Oort Knowledge Base
  • Home
  • Glossary
  • 📊Dashboard
    • Get Started Dashboard
    • Overview Dashboard
    • MFA Dashboard
  • 👥Understanding your users
    • 📇Users
      • 💾Saved Filters
      • ❓Basic Search & Advanced Query Mode
    • 🩻User 360
      • 🗺️Overview Tab
      • 🔬Activity Tab
      • 📶Networks Tab
      • 💻Devices Tab
      • 🪺Applications and Groups Tabs
      • ✅Checks Tab
    • 🛠️Triaging Alerts and Remediation Actions
    • 🔗Linking User Accounts
    • 🤷User Statuses
  • 🗃️Applications
  • 💻Devices
  • 🧩Configuring Integrations
    • Managed Integrations
    • Auth0
      • Auth0 Data Integration
      • Auth0 Log Streaming & Marketplace App
    • Microsoft Entra ID (Azure AD) Data Integration
    • Microsoft Entra ID (Azure AD) SSO Integration
    • Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD)
    • Azure Sentinel SIEM Integration
    • AWS
    • AWS User-Based Access [Deprecated]
    • Duo Security Integration
    • Email Notifications
    • Github
    • Google Workspace Integration
    • Jamf
    • Jira Integration
    • Mailgun Integration
    • Microsoft Teams Notification Integration
    • Okta Log Streaming AWS EventBridge Integration
    • Okta Data Integration
    • Okta Workflows
    • Okta Integration Network - Production SSO App
    • Okta SSO
    • Polarity Integration
    • Salesforce Integration
    • SendGrid Integration
    • ServiceNOW Integration
    • Slack
    • Snowflake
    • Webex Notification Integration
    • Webhooks
    • Workday
      • Manual Import (CSV)
      • Report as a Service (RaaS)
  • ☑️Understanding Check failures
    • 🔍Reviewing Check Results
    • 🧹Customizing Checks
    • 📖Cisco Identity Insights
      • Identity Posture Management Insights
        • Access from Denied Territories
        • Allow/Block Email Logins
        • Application Login Bypasses SSO
        • Applications with Expired Secret
        • HRIS Discrepancies
        • Identity Intelligence Client Secret Expiring Soon
        • Inactive Account Probing
        • Inactive Guest Users
        • Inactive Users
        • Missing Value in Mandatory Field
        • Never Logged In
        • No MFA Configured
        • No Strong MFA Configured
        • Okta Long Running Sessions
        • Okta Session Length Policy Compliance
        • Personal VPN Usage
        • Provider User Type Missing
        • Rate Limit Alert
        • Role Assigned to Azure Cloud Only Account
        • Salesforce Direct Login Settings
        • Shared Mailbox Sign In Enabled
        • Slack User Inconsistencies
        • Telecom MFA Limit Reached
        • Unmanaged Devices Access
        • Unused Application for a User
        • Upcoming App Key Expiration
        • User Authorized to Bypass MFA
        • User Has Directly Assigned Application
        • User in IDP but not in HRIS
        • User Password Expiration Failure
        • User Stuck in Non-functional State
        • Users Sharing Authenticators
        • Weak MFA Was Used To Successfully Sign In
      • Identity Threat Detection Insights
        • A Bypass Code Was Used To Successfully Sign In
        • Access From Dormant Account
        • Accounts With Unusually High Activity
        • Active Account Under Heavy Attack
        • Activity From Untrustworthy ISP
        • Admin Impersonation in Okta
        • Admin Role Assigned to User
        • Authenticator Registration Anomalies
        • Code Exfiltration By Guest Account
        • Compromised Session
        • Google Drive File with Excessive Sharing Permissions
        • Impossible Travel
        • IP Threat Detected
          • IP Threat Detected In Depth
        • Login to Admin Console
        • MFA Flood
        • Microsoft Entra ID Admin Activity Anomaly
        • New Country for Tenant
        • New IDP Created
        • Okta Admin Activity Anomaly
        • Rare Browser Activity
        • Registered Location Mismatch
        • Risky Parallel Sessions
        • Service Account Successful Sign In
        • Shared Mailbox Successful Sign In
        • Sign In Threat Detected
        • Sign-in from Recently Created IdP
        • Successful Access from a Previously Only Failing IP
        • Super Admin Login to Google
        • Suspicious Activity Reported by End User
        • Unusual Repo Access
        • User IP in Blocked State
        • User Lock Out Risk Detected
        • User Trust Level Alert
        • Users With Defined Email Forward Rules
        • Users With New Email Forward Rules
        • Weak MFA Manually Activated and Utilized
  • ⚙️Tenant Settings
    • 👨‍💼Role-based Access (RBAC) and Tenant Access Logs
    • Systems Logs
  • 🏥Identity Posture Score
  • 🚨User Trust Level
  • How-to Guides
    • 🔐Accessing and Securing your Cisco Identity Intelligence Tenant
    • 🏎️Can Identity Intelligence analyze behavior and fail checks more frequently?
    • 🛂Importing Known IP Address Lists
    • 🔎Networks Tab & User Investigations
    • 🔁Okta Workflows Webhook Example
    • 🗃️Understanding HRIS Data and SCIM
    • MFA Factors FAQ
  • Public API
    • APIs
  • Troubleshooting & Support
    • API Permissions for Integrations
    • Responsible Disclosure Policy
  • Best Practices
    • 🛣️What’s Next? How to use Identity Intelligence effectively
    • 📚Identity Security Reading List
    • ✍️KPIs for
 IAM Teams
  • Blogs
    • 0ktapus for humans
    • Oort Releases GitHub Integration To Extend Identity Threat Detection
    • Oort Recognized Twice as a Sample Vendor in Gartner® 2023 Hype Cycle Reports™
    • Oort's Response Capabilities: Remediate Compromised Accounts with Just One Click
    • Oort Unveils Dashboard, Providing A Single Pane of Glass for Identities
    • Oort’s New Identity Security Dashboard
    • Oort Unveils Identity Technology Ecosystem, Bringing Identity Data out of Orbit and Into View
    • Oort: Your Security Layer On Top Of Okta
    • Populating the Unpopulated: Challenges of Building a Comprehensive User Inventory
    • Protecting IT Help Desk Teams Against Cyber Attacks
    • Protecting Salesforce Accounts from Takeovers and Ungoverned Access
    • Restrict Guest Access Permissions: Best Practices and Challenges
    • Seizing the Communication Opportunity: Aligning Perspectives in Identity Security
    • Session Hijacking in a Post-Genesis World
    • SIEM vs. Security Data Lake: Why it's Time to Rethink Your Security Program
    • Speaking the Same Language for Identity Security: Identify, Protect, Detect, Respond
    • State of Identity Security research reveals 40% of accounts use weak or no form of multi-factor authentication to protect identities
    • Strengthening Identity Controls: Mapping to CIS CSC and NIST CSF Security Frameworks
    • Strengthening Identity Security with Single Sign-On (SSO) Systems
    • Succeeding with Proper Detection for Identity Security: A Comprehensive Approach
    • Taking a Data-Driven Approach to Identity Security
    • The Concerning Prevalence of Weak Second Factors
    • The Crucial Role of an Identity Security Leader
    • Why I am Joining Oort
    • The Quest for a Passwordless World
    • Understanding Azure Active Directory (Azure AD)
    • Understanding the Implications of New SEC Rules on Cyber Incident Disclosure
    • Unlocking the Power of Zero Trust: The Crucial Role of Identity and Oort's Identity Security Platform
    • Respond Even Quicker to Identity Threats
    • What to Look Out For at Gartner IAM
    • 7 Critical Requirements for Securing Third-Party and Vendor Access
    • Best Practices for Efficiently Responding to Identity Threats
    • Announcing our Identity Technology Partner Ecosystem
    • Catching waves and building clouds
    • Cisco Announces Intent to Acquire Oort
    • CISO Perspectives: Eric Richard, HubSpot
    • Defining Roles & Responsibilities for an Identity Security Program
    • Detecting Session Hijacking
    • 8 Things to Look for in an ITDR Solution
    • Enhancing Identity Threat Detection: Introducing Oort’s New GitHub Integration
    • Founder Perspective: Matt Caulfield On Why He Started Oort
    • Founder Perspective: Vision To Reality
    • Four Reasons Why Traditional SIEMs Fall Short For Identity Security Programs
    • How Oort Partners with Duo for Unbeatable Secure Access
    • Governance, Risk, and Compliance
    • How to Find Inactive Users
    • Identity and Access Management and Oort Explained
    • 5 Identity Security Questions Every IAM Leader Needs to Answer
    • Identity security is bigger than just ITDR
    • Identity is the apex threat vector, so why is identity security still a mess?
    • Identity Threat Detection
    • Identity Threat Detection and Response: what you need to know
    • Identiverse 2023: What I'm Looking Forward to & What Not to Miss
    • Interview with Oort: Best Practices for Managing & Protecting Service Accounts
    • Interview with Alex “Sasha” Zaslavsky (Oort Data Science Lead)
    • Interview with Andy Winiarski (Head of Solutions Engineering)
    • Interview with Nicolas Dard (Oort’s VP of Product Management)
    • Introducing our Latest Integration to Protect Identities in AWS
    • Introducing The 2023 State of Identity Security Report
    • Maintaining a Strong Identity Security Posture: Why IAM Hygiene Matters
    • Managing Machine Identities: A Comprehensive Guide
    • Managing Risk In Shipwreck Diving and Security
    • Monitoring MFA Usage and Adoption: Strengthening Your Security Strategy
    • Okta Breach: Why Attackers Target GitHub, and What You Can Do to Secure It
    • Okta Security
    • Oort and Polarity Combine to Provide Instant Context on Identities
    • Oort + Polarity: Instant Identity Context to Power Investigations and Response
    • Oort Announces $15M in Seed and Series A Funding Round
    • Oort Stacks Go-to-Market Leadership Team Following Series A Investment
    • Oort Extends Identity Threat Detection with New AWS Integration
    • Announcing General Availability of the Oort Identity Analytics & Automation Platform
    • Oort Joins Forces with Microsoft Intelligent Security Association to Bring Visibility into Unmanaged Devices
    • Oort Joins the Microsoft Intelligent Security Association (MISA)
    • Building an Effective Identity Security Program: A Comprehensive Handbook
    • Oort Launches Identity Security Platform in Auth0 Marketplace
    • Oort Launches Identity Security Platform in AWS Marketplace
    • Oort Launches One-Click Remediation Actions for Streamlined Identity Security Response
    • Oort Origins and Our Vision for Identity Security
  • Release Notes
    • Week 22, 2024
    • Week 21, 2024
    • Week 20, 2024
    • Week 19, 2024
    • Week 18, 2024
    • Week 17, 2024
    • Week 16, 2024
    • Week 14, 2024
    • Week 13, 2024
    • Week 11, 2024
    • Week 9, 2024
    • Week 7, 2024
    • Week 5, 2024
    • Week 4, 2024
    • Week 3, 2024
    • Week 2, 2024
    • 2023
      • Week 49, 2023
      • Week 48, 2023
      • Week 47, 2023
      • Week 46, 2023
      • Week 45, 2023
      • Week 44, 2023
      • Week 43, 2023
      • Week 42, 2023
      • Week 41, 2023
      • Week 40, 2023
      • Week 39, 2023
      • Week 38, 2023
      • Week 37, 2023
      • Week 35, 2023
      • Week 34, 2023
      • Week 33, 2023
      • Week 32, 2023
      • Week 31, 2023
      • Week 30, 2023
      • Week 29, 2023
      • Week 28, 2023
      • Week 27, 2023
      • Week 26, 2023
      • Week 25, 2023
      • Week 24, 2023
      • Week 23, 2023
      • Week 22, 2023
      • Week 21, 2023
      • Week 20, 2023
      • Week 19, 2023
      • Week 18, 2023
      • Week 17, 2023
      • Week 16, 2023
      • Week 15, 2023
      • Week 13, 2023
      • Week 12, 2023
      • Week 11, 2023
      • Week 10, 2023
      • Week 9, 2023
      • Week 8, 2023
      • Week 7, 2023
      • Week 6, 2023
      • Week 5, 2023
      • Week 4, 2023
      • Week 3, 2023
      • Week 2, 2023
      • Week 1, 2023
    • 2022
      • Week 51, 2022
      • Week 50, 2022
      • Week 49, 2022
      • Week 48, 2022
      • Week 47, 2022
      • Week 46, 2022
      • Week 43, 2022
      • Week 42, 2022
      • Week 41, 2022
      • Week 38, 2022
      • Week 37, 2022
      • Week 36, 2022
      • Week 35, 2022
      • Week 34, 2022
      • Week 33, 2022
      • Week 32, 2022
      • Week 31, 2022
      • Week 30, 2022
      • Week 29, 2022
      • Week 24, 2022
      • Week 12, 2022
Powered by GitBook
On this page
  • Starting with a clean slate
  • Where to start
  • Review check settings
  • Creating smaller sub-groups
  • Downloading results
  • Working with the recommended checks
  • Clean up complete - now what?
  • Identifying and Investigating Threats
  • Where to start
  • How to investigate
  • After an investigation
  • Conclusion
  1. Best Practices

What’s Next? How to use Identity Intelligence effectively

PreviousBest PracticesNextIdentity Security Reading List

Last updated 3 months ago

You've completed the "Getting Started" checklist - Congratulations!

This guide aims to detail how you can operationalize Identity Intelligence once you have completed the initial onboarding set up steps.

Identity Intelligence is unique because it is both an Identity Security Posture Management (ISPM) tool and an Identity Threat Detection and Response (ITDR) tool. To get the most of out the insights and data Identity Intelligence provides, it is crucial to understand why ISPM and ITDR are equally important, and how you can leverage both types of insights to make your organization more secure.

Starting with a clean slate

The identities in your environment are under constant threat, and while bad actors may adjust or change the techniques used, they will certainly not stop trying to compromise your users' accounts. As detailed in the documentation, making sure that the identities in your environment are secure is a necessary step to protect your organization from the attacks and threats targeted at those identities.

Without strong identity security posture, not only are your identities more vulnerable to being successfully compromised, but also every attack that comes in is inherently riskier. That means you and your team will need to spend more time and resources investigating every risky event or suspected attack to ensure that the impacted identities were not actually compromised.

Identity teams are spread thin enough as is - Why spend time worrying and investigating suspicious log in attempts on an account that has not been used in 3 years when that account should have just been deleted years ago?

For this reason, we recommend starting with user clean up before diving head first into the threat insights available, even if your primary responsibility is focused on user investigation and threat hunting. There are a few checks that we typically recommend starting with for user clean up, and multiple ways you can make the clean up easier to manage that are described below.

Where to start

There are several ways you can use Identity Intelligence's insights to improve your organization's identity posture. To find areas for improvement, you can use the recommended actions associated with your organization's or go through the list of checks and pick a couple that stand out. We usually suggest starting with the following checks (which are also part of the posture score) since they are often quick and easy to take action on and bring immediate value:

  • Never Logged In

  • Inactive Guest Users

  • Inactive Users

  • No MFA Configured

To start, we typically recommend picking only 1 or 2 checks/posture recommendations to focus on cleaning up properly. If you pick too many checks to clean up at once, it can be difficult to make real progress.

Depending on the size of your environment, there can be a lot of users failing a given check, which can be very overwhelming and make it difficult to decide where to start. Below are a couple ways to help you can make the results of checks more manageable and actionable, and prioritize certain users who may be carry more inherent risk to your organization.

Review check settings

Before you start cleaning up users on a given check, regardless of if you are using posture score recommendations or specific checks, review that check to see if there are custom settings that can and should be modified to better align with your organization's processes, policies and risk tolerance levels. This will ensure that the users failing the check are actually relevant to take action on for your organization.

Creating smaller sub-groups

Each organization has different priorities and concerns, which means not all identities are created equal for every company for every check - some users may be more important to take action on, and others may be less urgent.

If you have a lot of users failing a check that you would like to clean up, we recommend utilizing the filters on the Users page to partition a given check's failing users into smaller, more manageable sub-groups so that you and your team can more easily take action. You can do this from two places:

  • Via the desired Check's page

    • Use the View Users button above the table's column headers, or in the table area if there are more than 1,000 users failing the check, to go to the Users page pre-filtered on the given check where you can add additional filters or column sorting

    • Use the Failing Users by Integration widget on the right of the screen. Click a desired integration to go to the Users page pre-filtered on the selected integration and the given check where you can add additional filters or column sorting

For example, for the Inactive Users check, use the filters to display only inactive users that are internal accounts and do not have MFA configured.

Downloading results

If you need to share a list of users with other members of your team who may not have access to Identity Intelligence, you can download the results from the Users page into a .csv. On the right side of the page, next to the Search bar is a button with a Download icon which will export the list of users (up to 2,000 users), as well as any applied filters, column additions and column sorting that was done in the platform.

Working with the recommended checks

Below are some tips and tricks for making the clean up process more manageable for the specific checks listed above; however, these tips can apply to many other checks, so getting familiar with the features mentioned below can be useful when cleaning up other checks.

Never Logged In

The Never Logged In check alerts on accounts that have never successfully signed in since their account was created. These accounts pose a high risk if they were to get compromised as they are typically granted access to certain apps and information by default when the account was created. Additionally, bad actors often target these accounts as they do not have MFA registered, so they are easy to sign in to, and the bad actor can then register their own MFA method to maintain access to your system.

The default setting is 7 days after creation - Make sure to modify the check's default settings for this check to better align results with your organization's procedures.

Tips for cleaning up Never Logged In

  • After filtering the Users page on the check, use the User Type filter and select External

  • (If column is not visible) Select the Columns button on the right hand side, above the table headers and select Created Date (UTC) to add this data into the table as an additional column. Select the Created Date column header to sort the column from oldest to newest

Admin or VIP users failing this check can be more complex to remove than external users, as they may involve some more investigation to understand why the account exists and is unused. However, these unused accounts pose a lot of risk because they have elevated privileges, are often granted wide access to several different corporate apps, assets and sensitive corporate information, and very rarely have MFA configured, making them an easy, and valuable, target to compromise.

  • After filtering the Users page on the check, use the User Type filter and select Internal

  • Find either the Administrator of filter and select All or the Is Admin filter and select Yes

  • (If column is not visible) Select the Columns button on the right hand side, above the table headers and select Created Date (UTC) to add this data into the table as an additional column. Select the Created Date column header to sort the column from oldest to newest

    • Users must be deleted directly at the identity data source (ex: Entra), you cannot delete internal users directly in Identity Intelligence

  • Once completed, repeat these steps using the Is VIP: Yes filter

    • Note: VIP users are users with titles that are commonly used with executives

Internal users, like Admins users, can also be more complex to remove than external users. They also pose high risk to your environment because these accounts are typically provisioned with extensive access to different corporate systems and information, and very rarely have MFA configured.

  • After filtering the Users page on the check, use the User Type filter and select Internal

  • (If column is not visible) Select the Columns button on the right hand side, above the table headers and select Created Date (UTC) to add this data into the table as an additional column. Select the Created Date column header to sort the column from oldest to newest

    • Users must be deleted directly at the identity data source (ex: Entra), you cannot delete internal users directly in Identity Intelligence

  • If smaller groups are still needed, add the MFA Configured filter and select No and remove these accounts from oldest to newest. Once completed, go back and remove the MFA Configured filter and follow the same account deletion process (oldest to newest)

Inactive Guest Users

The Inactive Guest Users check detects external/guest accounts who have successfully signed in at least one time but have not done so recently. As discussed above with the Never Logged in check, these accounts are low-risk to remove since they can be added back easily if needed, and the unknown access these users may have poses a risk to your organization, so it is important to clean up unnecessary accounts.

The default setting is 30 days of inactivity - Make sure to modify the check's default settings for this check to better align results with your organization's procedures.

Tips for cleaning up Inactive Guest Users

  • Filter the Users page on the check

  • Select the Last Seen (UTC) column header to sort the column from oldest to newest

    • Note: Last Seen represents that last sign in attempt regardless of result. You can see the last successful sign in for each identity source in each source card on the User 360 Overview tab to review inactive users with more recent Last Seen dates

Inactive Users

The Inactive Users check alerts on internal accounts who have successfully signed in at least one time but have not done so recently. As discussed above with the Never Logged in check, these accounts can be more involved to remove, but pose high levels of risk because of what they have access to. These accounts can also highlight gaps in your organization's account automated or manual deprovisioning process.

The default setting is 30 days of inactivity - Make sure to modify the check's default settings for this check to better align results with your organization's procedures.

Tips for cleaning up Inactive Users

  • Filter the Users page on the check. Use the MFA Configured filter and select No

    • You can also use the Admin and VIP filters described in the Never Logged In check tips above to prioritize the results further

  • Select the Last Seen (UTC) column header to sort the column from oldest to newest

    • Note: Last Seen represents that last sign in attempt regardless of result. You can see the last successful sign in for each identity source in each source card on the User 360 Overview tab to review inactive users with more recent Last Seen dates

No MFA Configured

This check alerts on accounts that have successfully signed in at least once that have not configured any forms of MFA on their account. Accounts without MFA are much easier to compromise as they do not have a secondary authentication factor enrolled that they need to use to gain access to systems. Note: users failing the Never Logged In check are not evaluated as part of this check, even if they do not have MFA configured.

The default setting is 7 days after account creation - Make sure to modify the check's default settings for this check to better align results with your organization's procedures.

Tips for cleaning up No MFA Configured

Look through your Posture Score recommendations and find the recommendation that says "Require priority users to configure and utilize any MFA factor". Select the respective Failing Users to go to the Users page, pre-filtered on this information

  • Using the Status filter, select Active to identify accounts who have successfully signed in recently. Contact the end users in the list and require them to enroll a factor on their account immediately

  • Remove the Status: Active filter and review the users in the list. Delete any accounts that are no longer active and not needed. For unused accounts that are needed, contact the end user and require them to enroll a factor on their account immediately. Disable the account if the end user does not comply by a set timeframe

  • If applicable, temporarily exclude any users in this list from the No MFA Configured check and leave a comment with the necessary details

If the posture score recommendation does not exist, find the recommendation that says "Require users to configure and utilize any MFA factor". Select the respective Failing Users to go to the Users page, pre-filtered on this information

  • Focus on internal users first by enabling the User Type filter and selecting Internal

  • Using the Status filter, select Active to identify accounts who have successfully signed in recently

  • Add the Created Date column to the table if needed (see Never Logged In tips above for details on how to add columns) to find the accounts that have existed the longest amount of time without MFA configured. Click on the Created Date column header to sort from oldest to newest and delete any accounts that are no longer active and not needed. Contact the end users in the list and require them to enroll a factor on their account immediately

    • If applicable, temporarily exclude any users in this list from the No MFA Configured check and leave a comment with the necessary details

  • Once the Active users have been cleaned up, remove the Status: Active filter. Click on the Created Date column header to sort from oldest to newest. Delete any accounts that are no longer active and not needed, starting with the oldest creation date. For unused accounts that are needed, contact the end user and require them to enroll a factor on their account immediately. Disable the account if the end user does not comply by a set timeframe. Temporarily exclude users as needed

  • Deselect Internal from the User Type filter and work through the other user types based on your organization's priorities using the same techniques described above

Clean up complete - now what?

Once you have completed the clean up of a few checks we suggest doing the following:

  • Configuring your notification target on the cleaned up checks - This allows you to take quicker action on newly failing users, preventing the number of failing users from increasing substantially over time with you noticing. Cleaning up a couple of users here and there is much easier and saves a lot of time and effort compared to going through massive clean up processes a couple times a year

    • We do not recommend that you configure notification targets on these checks BEFORE you complete the clean up as it can overwhelm you more, and newly failing users may be less critical to take immediate action on

  • Review your organization's internal policies and processes based on your findings to identify areas for improvement - Are there any changes that can be made to onboarding or offboarding processes to ensure that unused accounts are removed automatically? Are there updates you can make to admin assignment procedures to ensure that admin accounts are not created if they are not really needed? Is there a reason that users are automatically granted access to certain resources or apps that frequently go unused - can you get rid of the resource all together or make access more 'as needed' ? Having these conversations can spark some great ideas to automate and proactively improve your organization's identity hygiene, and reduce the amount of manual clean up that needs to happen

  • Find new things to clean up - You've cleaned up a couple checks already, now it's time to find your next area to focus on! Use the Identity Posture Score to find high priority items or go through the list of checks to see everything that is available and find issues that are particularly concerning to your organization. Review the check recommendations and then utilize the same techniques, tips and features discussed above to make the clean up as manageable as possible.

Once your organization has spent some time addressing its postural issues, you can also start looking more into the Threat Detection functionality that Identity Intelligence has to offer.

Identifying and Investigating Threats

Even if your role's primary focus is investigating and responding to threats, or proactively threat hunting, we still highly recommend working with the relevant teams in your organization to follow the steps above for account clean up. This will make using Identity Intelligence easier to use and more effective since you can focus on the right accounts, rather than unnecessary dormant accounts that have lingered around for too long.

Once the clean up is complete, you can leverage Identity Intelligence to identify and investigate the attacks coming in on the accounts in your environment. There is a lot of data and detections available in Identity Intelligence that can easily overwhelm you and your team, which is why we recommend figuring out a plan first before diving in to the deep end.

Where to start

There are two ways you can start finding accounts to investigate

User Trust Levels

With the User Trust Level, the riskiest users are called out so that prioritization work is already done for you. Users who are assigned an Untrusted level should be investigated immediately. We also recommend investigating users with a Questionable level if time permits.

Per Check

Another way you can find users to investigate is on a per check basis. For some customers, there are specific threat based detections that are particularly of interest or of concern that they want to keep a very close eye on, so they choose to use this method alone - or combine it with the User Trust Level method.

Start by reviewing the list of available checks to determine if there are any checks that are critical to your organization to be alerted about. Like with account clean up, we recommend picking only a few checks (approx 3-5) to start with so that you and your team can get comfortable with operationalizing the checks first.

When you receive your first alert, practice investigating one user end to end to get a feel for how to operationalize Identity Intelligence in your organization.

How to investigate

When you have identified a user for investigation, you may not know where to start to get the information needed.

Depending on how to found the user - trust levels, failed checks, or just by accident - your investigation may have a different start point such as the Trust Level explainability, check explainability, or a strange looking user's activity flow widget.

Regardless of how you start - Identity Intelligence is full of information that can help you conduct your investigation, without having to jump around to different product consoles to try and compare activity logs.

After an investigation

Once you have successfully investigated a user end to end and remediated the account as needed, you need to remove the user from the list of failing users so that someone else does not spend time investigating the same person.

As with the account clean up, we also recommend using the findings of your investigations to identify wider organizational changes that can be made to improve the organization's posture and thus, reduce the risk of each threat, and time needed investigating.

For example - you may find that you have many users failing the A Bypass Code Was Used To Successfully Sign In check. Rather than consistently investigating these users to revoke long standing bypass codes, work with your teams to change the issuing process for bypass codes so that there is an automated expiration date or usage count instead. If there is rampant Personal VPN usage from risky VPNs, consider implementing a corporate policy that disallows usage of VPNs on corporate devices or to access corporate assets so that you can enforce this with end users. If you consistently see threats from certain IP addresses, IP ranges, or countries, work with your networking teams to ensure these IPs are blocked.

Once you feel comfortable with the volume of alerts coming in from the checks you initially chose to focus on, pick another few checks to add notification targets to so that you can start investigating users failing those checks as well!

Conclusion

We hope this article provided you with some helpful guidance on how to start using Identity Intelligence and incorporate it into your team's workflows. This just begins to scratch the surface of what is possible with Identity Intelligence. The more you use the tool, the more you will find. In the future, we plan to create new Journeys, like the Getting Started Journey that brought you here, to reflect this kind of information within Identity Intelligence directly!

For example, by default the Never Logged In check will fail on users who have not successfully signed in 7 days after their account was created. However, your organization's account creation procedure is to create accounts 14 days before a user's start date. In this case, it would be critical to to better align to that procedure, otherwise there will be many users failing the check who are not actually actionable.

Directly on the page - use the Failing check filter for the desired check, and then use additional filters or column sorting

To quickly access the same combination of filters later on, to your Identity Intelligence tenant. These filters are available to anyone with access to your tenant.

You can also download the list of failing users from a given check using the Download button above the table of failing users, which will include the information from the table, as well as the . If there are more than 1,000 users failing a check, you cannot download from this view. You must go to the Users page, using the View Users button in the middle of the table, and download there. If needed, use the filters to get to a group of 2,000 users or less so that you can download everyone

External users failing this check are typically low risk to remove as the account has never been used and can easily be re-added to your environment if needed. These accounts pose a risk because it is often unknown exactly what permissions or data access a guest user was given. Depending on how the user was invited into your environment, you can review the Invited By info in the source card on the user's .

Delete any accounts that were created at least 1 month ago and have never successfully signed in. You can download these users via .csv if needed (see for info). Temporarily any users from this check if there is a reason they need to remain in the system for a period of time

Users must be deleted directly at the identity data source (ex: Entra). However, if you have for Entra you can delete external Entra users through Identity Intelligence via the button on a given user's page

If the user has accounts in multiple sources, you can see where they are an admin in the source cards on the

Delete any accounts that were created at least 3 months ago and have never successfully signed in. You can download these users via .csv if needed (see for info). Temporarily any users from this check if there is a reason they need to remain in the system for a period of time

Delete any accounts that were created at least 3 month ago and have never successfully signed in. You can download these users via .csv if needed (see for info). Temporarily any users from this check if there is a reason they need to remain in the system for a period of time

Remove any users in the list, starting with the users with the oldest Last Seen date. Temporarily any users from this check if there is a reason they need to remain in the system for a period of time

Remove any users in the list, starting with the users with the oldest Last Seen date. Temporarily any users from this check if there is a reason they need to remain in the system for a period of time

The first way to identify concerning accounts is through User Trust Levels. At a high level, each user in your organization is assigned a User Trust Level that is calculated based on the user's context, behavior and common tendencies, and failing checks. You can read for more in-depth information.

To easily find these users, you can refer to the User Trust Level widget in the and select the desired trust level to drill into the users, or you can use the available on the Users page. From here, dive into any user to go to their where you can find the Trust Level widget at the top of the page, which details why the user received a particular score. Read the User 360 documentation to learn more about how to utilize the widget on this page to conduct your investigation.

There is also a check called User Trust Level Alert that detects users who have been assigned an Untrusted level. If desired, you can also modify the to fail users who have been assigned a Questionable level. We recommend adding a , such as the one created during the initial onboarding journey, to this check so that you can be proactively alerted to any new failing users and they can be investigated as quickly as possible.

For each desired check, look through the of some of the failing users, when available, to understand what types of behaviors or factors lead to users failing the given check. Once you have an understanding of what causes a user to fail each check, adjust the accordingly, if needed, so that they align with your organization's risk tolerance levels, policies, tools, etc. This ensures that whenever a user does fail a check, there is a higher likelihood that it is something worth investigating. For example - you see users failing the Users with Email Forwarding check because they are forwarding emails internally, so you add your company's domain to the Ignore List on the check settings, or you see users failing the Impossible Travel check with corporate IP addresses, so you import an with your office IPs and change the check's settings to exclude "good known IPs".

After adjusting any necessary check settings, add a , such as the one created during the initial onboarding journey, to each check so that you can be proactively alerted to any new failing users, instead of logging in daily to check if there are any new users failing the desired checks.

When investigating we recommend using the See in Context buttons that are available on both a given user's Trust Level widget on the Overview tab of the User 360, or in the check explainability if it is an . This takes you to the user's log where you can easily see the user's events, across all available systems, that happened before and after Identity Intelligence flagged the user.

You may also find yourself needing more information about a user, such as their location or the device they used, to better understand if certain events are actually malicious or not, or you may want to find out if any other users may be under similar attacks from the same IP. Get familiar with all the and the different functionality available in each tab. Because Identity Intelligence is pulling user data from multiples sources, it can provide an incredibly rich and in-depth view into an affected user with only a few clicks, making it much easier to compare events and identify concerning behavior, ultimately saving your team time and effort which is often critical in these situations.

If you do confirm that a user's account has been compromised, or highly suspect that it may have been, make sure to take the necessary steps to protect the account such as logging the user out of all sessions, resetting the user's credentials and factors, or even deprovisioning the account entirely and creating a new one. You can conduct certain from within Identity Intelligence directly as well if needed.

Depending on the result of your investigation and the , there are a few different that can be used so that the user will no longer fail the check. Review the documentation provided to understand the different triage options available and what triage action to use in each situation. We highly recommend not excluding users from checks when possible; however if it is needed, we recommended using a temporary exclusion so that the account can be audited and re-reviewed at a later date to determine if they should still be excluded from the given check.

🛣️
adjust the check's settings
save your filter
User 360 Overview tab
User 360 Overview tab
this article in our documentation
different tabs in the User 360
remediation actions
IP CIDR list
activity
above
above
above
check failure explainability
explainability
Identity Posture Score
Dashboard
write permissions
Identity Posture Score
event based check
User 360 Overview tab
type of check
check's settings
notification target
check's settings
notification target
Users
basic filters
exclude
Actions
exclude
exclude
exclude
exclude
triage options