Users (Network)
The Users page displays a list of active users observed on network traffic and provides activity data such as which devices the user recently accessed and whether the user was a participant in a detection. To view the Users page, click Assets from the top navigation menu and then click Users in the left pane.
| Note: | These network users are not associated with user accounts for the ExtraHop system. |
You can refine results in the Users table by adding search filter criteria in the Find Users section.
The Users table displays the following details for each user observed during the selected time interval.
| User Detail | Description |
|---|---|
| Username | The username that is extracted from observed network traffic or an authentication protocol or application, such as LDAP or Active Directory. |
| Protocol | The protocols observed on devices that the user has accessed. |
| Recent Devices | The devices that the user has accessed, ordered by the most recent
first. Tip: You can find devices associated with a specific user by adding the Username filter to a device search. |
| Detections | The number of detections in which the user was directly observed in
the detection traffic as a participant. Participant usernames are pulled from the protocol associated with the detection and can only be observed in the following protocols: FTP, Kerberos, LDAP, NTLM, RDP, RPC, and SMB. |
| Last Seen | Timestamp when the user was last observed on the network. |
Click a user in the table to open the Details pane and display several links that enable you to investigate any devices or detections associated with the user .
- Click Devices to filter devices by the username and view results on the Devices page.
- Click Detections to filter detections by the username and view results on the Detections page.
Thank you for your feedback. Can we contact you to ask follow up questions?