Identity Profile

overview the identity profile is a central location for evaluating the exposure posture of monitored identities you can find the identity attributes, severity level indicators, exposure details, and blast radius the profile is accessible from the credentials browser details panel, the events details when they affect an identity, and the identifiers list an identity profile requires an authorized identity identifier attributes & data sources an identity can contain multiple attributes, to monitor for exposures of multiple email addresses, usernames pertaining to the same identity the following context information are currently collected from entra id last password change date sign in session validity date token validity date job title department user type account enabled severity level the severity level represents the risk level of an identity it is composed of current severity highlights what needs to be resolved right now it is determined by the highest severity level among non remediated events (info, low, medium, high, critical) this helps you focus on immediate threats that need resolution severity level timeline a visual timeline of the severity level to track the evolution of an identity's exposure level over time from there, you can easily spot when an identity's exposure level spiked or dropped due to remediation identity posture tags to give you better context during investigations, you will see identity posture tags on the profile these tags provide a snapshot of the identity's status gathered from the idp integrations and flare context, such as idp account status active, inactive, member, or guest vip status continuous evaluation the system continuously evaluates severity levels as new events (like leaked credentials or stealer logs) are detected for an identity integration with entra id if you have entra id integrated, the system automatically adjusts severity with this additional context for example if a leaked credential corresponds to an inactive entra id account, its severity will be automatically lowered if a leaked credential is tested as valid via entra id, its severity will be automatically increase vip status identities marked as "vip" in your flare configuration may trigger higher severity rules for better protection remediation workflow manual remediation when you remediate an event (e g , reset a password and mark the leak as remediated), the identity severity level will automatically recalculate, potentially dropping down to the level of the next highest non remediated event exposure summary these counts and tables provide an overview for these types of exposures passwords stealer logs pii information illicit network events open web events blast radius the blast radius shows the sprawl an attacker could reach with the user's entra id permissions and leaked credentials and cookies severity levels critical cookie or credential that matches a domain identifier or tied to a service that is designated as critical based on their popularity and prevalence online high cookie or credential that is tied to a service that is designated as high based on their popularity and prevalence online medium cookie or credential that is tied to a service that is designated as medium based on their popularity and prevalence online– these are more common low everything else info expired or tracking cookies