Collections

Collections are inventory queries that are saved for future reuse. You can build a collection focused on what matters most to your role and your organization, and track statuses over time.

Collections are not just a way to save you from recreating the same queries every day. They can also be used to build custom dashboards, detection rules, and scheduled reports.

All collections on the platform are automatically updated daily, and can also be updated on demand.

ITP-PCCE Collections vs. Computer Collections

ITP-PCCE Collections

ITP-PCCE Collections can track Access Policies, Activities, Assets, Groups, Identities, Memberships, Privileges, or any combination of these, and they can be either System Collections or Custom Collections. ITP-PCCE Collections are described in this topic, below.

Computer Collections

Computer Collections can track only computer assets, and can use only Custom Collections. Computer Collections are described in Computer Collections.

System Collections

ITP-PCCE inventory comes with built-in System Collections, which include account and group definitions that apply system-wide—in all inventories, dashboards, and detection rules. Although you can customize a System Collection, remember that the System Collection definition impacts the entire platform, so you must proceed with caution. Consider customizing the System Collection for temporary purposes only, and remember that you can revert the System Collection definitions back to the platform defaults at any time.

To view System Collections: 

  1. Choose Inventory > Collections from the left navigation menu.

  2. Click the System Collections tab.

The System Collections tab displays a table showing the accounts and groups—and the numbers of each—that match the System Collection definition. For each account and group, the table displays its name, type, and status information. The table also indicates whether the System Collection definitions have been modified from the default settings. By default, the definitions are sorted by date of creation, in descending order.

The built-in, default System Collections are defined below:

  • Admin Accounts: Accounts with administrator privileges.
    Use the inventory filter, Account: Admin Access to find Admin Accounts. For example:

  • Admin Groups: Groups that grant Admin Account privileges to their members.
    Use the inventory filter, Group: Admin Access to find Admin Groups.

  • Compliant Admin Accounts: An Admin Account that is deemed compliant according to possession of some extra factor, for example having an email formatted this way:
    {full_name}_adm@company.com. To find Compliant Admin Accounts, define a query to find all Admin Accounts with the specified email format. The Privileged Accounts dashboard displays all Compliant Admin Accounts along with the number of non-compliant accounts.

  • External Accounts: Use the inventory filter, Account: Is External to find External Accounts.

  • Privileged Accounts: Accounts with privileged access.
    Use the inventory filter, Account: Privileged Access to find Privileged Accounts.

  • Privileged Groups: Groups that grant privileged access to their members.
    Use the inventory filter, Groups: Privileged Access to find Privileged Groups.

Filter and Sort the Collections table

To change the data displayed in the table, use the filters above the table. The selections you make are shown in the filter bar.

To search for a custom collection by name, type text into the search field at the top-right of the table.

From the Custom Collections tab, you can edit, duplicate, delete, and calculate an existing custom collection.

You can also create detection rules based on an existing collection. See Create a Detection Rule from a Custom Collection.

Insight into Selected Table Data

The Type column shows which inventory the custom collection was created from.

  • The Status column shows the following values:

    • Calculating

    • Exceed results – results are too large, re-run the collection query with narrower filters to reduce its size

    • Empty – the search yielded no results

    • Done

    • Error

  • The Results column shows how many entities matched the filters in the custom collection. To see the actual results, click the number in this column.

To see details about a collection, click the collection row in the table. A window showing details about the collection will open, including the query that created the collection, a description (if one was entered when the collection was created) and the last sync date.

The trend line detects rapid changes and shows how your collection changes over time, such as privilege creep, new admins, or shadow admins.

Configure System Collections

From the System Collections tab, you can:

  • Edit a collection: Edit a system collection to customize the values according to your organization’s needs.

  • Duplicate, then modify a collection: Duplicate a system collection and then modify it for other needs. For example, you might want to trigger an alert for more limited matches than are defined by the system collection.

  • Reset a collection to default values: Set an edited system collection back to the system default.

  • Calculate collection results: Instead of waiting for the next scheduled recalculation, you can initiate an immediate calculation of the matched accounts and groups.

  • Create a new detection rule based on a collection: Create a detection rule based on the system collection.

Edit a System Collection

You can edit a system collection to customize the values according to your organization’s needs.

  1. Hover over a system collection.

  2. From its More menu, click Edit.

  3. Edit the filter values.

  4. Click Save.

In the Default column, the value changes to Edited; results will be shown after the next result refresh. To see the results sooner, see Calculate Collection Results.

Duplicate, then Modify a System Collection

You can duplicate a collection and then modify it for other needs. For example, you might want to trigger an alert for more limited matches than are defined by the original collection.

  1. Hover over a system collection

  2. From its More menu, click Duplicate.

  3. Edit the filter values and click Save.

The System Collections tab shows only those collections defined by the system. Duplicated system collections are displayed in the Custom Collections tab.

Reset a System Collection to Default Values

You can set an edited system collection back to the system default.

  1. Hover over a system collection whose value in the Default column is Edited.

  2. From its More menu, click Reset.

The collection value returns to the default definition, and in the Default column, the value returns to Default.

Calculate Collection Results

When a collection is changed, the Platform automatically begins to calculate the accounts and groups that match the definition. While this is taking place, the status value changes to Calculating. You can work elsewhere while the calculation is processed (may take some time), or you can calculate collection results immediately this way:

  1. Hover over a system collection.

  2. From its More menu, click Calculate.

The calculation is initiated immediately. Results will be shown as soon as they are ready.

Custom Collections

A custom inventory query of cloud service users can be saved for later re-use as a Custom Collection. See Save a Custom Collection below.

Custom Collections are not just a way to save you from rebuilding the same queries every day. They can help you to focus on what matters most to you in your role within your organization, and to track statuses over time.

Custom Collections can also be used to build custom dashboards, scheduled reports, and new detection rules. See Create a Detection Rule from a Custom Collection below.

All Custom Collections on the platform are updated automatically every day, and can also be updated on demand.

To view Custom Collections: 

  1. Choose Inventory > Collections from the left navigation menu.

  2. Click the Custom Collections tab.

Save a Custom Collection

  1. Filter an inventory table.

  2. Click Save.

  3. In the Collection Creation dialog, enter a name.

  4. (Optional) Enter a description.

  5. Click Save.

The saved custom collection is displayed in Inventory > Collections

Saving a custom collection may take some time.

Create a Detection Rule from a Custom Collection

You can create a custom detection rule based on the filter criteria of a Custom Collection.

This feature is not available for custom collections created from the Computers inventory.

To create a detection rule from a custom collection:

  1. From the Collection page, click the More menu at the far right of the desired collection, then choose Create New Detection Rule.

  2. Name the new detection rule, then click Create. The Detection Rules page is displayed with the side panel open.

  3. From the side panel, configure the detection rule, as described in Detection Rules.