❓Advanced Query Mode

01/2024

Overview

Oort introduced a new, updated Users tab that enables Oort power users to create simple but powerful queries that answer critical questions about your identity population.

First, and most notably, you now have the ability to enter “Advanced Query” mode. In Advanced mode, you can use Kibana Query Language (KQL) to form more complex queries.

Entering Advanced Mode & Adding Filters

  1. From the Users tab, click the Advanced button on the right side of the search bar.

    1. Alternatively, if you select a quick filter from the left-hand side menu, that will create a chip in Basic mode. Clicking on that chip will convert it to Advanced mode and enable you to edit.

  2. Additional filters can be added to the existing search string and edited in place.

  3. At any stage, you can convert back to the Basic filter mode.

Available Attributes & Auto-complete

The user records in Oort contain a large number of attributes or fields that can be queried in Advanced search mode.

The Attribute List is constantly being updated as new functionality and integrations are added.

The best way to find a particular attribute is to review the element structure below and then use Ctrl + Space in the bar to activate auto-complete and then start typing to find your desired attribute.

Operators

Oort Advanced search follows the standard KQL operators (see the KQL reference article), including -

  • AND

  • OR

  • NOT

  • _exists_

  • !_exists_

Examples

This section provides several examples for building queries within the Advanced search bar. For questions, please see your Oort representative.

Example 1 - Complex query with AND

To find users with the following set of parameters -

  • members of the GSuite Admins group

  • no MFA enabled

  • recently logged in

  • subject of an IP threat from a VPN or Tor proxy

The query would look like:

groupNames.keyword:"sg-gsuite-admins" AND mfaEnabled:false AND lastActive:{now-7d TO now-1d} AND ipAddressDetails.ipTags.name:(VPN OR TOR_Proxy)

Example 2 - IP Activity from a Specific Country

To find users with recent IP activity from a particular country, such as China, the advanced query would look like:

ipAddressDetails.location.country.keyword:"CN"

Example 3 - Accounts with no Employee ID attribute

To list user accounts without an Employee ID attribute value, the query would look like:

!_exists_:employeeId.keyword

Example 4 - Inactive users with specific naming convention

To find inactive users whose accounts start with "sa." and contain the word "company", the query would look like:

sa.*company* AND checkResults.checkId.keyword:inactive-users

Note - a free-text term (one without a field prefix, such as sa.*company* above) is searched across all indexed fields within the user profile, for example email address, UPN, etc.

Example 5 - Find admin accounts for a specific IDP

Oort attempts to determine admin privileges or roles granted to accounts. To search for the admin accounts associated with only one specific IDP, the query would look like one of the following, depending on the IDP desired:

integrationInstanceDetails.providerAdmin.keyword:"OKTA__true"

integrationInstanceDetails.providerAdmin.keyword:"AZURE_AD__true"

integrationInstanceDetails.providerAdmin.keyword:"G_SUITE__true"

Example 6 - Query for Microsoft License Types

Oort is able to collect assigned Microsoft license types through the Azure Graph API. This information is displayed in the Azure tile of the Overview tab for a user account.

To query for a specific license type, the search string would look like:

adActiveLicenses.keyword:("Azure Active Directory Premium P2")

Note that the License name value is a translation from the license UID provided through the Graph API.

Example 7 - MFA Factors

A common query is to search for the users who have a particular type of MFA factor enrolled, such as push notification, hardware security keys, etc.

Use the userFactors.factorType.keyword attribute to search for different enrolled factor types, as shown:

userFactors.factorType.keyword:"push"

The available factor types and names will vary based on which IAM platforms are connected to Oort. Some common factor names include:

webauthn
google_otp
push
okta_verify
okta_password
password
signed_nonce
okta_email
Security_key

A comprehensive list of factor types seen so far is below in the Factor List section.

Example 8 - Application Assignment and Usage

It is frequently useful to look for both which users have an application assigned and which users are actually using the application.

For example, to look for users who have application Salesforce SAML assigned, but not in use in their last 30 days of activity, the query would look like:

assignedAppNames.keyword:"Salesforce SAML" AND (NOT appNames.keyword:"Salesforce SAML")

Note that sensitive applications can be seen in the Oort Dashboard Overview tab, and all applications that are integrated via an IDP or directly can be seen in a user's Applications tab.

Example 9 - Device Usage

If you are looking for users with sign-in activity from a particular user-agent string or device type, for instance iPhones, the search string might look like:

lastSignIn.rawUserAgent.keyword:"Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Mobile/15E148 Safari/604.1"

Example 10 - Find a user by Duo Security alias

To find a user account by an alias in Duo Security, match the integration user key with a regular expression (written between forward slashes), in this format:

integrationInstanceDetails.userKey.keyword:/.*kheuck.*/
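Oort evaluates these query strings server-side, so nothing on this page shows how a query is actually parsed before it runs. The Python script below is an added example, not Oort's own code: it implements a small evaluator for the KQL subset used in the examples above (AND/OR/NOT with KQL precedence, parenthesised groups, field:(v1 OR v2), _exists_ and !_exists_, exclusive {lo TO hi} ranges with now-Nd date math, * wildcards, /regex/ values, .keyword exact matching and free-text terms) and runs Examples 1, 3, 4, 8 and 10 over two constructed user records. The records, logins, dates and the fixed NOW are assumptions made for the example; the field names follow the Attribute List below, and the matching rules are the standard Elasticsearch/KQL behaviour as this script models it, not a statement of Oort's exact implementation.

```python
"""Offline evaluator for the KQL subset used in the examples above (added example, not Oort's
own code; Oort runs these queries server-side in Elasticsearch). Sample records are constructed."""
import fnmatch
import re
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15)  # fixed "now" so date-math ranges are reproducible
TOKEN_RE = re.compile(r'\s*(\(|\)|\{[^}]*\}|"[^"]*"|/[^/]*/|[^\s()"{/:]+:|[^\s()"{]+)')

def parse(query):
    """Recursive descent, precedence NOT > AND > OR, into ('and'|'or', l, r), ('not', x) or ('term', field, value)."""
    toks = TOKEN_RE.findall(query) + [None]  # tokens: ( ) {range} "phrase" /regex/ field: term; None ends the query
    def take(expected=None):
        tok = toks.pop(0)
        if tok is None or expected not in (None, tok):
            raise ValueError(f"malformed query near {tok!r}")
        return tok
    def chain(op, operand):  # left-associative run of `operand` joined by AND or OR
        node = operand()
        while toks[0] and toks[0].upper() == op.upper():
            take()
            node = (op, node, operand())
        return node
    def unary():
        if toks[0] and toks[0].upper() == "NOT":
            take()
            return ("not", unary())
        tok = take()
        if tok == "(":
            node = chain("or", lambda: chain("and", unary))
            take(")")
            return node
        if not tok.endswith(":"):
            return ("term", None, tok)  # free text: field is None
        field = tok[:-1]  # field:value | field:(v1 OR v2) | _exists_:field | !_exists_:field
        if toks[0] != "(":
            return ("term", field, take())
        take("(")
        node = ("term", field, take())
        while toks[0] and toks[0].upper() in ("OR", "AND"):
            node = (take().lower(), node, ("term", field, take()))
        take(")")
        return node
    node = chain("or", lambda: chain("and", unary))
    if toks[0] is not None:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return node

def resolve(record, path):  # leaf values at a dotted path, descending through nested lists
    flat = lambda vals: [x for v in vals for x in (v if isinstance(v, list) else [v])]
    values = [record]
    for part in (path[:-8] if path.endswith(".keyword") else path).split("."):  # strip .keyword
        values = [item[part] for item in flat(values) if isinstance(item, dict) and item.get(part) is not None]
    return flat(values)

def all_strings(obj):  # every string leaf in a record, for free-text terms
    kids = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    return [obj] if isinstance(obj, str) else [s for v in kids for s in all_strings(v)]

def date_math(text):  # 'now', 'now-Nd' or an ISO date is all the page's ranges use
    m = re.fullmatch(r"now(?:-(\d+)d)?", text)
    return NOW - timedelta(days=int(m.group(1) or 0)) if m else datetime.fromisoformat(text)

def match_value(pattern, value, exact):
    if pattern[0] == "{" and pattern[-1] == "}":  # {lo TO hi} is an exclusive range
        lo, hi = pattern[1:-1].split(" TO ")
        return date_math(lo) < date_math(str(value)) < date_math(hi)
    if pattern[0] == "/" and pattern[-1] == "/":  # a Lucene regex must match the whole value
        return re.fullmatch(pattern[1:-1], str(value)) is not None
    pattern, text = pattern.strip('"'), str(value)
    if not exact:  # analysed text fields compare case-insensitively, .keyword fields exactly
        pattern, text = pattern.lower(), text.lower()
    return fnmatch.fnmatchcase(text, pattern)  # '*' and '?' are the KQL wildcards

def evaluate(node, record):
    kind, *args = node
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(evaluate(c, record) for c in args)
    if kind == "not":
        return not evaluate(args[0], record)
    field, pattern = args
    if field in ("_exists_", "!_exists_"):  # presence test on a field path
        return bool(resolve(record, pattern)) == (field == "_exists_")
    if field is None:  # a free-text term matches any string anywhere in the record
        return any(match_value(pattern, s, False) for s in all_strings(record))
    return any(match_value(pattern, v, field.endswith(".keyword")) for v in resolve(record, field))

USERS = [  # constructed population: hypothetical logins, dates relative to NOW
    {"login": "alice@example.com", "groupNames": ["sg-gsuite-admins"], "mfaEnabled": False,
     "lastActive": "2024-01-12", "employeeId": "E100", "assignedAppNames": ["Salesforce SAML"],
     "appNames": [], "ipAddressDetails": [{"ipTags": [{"name": "VPN"}]}],
     "integrationInstanceDetails": [{"provider": "DUO", "userKey": "kheuck"}]},
    {"login": "sa.company-backup", "groupNames": [], "mfaEnabled": False, "lastActive": "2023-09-01",
     "checkResults": [{"checkId": "inactive-users"}], "assignedAppNames": [], "appNames": []},
]

def run(query, users=USERS):  # logins in `users` that match the query string
    return [u["login"] for u in users if evaluate(parse(query), u)]
```

run(query) returns the logins that match; parse(query) on its own shows how precedence groups a query: a OR b AND c is read as a OR (b AND c), so explicit parentheses, as in Example 8, are the safer habit when mixing operators. The .keyword distinction is also visible here: ipAddressDetails.ipTags.name:vpn matches the VPN tag case-insensitively, while ipAddressDetails.ipTags.name.keyword:vpn does not.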

Attribute List

      "appNames.keyword",
      "assignedAppNames.keyword",
      "checkResults",
      "checksExplainability.details.key.keyword",
      "checksExplainability.details.value.keyword",
      "checksExplainability.eventIds",
      "checksExplainability.key.checkId.keyword",
      "checksExplainability.key.integrationInstanceId.keyword",
      "checksExplainability.observationId.keyword",
      "collected.key.keyword",
      "collected.value.keyword",
      "company.keyword",
      "dailySignInResults.day.keyword",
      "dailySignInResults.result.keyword",
      "dailySignInResults.signInCount",
      "department.keyword",
      "displayName.keyword",
      "division.keyword",
      "employeeId.keyword",
      "failingChecksCount",
      "firstCreatedDate.keyword",
      "groupNames.keyword",
      "hasLinkedEndUsers",
      "hasNewIpAddress",
      "hasNewIsp",
      "hasTickets",
      "hrisEmployeeId.keyword",
      "id.keyword",
      "integrationInstanceDetails.id.keyword",
      "integrationInstanceDetails.isAdmin",
      "integrationInstanceDetails.provider",
      "integrationInstanceDetails.providerAdmin.keyword",
      "ipAddressCount",
      "ipAddressDetails.asn.asn.keyword",
      "ipAddressDetails.asn.asnCountry.keyword",
      "ipAddressDetails.asn.asnDomain.keyword",
      "ipAddressDetails.asn.asnName.keyword",
      "ipAddressDetails.asn.asnType.keyword",
      "ipAddressDetails.coordinates.latitude",
      "ipAddressDetails.coordinates.longitude",
      "ipAddressDetails.dailySignInResults.day.keyword",
      "ipAddressDetails.dailySignInResults.result.keyword",
      "ipAddressDetails.dailySignInResults.signInCount",
      "ipAddressDetails.hitCount",
      "ipAddressDetails.ipAddress.keyword",
      "ipAddressDetails.ipTags.name.keyword",
      "ipAddressDetails.ipTags.source",
      "ipAddressDetails.isNew",
      "ipAddressDetails.isNewCountryForTenant",
      "ipAddressDetails.isNewIsp",
      "ipAddressDetails.isp.keyword",
      "ipAddressDetails.location.city.keyword",
      "ipAddressDetails.location.country.keyword",
      "ipAddressDetails.location.state.keyword",
      "ipAddressDetails.timestamp",
      "isAdmin",
      "isInProtectedPopulation",
      "isMsPimAdmin",
      "isOrgDataInconsistent",
      "lastActive.keyword",
      "lastModified.keyword",
      "lastSignIn.coordinates.latitude",
      "lastSignIn.coordinates.longitude",
      "lastSignIn.eventId.keyword",
      "lastSignIn.ipAddress.keyword",
      "lastSignIn.location.city.keyword",
      "lastSignIn.location.country.keyword",
      "lastSignIn.location.state.keyword",
      "lastSignIn.rawUserAgent.keyword",
      "lastSignIn.reason.keyword",
      "lastSignIn.result.keyword",
      "lastSignIn.timestamp",
      "lastSignInDeltaInHours",
      "lastSuccessfulLogin.keyword",
      "lastUpdated.keyword",
      "linkedEndUserLogins.keyword",
      "login.keyword",
      "managerLogin.keyword",
      "maxDailySignIn",
      "mfaEnabled",
      "notInHris",
      "notificationsDeltaSupport.keyword",
      "observations.checkId.keyword",
      "observations.context.key.keyword",
      "observations.context.value.keyword",
      "observations.eventIds.keyword",
      "observations.id.keyword",
      "observations.integrationInstanceId.keyword",
      "observations.observedAt",
      "organization.keyword",
      "rateLimitAlertTimestamp.keyword",
      "roleNames.keyword",
      "signInCount",
      "signInFailureRate",
      "status.keyword",
      "suppressedCheckIds.checkId.keyword",
      "tenantId.keyword",
      "ticketCount",
      "title.keyword",
      "userFactors.created",
      "userFactors.deviceId.keyword",
      "userFactors.deviceName.keyword",
      "userFactors.factorChanges.action.keyword",
      "userFactors.factorChanges.date",
      "userFactors.factorChanges.factorId.keyword",
      "userFactors.factorChanges.reason.keyword",
      "userFactors.factorChanges.result.keyword",
      "userFactors.factorProvider.keyword",
      "userFactors.factorType.keyword",
      "userFactors.id.keyword",
      "userFactors.integrationInstanceId.keyword",
      "userFactors.isNew",
      "userFactors.lastUpdated",
      "userFactors.lastUsed",
      "userFactors.numOfChanges",
      "userFactors.phoneNumber.keyword",
      "userFactors.providerType.keyword",
      "userFactors.status.keyword",
      "userFactors.tags",
      "userFactors.usageCount",
      "userFactors.vendorName.keyword",
      "userIds.keyword",
      "userRisks.detectionDateTime",
      "userRisks.eventId.keyword",
      "userRisks.riskDetail",
      "userRisks.riskEventType.keyword",
      "userRisks.riskLevel",
      "userRisks.riskState",
      "userRisks.tokenIssuerType",
      "userTags.keyword",
      "userTypeClassification"

Factor List

Across the different IDPs, factors may have a variety of different names, which may change or grow over time. The list below provides examples of factor names that Oort has seen so far.

okta_verify
okta_email
Passkey
Platform_authenticator_(passwordless)
webauthn
web
microsoftAuthenticatorPasswordless
Security_Key
Other
token:hotp
duo_mobile_passcode
windowsHelloForBusiness
yk
d1
Security_key
password
microsoftAuthenticator
duo
softwareOath
token:software:totp
webauthn-roaming
yubikey_token
okta_password
totp
sms
Touch_ID
token
phone
fido2
signed_nonce
phone_number
bypass_code
push
duo_push
google_otp
question
claims_provider
WebAuthn_Chrome_Touch_ID
u2ftoken
QR code
sms_passcode
email
phone_call
security_question
webauthn-platform
call
token:hardware
otp
custom_otp
509 Certificate
