IdentityGraph™

What is IdentityGraph™?

IdentityGraph™ is Elisity's device identity enrichment engine that aggregates data from multiple identity sources (e.g., Active Directory, Okta, ServiceNow, CrowdStrike, and other connectors) to build a comprehensive profile for each device on your network. It continuously enriches devices with attributes such as user identity, device type, operating system, security posture, compliance status, and location.

This enriched identity data powers Elisity's dynamic policy groups, which allow you to create policies based on real-time device attributes rather than static IP addresses or VLANs. As device attributes change (e.g., a laptop moves from trusted to untrusted status in CrowdStrike), policy assignments automatically update without manual intervention.

Connector Overview

Connectors are integrations with third-party identity sources that provide device and user attributes to IdentityGraph™. Each connector type has specific configuration requirements and enrichment capabilities. Elisity supports two categories of connectors:

  • Pre-built Connectors: Native integrations with common identity sources (Active Directory, Okta, ServiceNow, CrowdStrike, etc.) that require minimal configuration
  • Custom Connectors: Flexible REST API-based integrations that allow you to connect any identity source via custom queries

For detailed information about each connector type, including configuration steps and supported attributes, see the individual connector articles in the Integrations section.

How IdentityGraph™ Enriches Devices

When a device appears on your network, IdentityGraph™ follows this enrichment workflow:

  1. Device Discovery: The Virtual Edge Node (VEN) detects the device via network traffic (DHCP, DNS, ARP, NetFlow, or other protocols)
  2. Initial Identity: The device is created in the Cloud Control Center (CCC) with basic network attributes (IP address, MAC address, hostname if available)
  3. Connector Enrichment: Each configured connector queries its identity source to find matching records for the device
  4. Attribute Aggregation: Attributes from all connectors are merged into a single device profile in IdentityGraph™
  5. Policy Evaluation: Dynamic policy groups evaluate the enriched attributes to determine policy assignments
  6. Continuous Updates: As connectors sync updated data, device attributes and policy assignments automatically update

Connector Configuration

All connectors are configured in the Cloud Control Center under Settings > IdentityGraph > Connectors. Each connector requires:

  • Connection credentials: API keys, service account credentials, or authentication tokens for the identity source
  • Sync schedule: How often the connector queries the identity source for updated data (default: every 5 minutes)
  • Attribute mapping: Which attributes from the identity source should be imported into IdentityGraph™
  • Match criteria: How the connector matches devices in the identity source to devices in IdentityGraph™ (typically by IP address, MAC address, or hostname)

For step-by-step configuration instructions, see the individual connector articles in the Integrations section.

Viewing Enriched Device Attributes

You can view enriched device attributes in several locations in the Cloud Control Center:

  • Devices Table: The main devices list (Dashboard > Devices) shows key attributes in columns and allows filtering by any enriched attribute
  • Device Details Page: Click any device to see all enriched attributes organized by connector source
  • Policy Group Preview: When creating or editing a dynamic policy group, the preview shows which devices match based on their enriched attributes
  • Traffic Lookup: Flow records include enriched attributes for both source and destination devices

Last Seen and Last Update Attributes for Enrichment Sources

For each connector enrichment source, IdentityGraph™ tracks two critical timestamps:

  • Last Seen: The last time the device was observed online by the VEN (based on network traffic)
  • Last Update: The last time the connector successfully enriched the device with updated attributes from the identity source

These timestamps are visible in the Device Details page under each connector's enrichment data. They help you understand:

  • Whether a device's attributes are current or stale
  • If a connector is successfully reaching devices
  • When a device was last active on the network

Enrichment Lookback Window

The Enrichment Lookback Window controls how recently a device must have been online to receive connector enrichment. By default, connectors only enrich devices that have been seen online within the past 72 hours. This threshold can be configured per connector in Advanced Settings (Settings > IdentityGraph > Connectors > [Connector Name] > Edit > Advanced Settings).

For devices that are online less frequently—such as OT systems, remote assets, or servers with intermittent connectivity—you can extend the lookback window to ensure they continue to receive enrichment even when they haven't been seen recently. The valid range is 1 to 2160 hours (1 hour to 90 days).

[Figure: Connector Edit interface showing the Enrichment Lookback Window field in Advanced Settings]

Performance vs. Coverage: Shorter lookback windows improve performance by reducing enrichment attempts on stale or inactive devices. Longer windows ensure that infrequently-online devices remain enriched with current attribute data from the connector.

[Figure: Tooltip for the Enrichment Lookback Window field]

Note: Changing the Enrichment Lookback Window only affects future enrichment operations. It does not retroactively modify historical enrichments or device data already collected.
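
The following is an added example, not Elisity code or an Elisity API: it models how Last Seen, Last Update and the lookback window combine, so you can spot devices whose enriched attributes (the ones dynamic policy groups evaluate) may be stale. The record fields (`name`, `last_seen`, `last_update`), the status labels and the `missed_syncs` tolerance are assumptions made for this sketch; the 72-hour default, the 1 to 2160 hour range and the 5-minute sync default come from this page.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_LOOKBACK_H = 72                      # default stated on this page
MIN_LOOKBACK_H, MAX_LOOKBACK_H = 1, 2160     # valid range stated on this page
SYNC_INTERVAL = timedelta(minutes=5)         # default sync schedule stated on this page

def validate_lookback(hours):
    """Reject values outside the documented 1 to 2160 hour range."""
    if not isinstance(hours, int) or not MIN_LOOKBACK_H <= hours <= MAX_LOOKBACK_H:
        raise ValueError(f"lookback must be {MIN_LOOKBACK_H}-{MAX_LOOKBACK_H} hours, got {hours!r}")
    return hours

def classify(device, now, lookback_h=DEFAULT_LOOKBACK_H, missed_syncs=3):
    """Classify one connector's enrichment state for a device.
    missed_syncs is an assumed tolerance, not a product setting."""
    window = timedelta(hours=validate_lookback(lookback_h))
    if now - device["last_seen"] > window:
        return "outside_lookback"      # connector no longer enriches this device
    if device["last_update"] is None:
        return "never_enriched"        # online, but no enrichment recorded yet
    if now - device["last_update"] > missed_syncs * SYNC_INTERVAL:
        return "connector_gap"         # online, yet attributes are not being refreshed
    return "current"

def report(devices, now, lookback_h=DEFAULT_LOOKBACK_H):
    """Group device names by enrichment state."""
    groups = {}
    for dev in devices:
        groups.setdefault(classify(dev, now, lookback_h), []).append(dev["name"])
    return groups

# Constructed sample data: names and timestamps are made up for illustration.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
DEVICES = [
    {"name": "laptop-01", "last_seen": NOW - timedelta(minutes=2), "last_update": NOW - timedelta(minutes=4)},
    {"name": "plc-07", "last_seen": NOW - timedelta(days=10), "last_update": NOW - timedelta(days=10)},
    {"name": "srv-22", "last_seen": NOW - timedelta(hours=1), "last_update": NOW - timedelta(hours=6)},
    {"name": "cam-03", "last_seen": NOW - timedelta(minutes=30), "last_update": None},
]

if __name__ == "__main__":
    print("72 h window: ", report(DEVICES, NOW))
    print("720 h window:", report(DEVICES, NOW, lookback_h=720))
```

With the 72-hour default the constructed OT device `plc-07` falls outside the window; at 720 hours it is eligible again and is reported as a gap until the connector next updates it.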

Using IdentityGraph™

IdentityGraph™ data is used throughout the Elisity platform:

  • Dynamic Policy Groups: Create policy groups that automatically include/exclude devices based on enriched attributes
  • Policy Matrix: Build policies using device attributes rather than IP addresses
  • Traffic Analysis: Filter and analyze flows based on enriched device attributes
  • Compliance Reporting: Generate reports showing device security posture and compliance status

IdentityGraph Data Visibility in the Devices Table

The main Devices table displays enriched attributes as columns. You can:

  • Add/remove columns: Click the column selector to show/hide specific attributes
  • Filter by attribute: Use the filter bar to find devices matching specific enriched values
  • Sort by attribute: Click any column header to sort devices by that attribute
  • Export device data: Export the full device list with all enriched attributes to CSV