Account Details
The Account Details page provides a comprehensive view of a specific account discovered by Hydden, including security posture, authentication methods, group memberships, and activity history. This page is essential for account-level security investigations, privilege reviews, and compliance audits.
Overview
Account Details pages aggregate data from multiple sources to provide a complete picture of an individual account's:
- Identity Attributes: Name, type, classification, status
- Security Posture: Threat scores, applicable security rules, risk factors
- Authentication: MFA configuration, password status, SSH keys, tokens
- Access: Group memberships, role assignments, privilege level
- Activity: Login history, failed authentication attempts, usage patterns
Key Concepts
Account Types
Accounts are classified into several types based on their purpose and origin:
| Type | Description | Common Use Cases |
|---|---|---|
| User | Standard user account for an individual person | Employee accounts, contractor accounts |
| Service | Account used by applications or services | API accounts, daemon accounts, application identities |
| Federated | Accounts from federated identity providers | SSO accounts, OAuth accounts, external identities |
| Discovered | Accounts found but not yet classified | Unmanaged accounts, orphaned accounts |
| Vaulted | Accounts managed by password vault systems | Privileged accounts in CyberArk, BeyondTrust |
Account Status Values
| Status | Description | Security Implications |
|---|---|---|
| Enabled | Account is active and can authenticate | Normal operational state |
| Disabled | Account is deactivated | Cannot authenticate; may indicate terminated user |
| Locked | Account is locked due to failed login attempts | Possible brute force attack |
| Expired | Account or password has expired | Requires reactivation or password reset |
Classification
Account classification is determined by classification rules and helps identify:
- Service accounts vs. user accounts
- Privileged vs. standard accounts
- Shared vs. individual accounts
- Production vs. test accounts
Data Tiles
The Account Details page displays information tiles organized by functional area:
Account Information Tile
| Field | Description | Platforms |
|---|---|---|
| Account Name | Primary account identifier | All |
| Display Name | Friendly name (typically FirstName LastName) | All |
| Type | Account type (User, Service, Federated, etc.) | All |
| Classification | Classification from rules (if configured) | All |
| Status | Account status (Enabled, Disabled, Locked, Expired) | All |
| Mapped To | Owner identity the account is mapped to (clickable link) | All |
| | Primary email address | All |
| User Principal Name (UPN) | UPN identifier | Active Directory, Azure AD, Okta |
| Description | Account description | Active Directory, Windows, Linux |
Account Source Tile
| Field | Description |
|---|---|
| Platform | System platform (Azure AD, Active Directory, Okta, AWS, etc.) |
| Data Source Platform | Platform type |
| Data Source Name | Specific data source configured in Hydden |
| Domain | Account domain |
| Provider | Identity provider name |
Risk Level Tile
| Field | Description |
|---|---|
| Total Threat Score | Aggregated risk score from all applicable threat rules |
| Risk Level | Visual indicator (Critical, Moderate, Low) |
| Threat Rule Count | Number of threat rules triggered by this account |
Multi-Factor Authentication Tile
| Field | Description |
|---|---|
| MFA Status | MFA configuration status (Enabled, Not Enabled, N/A, Pending) |
| MFA Count | Number of registered MFA devices/methods |
| Pending MFA Count | Number of pending MFA registrations |
Last Logon Tile
| Field | Description |
|---|---|
| Last Logon | Date and time of last successful authentication |
| Last Logon Age | Time since last logon (days/hours) |
| Last Failed Logon | Date and time of last failed authentication (if available) |
| Failed Logon Count | Number of consecutive failed login attempts |
Password Information Tile
| Field | Description |
|---|---|
| Password Changed | Date when password was last changed |
| Password Age | Time since password was last changed (days) |
| Password Expired | Whether password has expired (Yes/No) |
| Password Never Set | Indicates if password was never configured (Yes/No) |
Additional Tiles (Platform-Specific)
Employee Information (Active Directory, Azure AD, Okta):
- Job Title, Department, Manager
- Employee ID, Hire Date, Termination Date
- Office Location, Phone, Mobile
Cloud Information (Azure, AWS, GCP):
- Immutable ID, Object ID, ARN
- Usage Location, Tenant ID
- Sign-in Activity, Refresh Tokens Valid From
Unix Information (Linux):
- User ID (UID), Group ID (GID)
- Home Directory, Login Shell
- SSH Key Created Date
Data Tabs
Account Threat Information Tab
Displays all threat detection rules that apply to this account and contribute to the risk score.
Default Columns:
- Threat Rule Name
- Severity Level
- Description
- Triggered Date
- Rule Category
Common Threat Rules:
- Privileged Account
- Password 90+/180+ Days
- Password Never Set
- MFA Not Enabled
- Stale Account (90+/180+/365+ days)
- Failed Login Attempts (5+/10+/20+/25+)
- Breached Account (HIBP)
- Group(s) 500+
- No Owner / Shared Account
- Highly Privileged Groups/Roles
Use Cases:
- Understand specific security risks for the account
- Prioritize remediation actions
- Generate compliance evidence
- Track risk over time
Group Membership Tab
Lists all groups the account belongs to, both direct and expanded (nested) memberships.
Default Columns:
- Group Name
- Group Platform
- Data Source
- Membership Type (Direct / Expanded)
- Group Type
- Is Privileged
Use Cases:
- Privilege review and audit
- Access certification
- Nested group membership analysis
- Privilege escalation path investigation
Login History Tab
Complete authentication history for the account showing successful and failed login attempts.
Default Columns:
- Login Date/Time
- Platform
- Login Status (Success / Failed)
- Source IP Address (if available)
- Login Type (Interactive, Network, Service, etc.)
- Geolocation (if available)
Use Cases:
- Investigate suspicious authentication patterns
- Verify account activity for access reviews
- Identify dormant or stale accounts
- Security incident investigation
- Compliance audit trails
MFA Devices Tab
Inventory of multi-factor authentication devices and methods registered for the account.
Default Columns:
- Provider (Okta, Azure MFA, Duo, Google Authenticator, etc.)
- MFA Type (SMS, Authenticator App, Hardware Token, Biometric, etc.)
- MFA Status (Active, Inactive, Pending)
- Device Name / Description
- Registered Date
- Last Verified Date
Use Cases:
- MFA coverage analysis
- Authentication method inventory
- Device management and cleanup
- Compliance verification (MFA requirements)
SSH (Public) Keys Tab
Details of authorized SSH public keys discovered for the account.
Default Columns:
| Column | Description |
|---|---|
| Source Account | Account that owns the public key (e.g., root, operator) |
| Source SSH Host | System where the public key was collected |
| Source Platform | Platform/OS (Linux, Unix) |
| Source Account Type | Account type (User, Service, etc.) |
| Algorithm | Key algorithm (RSA, ED25519, ECDSA, DSA) |
| Fingerprint | Unique key fingerprint |
| Restriction | IP address or subnet restrictions (if configured) |
| Usage | Key usage (Authentication, Signing) |
Use Cases:
- SSH access audits
- Authorized key inventory
- Key rotation planning
- Access review for SSH-based access
- Compliance (key management policies)
SSH (Private) Keys Tab
Details of private SSH keys discovered on systems.
Default Columns:
| Column | Description |
|---|---|
| Target Account | Account with the private key |
| Target SSH User | SSH user for the private key |
| Target SSH Host | System where the private key is stored |
| Target Platform | Platform/OS |
| Target Account Type | Account type |
| Algorithm | Key algorithm |
| Fingerprint | Unique key fingerprint |
| Key Description | Comment or description from key file |
Use Cases:
- Private key discovery and inventory
- Security risk assessment (exposed private keys)
- Key rotation and lifecycle management
- Compliance (private key storage policies)
Role Membership Tab
Lists all roles assigned to this account. Role membership data is collected from platforms that support role-based access control, such as SailPoint, Dayforce, and other IGA systems.
Default Columns:
- Role Name
- Display Name
- Data Source
- Platform
- Role Type
Use Cases:
- Role-based access reviews and certification
- Privilege analysis beyond group memberships
- Compliance auditing for role assignments
- Identify excessive or conflicting role grants
- Support for separation of duties analysis
Click a role name to navigate to Role Details for the selected role.
Tokens Tab
Authentication tokens and credentials associated with the account (if collected).
Default Columns:
- Token Type
- Provider
- Status
- Created Date
- Expiration Date
- Scope/Permissions
Use Cases:
- Token inventory
- Credential management
- Security review (long-lived tokens)
Share via Action
On tenants with the Integrate Action Providers and Workflows feature enabled, the Action button provides workflow automation options.
Available Actions
Email Notification:
- Send account details to stakeholders
- Alert security team about high-risk accounts
- Request access review from account owner
- Escalate security findings
Create Ticket:
- Generate ServiceNow incident/request tickets
- Create JIRA issues for remediation
- Automated ticketing for policy violations
- Track remediation workflows
Add to Vault (for privileged accounts):
- Onboard accounts to CyberArk
- Add accounts to BeyondTrust discovery
- Initiate vault enrollment workflows
- Track vaulting status
Custom Workflows:
- Execute organization-specific automation
- Trigger integration with SIEM systems
- Initiate provisioning/deprovisioning workflows
- Custom remediation actions
Common Workflows
Account Security Investigation
- Review Account Information Tile to understand account type and status
- Check Risk Level Tile to see overall threat score
- Open Account Threat Information Tab to identify specific security risks
- Review Login History for suspicious authentication patterns
- Check MFA Status and devices for authentication posture
- Investigate Group Memberships for excessive privileges
- Use Action button to escalate or remediate findings
Privilege Review
- Verify Account Type and Classification
- Review Group Membership Tab for privileged groups
- Check Is Privileged score (0-10 scale)
- Examine threat rules for privilege-related risks
- Validate business justification for elevated access
- Document findings for access certification
- Use workflows to request access review or removal
Compliance Audit
- Check MFA Status and Devices for authentication compliance
- Review Password Information for password policy compliance
- Examine SSH Keys for key management compliance
- Verify account status (no orphaned/dormant accounts)
- Check owner mapping (all accounts mapped to identities)
- Export data for compliance evidence
- Generate reports from filtered views
SSH Key Management
- Open SSH (Public) Keys Tab to see authorized keys
- Review Algorithm column for weak algorithms (DSA, RSA <2048 bits)
- Check Key Age (via created date) for rotation requirements
- Identify unused keys for cleanup
- Open SSH (Private) Keys Tab to find exposed private keys
- Assess risk of private key exposure
- Initiate key rotation or revocation via workflows
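To cross-check the Algorithm, Fingerprint and Restriction columns against a host's `authorized_keys` file, the following added example (not Hydden code) parses each entry and applies the weak-algorithm test from the workflow above. The function and helper names are hypothetical, the sample entries are constructed placeholders rather than real keys, and options are assumed to contain no spaces.

```python
import base64, hashlib, re, struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data          # RFC 4251 "string"

def _mpint(n: int) -> bytes:
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length

def audit_key(line: str) -> dict:
    """Parse one authorized_keys line; weak = DSA, or RSA below 2048 bits.

    Options such as from="..." precede the key type (assumed to hold no spaces).
    """
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("not an authorized_keys entry")
    keytype, blob = fields[idx], base64.b64decode(fields[idx + 1])
    inner, off = _read_string(blob, 0)
    if inner.decode() != keytype:
        raise ValueError("key type does not match key blob")
    bits = None
    if keytype == "ssh-rsa":                    # blob layout: type, e, n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.sha256(blob).digest()      # OpenSSH-style SHA256 fingerprint
    restriction = re.search(r'from="([^"]*)"', " ".join(fields[:idx]))
    return {
        "algorithm": keytype,
        "bits": bits,
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "restriction": restriction.group(1) if restriction else None,
        "weak": keytype == "ssh-dss" or (bits is not None and bits < 2048),
    }

def _line(keytype, parts, prefix=""):
    blob = _ssh_string(keytype.encode()) + b"".join(parts)
    return f"{prefix}{keytype} {base64.b64encode(blob).decode()} constructed-sample"

# Constructed sample entries (not real keys): moduli are placeholders of the stated size.
SAMPLES = [
    _line("ssh-rsa", [_mpint(65537), _mpint((1 << 1023) | 1)], 'from="10.0.0.0/8" '),
    _line("ssh-rsa", [_mpint(65537), _mpint((1 << 3071) | 1)]),
    _line("ssh-ed25519", [_ssh_string(bytes(32))]),
    _line("ssh-dss", [_mpint(1)] * 4),
]

if __name__ == "__main__":
    print(*map(audit_key, SAMPLES), sep="\n")
```
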
Understanding Mapped To
The Mapped To field shows which Owner identity the account is associated with. Click the owner name to navigate to the Owner Details page.
Mapping Scenarios:
- Mapped to Owner: Account successfully linked to an identity (normal state)
- No Owner: Account not mapped to any identity (orphaned account - security risk)
- Shared Account: Account mapped to multiple owners (potential policy violation)
- Shared Account+: Account mapped to 3+ owners (high-risk sharing)
For more information on account mapping, see Account Mapping Rules and Map To documentation.
Troubleshooting
| Issue | Solution |
|---|---|
| Missing MFA information | Verify data source supports MFA collection; check collector permissions |
| No login history | Ensure authentication logging is enabled on platform; verify collector configuration |
| Incorrect threat score | Review applicable threat rules; verify rule thresholds; check for rule conflicts |
| SSH keys not showing | Verify collector has permission to read SSH directories; check file permissions on target systems |
| Owner mapping incorrect | Review account mapping rules; verify email/UPN matching |
Related Topics
- Entity Details Overview - Overview of all entity detail pages
- Owner Details - Identity-level aggregated view
- Group Details - Group membership details
- Global Search - Search interface
- Global Search Default Columns - Column reference
- Threat Detection - Understanding threat rules
- Account Classification - Classification rules
- Account Mapping - Mapping rules
- Map To - Understanding entity mapping
- Automation Workflows - Action workflows
