📈Oort Dashboard Overview

Oort Dashboard at-a-glance

The Oort Dashboard tab provides a high-level view into your connected identity platforms and associated key metrics.

This article provides details on each of the sections or widgets in the Dashboard tab. For more information on the origin and value of the Dashboard tab, please see this blog.

Integrations and Status

The top section or widget in the Dashboard provides an overview of the connected integrations, grouped by type, such as Providers, Ticketing systems, Notification Targets like Slack or Teams, or SIEM platforms.

For Providers like Azure AD, Okta, Duo, etc., the last collection status ("Success") and average traffic metric is shown.

Note that full admins in Oort can also get more details on the integration status from the Integrations tab at the top middle of the console.

Purpose & Benefit: Quickly see the status of your integrations and approximate traffic from each.

Identities

The Dashboard contains several widgets for better understanding your identity source metrics, including trends and changes in these platforms.

Purpose & Benefit: Quickly assess both size of total identity estate and recent trends in identity hygiene and security posture.

Identity Security Posture Trends

First widget provides total identities, protected population metrics, and key metrics around identity hygiene and threats, such as -

Inactive Guest Accounts
Never Logged In accounts
Inactive Account Probing
User Type Missing in user profile

You can click on any of these numbers and it will take you to the corresponding Check details page for further investigation.

Users per Source

The Users per Source widget further down the dashboard provides a breakdown of the number of identities in each connected identity platform.

Monthly Sign-ins

This widget provides details on the total number of monthly sign-ins, including a breakdown of success, failure, and other types of sign-in events.

Trends can be analyzed for changes, such as a high spike in failures or overall sign-in events.

At the bottom left of the Dashboard page, you can see a heat map of the login attempts - success or failure - for the world over the past 30 days.

Purpose & Benefit: Ensure visually that recent sign-in attempts are originating from expected locations and pivot to unusual or unexpected sign-in attempts using the map data or table next to it.

Next to the map at the bottom, the Dashboard provides a table of login attempts from new countries for the tenant. New countries are defined as not having seen any activity from that country for the past 90 days.

You can click each row of the table and it will take you an advanced query on the Users page, showing the users who have recent activity from that new country. Users will likely also be failing the New Country for Tenant check, if the activity has been in the past 7 days.

Administrators

The Dashboard provides two important widgets for understanding your administrator population.

Purpose & Benefit: Quickly answer an often difficult question for organizations - how many administrators do I have in each platform and where are they logging in from recently?

Administrators per Source

The first widget provides a breakdown of how many user accounts with some level of elevated privileges exist in each of the connected identity sources.

Recent Admin Logins

The widget next to it shows a list of recent admin account logins from all the connected platforms.

You can click each user to view their activity, or you can also click the IP addresses to search for activity from that user or all users.

Purpose & Benefit: This is extremely valuable in the sense that you can quickly monitor activity and spot admin account logins from unexpected networks and locations, including ones that have been tagged with a poor IP reputation or other alerts.

MFA Status

The top-level MFA widget provides metrics and links to the associated Check details page for a number of important MFA adoption and usage metrics, including accounts with -

No MFA configured
Weak MFA configured or used to sign in (e.g. SMS, email, phone call factors)
MFA Flood events (also known as push fatigue)
Telecom MFA limits, indicating an account has been getting a large number of MFA challenges
Admins with only Weak MFA methods

Purpose & Benefit: All organizations have an urgent need to understand their MFA posture across their various IAM platforms. This widget provides stats on coverage and also the trends of key MFA metrics.

MFA Factor Prevalence

Another very important aspect of MFA security is which types of factors are configured and which ones are actually in use in your environment.

An important part of MFA adoption is understanding if users have strong factors such as Webauthn or FIDO security keys enabled, but are continuing to use weak, non-phishing resistant factors like SMS or email.

Purpose & Benefit: Quickly assess the status of your MFA factors in use and track migrations to stronger factors or other MFA usage anomalies.

Sensitive and Unused Applications

An important part of identity security revolves around application entitlements, particularly for sensitive applications.

Within the Oort tenant settings, you can configure a custom list of sensitive applications for your IAM platforms, such as Salesforce, Netsuite, etc.

This list is then used in the Dashboard widget to display a graph of how many users have access to each of those sensitive apps vs. the number actually using them in the past 30 days.

Purpose & Benefit: Often, the chart shows that many users could be deprovisioned from sensitive apps, reducing the overall attack surface and also the blast radius for a given account, should be it be compromised.

Click through on an application in this widget to see a Users page list of the assigned users for that application.