- What are the possible causes for duplicate accounts in Attack Surface Discovery?
Risk Insights leverages the following two primary data sources for detecting user accounts:
- Third-party Identity Providers (IdPs) such as AAD, On-premises AD, Google, and Okta.
- Detection or telemetry logs from Trend products
Each of these data sources may carry different attributes defining user accounts, such as userDisplayName, userPrincipalName, email, samAccount, and domain, among others. If a source provides insufficient key attributes, duplicate accounts may result. However, once we've collected all necessary attributes, our user discovery service will automatically merge these duplicate accounts.
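The following added example (not Trend Micro's code) illustrates why missing key attributes produce duplicates and how a later record carrying the missing attributes lets them merge. The matching rule, the choice of key attributes, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: which attributes act as identity keys. The page lists these
# attributes but does not say which ones drive the real merge.
KEY_ATTRS = ("userPrincipalName", "email", "samAccount")

def identity_keys(record):
    """Return normalised (attribute, value) pairs usable for matching."""
    keys = set()
    for attr in KEY_ATTRS:
        value = record.get(attr)
        if not value:
            continue
        if attr == "samAccount":
            # A SAM account name is only unique within its domain.
            if not record.get("domain"):
                continue
            value = f"{record['domain']}\\{value}"
        keys.add((attr, value.strip().lower()))
    return keys

def merge_accounts(records):
    """Group records that share any identity key (union-find)."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    first_seen = {}
    for i, rec in enumerate(records):
        for key in identity_keys(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    merged = defaultdict(dict)
    for i, rec in enumerate(records):
        account = merged[find(i)]
        for attr, value in rec.items():
            if attr == "source":
                account.setdefault("sources", []).append(value)
            else:
                account.setdefault(attr, value)
    return list(merged.values())

# Constructed sample records: the same person seen by two sources.
IDP = {"source": "AAD", "userDisplayName": "Alex Kim",
       "userPrincipalName": "akim@example.com", "email": "alex.kim@example.com"}
TELEMETRY = {"source": "telemetry", "samAccount": "akim", "domain": "CORP"}
# A later record that carries attributes linking the two above.
BRIDGE = {"source": "On-premises AD", "samAccount": "AKIM", "domain": "corp",
          "userPrincipalName": "akim@example.com"}
```

With only `IDP` and `TELEMETRY`, no key attribute overlaps, so `merge_accounts` returns two accounts; adding `BRIDGE` collapses them into one.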
- Can I manually remove accounts from Attack Surface Discovery?
Risk Insights identifies user accounts through two main data sources:
- Third-party Identity Providers (IdPs) such as AAD, On-premises AD, Google, and Okta.
- Detection or telemetry logs from Trend products
If the user accounts were detected from third-party sources, they can be manually deleted by customers directly from the respective IdP environment. The changes will then be automatically updated in Attack Surface Discovery. However, if the user accounts were identified through Trend products, there currently isn't a manual deletion option available for customers.
- How does Attack Surface Discovery distinguish between service and domain accounts?
Attack Surface Discovery identifies the type of account, whether it is a service or domain account, by using the 'objectClass' attribute in the data. Please refer to Object-Class attribute.
The account type is determined by the last entry of 'objectClass'. For example, if the 'objectClass' is ["top", "person", "organizationalPerson", "user"], then "user" would be identified as the account type.
- How can I purge certain unmanaged devices and prevent these devices from being recreated from a specific data source?
Currently, we do not provide this function in the console. Kindly reach out to Trend Micro Technical Support for assistance to remove these devices directly from our backend system.
- How can I remove a device from the Attack Surface Discovery device list?
We recommend that you select devices and click Add to Exception List to add the devices to the exception list.