# Findings

IAM Risk Analyzer Findings highlight actionable findings tailored to the organization's specific requirements, so that teams see the identity risk conditions that matter in their own environment.

The Findings tab is the operational core of the IAM Risk Analyzer. It surfaces security issues detected across your connected application integrations; each finding represents a concrete identity risk condition, such as privileged access without MFA, unused access held over extended periods, over-entitled identities, separation of duty violations, or personal email usage on active accounts. Findings are severity-rated (Critical, High, Medium, Low) and tied to the specific employees, entities, and application integrations where the condition was detected, giving security and identity teams a precise, auditable view of where exposure exists across the environment.

<figure><img src="/files/wlEGPXj5TIVGN7fVQuTd" alt=""><figcaption></figcaption></figure>

In addition to the Findings page, which lists individual findings, the main dashboard has findings widgets that aggregate findings so teams can prioritize remediation by application, by user, and by department.

**Top Risky Applications, Users, and Departments**

Three ranked list widgets appear together on the dashboard, immediately above the Your Action Items section. Each widget surfaces the highest-risk entities in its category based on computed risk scores, using a color-coded severity bar to communicate the distribution of findings at a glance.

**Top Risky Applications** shows a ranked list of application integrations sorted by descending risk score. Each row displays the application logo, name, and instance label (for example, Prod or Code Repository), followed by a proportional severity bar segmented by finding severity (Critical in dark red, High in red, Medium in orange, Low in yellow), and a total findings count. Selecting a row navigates to that application integration's overview page.

**Top Risky Users** shows a ranked list of users sorted by descending risk score. Each row displays the user avatar or initials, full name, a severity-segmented risk bar, and a total findings count. Selecting a row navigates to that user's profile page.

**Top Risky Departments** shows a ranked list of departments sorted by descending aggregate risk score, computed by rolling up individual user risk scores across all members of each department. Each row displays the department's rank number, name, a severity-segmented risk bar, and the total findings count across all users in that department. Selecting a row navigates to the Users listing filtered by that department.

All three widgets display the top 6 entities by default, with a "View More" link to expand the list further.
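As an added illustration of how the three ranked-list widgets can be derived from a flat list of findings (this is example code, not the IAM Risk Analyzer's own implementation): the page states that entities are ranked by a computed risk score and that a department's score rolls up its members' user scores, but does not publish the formula, so the additive scoring, the severity weights, and the sample findings below are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# The page states that the widgets rank entities by a computed risk score and that a
# department's score rolls up its members' user scores; it does not publish the formula.
# The additive scoring and severity weights below are assumptions for this illustration.
SEVERITIES = ("Critical", "High", "Medium", "Low")   # order of the severity-bar segments
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}

@dataclass(frozen=True)
class Finding:
    user: str
    department: str
    application: str      # application integration instance, e.g. "Okta (Prod)"
    finding_type: str
    severity: str

def risk_score(findings):
    """Assumed scoring: sum of severity weights over an entity's findings."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)

def severity_bar(findings):
    """Finding counts per severity, the data behind a widget row's segmented bar."""
    return {s: sum(1 for f in findings if f.severity == s) for s in SEVERITIES}

def _group_by(findings, key):
    groups = defaultdict(list)
    for f in findings:
        groups[key(f)].append(f)
    return groups

def _ranked_rows(scores, grouped, top_n):
    """Build widget rows sorted by descending score (name breaks ties) and keep the top N."""
    rows = [{"name": name, "risk_score": scores[name], "total_findings": len(grouped[name]),
             "severity_bar": severity_bar(grouped[name])} for name in grouped]
    rows.sort(key=lambda r: (-r["risk_score"], r["name"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows[:top_n]

def top_risky_applications(findings, top_n=6):
    grouped = _group_by(findings, lambda f: f.application)
    return _ranked_rows({a: risk_score(fs) for a, fs in grouped.items()}, grouped, top_n)

def top_risky_users(findings, top_n=6):
    grouped = _group_by(findings, lambda f: f.user)
    return _ranked_rows({u: risk_score(fs) for u, fs in grouped.items()}, grouped, top_n)

def top_risky_departments(findings, top_n=6):
    """Department score = sum of its members' user scores; the findings count covers all members."""
    by_user = _group_by(findings, lambda f: f.user)
    dept_scores = defaultdict(int)
    for user_findings in by_user.values():
        dept_scores[user_findings[0].department] += risk_score(user_findings)
    return _ranked_rows(dept_scores, _group_by(findings, lambda f: f.department), top_n)

# Constructed sample findings; the names, applications and departments are made up.
SAMPLE_FINDINGS = [
    Finding("alice", "Finance", "Okta (Prod)", "MFA Missing", "Critical"),
    Finding("alice", "Finance", "NetSuite (Prod)", "SOD Violations", "High"),
    Finding("bob", "Finance", "NetSuite (Prod)", "Unused Access Over 90 Days", "Low"),
    Finding("carol", "Engineering", "GitHub (Code Repository)", "Privileged Access", "High"),
    Finding("carol", "Engineering", "GitHub (Code Repository)", "MFA Missing", "Medium"),
    Finding("dave", "Engineering", "AWS (Prod)", "Over-entitled Users", "Medium"),
    Finding("erin", "Sales", "Salesforce (Prod)", "Identity Exposure", "Low"),
]

if __name__ == "__main__":
    for row in top_risky_departments(SAMPLE_FINDINGS):
        print(row["rank"], row["name"], row["risk_score"], row["severity_bar"])
```

With the sample data, Finance ranks first (alice's Critical and High findings dominate) even though Engineering has the same number of findings, which is the point of ranking by score rather than by count; the `severity_bar` counts are what a widget would draw as the proportional segments.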

<figure><img src="/files/R4ZCufM2ukuHdGeADiSg" alt=""><figcaption></figcaption></figure>

**Identity Findings Distribution (Doughnut Chart)**

This widget provides an at-a-glance breakdown of all identity findings detected across your connected applications, organized by finding type. Examples of finding categories include SOD Violations, Privileged Access, Terminated Users with Active Access, Over-entitled Users, MFA Missing, Identity Exposure, and Unused Access.

The chart uses a doughnut visualization to represent the relative distribution of findings across these categories. The legend displays the top 6 to 7 finding types by default; additional finding types beyond that threshold are accessible through a scrollable modal. Finding names in the legend are never truncated - longer names wrap across lines to preserve full readability.

Auto-generated insights are surfaced alongside the chart to help teams quickly interpret patterns in the finding distribution without manual analysis.

<figure><img src="/files/eOKhg8uVLwFDFWxV3d1l" alt=""><figcaption></figcaption></figure>

**Findings by Application (Stacked Bar Chart)**

This widget presents a stacked bar chart showing the total count of identity findings per finding type, broken down by application and severity. Each bar on the x-axis represents a specific finding type (such as Unused Access Over 90 Days or MFA Missing), and each colored stack within a bar corresponds to a connected application integration. Bars are sorted in descending order from left to right by total finding count.

Two filter controls govern the chart view:

* **Application filter:** A multi-select dropdown listing each application integration for which findings have been computed, with the application's chart color shown alongside its name. All qualifying applications are selected by default. Only applications that have at least one finding rule configured for display are included.
* **Severity filter:** A multi-select dropdown covering Critical, High, Medium, and Low. All severities are selected by default.

## Key Concepts

### 1. Insights

An Insight is a system or user-defined label that identifies a potential risk or characteristic associated with an entity.

* System-Generated Insights Examples:
  * Weak MFA
  * Over Entitled
  * Duplicate Connection
* User-Generated Insights Examples:
  * SoD Violation
  * Privileged

#### Details of an Insight:

* Insight Name: Descriptive name (e.g., Okta Weak MFA)
* Description: Context of the insight (e.g., “Identities with weak Okta MFA factors.”)
* Details: Additional information about the risk (e.g., “Weak MFA methods: SMS or call.”)
* Inherent Risk Rating: Pre-assigned risk level for the insight (Low, Medium, High).
* Proposed Mitigations: Steps to mitigate the risk (e.g., Enforce TOTP, biometric login).
* References: Links to external guidelines or frameworks (e.g., PCI DSS, MITRE).

### 2. Findings

A Finding aggregates multiple insights into an actionable risk alert. Findings provide a broader risk context and are used to trigger automated workflows.

* Example Finding:
  * Name: Weak MFA Okta User with SoD Violation
  * Description: “User has weak MFA on Okta and violates SoD policies by accessing finance applications.”
  * Risk Rating: High
  * Components:
    * Weak MFA Insight
    * SoD Violation Insight

### 3. Key Relationships

* Insights → Findings: Findings are built from one or more insights.
* Entities → Insights: Insights are associated with entities (e.g., users, connections).
* Finding Rules: Logical expressions that define how findings are generated from insights.
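The relationships above, worked as an added example that is not the IAM Risk Analyzer's own rule engine or API: a small Python evaluator that parses a finding rule's logical expression over insight names (AND, OR, NOT, parentheses), applies the rule's entity filters, and emits one finding per matching entity with the rule's risk rating and the contributing insights. The grammar, the data model, the field names and the sample entities and rules are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
# Assumed rule grammar for this illustration (not the product's own rule language): NOT binds
# tightest, then AND, then OR; parentheses group. Consecutive words that are not keywords form
# one insight name, so names such as "Okta Weak MFA" need no quoting.
_KEYWORDS = {"AND", "OR", "NOT", "(", ")"}

def compile_rule_expression(expression):
    """Parse e.g. 'A AND (B OR C) AND NOT D' into (predicate over a set of insight names, names referenced)."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression)
    referenced, pos = set(), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        terms = [parse_and()]
        while peek() == "OR":
            take()
            terms.append(parse_and())
        return lambda insights: any(term(insights) for term in terms)

    def parse_and():
        factors = [parse_factor()]
        while peek() == "AND":
            take()
            factors.append(parse_factor())
        return lambda insights: all(factor(insights) for factor in factors)

    def parse_factor():
        if peek() == "NOT":
            take()
            inner = parse_factor()
            return lambda insights: not inner(insights)
        if peek() == "(":
            take()
            node = parse_or()
            if peek() != ")":
                raise ValueError(f"missing ')' in {expression!r}")
            take()
            return node
        words = []
        while peek() is not None and peek() not in _KEYWORDS:
            words.append(take())
        if not words:
            raise ValueError(f"expected an insight name at token {pos} in {expression!r}")
        name = " ".join(words)
        referenced.add(name)
        return lambda insights: name in insights

    predicate = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r} in {expression!r}")
    return predicate, frozenset(referenced)

@dataclass(frozen=True)
class FindingRule:
    name: str
    risk_rating: str              # the Finding Risk Rating assigned to the rule
    expression: str               # logical expression over insight names
    entity_type: str = "user"     # "user" or "connection"
    entity_filters: tuple = ()    # (attribute, value) pairs the entity must all match

def evaluate_rules(entities, rules):
    """Emit one finding per (rule, entity) where the filters pass and the expression holds."""
    findings = []
    for rule in rules:
        predicate, referenced = compile_rule_expression(rule.expression)
        for entity in entities:
            if entity["type"] != rule.entity_type or any(
                    entity["attributes"].get(k) != v for k, v in rule.entity_filters):
                continue
            if predicate(entity["insights"]):
                findings.append({"rule": rule.name, "entity": entity["id"], "risk_rating": rule.risk_rating,
                                 "components": tuple(sorted(entity["insights"] & referenced))})
    return findings

# Constructed sample entities (with insights already attached) and rules; not real tenant data.
SAMPLE_ENTITIES = [
    {"id": "alice", "type": "user", "attributes": {"department": "Finance"},
     "insights": frozenset({"Okta Weak MFA", "SoD Violation"})},
    {"id": "bob", "type": "user", "attributes": {"department": "Finance"},
     "insights": frozenset({"Okta Weak MFA", "SoD Violation", "Break Glass"})},
    {"id": "dave", "type": "user", "attributes": {"department": "Engineering"},
     "insights": frozenset({"Privileged", "MFA Missing"})},
    {"id": "github-prod", "type": "connection", "attributes": {},
     "insights": frozenset({"Duplicate Connection"})},
]
SAMPLE_RULES = [
    FindingRule("Weak MFA with SoD Violation", "High",
                "Okta Weak MFA AND SoD Violation AND NOT Break Glass", entity_filters=(("department", "Finance"),)),
    FindingRule("Privileged Without Strong MFA", "Critical", "Privileged AND (Okta Weak MFA OR MFA Missing)"),
    FindingRule("Duplicate Connection", "Medium", "Duplicate Connection", entity_type="connection"),
]
```

Running `evaluate_rules(SAMPLE_ENTITIES, SAMPLE_RULES)` yields three findings: alice matches the first rule, bob does not because the `NOT Break Glass` clause excludes her, dave matches the second rule through the `MFA Missing` branch of the OR, and the connection rule only considers entities of type `connection`. Each finding carries only the insights that the rule actually referenced, which is what a reviewer wants to see as the finding's contributing components.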

## Creating an Insight

**Step 1:** Define Insight

* Navigate to the Configure > Rules & Playbooks > Insights section.
* Click Create Insight and enter:
  * Name: A descriptive title (e.g., Okta Weak MFA).
  * Description: Explanation of the insight.
  * Details: Add specifics like weak MFA methods or resource details.
  * Risk Rating: Assign an inherent risk level.
  * Proposed Mitigations: Suggest actions to resolve the issue.
  * References: Add relevant links or frameworks for context.

**Step 2:** Select Entities

* Define the entities this insight applies to (e.g., users, connections).
* Apply entity filters to narrow the scope (e.g., MFA methods = SMS or call).

**Step 3:** Review and Save

* Verify the details of the insight and save it.

  <figure><img src="/files/gswMTbAbvRazXG54hVGh" alt=""><figcaption></figcaption></figure>

  <figure><img src="/files/pfRda1Q2V8x3NdMboAoT" alt=""><figcaption></figcaption></figure>

## Creating a Finding Rule

**Step 1:** Select Insights and Entities

* Navigate to Configure > Rules & Playbooks > Finding Rules section.
* Click Create Finding Rule and enter:
  * Name: Descriptive title (e.g., Weak MFA with SoD Violation).
  * Description: Explanation of the risk.
  * Select Insights: Choose insights to include in the rule.
  * Entity Filters: Add filters to refine the scope of the findings.

**Step 2:** Assign Risk Rating

* Assign a Finding Risk Rating to represent the combined risk level.

**Step 3:** Review and Save

* Confirm selections in a review modal and save the finding rule.

  <figure><img src="/files/P3w0SYSMh6I6ajkzV8mM" alt=""><figcaption></figcaption></figure>

  <figure><img src="/files/ZeI0MAdiqAPikvLPgxYs" alt=""><figcaption></figcaption></figure>

## Viewing Insights and Findings

* Navigate to the IAM Risk Analyzer dashboard > Findings section.
* Click on a finding to:
  * View the contributing insights and details.
  * Take user actions (e.g., Review Access, Notify, Execute a Playbook, Execute a Webhook).
* Use filters to view:
  * Insights: A list of all active insights with details.
  * Findings: Aggregated alerts with risk ratings.

{% embed url="https://vimeo.com/1152731531" %}

