endpoints that have the highest potential impact in your organization if compromised, based on the impact rating.

Overview

The Impact Overview page includes three tables to show you the users, groups, and endpoints that have the highest potential impact.

The Metrics ribbon shows a high-level overview of the data used for analysis in Impact: Total Endpoints, Total Users, and Total Groups. This ribbon also shows the total number of assets with each impact rating: Critical, High, Medium, and Low.

Impact rating

Impact analyzes the data from synchronized domains and calculates an impact rating for each user, group, or endpoint. The impact rating is influenced by the following factors:

  • Potential inbound impact by users
  • Potential inbound impact by endpoints
  • Potential outbound impact by users
  • Potential outbound impact by endpoints

For additional details about the impact rating calculation, see Impact Rating.

Before you begin

Configure a connection to one or more Active Directory domains. For more information, see Tanium Directory Query User Guide: Managing connections to directory servers.

Impact analyzes data from domain-joined, Tanium-managed Windows endpoints with a domain that is configured in Directory Query and synchronized within Impact.

Explore the users with the highest impact rating

The Users with Highest Impact table shows the top 1,000 users that have the highest impact rating in the domains that are synchronized with Impact.

This table contains eight columns:

  • Name: Name and domain of the user.
  • Direct Ctrl: Number of endpoints on which this user has administrative rights through a direct entry in the local Administrators object, not through an Active Directory group membership.
  • Indirect Ctrl: Number of endpoints on which the user has administrative rights through an Active Directory group or nested group that has an entry in the local Administrators object.
  • Inbound: Sum of the endpoints and users that an attacker can use to move laterally to compromise the user credentials.
  • Outbound: Sum of the endpoints and users that an attacker can reach by moving laterally using the compromised credentials.
  • Sessions: Number of sessions in the last 72 hours that the user has opened on computers. After 72 hours, Impact continues to count a session until the computer is rebooted.
  • Criticality: Criticality level for the user: Critical, High, Medium, or Low.
  • Impact: Impact rating for the user: Critical, High, Medium, or Low.

The default sort order for the Users with Highest Impact table is Impact, Criticality, Indirect Ctrl, Direct Ctrl, Outbound, and Sessions.

To sort a table, click a column or Shift+click multiple columns. To reset the sort order, click a column multiple times, until the sort order arrow disappears.

To customize the columns in the table, click Customize Columns and then select which columns to keep or click and drag a column to change the column order.

Click an entry in a column to open a graph with additional details about that value. For more information, see Analyzing the impact.

Explore the groups with the highest impact rating

The Groups with Highest Impact table shows the top 1,000 groups that have the highest impact rating in the domains that are synchronized with Impact.

This table contains ten columns:

  • Name: Name and domain of the group.
  • Direct Members: Number of users who are members through a direct entry in the group, not through group nesting.
  • Indirect Members: Number of users who are members of the group through a nested group.
  • Direct Ctrl: Number of endpoints on which this group has administrative rights through a direct entry in the local Administrators object, not through a nested group.
  • Indirect Ctrl: Number of endpoints on which the group has administrative rights through a nested group.
  • Inbound: Sum of the endpoints and users that an attacker can use to move laterally to compromise this group.
  • Outbound: Sum of the endpoints and users that an attacker can reach by moving laterally using this group.
  • Sessions: Number of sessions in the last 72 hours that used membership in this group to access the endpoint. After 72 hours, Impact continues to count a session until the computer is rebooted.
  • Criticality: Criticality level for the group: Critical, High, Medium, or Low.
  • Impact: Impact rating for the group: Critical, High, Medium, or Low.

The default sort order for the Groups with Highest Impact table is Impact, Criticality, Direct Members, and Outbound.

To sort a table, click a column or Shift+click multiple columns. To reset the sort order, click a column multiple times, until the sort order arrow disappears.

To customize the columns in the table, click Customize Columns and then select which columns to keep or click and drag a column to change the column order.

Click an entry in a column to open a graph with additional details about that value. For more information, see Analyzing the impact.

Explore the endpoints with the highest impact rating

The Endpoints with Highest Impact table shows the top 1,000 endpoints that have the highest impact rating in the domains that are synchronized with Impact.

This table contains eight columns:

  • Name: Name and domain of the endpoint.
  • Direct Ctrl: Number of users that have administrative rights to this endpoint through a direct entry in the local Administrators object, not through an Active Directory group membership.
  • Indirect Ctrl: Number of users that have administrative rights to this endpoint through an Active Directory group or nested group that has an entry in the local Administrators object.
  • Inbound: Sum of the endpoints and users that an attacker can use to move laterally to compromise this endpoint.
  • Outbound: Sum of the endpoints and users that an attacker can reach by moving laterally starting from this endpoint.
  • Sessions: Number of sessions in the last 72 hours for this endpoint. This value shows the number of users currently logged in to the endpoint whose credentials are stored in memory on the endpoint. After 72 hours, Impact continues to count a session until the computer is rebooted.
  • Criticality: Criticality level for the endpoint: Critical, High, Medium, or Low.
  • Impact: Impact rating for the endpoint: Critical, High, Medium, or Low.

The default sort order for the Endpoints with Highest Impact table is Impact, Criticality, Indirect Ctrl, Direct Ctrl, Outbound, and Sessions.

To sort a table, click a column or Shift+click multiple columns. To reset the sort order, click a column multiple times, until the sort order arrow disappears.

To customize the columns in the table, click Customize Columns and then select which columns to keep or click and drag a column to change the column order.

Click an entry in a column to open a graph with additional details about that value. For more information, see Analyzing the impact.
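
The Direct Ctrl and Indirect Ctrl columns in the user and endpoint tables describe the same administrative rights counted from two sides. The following added example (not Tanium code, and not how Impact itself computes these values) derives both views from constructed sample data, including a circular group nesting. It assumes that any local Administrators entry not found in the group map is a user, and that a user with both a direct entry and a group-based right on the same endpoint is counted in both columns.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names). AD group -> direct members.
GROUP_MEMBERS = {
    "CORP\\Helpdesk": {"CORP\\alice", "CORP\\bob"},
    "CORP\\Workstation Admins": {"CORP\\Helpdesk", "CORP\\carol"},
    "CORP\\Loop A": {"CORP\\Loop B"},  # circular nesting
    "CORP\\Loop B": {"CORP\\Loop A", "CORP\\dave"},
}
# Endpoint -> entries in its local Administrators object.
LOCAL_ADMINS = {
    "WS01": {"CORP\\alice", "CORP\\Workstation Admins"},
    "WS02": {"CORP\\Workstation Admins"},
    "SRV01": {"CORP\\carol", "CORP\\Loop A"},
}

def expand_users(group, members):
    """Users reachable from a group through direct or nested membership."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # guard against circular group nesting
            continue
        seen.add(current)
        nested = members.get(current, set())
        stack.extend(m for m in nested if m in members)      # nested groups
        users.update(m for m in nested if m not in members)  # user accounts
    return users

def control_edges(local_admins, members):
    """Yield (user, endpoint, kind) for every administrative right."""
    for endpoint, entries in local_admins.items():
        for entry in entries:
            if entry in members:  # group entry -> indirect control
                for user in expand_users(entry, members):
                    yield user, endpoint, "indirect"
            else:  # user entry -> direct control
                yield entry, endpoint, "direct"

def ctrl_counts(by, local_admins=LOCAL_ADMINS, members=GROUP_MEMBERS):
    """by is 'user' or 'endpoint'; returns {name: (direct_ctrl, indirect_ctrl)}."""
    sets = defaultdict(lambda: {"direct": set(), "indirect": set()})
    for user, endpoint, kind in control_edges(local_admins, members):
        key, other = (user, endpoint) if by == "user" else (endpoint, user)
        sets[key][kind].add(other)
    return {k: (len(v["direct"]), len(v["indirect"])) for k, v in sorted(sets.items())}

if __name__ == "__main__":
    print(ctrl_counts("user"), ctrl_counts("endpoint"), sep="\n")
```

In this sample, bob has no direct entry anywhere yet holds administrative rights on two endpoints through nested groups, which is the kind of exposure the Indirect Ctrl column surfaces.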

Exporting tables

You can export each of these tables to a CSV file that contains the data for each entry in the table, including column headings. To export a table, click Export in the table heading.