Oort Knowledge Base

Overview Dashboard


Last updated 13 days ago

The Overview tab in the Identity Intelligence Dashboard provides a high-level view into your connected identity platforms and associated key metrics. This article provides details on each of the sections or widgets in the Overview dashboard tab.

The Overview dashboard displays metrics and visualizations on areas of interest including:

  • Integration Status

  • Identity Posture Score

  • User Trust Level

  • Identities

  • Check Triage Actions

  • Administrators

  • Applications

Integration Status

Purpose & Benefit: Quickly see the status and approximate traffic from each integration configured in your Identity Intelligence tenant.

The connected integrations are grouped by type, including Providers, Ticketing systems, Notification targets, SIEM platforms, etc.

For identity sources like Azure AD, Okta, Duo, etc., the last collection status (e.g. "Success") and average traffic metric are shown. Hover over the tooltip next to "Last Data Collection" on the left side of the widget to see the date and time of the last data collection for each connected identity source.

Note: Full admins in Identity Intelligence can also get more details on the integration status from the Integrations page in the left-hand menu bar.

Identity Posture Score

The Identity Posture Score is a single score calculated for your organization to help you quickly and easily determine your organization's posture state, as well as highlight areas of focus to improve your organization's overall identity security hygiene. The score utilizes multiple variables, many of which are visualized elsewhere in the Dashboard, to calculate a score for your organization.

To learn more about the Identity Posture Score and its thresholds, or what factors are included in the calculation, how it is calculated, why identity posture matters, how to improve your score and more, see our documentation about the Identity Posture Score.

There are two widgets in the Dashboard related to Identity Posture score which are described below.

Identity Posture Score

The first widget, Identity Posture Score, provides your organization's current Identity Posture Score. This widget shows you:

  • the organization's current score and score threshold category

  • the change (+ or -) to the score over the last 30 days

  • the last day the score was calculated

  • prioritized recommendations for how to improve your score, including

    • the number of users failing the check associated with the recommendation

    • the severity of the issue that is being recommended for remediation

The recommendations are ordered by impact to the posture score. This means that if the first recommendation in the list is fully remediated (0 failing users), you will see a bigger improvement in the score than if the second or third or last recommendation in the list was fully addressed, even though there may be more users associated with those other recommendations than with the first recommendation.

Select the number of users in the 'Failing Users' column to go to the Users page, pre-filtered for the users failing the selected check so that you can take action to improve your organization's identity posture score.

Additionally, other elements may contribute to your Identity Posture score. You may see 'Configure' in the 'Failing Users' column if the tenant does not have HRIS data configured (via the native Workday integration or a manual upload). Selecting 'Configure' will take you to the Integrations page where you can connect your HRIS data.

If a check used as part of the posture score is either disabled, or fails on settings instead of users, the 'Failing Users' column will say 'View Check'. Selecting 'View Check' will navigate to the specific check so it can be re-enabled (using the toggle next to the check name) or to review the failure.

Identity Posture Trend

The second widget, Identity Posture Trend, depicts changes to your organization's posture score over time so that you can see and report on your organization's progress, as well as better understand how different events may have impacted your organization's Identity Posture Score positively or negatively over time.

If you hover over a data point, each of which is marked by a dot on the trend line, you will see an explanation of why the score may have increased or decreased. The 3 attributes that contributed most to the score change will be displayed when you hover on a specific data point.

By default, this widget looks at the last 30 days; however, you can use the timeframe filter in the top right-hand corner of the widget to change the widget's timeframe to be longer or shorter depending on your needs.

User Trust Level

User Trust Level looks at different components that make up user risk, such as a user's context, behavior and common tendencies, to calculate a single User Trust Level. Trust Levels allow you to quickly and easily pick the riskiest users out of the crowd, so that you can investigate with urgency and remediate the situation as quickly as possible, reducing the attack timeframe or even preventing an attack from happening in the first place.

To learn more about User Trust Levels, what factors are included in the calculation, how it is calculated, and more, see our documentation about User Trust Levels.

There are two widgets in the Dashboard related to User Trust Levels which are described below.

Users per Trust Level

The Users per Trust Level widget displays the current breakdown of the number of identities in each Trust Level across your organization.

Not only does this graph give you a sense of where your users are at today, but it is also a quick and easy way to find users for investigations. Selecting one of the bars in this visualization will take you to the Users page, pre-filtered for the Trust Levels selected, so you can see all users who currently have a particular Trust Level.

Risky Users Distribution Over Time

The second widget, Risky Users Distribution Over Time, depicts fluctuations in the trust levels of the users in your organization over time. This widget can be useful to identify sudden spikes in User Trust Levels.

If you hover over a data point in this widget, each of which is marked by a dot on the trend line, you will see a tooltip with the count of users, segmented by Trust Level, for that given date.

By default, this widget looks at the last 30 days; however, you can use the timeframe filter in the top right-hand corner of the widget to change the widget's timeframe to be longer or shorter depending on your needs.

Selecting a value in the legend below the graph will remove the corresponding data points from the visualization.

Identities

Purpose & Benefit: Multiple identity-themed widgets make it easy to quickly assess the size of your total identity estate, as well as recent trends in your identity hygiene and security posture.

Identity Security Snapshot

The Identities widget provides total identities, protected population metrics, and key metrics around identity hygiene and threats, such as:

  • Inactive Guest Accounts

  • Never Logged In accounts

  • Inactive Account Probing

  • User Type Missing in user profile

You can select any of these numbers and it will take you to the corresponding Check details page or to a pre-filtered Users Page for further investigation.

Users per Source

The Users per Source widget further down the dashboard provides a breakdown of the number of identities in each connected identity platform.

Selecting one of the bars in this visualization will take you to the Users page, pre-filtered for the users derived from the selected integration.

Monthly Sign-ins

This widget provides details on the total number of monthly sign-ins, including a breakdown of success, failure, and other types of sign-in events.

Trends can be analyzed for changes, such as a high spike in failures or overall sign-in events.

Login Attempts per Country

Purpose & Benefit: This visualization can help you verify that recent sign-in attempts are originating from expected locations, and identify and quickly pivot to unusual or unexpected sign-in attempts using the map data or the table widget next to it.

At the bottom left of the Dashboard page, you can see a heat map of user login attempts - success or failure - globally over the past 30 days.

Hovering over a country in this visualization will show you the number of users with login attempts from that country. Selecting a country will take you to the User page, pre-filtered for the users with login attempts from the selected location.

Login Attempts from New Countries

Next to the map at the bottom, the Dashboard provides a table of login attempts from new countries for the tenant. 'New' countries are defined as countries that have not seen any activity for the past 90 days. The Users column displays the number of users who have login attempts from a given country. Login attempts are broken down by outcome - success, failure, other (block, challenge, etc.) - and are displayed as a count of unique login attempts. One user can have multiple attempts, as seen in the Bahamas example in the screenshot below.

You can select any value in the table to go to the Users page, pre-filtered for users with the selected outcome. For example, selecting the 2 in the Users column in the Malaysia row will show the two users with any sign-in attempt from Malaysia, regardless of outcome, whereas selecting the 9 in the Success column of the Malaysia row will show only users that had successful sign-ins from Malaysia. Users in this list will likely also be failing the New Country for Tenant check, if the activity has been in the past 7 days.
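The following Python sketch is an added illustration of the table logic described above, not Identity Intelligence code. It rebuilds the per-country rows and the Users/outcome pivots from constructed sign-in events; the field names, outcome strings and the 30-day recent window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)  # constructed reference time


def _ev(days_ago, user, country, outcome):
    return {"time": NOW - timedelta(days=days_ago), "user": user,
            "country": country, "outcome": outcome}


# Constructed sample events (not real tenant data).
EVENTS = (
    [_ev(d, "alice", "Malaysia", "SUCCESS") for d in range(1, 6)]    # 5 successes
    + [_ev(d, "bob", "Malaysia", "SUCCESS") for d in range(1, 5)]    # 4 successes
    + [_ev(2, "bob", "Malaysia", "FAILURE")]
    + [_ev(d, "carol", "Bahamas", "FAILURE") for d in (1, 2, 3)]     # one user, many attempts
    + [_ev(3, "carol", "Bahamas", "CHALLENGE")]
    + [_ev(60, "dave", "Germany", "SUCCESS"), _ev(2, "dave", "Germany", "SUCCESS")]
    + [_ev(d, "alice", "United States", "SUCCESS") for d in (1, 40, 100)]
)


def bucket(outcome):
    """Map a raw outcome to success / failure / other (block, challenge, etc.)."""
    return {"SUCCESS": "success", "FAILURE": "failure"}.get(outcome.upper(), "other")


def new_country_table(events, now, recent_days=30, baseline_days=90):
    """Rows for countries with recent attempts and no activity in the prior 90 days."""
    recent_start = now - timedelta(days=recent_days)      # assumed display window
    baseline_start = recent_start - timedelta(days=baseline_days)
    seen_before = {e["country"] for e in events
                   if baseline_start <= e["time"] < recent_start}
    rows = defaultdict(lambda: {"users": set(), "success": 0, "failure": 0, "other": 0})
    for e in events:
        if recent_start <= e["time"] <= now and e["country"] not in seen_before:
            row = rows[e["country"]]
            row["users"].add(e["user"])          # Users column counts distinct users
            row[bucket(e["outcome"])] += 1       # outcome columns count attempts
    return {c: {**r, "users": len(r["users"])} for c, r in rows.items()}


def pivot_users(events, now, country, outcome=None, recent_days=30):
    """Users behind a table cell: any attempt (outcome=None) or one outcome bucket."""
    start = now - timedelta(days=recent_days)
    return sorted({e["user"] for e in events
                   if e["country"] == country and start <= e["time"] <= now
                   and (outcome is None or bucket(e["outcome"]) == outcome)})


if __name__ == "__main__":
    for country, row in sorted(new_country_table(EVENTS, NOW).items()):
        print(country, row)
    print(pivot_users(EVENTS, NOW, "Malaysia", "failure"))
```

Germany and the United States are excluded because they have activity inside the 90-day baseline, which is the distinction an analyst relies on when treating a row in this table as unexpected.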

Check actions taken over last 30 days

The Check Actions widget was developed to provide Identity Intelligence platform admins and other users insights into the different actions that other colleagues are taking in the platform on user check failures over the last 30 days. The metrics displayed in this widget include:

  • User activity marked as normal behavior

  • User activity marked as interesting

  • Users excluded or re-included in a check

Selecting any of the metrics in this widget will take you to the System Logs, pre-filtered on the action selected, where you can see more detailed information on the date the action was taken, who took the action, and which user account and check failure the action was taken on.

Administrators

Purpose & Benefit: Quickly answer an often difficult question for organizations - how many administrators do I have in each platform and where are they logging in from recently?

The Dashboard contains a couple of widgets to highlight the administrators within your environment, as well as their recent activity, since these users have higher privileged access to your IDPs and present a higher security risk if their accounts were to be compromised.

Administrators per Source

The Administrators per Source widget provides a breakdown of the number of Admin users in each connected identity platform.

Selecting any of the bars in this visualization will take you to the Users page, pre-filtered for administrators of that specific integration.

Administrator Logins

Purpose & Benefit: Quickly monitor activity and spot admin account logins from unexpected networks and locations, including ones that have been tagged with a poor IP reputation or other alerts.

The Administrator Logins widget shows a log of each administrator's most recent login activity, including the user's name, email address, the IP address for their last login and the IP location, any tags for that IP address, and the sign-in result - Success, Failure, etc.

Selecting the blank space of a row or the 'open in new tab' icon next to the Admin's name will open the Admin's User360 in the same window or a new tab, depending on what is selected.

Applications

The Dashboard also contains a couple of widgets focused on application usage within your environment. Removing user access from unused applications, especially sensitive/critical business applications, can not only help you save on licensing costs, but also improve your organization's security posture by reducing unnecessary application access.

Sensitive Applications Activity

Purpose & Benefit: Highlights users who could be deprovisioned from sensitive apps, reducing the overall attack surface and the blast radius for a given account should it be compromised, while also reducing license costs for your organization.

The Sensitive Applications Activity widget provides a breakdown of the number of accounts that are assigned an application and are using that application compared to accounts not using the application.

Selecting either segment ('using the application' or 'not using the application') of one of the bars in the visualization will take you to the Users page, pre-filtered for the selected application and user segment.

Least Used Apps

The Least Used Apps widget shows you the applications that are most frequently unused by the accounts that have access to them.

Selecting any of the application names in the list will take you to the Users page, pre-filtered for users that have been assigned the selected application.

To customize the list of sensitive applications to align with your organization's preferences, go to the Sensitive Applications area of Tenant Settings within the platform. Documentation on how to configure your sensitive applications list can be found here.