Identity Findings
This documentation reflects the Identity Findings page as it appears with Advanced CIEM enabled. If you’re using Basic CIEM, columns that rely on observed entitlement usage will not be available.
Understand Identity Findings
The Identity Findings page provides a detailed, table-based view of all identity-related issues detected across your cloud infrastructure. It is designed for security analysts and engineers to drill down into specific findings, understand their context, and take remediation actions.
Each row in the table represents a unique identity finding. The columns displayed will vary depending on the selected grouping.
Filtering Findings
Use the filters at the top of the page to narrow the results and focus on the most relevant issues. You can apply a range of identity-specific filters.
Default Filters
These filters are available by default:
- Search: Filter findings by resource name.
- Zone: Filter by one or more Zones, logical groupings such as accounts, clusters, or applications.
- Severity: Filter findings by severity: Critical, High, Medium, Low, or Informational.
- Observed > 90 Days: Focuses results on identities that have been observed for at least 90 days. This helps ensure that least privilege recommendations are based on a meaningful period of activity.
- Finding Name: Filter by specific checks, such as “Multiple Access Keys Active,” “Access Keys Not Rotated,” or “No MFA.”
Additional Filters
Click + Add to apply more granular filters, or use filters automatically applied when drilling down from the Identity Overview dashboard:
- Account: Cloud account, subscription, or project ID where the resource resides.
- Highest Access: Filter by the identity’s maximum level of access: Admin, Write, or Read.
- Platform: Filter by cloud provider (AWS, Azure, GCP).
- Resource Family: Filter by IAM resource type group: User, Group, Role, Access Policy, or Service Account.
- Resource Type: Further narrow by resource sub-type within the family.
- Unused Permission Criticality: Filter by the criticality of unused permissions (Critical, High, Medium, or Low). This is based on the most severe permission the identity is entitled to—even if unused.
Grouping Findings
You can group findings to change how data is presented:
- None (Flat List): Displays individual findings line by line.
- Resource: Groups findings by affected resource or identity, aggregating all findings for that entity into a single row.
Findings Table Columns
Column definitions vary depending on how the data is grouped.
When Grouping by “None” (Flat List)
Column | Description |
---|---|
Finding Name | Type of issue (e.g., “Multiple Access Keys Active,” “Access Keys Not Rotated,” “Inactive,” “Unused Permissions”). |
Severity | Severity of the finding. |
Resource | Affected IAM entity (e.g., sysdig-user-1 (User), DevTeam-Admins (Group)). |
Acct/Subs/Proj | Cloud account, subscription, or project ID. |
Zones | Relevant Sysdig Zones. |
Platform | Cloud provider (AWS, Azure, GCP). |
Unused Permission Criticality | Maximum impact of unused permissions associated with the identity. |
% Unused Permissions | Percent of entitled permissions not observed in use. |
Highest Access | The identity’s highest access level: Admin, Write, or Read. |
First Seen | When the finding was first detected for the identity. |
When Grouping by “Resource”
Column | Description |
---|---|
Resource | Affected IAM entity. |
Platform | Cloud provider (AWS, Azure, GCP). |
Zones | Relevant Sysdig Zones. |
Acct/Subs/Proj | Cloud account, subscription, or project ID. |
Findings | Total number of findings affecting the identity. |
Days Inactive | For inactive identities, the number of days since last observed activity. |
Unused Permission Criticality | Highest unused permission criticality for this identity. |
% Unused Permissions | Aggregate percentage of unused permissions. |
Highest Access | Maximum access level assigned. |
Membership | (Groups only) Number of members in the group. |
First Seen | When the identity was first observed by Sysdig. |
Reviewing Findings in Detail
Each row is clickable and opens a contextual side panel, based on the current grouping:
Flat List (No Grouping):
Opens the Findings Detail panel, which includes:
- Details about the affected identity.
- Finding specifics: description, severity, and impacted permissions.
- Remediation guidance.
Grouped by Resource:
Opens the Identity Resource panel, which includes:
- All findings associated with the identity.
- Relationships (e.g., policies, groups, roles).
- Remediation options.
These detailed views provide full context for prioritizing and resolving issues, supporting effective enforcement of least privilege across your cloud environment.