What is IdentityGraph™?
IdentityGraph™ is Elisity's asset identity engine developed to address the challenges faced by modern network administrators in managing and understanding asset identities. IdentityGraph™ has been engineered to process, refine, and present identity data in a manner that provides a holistic and clear view of all network assets.
In contemporary network infrastructures, organizations are often using a variety of identity tools to assist in discovering and identifying assets on their network. These assets may be managed by different departments, with varying levels of data maintained that is often fragmented or even conflicting across different identity sources.
For instance, one source might identify a device based on its MAC address and vendor type, while another provides data regarding its operating system or its last known user. Combining these disparate pieces of data into a single source of truth is crucial when it comes time to enforce identity-based policy for assets dispersed throughout your network. The problem is, creating this single source of truth isn't just tedious; it's often not feasible given the dynamic nature of modern networks where new assets are connecting to the network and new data is available every hour.
IdentityGraph™ provides value to network administrators by automating the process of data reconciliation and providing a single, reliable source of truth for asset identities. This reliability ensures that when policies are enforced or assets are tracked, decisions are based on accurate, consolidated data. As a result, organizations can be confident in knowing that their assets are classified correctly, and therefore the correct network policy is being applied.
How IdentityGraph™ Works
Discovery, Enrichment, and Triangulation of Accuracy
The initial step for IdentityGraph™ is device discovery. As assets connect to the network, various data sources such as DHCP, IPDT, RADIUS, and CDP/LLDP, to name a few, are used to glean identifying data about these devices. This data is collected via carefully filtered ERSPAN and API integration with onboarded switches. IdentityGraph™ then uses this data to query all available connectors and identity enrichment sources. This involves harnessing data from Elisity's Native Identity Database, Active Directory, Claroty, Medigate, CrowdStrike, Armis, and your CMDB, among many others, and aggregating all of it into a single source. The goal here is to cast a wide net, ensuring that no relevant data is overlooked.
Much of the high-level device data is shown above the IdentityGraph section of the device view. Here you can see:
1. Device Information
Basic network identifiers like IP and MAC address, and current device status. These identifiers are retained regardless of whether the device is online or offline. For offline devices, the IP Address of the device will be identified as "Last Known IP" as seen below. This IP address is still used for device identification, searching, and filtering, and can still be used for Subnet PG matches.
Possible Device Statuses Include:
- Online - Device is connected and active, meaning we have observed attach events or traffic in the last 61 minutes.
- Offline - Device is not connected, meaning we have not observed attach events or traffic in the last 61 minutes.
- Suppressed - Rapid attach/detach events (a.k.a. flapping) will cause a device to be suppressed so as not to overwhelm logging and alerting functions. The cooldown time for device suppression is 31 minutes after flapping ceases.
2. Location Information
Virtual Edge and Virtual Edge Node from which the device was discovered, as well as Site Label association.
3. Policy Details
Policy Group and Policy Set association, including Distribution Zone location of the Policy Enforcement Point (Virtual Edge Node)
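The status rules above are easy to get wrong when several signals overlap (a device can be both "recently seen" and "flapping"), so here is an added example, not code from Elisity or this page, that derives Online, Offline and Suppressed from a device's event history. The 61-minute online window and 31-minute suppression cooldown come from the page; the definition of "rapid" flapping (FLAP_THRESHOLD transitions inside FLAP_WINDOW), the event model, the helper names and the sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds stated on the page.
ONLINE_WINDOW = timedelta(minutes=61)      # Online if an attach or traffic was seen this recently
SUPPRESS_COOLDOWN = timedelta(minutes=31)  # suppression lifts this long after flapping stops

# Assumed, not stated on the page: what counts as "rapid" attach/detach flapping.
FLAP_THRESHOLD = 6                  # this many attach/detach transitions ...
FLAP_WINDOW = timedelta(minutes=5)  # ... inside this window


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str  # "attach", "detach" or "traffic"


def _last_flap_end(transitions):
    """Return the time of the transition that completed the most recent flapping
    burst, or None. A burst is FLAP_THRESHOLD attach/detach transitions within
    FLAP_WINDOW; the cooldown is measured from the end of that burst (assumption)."""
    last = None
    for i in range(len(transitions)):
        j = i + FLAP_THRESHOLD - 1
        if j < len(transitions) and transitions[j] - transitions[i] <= FLAP_WINDOW:
            last = transitions[j]
    return last


def device_status(events, now):
    """Classify one device as 'Online', 'Offline' or 'Suppressed' at time `now`."""
    events = sorted(events, key=lambda e: e.ts)
    transitions = [e.ts for e in events if e.kind in ("attach", "detach")]
    flap_end = _last_flap_end(transitions)
    # Suppression is checked first: a flapping device is also "recently seen".
    if flap_end is not None and now - flap_end < SUPPRESS_COOLDOWN:
        return "Suppressed"
    seen = [e.ts for e in events if e.kind in ("attach", "traffic")]
    if seen and now - seen[-1] <= ONLINE_WINDOW:
        return "Online"
    return "Offline"


# --- constructed sample data -------------------------------------------------
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _at(hh, mm, ss=0):
    return NOW.replace(hour=hh, minute=mm, second=ss)


def _flaps(start, n=6, every=timedelta(seconds=30)):
    """n alternating attach/detach events starting at `start`."""
    return [Event(start + i * every, "attach" if i % 2 == 0 else "detach") for i in range(n)]


SAMPLE = {
    "online": [Event(_at(11, 30), "attach"), Event(_at(11, 45), "traffic")],  # seen 15 min ago
    "offline": [Event(_at(9, 0), "attach"), Event(_at(10, 30), "traffic")],   # seen 90 min ago
    "flapping": _flaps(_at(11, 40)),   # burst ended 11:42:30, still inside the 31 min cooldown
    "recovered": _flaps(_at(11, 0)),   # burst ended 11:02:30; cooldown over, last attach within 61 min
    "never_seen": [],
}

if __name__ == "__main__":
    for name, evs in SAMPLE.items():
        print(f"{name:10s} -> {device_status(evs, NOW)}")
```

The "recovered" case is the one worth checking in any implementation: once the cooldown has elapsed, the device must fall back to the ordinary 61-minute rule rather than staying suppressed or being reported offline.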
Device Category and Consistency Score (Triangulation of Accuracy)
The Device Category field provides a standardized classification for devices across the network. Device category is primarily derived from Device Type and Vendor information, which is processed by Elisity Intelligent Identity to categorize devices into one of the predefined options, as seen below. This field offers a more precise and reliable categorization, supporting accurate Policy Group classification based on device category.
The predefined list includes the following categories:
- Audio Video
- Building Management
- Collaboration
- Consumer Mobile
- Industrial Automation
- Medical Device
- Miscellaneous IoT
- Networking Equipment
- PC
- Physical Security System
- Printer
- Server Appliance and Storage
- WiFi AP and Controller
- Unclassified
Device Category and Consistency Score Details
1. Connector-Specific Categorization
Device Category is determined independently for each data source or connector integrated into the Elisity platform. Each connector, such as ServiceNow, Medigate, or Armis, has its own Category field determined by Elisity using device attributes from that connector, contributing a unique perspective on the device's role. These connector-specific categories provide granular insights, allowing the platform to capture diverse viewpoints for each device.
2. Consistency Score
The Consistency Score is calculated based on the alignment of Category attributes for different connectors. A higher Consistency Score reflects greater agreement across data sources, giving administrators a quick measure of confidence in the assigned Device Category. For example, if multiple connectors classify a device as a "Medical Device," the Consistency Score will be higher, indicating a more reliable classification.
3. Visibility Across CCC
Device Category appears throughout the Cloud Control Center (CCC), including in device profiles, the Device Table, and exportable reports. This consistent display enables a unified view of each device’s role, helping administrators understand and manage the device landscape effectively.
4. Policy Application Based on Device Category
Device Category is available as a match criterion in policy configurations, allowing administrators to apply specific security and access policies to different device types. This flexibility supports granular control, enabling the application of distinct policies to categories like medical devices, IoT, or traditional IT equipment, which strengthens microsegmentation efforts.
By assigning Device Categories per connector and calculating a Consistency Score, Elisity enhances administrators' ability to make informed, data-driven policy decisions, ultimately improving network security and control.
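To make the per-connector categorization and the Consistency Score concrete, here is an added example that is not Elisity's code and not taken from this page. The category list is the page's; the keyword rules that stand in for Elisity Intelligent Identity, the scoring formula (share of reporting connectors that agree with the majority category, with Unclassified connectors abstaining), the function names and the sample connector records are all assumptions made for the example.

```python
from collections import Counter

# The predefined Device Category list from the page.
CATEGORIES = [
    "Audio Video", "Building Management", "Collaboration", "Consumer Mobile",
    "Industrial Automation", "Medical Device", "Miscellaneous IoT", "Networking Equipment",
    "PC", "Physical Security System", "Printer", "Server Appliance and Storage",
    "WiFi AP and Controller", "Unclassified",
]

# Assumed toy keyword rules standing in for Elisity Intelligent Identity, which the
# page does not describe: the first keyword found in "<type> <vendor>" decides.
TYPE_KEYWORDS = [
    ("infusion", "Medical Device"), ("patient monitor", "Medical Device"),
    ("printer", "Printer"), ("camera", "Physical Security System"),
    ("plc", "Industrial Automation"), ("access point", "WiFi AP and Controller"),
    ("switch", "Networking Equipment"), ("workstation", "PC"), ("laptop", "PC"),
    ("server", "Server Appliance and Storage"),
]
assert all(category in CATEGORIES for _, category in TYPE_KEYWORDS)


def categorize(device_type, vendor):
    """Map one connector's Type/Vendor attributes to a Device Category."""
    text = f"{device_type or ''} {vendor or ''}".lower()
    for keyword, category in TYPE_KEYWORDS:
        if keyword in text:
            return category
    return "Unclassified"


def connector_categories(records):
    """Connector-specific categorization: {connector: category} for one device."""
    return {name: categorize(rec.get("type"), rec.get("vendor")) for name, rec in records.items()}


def consistency_score(categories):
    """Assumed scoring (the page gives no formula): the share of connectors that
    agree with the majority category, 0-100. Connectors whose category is
    Unclassified abstain. Returns (majority_category, score)."""
    votes = Counter(c for c in categories.values() if c != "Unclassified")
    if not votes:
        return "Unclassified", 0
    category, count = votes.most_common(1)[0]
    return category, round(100 * count / sum(votes.values()))


# Constructed sample: two clinical sources agree, a stale CMDB record disagrees,
# and Active Directory holds no type/vendor data at all.
SAMPLE_CONFLICT = {
    "Medigate": {"type": "Infusion Pump", "vendor": "ExampleMed"},
    "Armis": {"type": "infusion pump", "vendor": None},
    "ServiceNow": {"type": "Workstation", "vendor": "ExampleComp"},
    "Active Directory": {"type": None, "vendor": None},
}
SAMPLE_AGREE = {
    "ServiceNow": {"type": "Network Printer", "vendor": "ExamplePrint"},
    "Armis": {"type": "printer", "vendor": None},
}

if __name__ == "__main__":
    for label, records in (("conflict", SAMPLE_CONFLICT), ("agree", SAMPLE_AGREE)):
        per_connector = connector_categories(records)
        print(label, per_connector, "->", consistency_score(per_connector))
```

A low score on a device that a policy matches by Device Category is the signal an administrator should treat as a prompt to inspect the disagreeing connector tile before trusting the classification for enforcement.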
Data Sources and Prioritization for IdentityGraph™
The main categories within IdentityGraph™ are the following:
Elisity Natively Discovered Attributes
Attributes in this category are derived directly from Elisity's native detection and identification mechanisms. They represent information that Elisity has been able to ascertain on its own, without relying on external platforms or manual input. Elisity Native attributes such as VLAN, Virtual Edge Node association, custom Device Labels, and more can be used as match criteria in Policy Group Definitions.
Elisity Native Identity is constantly evolving and improving. To learn more about our native identity engine and keep up with any updates, see our Elisity Native Identity article.
Manually Configured Attributes
These are attributes that have been manually set or adjusted by administrators or users. They represent a level of customization and might override or augment the data gathered through automated processes. Typically, manually configured attributes will take precedence over attributes gleaned from other sources.
- Examples: Hostname, Genre, Class, Model, Operating System, Last Update, Label.
Audit comments can be enforced for any manually configured attribute, requiring Cloud Control Center admins to include an audit comment along with any changes made to the attributes of a device.
Shared Services
In certain scenarios, customers may want to ignore Active Directory login events for a specific device. Generally, when a user logs in to a device, we will see this login event and associate a user identity to said device. This is often the desired behavior as this allows for identity-based policies for these assets based on user identities. For example, you may want to define network segmentation based on user groups. Radiologists and Pediatricians may work at the same hospital, but they don't need access to the same systems.
Clicking "Shared Services" on any asset will disable user-based identity for the asset. Elisity will ignore AD User login events for the device, causing the asset to be classified purely based on device data in IdentityGraph. This is ideal for applications where user login is required to use a machine, but user identity is not relevant to the segmentation strategy.
To enable "Shared Services", go to the device and click Edit. Check the box next to "Shared Service" and click Save Changes.
Connector-Based Tiles and Trust Attributes
Alongside the core categories, each connector from which data has been derived also appears as its own distinct subsection within the IdentityGraph™. These connector-specific subsections represent specialized sources of information and display the attributes specific to that connector. By examining these subsections, users can see which data sources contribute to an asset's identity and gain a multi-faceted understanding of its profile, with data from a variety of platforms and systems pulled into one place.
Examples: Active Directory (AD), Claroty, ServiceNow, Tenable, Medigate, Palo Alto Networks IoT Security.
See our list of connectors and integrations for full details.
Once these attributes are defined, they can be seamlessly integrated into Policy Groups. By doing so, organizations can enforce network policies based on the refined data offered by IdentityGraph™, ensuring that policies are both precise and effective.
IdentityGraph data enriched by connectors is refreshed periodically. If the operator wishes to refresh the data immediately, click the refresh button next to the relevant connector tile.
The icon represents attributes that have been mapped to the Core Effective Attribute layer.
View Connectors in Devices Page
Quickly view and filter which devices have enriched data in IdentityGraph on the Devices page. Filter the Devices page by the "Known In" connector attributes and export the result to generate reports and improve device classification accuracy.
Trust Attributes
These attributes indicate the reliability and credibility of a device's identity based on its association with various platforms or systems. It provides a measure of how well-known and verifiable the device's identity is within the network and linked systems.
Usage: Trust Attributes can be leveraged to apply differentiated policies based on the trustworthiness of devices. For example, devices with the trust attribute "Known in ServiceNow" can have more lenient access policies compared to "Unverified" devices. Trust attributes are typically leveraged alongside other identifying match criteria, enabling elevated security posture for a subset of devices.
See the following article for information on how to use Trust Attributes in Policy Group definitions:
Leveraging Trust Attributes for Policy Group Definition
- Examples: Known in AD, Known in Claroty, Known in ServiceNow, Known in CrowdStrike, Manually Verified, Unverified.
Core Effective Attributes
Core Effective Attributes use a customer-established order of precedence for each connector to rank and aggregate the most accurate and relevant data about assets from all available sources. Core Effective Attributes include identity data about the device such as Type, Genre, OS, and much more, as well as risk data and authorization status.
Given that different sources can offer varying (and sometimes conflicting) data about a single asset, IdentityGraph™ lets customers select an order of precedence that decides which connector's value is used whenever multiple sources report conflicting data for the same attribute. This ranking mechanism ensures that the most accurate data is given precedence, culminating in the formation of "Core Effective Attributes."
Here is an example of Core Effective Attributes within IdentityGraph:
These attributes represent the essence of the device, giving a clear and immediate understanding of its nature and function.
- Examples: Hostname, FQDN, Genre, Class, Vendor, Type, Model, Operating System, Label.
- Note: Hostname is a normalized field for consistent formatting as PG match criteria. Customers can also use the Fully Qualified Domain Name (FQDN) as match criteria if this has been discovered natively or via connector enrichment.
Core Effective Attributes serve as the primary match criteria when creating Policy Groups, offering a consolidated, accurate identity for each device or endpoint. This does not mean, however, that you MUST match on Core Effective Attributes. As seen in the image above, administrators in Cloud Control Center have complete visibility into all attributes that have been gleaned for any given device.
Each attribute that Elisity has collected will be categorized, and shown on the asset details view for any device.
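The precedence merge described above, together with the Manually Configured Attributes override, the Shared Services behaviour and the "Known in" Trust Attributes from the earlier sections, is shown below as one added example. It is not Elisity's code and not from this page: the connector precedence list, the user-attribute names dropped under Shared Services, the hostname normalization rule (lower-case, domain suffix stripped), the function names and the sample device record are all assumptions made for the example.

```python
# Customer-defined connector precedence; earlier entries win conflicts.
# This ordering is an assumption for the example, not an Elisity default.
PRECEDENCE = ["ServiceNow", "Medigate", "Claroty", "Active Directory", "Elisity Native"]

# Attributes that describe the logged-in user rather than the device (assumed names).
USER_ATTRIBUTES = {"User", "User Groups"}


def normalize_hostname(name):
    """Lower-case and strip any domain suffix so Hostname compares consistently
    as PG match criteria (assumed rule; the page only says the field is normalized)."""
    return name.strip().lower().split(".")[0] if name else None


def _present(value):
    return value not in (None, "")


def resolve_core_attributes(device, precedence=PRECEDENCE):
    """Build Core Effective Attributes for one device record.

    device = {"manual": {...}, "shared_service": bool, "connectors": {name: {attr: value}}}
    Returns (core_effective, trust_attributes, provenance); provenance maps each
    attribute to the source whose value won."""
    connectors = {name: dict(attrs) for name, attrs in device.get("connectors", {}).items()}

    # Shared Services: ignore AD user-login data so the asset is classified on device data only.
    if device.get("shared_service") and "Active Directory" in connectors:
        ad = connectors["Active Directory"]
        connectors["Active Directory"] = {k: v for k, v in ad.items() if k not in USER_ATTRIBUTES}

    core, provenance = {}, {}

    # 1. Manually configured attributes take precedence over every connector.
    for attr, value in device.get("manual", {}).items():
        if _present(value):
            core[attr] = value
            provenance[attr] = "Manual"

    # 2. Walk connectors in precedence order; the first present value for an attribute wins.
    #    Connectors missing from the precedence list are consulted last.
    rank = {name: i for i, name in enumerate(precedence)}
    for name in sorted(connectors, key=lambda n: rank.get(n, len(precedence))):
        for attr, value in connectors[name].items():
            if _present(value) and attr not in core:
                core[attr] = value
                provenance[attr] = name

    if "Hostname" in core:
        core["Hostname"] = normalize_hostname(core["Hostname"])

    # 3. Trust attributes: one "Known in <connector>" per connector that returned data.
    trust = {f"Known in {name}" for name, attrs in connectors.items()
             if any(_present(v) for v in attrs.values())}
    if not trust:
        trust.add("Unverified")
    return core, sorted(trust), provenance


# Constructed sample: three enrichment sources disagree about the operating system,
# the CMDB record has blank fields, and a user is logged in on a shared clinical device.
SAMPLE_DEVICE = {
    "manual": {"Label": "Radiology-Floor3"},
    "shared_service": True,
    "connectors": {
        "Medigate": {"Hostname": "INFUSION-07.hospital.example", "Type": "Infusion Pump",
                     "Vendor": "ExampleMed", "Operating System": "Embedded Linux"},
        "ServiceNow": {"Hostname": "", "Type": "Infusion Pump", "Model": "IP-200",
                       "Operating System": None},
        "Active Directory": {"Hostname": "infusion-07", "User": "rn.smith",
                             "Operating System": "Windows 10"},
        "Elisity Native": {"VLAN": "310", "Vendor": "ExampleMed Inc"},
    },
}

if __name__ == "__main__":
    core, trust, prov = resolve_core_attributes(SAMPLE_DEVICE)
    for attr, value in core.items():
        print(f"{attr:18s} {value!s:30s} (from {prov[attr]})")
    print("Trust:", ", ".join(trust))
```

Two details matter for policy correctness: a blank value from a high-precedence connector must not shadow a real value from a lower one (ServiceNow's empty Hostname above falls through to Medigate), and provenance should be kept so an administrator can see in the asset view which source supplied each Core Effective Attribute.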
Last Seen and Last Update Attributes for Enrichment Sources
In IdentityGraph, the attributes Last Seen and Last Update provide crucial insights into device activity across all enrichment sources. Last Seen indicates the most recent time a device was detected in a given identity connector when queried, reflecting its last known presence in that system. This helps administrators understand whether a device is actively recognized by an integration. Last Update, on the other hand, represents the most recent change to the enrichment data retrieved from a connector, highlighting when any attribute modifications—such as status updates, policy assignments, or metadata changes—were last recorded. Together, these attributes enable more informed decision-making by providing visibility into device consistency and the freshness of identity information across integrations.
Using IdentityGraph™
Attributes learned from IdentityGraph™ are immediately usable in Policy Group definitions. To use any attribute, create a new Policy Group and scroll down to the attribute type. They will be categorized according to how they appear in IdentityGraph™. As you can see, you can select attributes from "Core Effective Attributes" or "Active Directory Attributes." Scrolling down will reveal any additional categories and their associated attributes.
Benefits of IdentityGraph™
Streamline Asset Management for Efficiency and Savings
Leverage the consolidated view of IdentityGraph™ to effortlessly overcome the hurdles posed by decentralized asset databases. By centralizing asset management, you're not only simplifying the process but also driving down operational costs. Dive into the structured methods of updating, categorizing, and managing with IdentityGraph™, ensuring that your network assets remain a strategic advantage rather than an operational challenge.
Fortify Your Security with Precise Asset Identification
A robust security posture begins with knowing exactly what's on your network. With IdentityGraph™, you can elevate your security protocols through high-fidelity identification. The Core Effective Attributes feature works behind the scenes, gathering and consolidating data from various layers. This results in a comprehensive, accurate representation of each asset. The outcome? A fortified security shield, ready to tackle sophisticated threats.
Ensure Accurate Policy Enforcement Across Your Network
The efficacy of your network policies hinges on the clarity of your asset identification. By utilizing these meticulous identification methods, you're creating an environment where policies are crafted with precision. More importantly, you can move forward with the confidence that these policies, once enacted, target the right assets, ensuring that your network's integrity remains uncompromised.
Ongoing Reconciliation and Updates
IdentityGraph™ serves as a continuous, dynamic identity engine. As assets evolve and network dynamics change, the service continually updates its data repository. This ensures that the identity information remains current, and any changes or anomalies are rapidly identified and reconciled. Whether it's a software update on a device, a change in its operational status, or a new device entering the network, IdentityGraph™ ensures that its data remains a reflection of the network's current state.