# Result Details

Clicking on a query result will open a drawer with that result's details. Details looks like this:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-0ec0fe284cc464facc157d7d8c8d1f8d5b797954%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

### Query path

At the top of the details you'll see a graph visualization of why this result matches your query. For instance, if you select an identity with `risk:exfiltration` as your search, you'll see the entitlements and privileges that lead to data-exfiltration risks.

### Result information

The top of the page shows detailed information for the result. The information displayed depends on the result type.

<table data-header-hidden><thead><tr><th width="123.33333333333331">Result type</th><th width="173">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Credential</strong></td><td>Identity</td><td>The identity accessed via this credential</td></tr><tr><td></td><td>Last used</td><td>The most recent date that this credential was used</td></tr><tr><td></td><td>Last rotated</td><td>When this credential was created</td></tr><tr><td></td><td>Entitlements</td><td>All entitlements that can be used for access via this credential</td></tr><tr><td></td><td>Risks</td><td>Access risks reachable from this credentiall, and the privileges that expose those risks</td></tr><tr><td><strong>Entitlement</strong></td><td>Principal</td><td>The principal identity that is assigned this entitlement</td></tr><tr><td></td><td>Role | Policy</td><td>The name of the granted role (for non-AWS systems) or policy (for AWS)</td></tr><tr><td></td><td>Condition</td><td>(GCP role bindings only) this role binding's access condition</td></tr><tr><td></td><td>Resource</td><td>The resource(s) to which this entitlement grants direct access</td></tr><tr><td></td><td>Risks</td><td>Reachable IAM risks for this entitlement, broken down by whether the privilege(s) that yield the risk are used or not within the previous 90 days</td></tr><tr><td></td><td>Accessible by</td><td>The identities that can use this entitlement, including via federation, group membership, or lateral movement</td></tr><tr><td><strong>Identity</strong></td><td>Parent</td><td>The resource in which the identity is defined (e.g. AWS account, Azure subscription, GCP project, etc.)</td></tr><tr><td></td><td>Last Used</td><td>The last time this identity authenticated with its identity provider</td></tr><tr><td></td><td>Accessible by</td><td>(Federation identities only) the identities that can gain access to your system via this federation identity</td></tr><tr><td></td><td>Members</td><td>(Groups only) this group's direct and indirect members</td></tr><tr><td></td><td>MFA</td><td>(Users only) whether two-factor authentication is required for this user</td></tr><tr><td></td><td>Entitlements</td><td>A link to view all of the identity's entitlements</td></tr><tr><td></td><td>Risks</td><td>Access risks reachable from this identity, and the privileges that expose those risks</td></tr><tr><td><strong>Resource</strong></td><td>Parent</td><td>This resource's parent resource in the system's resource hierarchy (e.g. a database table's parent resource will be its enclosing database schema); top-level resources have the service as their parent</td></tr><tr><td></td><td>Children</td><td>A list of all this resource's child resources (e.g. a database schema will have all its tables, indices, views, etc. as children)</td></tr><tr><td></td><td>Accessible by</td><td>All identities that have direct access to this resource</td></tr></tbody></table>