Account Intelligence Details

The Account Intelligence page displays connection and session information for each account in the workspace for the 30 days prior to the most recent event in Coordinated Universal Time (UTC) . Accounts with activity going back as far as 180 days are available.

Account Info

Account Info includes:

  • The account ID and email, if available. You can click either to copy.
  • The Last Seen event timestamp in UTC.
  • Any signals associated with the account within the past 30 days. A warning is displayed if a signal is logged more than 1,000 times.
  • If the account is part of a list, the list is displayed. If the account is in multiple lists, the lists are sorted by most recent.

Recent Activity

Recent Activity includes successes and failures for any event to date, as well as Anomalous Events (indicates an Anomaly Score ≥ 75, signaling highly unusual activity relative to the account’s history).

Click Show in Explorer to view events for this account for the 30 days prior to the most recent event. The Filter fields are populated with details from the account activity.

Location History

This displays a map of the locations from which the account was used in the 30 days prior to the most recent event.

Circadian Rhythm

Circadian rhythm shows the hourly activity of the account averaged over 30 days prior to the most recent event.

  • Bar length correlates with the number of events related to this account.
  • Typical Activity (grey bars) is relative to other accounts in the workspace. For example, this account is active between 1:00 and 2:00, with the greatest activity between 7:00 and 10:00. Other accounts in this workspace are also typically active at these times.
  • Outlier Activity (red bars) indicates unusual account activity relative to other accounts in this workspace. For example, this account has activity from 22:00 to 24:00. Other accounts in this workspace are typically not active at that time. Darker shades of red indicate more unusual activity compared to other accounts in the workspace.
  • A warning is displayed if the account has no activity for particular hours - and that is the Outlier Activity relative to other accounts in the workspace.

Connections

If other accounts are connected to this account over the last 30 days, they are listed as First, Second, or Third-level connections. You can sort by each connection type or click in the list to open an Account Details page for a connected account. A warning is displayed if the account has more than three levels of connections, which may indicate suspicious activity.

SignalPrint

SignalPrint displays the connections and print data for this account in the last 30 days. Click the arrow to open the SignalPrint graph focused on this account.

Rule Evaluations

If this account was detected in a rule evaluation, that rule is listed with evaluation details. Click Show in Explorer for more information.