Entity types and analysis
The four entity types
Modern environments produce four broad categories of identities. Each one has its own normal patterns, its own ways of being abused, and its own analysis priorities.
👤 User accounts
Standard users, administrators, service accounts, external partners. Identity verification and access monitoring drive the analysis.
💻 Endpoints
Physical and virtual devices: workstations, servers, mobile, IoT, network infrastructure. The host is the address where activity actually happens.
⚙️ Applications and services
Business applications, dev tools, automation pipelines, cloud functions. Non-human identities with predictable but consequential behavior.
🌐 Network identifiers
IPs, domains, protocols, MAC addresses, certificates. Not identities in the strict sense, but the markers the system uses to route trust.
👤 User accounts
A user is an individual who interacts with a system, network, or application. User accounts produce the earliest and most actionable indicators of compromise. The analyst's job is to evaluate the activity against the account's expected pattern and lifecycle.
Creation and provisioning
Cross-reference account creation against HR onboarding and approved automation. Accounts that appear without a matching workflow are the classic backdoor pattern.
Modification events
Privilege grants, group memberships, role changes. Each is a moment where an attacker could be establishing or expanding their access.
Dormancy
Accounts inactive for 30+ days without being deprovisioned are a known soft target. They are credentials with no human watching them.
Termination
Off-boarded users should lose access across every integrated system within hours of HR's record being updated. Orphaned credentials are how former employees become external attackers.
Password resets
Resets outside the normal rotation policy, especially from unexpected locations, can indicate social engineering or account-recovery abuse.
Subtypes of user accounts
Standard users
Predictable patterns tied to business hours and job function. Most volume, least permission.
Service accounts
Non-interactive by design. Highly predictable behavior. Interactive logins from a service account are a near-canonical compromise signal.
Administrative accounts
High impact if abused. Should be used through privileged access management, not for routine work. Watch for admin accounts doing user-tier activities.
External accounts
Contractors, partners, vendor logins. Limited organizational visibility, broader attack surface. Compensating controls (time-bound access, narrow scope) are essential.
Shared accounts
Single credentials used by multiple people. Attribution becomes impossible. Treat any shared-account activity as a documentation risk before treating it as a security one.
Break-glass / emergency accounts
Reserved for cases where standard controls (PAM, MFA) are unavailable. Any usage must be logged, time-bound, and retroactively justified. Unscheduled activity should escalate immediately.
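The lifecycle checks above (creation, dormancy, termination) and the service-account rule under Subtypes, as an added example that is not part of the original page: a Python pass over constructed directory and logon records that flags accounts created without an HR or automation workflow, dormancy past 30 days, accounts still enabled after HR termination, and interactive service-account logons. The HR sets, the 4-hour off-boarding window and every account name are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data for the example; none of it comes from a real environment.
HR_ONBOARDED = {"alice", "bob", "carol"}          # accounts with an HR onboarding record
APPROVED_AUTOMATION = {"svc-backup"}               # accounts created by an approved workflow
HR_TERMINATED = {"bob": datetime(2024, 5, 10, 9)}  # time HR's record was updated
SERVICE_ACCOUNTS = {"svc-backup"}                  # non-interactive by design

@dataclass
class Account:
    name: str
    created: datetime
    last_logon: datetime  # None if the account has never logged on
    enabled: bool

def lifecycle_findings(accounts, logons, now, dormant_days=30, offboard_hours=4):
    """Return (account, reason) pairs; logons are (account, time, interactive) tuples."""
    findings = []
    for a in accounts:
        # Creation: no HR onboarding record and not created by approved automation.
        if a.name not in HR_ONBOARDED and a.name not in APPROVED_AUTOMATION:
            findings.append((a.name, "created without matching HR or automation workflow"))
        # Dormancy: still enabled with no logon for dormant_days (creation counts if never used).
        last_activity = a.last_logon or a.created
        if a.enabled and now - last_activity > timedelta(days=dormant_days):
            findings.append((a.name, f"dormant more than {dormant_days} days and still enabled"))
        # Termination: HR says gone, account still enabled past the off-boarding window.
        term = HR_TERMINATED.get(a.name)
        if term and a.enabled and now - term > timedelta(hours=offboard_hours):
            findings.append((a.name, "orphaned: still enabled after HR termination"))
    for account, when, interactive in logons:
        if account in SERVICE_ACCOUNTS and interactive:
            findings.append((account, f"interactive logon from service account at {when:%Y-%m-%d %H:%M}"))
    return findings

# Constructed sample directory state and logon records for one review run.
NOW = datetime(2024, 6, 1, 12)
ACCOUNTS = [
    Account("alice", datetime(2024, 3, 1), datetime(2024, 5, 31), True),
    Account("bob", datetime(2024, 1, 15), datetime(2024, 5, 9), True),         # HR-terminated, still enabled
    Account("carol", datetime(2024, 2, 1), datetime(2024, 4, 1), True),        # no logon for 61 days
    Account("helpdesk2", datetime(2024, 5, 28), datetime(2024, 5, 29), True),  # no onboarding record
    Account("svc-backup", datetime(2023, 1, 1), datetime(2024, 5, 31), True),
]
LOGONS = [
    ("svc-backup", datetime(2024, 6, 1, 2, 15), True),  # interactive logon at 02:15
    ("alice", datetime(2024, 5, 31, 9), True),
]
```

Running lifecycle_findings(ACCOUNTS, LOGONS, NOW) yields one finding each for bob, carol, helpdesk2 and svc-backup; alice, whose activity matches her HR record and recent use, produces none.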
💻 Endpoints
An endpoint is a device that initiates network connections and runs user-facing software: laptop, desktop, server, phone, tablet. Endpoints are where most adversary tradecraft eventually shows up, which is why EDR exists. Each endpoint is both a place where activity happens and a window into the broader environment.
Workstations
Standard user productivity machines. Compare current activity against the user's historical pattern on this specific device.
Servers
Mostly service-account driven, predictable workloads, narrow user-interactive activity. Interactive logins on production servers deserve a closer look.
Mobile devices
Personal and managed. MDM telemetry, MAM data, EMM enrollment status. Off-network activity may be invisible to corporate logging.
IoT and OT
Limited instrumentation. Often legacy. Trust boundaries depend on segmentation rather than endpoint detection.
Cloud workloads
EC2 instances, Kubernetes pods, serverless functions. Short lifetimes mean baselines are statistical, not per-instance.
Network infrastructure
Routers, switches, firewalls. Compromise here is rare but high impact. Configuration drift is the most common signal.
Virtual desktops
VDI sessions, often accessed via thin clients or BYOD. Attribution is harder because sessions are ephemeral. Watch clipboard transfers, drive mapping, and process execution outside normal user hours.
Developer workstations
Run compilers, IDEs, repository tools. Broad internal access by design. Behavior that would alarm on a standard endpoint (scripting, sandbox bypass, dynamic loaders) is part of the job. Apply tighter baselines on the developer's history rather than the environment-wide norm.
⚙️ Applications and services
Applications and services are non-human identities that act on behalf of (or alongside) human users.
Business applications
ERP, HR, finance, CRM. Sensitive data, predictable workflows, regulatory exposure.
Development tools
Source control, CI/CD pipelines, package registries. Often have credentials that can deploy code into production.
System utilities
Backup agents, monitoring tools, configuration management. Run continuously, touch many systems, easy to overlook.
Cloud services
Managed cloud functions, container orchestration, service meshes. The identity boundary is often a cloud role rather than a credential.
🌐 Network identifiers
Network identifiers are how systems decide who is who when they cannot ask a person directly. Each identifier carries different forensic weight.
IP addresses
Source and destination locators for traffic. Internal IPs map to assets via the inventory; external IPs map to reputation via threat intelligence. Track geolocation, WHOIS ownership, and prior association with malware infrastructure.
Domain names
Higher-level naming abstraction often used by attackers to mask infrastructure (typosquatting, fast-flux, DGA). Assess domain age, registrar patterns, resolution frequency, and passive DNS history.
Protocols and ports
Unusual ports often indicate tunneling or evasion. Validate that traffic conforms to RFC standards for the claimed protocol; encrypted traffic on uncommon ports (SSH over 443, DNS over arbitrary ports) is the classic bypass pattern.
MAC addresses
Lower in the stack but useful for tracking hardware across DHCP changes. MAC randomization, spoofing, or OUI changes over time can indicate NAC evasion or device impersonation.
BGP ASN
Group IPs by upstream provider. Anomalies include traffic from ASNs linked to bulletproof hosting, rapid ASN reassignment, or geolocation/ASN mismatches that suggest infrastructure churn.
FQDN patterns
Algorithmically generated subdomains, excessive subdomain depth, wildcard DNS abuse, or staged-malware delivery domains. Subdomain entropy is one of the strongest cheap signals.
SSL/TLS certificates
Examine issuer, validity period, key length, subject common name. Self-signed certs on production hosts, mismatched domains, or very short-lived certificates are classic C2 patterns.
DNS query behavior
Queries to external resolvers, uncommon record types (TXT, NULL), unusually high query rates, or high entropy in queried domains can signal covert data exfiltration via DNS.
JA3 / JA3S fingerprints
Hashes of TLS handshake parameters. Detect malicious clients or C2 infrastructure even when IPs and domains rotate. Flag JA3 fingerprints that deviate from enterprise baselines.
URI / URL structures
Path depth, encoded parameters, file extensions. Flag unusual paths (e.g., /api/config.zip) or base64-encoded parameters that may indicate phishing kits, staged payloads, or HTTP-based tunneling.
API keys and tokens
Persistent identifiers granted to services. Track by issuance date, last-use date, scope, and the originator. Tokens that re-emerge after long silence often indicate compromise.
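The subdomain-entropy signal under FQDN patterns and the DNS query behavior checks above, as an added example that is not the page's own tooling: a Python scorer over a constructed query log that computes the Shannon entropy of the leftmost label, subdomain depth, uncommon record types, and the per-source query rate to one registrable domain. The two-label public suffix, the 3.5-bit entropy cut-off, the depth and rate thresholds, and treating the whole batch as one time window are assumptions of the example.

```python
import math
from collections import Counter

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname, suffix_labels=2):
    """Return (subdomain labels, registrable domain), assuming a two-label public suffix."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[:-suffix_labels], ".".join(labels[-suffix_labels:])

def score_query(qname, rtype, entropy_threshold=3.5, max_depth=3, uncommon=("TXT", "NULL")):
    """Per-query reasons: high-entropy leftmost label, deep subdomain, uncommon record type."""
    reasons = []
    sub, _ = split_name(qname)
    if sub:
        e = shannon_entropy(sub[0])
        if e >= entropy_threshold:  # heuristic cut-off; tune against your own baseline
            reasons.append(f"high-entropy label {sub[0]} ({e:.2f} bits)")
    if len(sub) > max_depth:
        reasons.append(f"subdomain depth {len(sub)} exceeds {max_depth}")
    if rtype in uncommon:
        reasons.append(f"uncommon record type {rtype}")
    return reasons

def dns_findings(queries, rate_threshold=3):
    """queries: (source_ip, qname, rtype) for one window. Returns (source, subject, reasons)."""
    findings = []
    rate = Counter()
    for src, qname, rtype in queries:
        reasons = score_query(qname, rtype)
        if reasons:
            findings.append((src, qname, reasons))
        rate[(src, split_name(qname)[1])] += 1
    for (src, domain), n in rate.items():
        if n > rate_threshold:
            findings.append((src, domain, [f"{n} queries to one domain in the window"]))
    return findings

# Constructed sample log for one window: (source_ip, qname, record_type). Not real traffic.
QUERIES = [
    ("10.1.2.3", "www.example.com", "A"),
    ("10.1.2.9", "zq4x9k2m8v1n7b3c.f5h2j9l4.example.net", "TXT"),
    ("10.1.2.9", "a8d3k1p0w6e2r9t5.f5h2j9l4.example.net", "TXT"),
    ("10.1.2.9", "m2n4b6v8c0x1z3l5.f5h2j9l4.example.net", "TXT"),
    ("10.1.2.9", "q7w5e3r1t9y2u4i6.f5h2j9l4.example.net", "NULL"),
]
```

A 16-character label with no repeated characters scores 4.0 bits, while "www" scores 0.0; against the sample, 10.1.2.9 draws four per-query findings plus one rate finding and 10.1.2.3 draws none.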