Oort Knowledge Base

Slack

08/2024


Last updated 3 months ago

Overview

Identity Intelligence can integrate with one or more Slack tenants to both ingest Slack identities as a source AND provide notifications to Slack channels and users.

Privacy Policy

For information on the Cisco Identity Intelligence Privacy Policy, please see this resource.

Integration with Slack

To enable the integration with Slack, you will need to add the Cisco Identity Intelligence Bot for Slack available on the Slack Marketplace to your Slack workspace.

Identity Intelligence can have multiple target notification channels configured for the same Slack org.

Permission requirements within Slack

By default, any workspace member can install apps to Slack. However, many organizations have restricted the ability to install 3rd party apps to only administrators or via an approval process. If you don’t have permission to install apps, you may be able to submit an app request instead. If installing new apps is restricted to Slack Admins, you can also ask your Slack Admin to pre-approve the Identity Intelligence Bot app and then install it yourself once it has been approved.

NOTE - While Identity Intelligence asks for permission to view email addresses of people in your workspace for account identification purposes (shown in screenshot below), Identity Intelligence does not use the emails from Slack to actually send emails to users.

Geographic Distribution

Identity Intelligence maintains different bots for Slack for different geographic deployments (names listed below).

During the setup process, you will be automatically directed to the correct bot for Slack based on your tenant location. This is for informational purposes only and no action is required on your part.

  • Cisco Identity Intelligence Bot (this is our main bot, the U.S. deployment)

  • Cisco Identity Intelligence Bot AU

  • Cisco Identity Intelligence Bot EU

  • Cisco Identity Intelligence Bot JP

  • Cisco Identity Intelligence Bot UK

  • Cisco Identity Intelligence Bot SG

High-level Setup Steps

There are 3 steps you need to go through to set up the integration with Slack for your Identity Intelligence tenant to start receiving alerts about check failures:

  1. Add the Identity Intelligence Bot for Slack to your Slack workspace

  2. Configure the destination Slack channel for notifications within your Slack workspace

  3. In Identity Intelligence, create a new Integration for Slack

  4. Enable the Slack notification as a target in one or more Identity Intelligence Checks (none are selected by default - you must opt-in for specific Check failure notification messages)

Add Identity Intelligence Bot to Slack

To add the Identity Intelligence Bot for Slack, perform the following steps:

  1. Log in to Identity Intelligence with an Identity Intelligence full admin account that meets these requirements:

    1. The admin's account also exists in the desired Slack organization under the same user login

    2. The admin's account has permissions to install applications within your Slack organization (or the Identity Intelligence bot has been pre-approved for your org by a Slack Admin)

  2. From the Integrations tab, click on Add Integration

  3. From the Notification Targets list, select Add Slack Target

  4. Provide the following details for the integration

    1. Display name

    2. Description (optional)

    3. Select the purpose of this particular Slack notification target. This could be one or both of these options:

      1. Check failures - notifications will be sent for the configured Checks - see #configure-slack-notification-target-details

      2. Data collection - notifications will be sent to this channel if the data collection fails for any of the integrations

  5. Select Install Identity Intelligence Bot on your Slack Workspace

  6. On the next screen, check the box to confirm that the Identity Intelligence signed in user is a member of the target Slack org and then click the Install Identity Intelligence Bot for Slack button

  7. The browser will redirect to Slack to accept permissions for the Identity Intelligence Bot for Slack. Click Allow. Note:

    • You must be signed into the Slack workspace where you want to install the Identity Intelligence Bot for Slack.

    • To select a different workspace, use the drop-down menu in the upper right corner of the browser window.

  8. The browser will redirect back to the Identity Intelligence console and the name of your Slack workspace will now show in the Notification Target configuration screen. Select a target Channel or an individual user (required).

    1. Channel can be either a public channel OR a private channel the Identity Intelligence Bot for Slack was added to already.

      1. If you do not see the name of a private channel, add the Identity Intelligence Bot to the channel first and then use the Please refresh channel button shown below.

      2. You can only add the Identity Intelligence Bot for Slack to channels that your user on the Slack workspace can access.

    2. User is the email address of a member of the Slack workspace.

  • As mentioned above, the "Use this target for" can be a combination of Failed Check and/or Data Collection.

    • Failed Check means the notification target will be notified after checks are evaluated with the failed check results.

    • Data Collection means the notification target will be notified after a manually-triggered collection of an integration ends, or whenever a manual or scheduled data collection fails with an error. (shown below)

  9. Click Save in the upper right corner of the screen. The new integration with Slack will now be shown on the main Integrations screen.

  10. Repeat this process for any other Slack orgs OR to create new notification target channels within the SAME Slack org. Identity Intelligence can have multiple target notification channels configured for the same Slack org. As shown below, you can have multiple notification target types. To see the configured Checks for a particular target, click the blank space in that row to see the slide-out on the right-hand side.

Enable Notifications via Slack for Checks

The next, optional, step is to enable Slack notifications for one or more checks. By default, a notification target configured for "Failed checks" will get a message for each check that has users failing the check conditions. A notification target can be configured to be notified only for specific checks.

Navigate to the Checks page from the left side menu and then click on a specific Check type, such as Weak MFA Configured.

On the right side of the page, check the box to enable notifications for the Slack workspace and channel you configured.

The Slack workspace will now show as enabled for that Check type.

Within each individual Check details pane, you will be able to pick one or more notification targets for Slack channels or individual users.

Test Slack Notifications

To test the connectivity of the Slack notifications app:

  1. Go to the Integrations page

  2. Select the Slack notification target or use the 3 dot menu button

  3. Select the Test Connectivity button in the side panel or the menu to send a "verification" test message to the configured Slack channel

To test what a custom message for a specific failing check will look like:

  1. Go to a specific check page and click Customize Messages

  2. Customize the message as desired and select Save

  3. Click the Test button for the Slack Notification Target to send a test message to the signed in user, NOT the configured channel, to verify the custom message looks as intended
