Group Details

The Group Details page provides a comprehensive view of a specific security group, distribution list, or role group discovered by Hydden. This page displays group membership details, including both direct and expanded (nested) members, along with authentication activity for all members. Group Details pages are essential for access reviews, privilege audits, and understanding nested group relationships.

Overview

Group Details pages provide critical information for understanding access permissions and group-based authorization:

  • Group Attributes: Name, display name, platform, data source, description
  • Membership Counts: Direct member count vs. expanded (nested) member count
  • Member Inventory: Complete list of accounts with group membership
  • Membership Type: Direct membership vs. inherited membership from nested groups
  • Activity Tracking: Login history for all group members
  • Privileged Access: Identification of privileged groups and their members

This page type is crucial for access reviews, compliance audits, and privilege management, particularly for highly privileged groups like Domain Admins, Global Administrators, or custom administrative groups.

Key Concepts

Group Types

Groups are categorized based on their purpose and platform:

Group Type | Description | Common Examples
Security | Used for access control and permission assignment | Domain Admins, Security Admins, App Admins
Distribution | Used for email distribution lists | Marketing Team, All Employees
Microsoft 365 | Cloud-based groups for collaboration and access | Teams groups, SharePoint groups
Role | Cloud IAM roles treated as groups | AWS IAM Groups, Azure AD roles
Application | Application-specific groups | Salesforce groups, Workday groups

Direct vs. Expanded Membership

Understanding membership types is critical for accurate access reviews:

Direct Membership:

  • Accounts explicitly added to the group
  • isDirect = true in the membership data
  • Visible as Direct Member Count on the Group Details page

Expanded Membership (Nested Groups):

  • Accounts that are members of nested groups within this group
  • Includes direct members plus members from all nested groups
  • isDirect = false for inherited memberships
  • Visible as Expanded Member Count (also called Total Member Count)

Example:

Group: Domain Admins
├─ Direct Members: alice@company.com, bob@company.com (Direct Member Count = 2)
└─ Nested Group: IT Admins
   └─ Members: charlie@company.com, dana@company.com

Total Expanded Member Count = 4 (2 direct + 2 from nested group)

Privileged Groups

Groups with elevated permissions are flagged as privileged:

  • Highly Privileged Groups: Groups with administrative access (Domain Admins, Enterprise Admins, Global Administrators)
  • Privileged Flag: isPrivileged field on the group entity indicates privilege level (0-10 scale)
  • Risk Indicator: Membership in privileged groups contributes to account threat scores

For more information on privilege detection, see Threat Detection Rules.

Group Nesting

Groups can contain other groups, creating nested hierarchies:

  • Single-level nesting: Group A contains Group B
  • Multi-level nesting: Group A → Group B → Group C
  • Circular references: Detected and flagged as potential configuration issues
  • Privilege escalation: Nested groups can inadvertently grant elevated access

Understanding nested group relationships is essential for:

  • Identifying hidden privilege escalation paths
  • Compliance audits (who really has access?)
  • Access cleanup (removing unnecessary nested groups)
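
The membership expansion described above, as an added example that is not Hydden's own code: it resolves direct and inherited members, records the group path that grants each inherited membership, and flags circular nesting instead of looping. The dictionary layout, the function name and the extra "Helpdesk Leads" group are assumptions; the first data set is the Domain Admins example from this page.

```python
# Added example: constructed directory data, not Hydden's data model or API.
# Shape (assumed): group name -> direct member accounts and directly nested groups.
PAGE_EXAMPLE = {
    "Domain Admins": {"members": ["alice@company.com", "bob@company.com"],
                      "groups": ["IT Admins"]},
    "IT Admins": {"members": ["charlie@company.com", "dana@company.com"],
                  "groups": []},
}
# Same data plus a second nesting level that points back at IT Admins (a cycle).
WITH_CYCLE = {
    **PAGE_EXAMPLE,
    "IT Admins": {"members": ["charlie@company.com", "dana@company.com"],
                  "groups": ["Helpdesk Leads"]},
    "Helpdesk Leads": {"members": ["dana@company.com", "erin@company.com"],
                       "groups": ["IT Admins"]},
}

def expand_group(groups, root):
    """Resolve direct and inherited members of `root`, flagging circular nesting."""
    memberships = {}   # account -> {"isDirect": bool, "via": path of groups}
    nested, cycles = [], []

    def walk(name, path):
        # Members are recorded before descending, so a direct membership
        # of the root is never overwritten by an inherited one.
        for account in groups.get(name, {}).get("members", []):
            memberships.setdefault(account, {"isDirect": name == root, "via": path})
        for child in groups.get(name, {}).get("groups", []):
            if child in path:  # circular reference: record it and stop descending
                cycles.append(path[path.index(child):] + [child])
                continue
            if child not in nested:
                nested.append(child)
            walk(child, path + [child])

    walk(root, [root])
    direct = sum(1 for m in memberships.values() if m["isDirect"])
    return {"direct_member_count": direct,
            "expanded_member_count": len(memberships),
            "nested_groups": nested, "cycles": cycles,
            "memberships": memberships}

if __name__ == "__main__":
    for data in (PAGE_EXAMPLE, WITH_CYCLE):
        result = expand_group(data, "Domain Admins")
        print(result["direct_member_count"], result["expanded_member_count"],
              result["cycles"])
```

The `via` path on each inherited membership names the nested group to review when an expanded member should lose access.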

Data Tiles

The Group Details page displays information tiles with key group attributes:

Group Information Tile

Field | Description
Group Name | Primary group identifier as established in the directory service
Group Display Name | Friendly name for the group (if different from Group Name)
Platform | System platform where the group was discovered (Azure AD, Active Directory, Okta, AWS, etc.)
Data Source | Collector module that retrieved the group data
Domain | Domain or tenant where the group exists
Description | Group description (if provided in the directory)
Is Privileged | Privilege level indicator (0-10 scale)
Group Type | Group classification (Security, Distribution, Microsoft 365, Role, Application)

Membership Information Tile

Field | Description
Direct Member Count | Number of accounts explicitly added to the group
Expanded Member Count | Total members including direct members plus members from nested groups
Nested Group Count | Number of groups nested within this group (if any)

The difference between Direct Member Count and Expanded Member Count reveals the extent of nested group usage. Large discrepancies indicate complex nesting that should be reviewed.


Data Tabs

Group Membership Tab

Complete inventory of all accounts with membership in this group, showing both direct and expanded members.

Default Columns:

Column | Description
Account Name | Name of the account with group membership
Display Name | Friendly display name of the account
Platform | Account platform
Data Source | Data source where account was discovered
Membership Type | Direct (explicitly added) or Expanded (inherited from nested group)
Account Type | User, Service, Federated, etc.
Status | Account status (Enabled, Disabled, Locked, Expired)
Last Logon | Most recent successful authentication
Is Privileged | Privilege level of the account (0-10 scale)

Use Cases:

  • Access Review: Verify all members should have group access
  • Privilege Audit: Identify who has privileged access via this group
  • Nested Group Analysis: Filter by Membership Type to see inherited members
  • Inactive Member Identification: Sort by Last Logon to find dormant accounts
  • Compliance Auditing: Generate evidence for access certification
  • Cleanup Planning: Identify accounts for removal

Filtering and Analysis:

  • Filter by Membership Type = Direct: See only explicitly added members
  • Filter by Membership Type = Expanded: See only nested group members
  • Filter by Status = Disabled: Find accounts that should be removed
  • Sort by Last Logon (oldest first): Identify stale memberships
  • Filter by Is Privileged > 5: Focus on high-privilege accounts

Actions:

  • Click any account to open Account Details
  • Export member list for access review documentation
  • Use Action button to request access reviews or generate reports

Login History Tab

Authentication activity for all group members (direct and expanded), providing visibility into group usage patterns.

Default Columns:

Column | Description
Login Date/Time | Timestamp of authentication event
Account Name | Account that authenticated
Platform | System where authentication occurred
Login Status | Success or Failed
Membership Type | Direct or Expanded (shows how the account is a member)
Source IP Address | IP address of login attempt (if available)
Login Type | Interactive, Network, Service, etc.
Geolocation | Geographic location of login (if available)

Use Cases:

  • Activity Verification: Confirm group members are actively using their access
  • Dormant Member Detection: Identify members with no recent logins (candidates for removal)
  • Security Investigations: Investigate suspicious authentication patterns for group members
  • Compliance Auditing: Document access usage for audit trails
  • Pattern Analysis: Understand how group access is being used (interactive vs. service accounts)

Analysis Tips:

  • Sort by Login Date/Time (oldest first): Find accounts with no recent activity
  • Filter by Login Status = Failed: Identify potential security issues
  • Filter by Membership Type: Separate direct member activity from nested member activity
  • Group by Account Name: See activity per member
  • Look for anomalies: Unusual login times, locations, or frequencies

Example Insights:

  • No logins in 90+ days: Member may not need access (candidate for removal)
  • Service account with interactive logins: Potential security concern
  • Failed login spikes: Possible brute force attempt or compromised credentials
  • Geographically distributed logins: Unusual for groups with localized access

Share via Action

On tenants with the Integrate Action Providers and Workflows feature enabled, the Action button provides workflow automation options.

Available Actions

Email Notification:

  • Send group membership list to group owners or managers
  • Alert security team about privileged group changes
  • Request access review for group members
  • Escalate security findings for high-risk groups
  • Notify stakeholders of group membership changes

Create Ticket:

  • Generate ServiceNow incident/request tickets for access reviews
  • Create JIRA issues for group cleanup
  • Automated ticketing for policy violations (e.g., too many privileged members)
  • Track access certification workflows
  • Document access review completion

Custom Workflows:

  • Execute organization-specific automation
  • Trigger integration with identity governance platforms
  • Initiate access removal workflows for inactive members
  • Custom compliance reporting
  • Automated privilege review processes

Common Workflows

Privileged Group Access Review

  1. Navigate to Group Details for the privileged group (e.g., Domain Admins)
  2. Review Membership Information Tile to understand direct vs. expanded members
  3. Open Group Membership Tab to see all members
  4. Filter by Membership Type = Expanded to identify nested group members
  5. Sort by Last Logon to identify inactive members
  6. Verify business justification for each member's access
  7. Check Login History Tab to confirm members are using their access
  8. Document findings for compliance
  9. Use Action button to request removal of inappropriate members
  10. Schedule follow-up review (quarterly for highly privileged groups)

Nested Group Investigation

  1. Open Group Details for the parent group
  2. Note the difference between Direct Member Count and Expanded Member Count
  3. Open Group Membership Tab
  4. Filter by Membership Type = Expanded to see inherited members
  5. For each expanded member, identify the nested group providing access
  6. Assess whether nested groups are appropriate or create security risks
  7. Check for privilege escalation: Does a nested group grant more access than intended?
  8. Document nested group relationships for governance
  9. Recommend flattening nested groups if they create complexity or risk

Inactive Member Cleanup

  1. Access Group Details for the target group
  2. Open Login History Tab
  3. Sort by Login Date/Time (oldest first) to find stale accounts
  4. Identify accounts with no logins in the past 90+ days
  5. Filter Group Membership Tab by these accounts
  6. Verify accounts are truly inactive (not service accounts with alternate authentication)
  7. Check account status (Disabled accounts should be removed from groups)
  8. Use Action button to request access removal
  9. Document cleanup for audit trail
  10. Schedule recurring reviews to prevent future accumulation
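
The cleanup checks in this workflow, applied offline to an exported member list, as an added example that is not part of the Hydden product. The CSV layout, the ISO date format and the function name are assumptions based on the Group Membership Tab column names; the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export; the layout is assumed from the Group Membership
# Tab columns and is not a documented Hydden export format.
SAMPLE_EXPORT = """Account Name,Membership Type,Account Type,Status,Last Logon
alice@company.com,Direct,User,Enabled,2025-05-28
bob@company.com,Direct,User,Disabled,2025-04-30
charlie@company.com,Expanded,User,Enabled,2024-12-01
svc-backup,Direct,Service,Enabled,
dana@company.com,Expanded,User,Enabled,2025-06-01
"""

def review_members(export_text, today, stale_days=90):
    """Return {account: [findings]} for members that need reviewer attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        notes = []
        if row["Status"] == "Disabled":
            notes.append("disabled account still in group: remove")
        last = row["Last Logon"].strip()
        # An empty Last Logon means no recorded authentication at all.
        age = (today - datetime.strptime(last, "%Y-%m-%d").date()).days if last else None
        if age is None or age >= stale_days:
            label = "no recorded logon" if age is None else f"last logon {age} days ago"
            if row["Account Type"] == "Service":
                # Service accounts may authenticate in ways that never show up here.
                notes.append(f"{label}: verify alternate authentication before removal")
            else:
                notes.append(f"{label}: candidate for removal")
        if notes and row["Membership Type"] == "Expanded":
            notes.append("inherited via nested group: identify the source group first")
        if notes:
            findings[row["Account Name"]] = notes
    return findings

if __name__ == "__main__":
    for account, notes in review_members(SAMPLE_EXPORT, date(2025, 6, 15)).items():
        print(account, "->", "; ".join(notes))
```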

Compliance Audit (Group-Level)

  1. Select high-value or regulated groups for audit
  2. Review Group Membership Tab for all members
  3. Export member list for auditor review
  4. Verify separation of duties (no conflicting group memberships)
  5. Check for terminated employees (filter by account status)
  6. Review Login History for usage evidence
  7. Verify privileged access justification for each member
  8. Document review completion with timestamps and findings
  9. Store evidence for compliance records
  10. Schedule next review cycle per compliance requirements

Understanding Group Membership

Membership Type Indicator

The Membership Type column in the Group Membership Tab shows how accounts became members:

Membership Type | Description | isDirect Value
Direct | Account explicitly added to this group | true
Expanded | Account inherited membership from a nested group | false

Why This Matters:

  • Access reviews: You need to know where access comes from to remove it properly
  • Privilege analysis: Nested groups can create hidden privilege escalation paths
  • Compliance: Auditors require understanding of all access paths
  • Cleanup: Removing a nested group affects all its members' expanded memberships

Nested Group Visibility

When a group contains other groups:

  • Parent group shows Expanded Member Count including nested members
  • Each nested group member appears with Membership Type = Expanded
  • To find the nested group providing access, check the member's Account Details → Group Membership Tab

Example:

Group: "All IT Staff"
- Direct Member Count: 5 (5 individuals explicitly added)
- Expanded Member Count: 25 (5 direct + 20 from nested groups)

Nested groups within "All IT Staff":
  ├─ "IT Support" (10 members)
  ├─ "IT Engineering" (8 members)
  └─ "IT Management" (2 members)

Privileged Group Flag

Groups flagged as privileged (Is Privileged > 0) have elevated permissions:

  • Administrative access: Can manage systems, users, or security settings
  • Sensitive data access: Can access confidential or regulated data
  • Elevated privileges: Can perform actions beyond standard users

Common Privileged Groups:

  • Active Directory: Domain Admins, Enterprise Admins, Schema Admins, Account Operators
  • Azure AD: Global Administrators, Privileged Role Administrator, Security Administrator
  • AWS: AdministratorAccess, PowerUserAccess
  • Okta: Super Admins, Read-Only Admins

Membership in privileged groups contributes to account threat scores via threat detection rules.


Troubleshooting

Issue | Solution
Direct Member Count doesn't match expected number | Verify group sync from data source; check collector permissions; review last collection timestamp
Expanded Member Count missing or incorrect | Ensure nested group resolution is enabled; check for circular group references; verify collector configuration
Missing members in Group Membership Tab | Verify account discovery is complete; check if accounts are disabled/deleted; review account mapping rules
Login history incomplete | Ensure authentication logging is enabled on platforms; verify collector configuration for login data; check date range filters
Nested groups not resolved | Verify collector has permission to read nested groups; check for group nesting depth limits; review group expansion settings
Privileged flag incorrect | Review threat detection rules for privilege identification; verify group name matching patterns
Membership Type always shows as Direct | Check if collector supports nested group membership tracking; verify isDirect field is being populated

Hydden Documentation and Training Hub