---
title: Contextual Insights
category: Intelligence
tags: insights, ai, contextual, security-analysis, inactivity
priority: Normal
---
Contextual Insights
Contextual Insights provide AI-powered analysis for every directory object in IdentityCenter. Rather than relying solely on static rules, the ContextualInsightService examines each object's attributes, relationships, and history to generate targeted, actionable findings.
How Contextual Insights Work
The ContextualInsightService processes each directory object through a series of specialized analyzers. Each analyzer evaluates a specific dimension of the object's security posture and produces findings that are compiled into a unified insight report.
Analysis Pipeline
- Data Retrieval -- The service loads the object's full attribute set, group memberships, login timestamps, and related objects from the synced data store.
- Analyzer Execution -- Each registered analyzer runs against the object and produces zero or more findings.
- Prompt Construction -- The InsightPromptBuilder compiles the findings into a structured prompt, including security context such as UAC flags, delegation settings, SPNs, and privileged group memberships.
- LLM Enrichment -- The prompt is sent to the configured LLM (Anthropic Claude), which produces a narrative analysis with prioritized recommendations.
- Result Caching -- Results are cached to avoid redundant recalculation for recently analyzed objects.
Insight Types
Inactivity Detection
The ContextualInsightService computes DaysSinceLastLogin for all account types:
| Object Type | Timestamp Attributes Used |
|---|---|
| Users | lastLogon, lastLogonTimestamp |
| Computers | lastLogon, lastLogonTimestamp |
| gMSAs | lastLogon, lastLogonTimestamp |
| MSAs | lastLogon, lastLogonTimestamp |
Inactivity thresholds flag accounts at three levels:
| Days Inactive | Severity | Meaning |
|---|---|---|
| 30+ days | Low | Account is becoming stale -- monitor |
| 60+ days | Medium | Account may no longer be needed -- review |
| 90+ days | High | Account is considered inactive -- action recommended |
When an inactive account also holds privileged access (e.g., membership in Domain Admins), the severity is automatically escalated by one level.
Tip: Inactivity thresholds are configurable in the Intelligence settings. Adjust them based on your organization's policies and seasonal usage patterns.
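The inactivity logic described above, as an added example that is not IdentityCenter's own code. It assumes the two timestamp attributes arrive as raw AD FILETIME integers, takes the newer of the two as the last login, and treats the privileged-group list and the constructed sample accounts as assumptions.

```python
from datetime import datetime, timedelta, timezone
# Added example, not IdentityCenter code: the inactivity logic described above.
# lastLogon and lastLogonTimestamp are AD FILETIME values (100-ns ticks since
# 1601-01-01 UTC); the newer one counts as the last login, 0 means never logged on.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
THRESHOLDS = [(90, "High"), (60, "Medium"), (30, "Low")]  # from the table above
SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed Tier-0 list

def to_filetime(iso_date: str) -> int:  # used only to construct sample data
    dt = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def days_since_last_login(last_logon: int, last_logon_timestamp: int, now: datetime):
    """DaysSinceLastLogin: whole days since the newest non-zero attribute, else None."""
    newest = max(last_logon, last_logon_timestamp)
    if newest <= 0:
        return None
    return (now - (FILETIME_EPOCH + timedelta(microseconds=newest // 10))).days

def inactivity_severity(days, member_of: set) -> str:
    """Map days inactive to Low/Medium/High; privileged accounts move up one level."""
    severity = "None"
    if days is not None:
        for threshold, level in THRESHOLDS:  # highest threshold checked first
            if days >= threshold:
                severity = level
                break
    if severity != "None" and member_of & PRIVILEGED_GROUPS:
        idx = SEVERITY_ORDER.index(severity)
        severity = SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]
    return severity

# Constructed sample accounts (not real directory data).
SAMPLE_ACCOUNTS = [
    {"sam": "svc-backup", "lastLogon": to_filetime("2024-02-20"),
     "lastLogonTimestamp": to_filetime("2024-02-01"), "memberOf": {"Domain Admins"}},
    {"sam": "jdoe", "lastLogon": to_filetime("2024-04-20"), "lastLogonTimestamp": 0,
     "memberOf": {"Finance"}},
    {"sam": "new-hire", "lastLogon": 0, "lastLogonTimestamp": 0, "memberOf": set()},
]

def assess(accounts=SAMPLE_ACCOUNTS, now_iso: str = "2024-06-01") -> dict:
    """Return {sAMAccountName: (DaysSinceLastLogin, severity)} for each account."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    results = {}
    for acct in accounts:
        days = days_since_last_login(acct["lastLogon"], acct["lastLogonTimestamp"], now)
        results[acct["sam"]] = (days, inactivity_severity(days, acct["memberOf"]))
    return results
```

With the sample data, svc-backup (102 days idle, Domain Admins) lands at Critical because the High finding is escalated one level; jdoe (42 days) is Low, and an account that never logged on gets no inactivity severity since the page does not define one.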
Security Risk Analysis
The security risk analyzer examines Active Directory security attributes for misconfigurations and exposures:
| Risk Factor | Detection Logic | Severity |
|---|---|---|
| Unconstrained Delegation | TRUSTED_FOR_DELEGATION UAC flag is set | Critical |
| Password Never Expires | DONT_EXPIRE_PASSWORD UAC flag is set on a privileged account | High |
| Reversible Encryption | ENCRYPTED_TEXT_PWD_ALLOWED UAC flag is set | High |
| Excessive Admin Count | More than 10 members in a Tier-0 administrative group | Medium |
| SPN Kerberoasting Risk | Non-computer accounts with Service Principal Names (SPNs) registered | High |
| Constrained Delegation Misuse | Account has constrained delegation to sensitive services | Medium |
| DES-Only Encryption | USE_DES_KEY_ONLY UAC flag is set | High |
| Pre-Authentication Disabled | DONT_REQUIRE_PREAUTH UAC flag is set (AS-REP Roasting risk) | Critical |
Kerberoasting Risk Detail
When a user account has SPNs registered, the insight includes:
- The specific SPNs registered on the account
- Whether the account has a weak password policy
- Whether the account is a member of any privileged groups
- A recommendation to convert to a gMSA or remove unnecessary SPNs
Group Analysis
The GroupInsightData module analyzes group objects for structural and security issues:
| Metric | Description | Flag Condition |
|---|---|---|
| Inactive Member Count | Members who have not logged in within the threshold period | Any inactive member in a security group |
| Nested Group Depth | How many levels of group nesting exist | Depth > 3 levels |
| Security vs Distribution | Whether the group is a security group or distribution list | Informational |
| Empty Groups | Groups with zero members | Always flagged for cleanup review |
| Large Groups | Groups with an unusually high member count | Member count > 500 |
| Circular Nesting | Group A contains Group B which contains Group A | Always Critical |
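The structural checks in the Group Analysis table (nesting depth, circular nesting, empty and large groups), as an added example that is not IdentityCenter's own code. It assumes group membership is available as an in-memory map from group name to direct members, and the sample directory is constructed.

```python
# Added example, not IdentityCenter code: applies the Group Analysis checks to an
# in-memory membership map. `members` maps each group to its direct members; a
# member that is itself a key in the map is a nested group, anything else a user.
DEPTH_THRESHOLD = 3          # flag condition from the table: Depth > 3 levels
LARGE_GROUP_THRESHOLD = 500  # flag condition from the table: Member count > 500

def nesting_depth(group: str, members: dict, cycles: list, path=(), memo=None) -> int:
    """Levels of group nesting below `group`; records any circular chain in `cycles`."""
    memo = {} if memo is None else memo
    if group in path:  # reached a group that is already on the current chain
        cycles.append(list(path[path.index(group):]) + [group])
        return 0
    if group in memo:
        return memo[group]
    depth = 0
    for child in sorted(members.get(group, ())):
        if child in members:  # child is a group, not a user
            depth = max(depth, 1 + nesting_depth(child, members, cycles, path + (group,), memo))
    memo[group] = depth
    return depth

def analyze_group(group: str, members: dict) -> dict:
    """Return the Group Analysis metrics and (metric, detail) flags for one group."""
    cycles = []
    depth = nesting_depth(group, members, cycles)
    count = len(members.get(group, ()))
    flags = []
    if cycles:
        flags.append(("Circular Nesting", "Critical"))
    if depth > DEPTH_THRESHOLD:
        flags.append(("Nested Group Depth", f"{depth} levels"))
    if count == 0:
        flags.append(("Empty Group", "cleanup review"))
    if count > LARGE_GROUP_THRESHOLD:
        flags.append(("Large Group", f"{count} members"))
    return {"depth": depth, "member_count": count, "cycles": cycles, "flags": flags}

# Constructed sample directory (not real data): a four-level chain, a cycle, an empty group.
SAMPLE_MEMBERS = {
    "Domain Admins": {"Tier0-Ops"},
    "Tier0-Ops": {"Infra-Admins", "alice"},
    "Infra-Admins": {"Server-Admins"},
    "Server-Admins": {"Backup-Operators"},
    "Backup-Operators": {"svc-backup"},
    "Loop-A": {"Loop-B"},
    "Loop-B": {"Loop-A"},
    "Old-Project": set(),
}
```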
Organizational Anomalies
This analyzer identifies data quality and structural issues in your directory:
| Anomaly | Detection Logic | Impact |
|---|---|---|
| Broken Manager Chains | The manager attribute references a disabled, deleted, or non-existent account | Affects org chart, reporting, and access review routing |
| Department Inconsistencies | Users in the same OU or team have different department values | Impacts peer group analysis accuracy |
| Duplicate Identities | Multiple objects with the same display name, email, or employee ID | Creates confusion in access management |
| Missing Required Attributes | Key attributes (department, title, manager) are empty | Reduces Intelligence accuracy |
UAC Flag Analysis
User Account Control (UAC) flags are examined for each account. The analyzer reports on both security-relevant and operational flags:
| UAC Flag | Hex Value | Insight |
|---|---|---|
| ACCOUNTDISABLE | 0x0002 | Account is disabled -- verify if intentional |
| LOCKOUT | 0x0010 | Account is locked out -- may indicate brute-force attempt |
| PASSWD_NOTREQD | 0x0020 | No password required -- significant security risk |
| NORMAL_ACCOUNT | 0x0200 | Standard user account (informational) |
| DONT_EXPIRE_PASSWORD | 0x10000 | Password never expires -- review for compliance |
| SMARTCARD_REQUIRED | 0x40000 | Smartcard required for logon (positive security control) |
| TRUSTED_FOR_DELEGATION | 0x80000 | Unconstrained delegation -- high security risk |
| NOT_DELEGATED | 0x100000 | Account cannot be delegated (positive security control) |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | Protocol transition delegation -- review carefully |
| PASSWORD_EXPIRED | 0x800000 | Password has expired -- user action needed |
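Decoding a userAccountControl value into the flags above and applying the detection rules from the Security Risk Analysis table, as an added example that is not IdentityCenter's own code. The three flags the risk table names without a hex value (ENCRYPTED_TEXT_PWD_ALLOWED, USE_DES_KEY_ONLY, DONT_REQUIRE_PREAUTH) use their standard AD bit values; the privileged-group list, the sample account and its SPN are constructed assumptions.

```python
# Added example, not IdentityCenter code: decodes userAccountControl into the flags
# listed above and applies the Security Risk Analysis rules. The bits for the three
# flags not in the UAC table are the standard AD values, not taken from this page.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed Tier-0 list

def decode_uac(uac: int) -> set:
    """Return the names of all known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}

def security_findings(account: dict) -> list:
    """Apply the Security Risk Analysis rules to one account; returns (risk, severity) pairs."""
    flags = decode_uac(account["userAccountControl"])
    privileged = bool(account.get("memberOf", set()) & PRIVILEGED_GROUPS)
    findings = []
    if "TRUSTED_FOR_DELEGATION" in flags:
        findings.append(("Unconstrained Delegation", "Critical"))
    if "DONT_REQUIRE_PREAUTH" in flags:
        findings.append(("Pre-Authentication Disabled", "Critical"))
    if "DONT_EXPIRE_PASSWORD" in flags and privileged:  # only flagged on privileged accounts
        findings.append(("Password Never Expires", "High"))
    if "ENCRYPTED_TEXT_PWD_ALLOWED" in flags:
        findings.append(("Reversible Encryption", "High"))
    if "USE_DES_KEY_ONLY" in flags:
        findings.append(("DES-Only Encryption", "High"))
    if account.get("servicePrincipalName") and account.get("objectClass") != "computer":
        findings.append(("SPN Kerberoasting Risk", "High"))  # SPNs on a non-computer account
    return findings

# Constructed sample (not real data): NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH.
SAMPLE_ACCOUNT = {
    "sAMAccountName": "svc-legacy",
    "objectClass": "user",
    "userAccountControl": 0x0200 | 0x10000 | 0x400000,  # = 4260352
    "servicePrincipalName": ["MSSQLSvc/sql01.example.test:1433"],
    "memberOf": {"Domain Admins"},
}
```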
The InsightPromptBuilder
The InsightPromptBuilder constructs structured prompts that include full security context for LLM analysis. The prompt contains:
- Object Identity -- Display name, sAMAccountName, UPN, DN, object type
- Account Status -- Enabled/disabled, locked, password status, last login
- Group Memberships -- Full list with privileged groups highlighted
- UAC Flags -- All active flags with descriptions
- Delegation Settings -- Constrained and unconstrained delegation details
- SPNs -- All registered Service Principal Names
- Analyzer Findings -- Pre-computed findings from each analyzer module
- Peer Context -- How this object compares to its peer group
This structured context ensures the LLM produces accurate, environment-specific insights rather than generic security advice.
Viewing Insights
In Object Detail Pages
Every object detail page (Users, Computers, Groups, Contacts, OUs) includes an Insights panel that displays the contextual analysis. The panel shows:
- A risk summary with the composite risk score
- Prioritized findings with severity indicators
- Actionable recommendations
In ChatHub
Use the /insights command with an optional object name:
/insights -- Environment-wide insights summary
/insights john.smith -- Insights for a specific user
/insights Domain Admins -- Insights for a specific group
/insights SRV-DC-01 -- Insights for a specific computer
Or ask naturally: "What are the security risks for john.smith?"
See ChatHub Slash Commands Reference for the full command reference.
In the Intelligence Center
The Intelligence Center dashboard aggregates insights across your entire environment, surfacing:
- The highest-risk identities
- The most common security findings
- Trends in finding counts over time
- Remediation progress
The Analyzer Modules
| Analyzer | Focus Area | Key Outputs |
|---|---|---|
| AdminAnalyzer | Privileged access | Admin group count, Tier-0 membership, delegation flags |
| InactivityAnalyzer | Account staleness | DaysSinceLastLogin, inactivity severity, last activity source |
| GroupAnalyzer | Group structure | Member counts, nesting depth, empty/large group flags |
| OrganizationAnalyzer | Data quality | Manager chain integrity, department consistency, duplicates |
Each analyzer implements a common interface and can be extended with custom analyzers for organization-specific detection logic.
Best Practices
- Review Critical insights immediately -- Unconstrained delegation and pre-authentication disabled are exploitable attack vectors
- Address inactivity systematically -- Use insights to feed your account cleanup process or lifecycle management policies
- Use insights during access reviews -- Contextual insights displayed alongside review items help reviewers make informed decisions
- Monitor trend direction -- A rising insight count may indicate a process gap; a declining count confirms remediation progress
- Train the AI -- The more data the AI has about your environment, the more accurate its insights become. See AI Intelligence Training
Next Steps
- Risk Scoring -- Understand the scoring model behind risk assessments
- AI Intelligence Training -- Train the AI on your environment's patterns
- Intelligence Hub Overview -- Overview of the full analytics platform
- ChatHub Slash Commands Reference -- Query insights through chat
- Directory Browser -- View insights on object detail pages
- Object Write-Back -- Take action on insight recommendations