Oort Knowledge Base
Week 37, 2022


Last updated 2 years ago

New features

New Check: Admin Impersonation in Okta

Okta offers the ability for admins to impersonate any user in their account (and benefit from the permissions of that user in the environment).

While this can be useful for admins to do their job, if an attacker manages to take over an Okta admin account, they can essentially access any resource in the company. This technique is believed to have been used recently in relation to the Lapsus$ breach.

In response to this, we have created a new check that alerts you when an admin impersonates a user in Okta, so you can investigate and make sure that this capability was used legitimately.

Choose the data you want to see in User Authentication Factors table

Across the board, we are making the tables throughout the Oort interface increasingly easy to read, use and download. This week, we are giving you the capability to choose which columns you want to see in the Authentication Factors table of the User360 page, and to save your preferences.

To customize the table, click on the "Columns" button in the table header and toggle the column options in the popup menu. Note that the options marked with a lock icon cannot be toggled off.

To save the table settings, click on the "Save as default" button at the bottom of the menu. The settings are saved on the device currently in use.

Recently added factors tagged in User Authentication Factors table

When performing an investigation on a user suspected to be a victim of malicious activity, it is recommended to check and review any recent changes in MFA factors, since attackers may add factors to an account to retain easy access to it later.

We are making this easier and more obvious by tagging any authentication factor added in the last 7 days, and showing the tag on the User360 page.

Azure applications with expired or soon-to-be-expired certificates are tagged and highlighted

Whenever you perform an investigation, any piece of context can be helpful. That’s why we now tag Azure applications with expired or soon-to-be-expired certificates, and show that tag in the applications page of a User360.

The "App expiration warning window" is configurable in the "Upcoming App Key Expiration" check settings (the default value is 90 days).

Failing check actions now available from the check page users list

This usability improvement aims to further reduce the time it takes to investigate and take remediation steps.

The actions menu (that was already available in other places in the interface) is now available directly in the users table of any check page.

From here you can:

  • Send a notification:
    • to the users themselves, by email or direct message (Slack, MS Teams)
    • to a specific direct message channel (Slack, MS Teams)

  • Exclude the user from the check

  • Redirect to the user details page and view the corresponding activity logs

  • Mark the finding as Interesting or False Positive. As a reminder, Oort uses that feedback to continually improve the accuracy of the checks.

Filter by External Session ID on Risky Parallel Sessions

Previously it was tricky to visualize events related to a parallel sessions check on the activity view. We were only able to filter by some events, but not by sessions, making it a very manual job.

When investigating a parallel sessions check, the session IDs are now much easier to see and read.

Additionally, you can now click on a session ID and be redirected to the activity view with the appropriate filter applied. Alternatively, you can click on "View activity from all sessions", which joins all session IDs with OR, generating a query like "session1" OR "session2".

The user activity stream page now contains activities impacting the user

Showing activities performed by an admin on the user helps in understanding the security posture of that user. For example, if an admin impersonates a user, it is critical to know that when performing an investigation on that user.

The user’s activity tab now shows activities performed by an admin on the user in addition to the activities performed by the user.

Past activities performed on users as targets will not be backfilled into the activities view. The stream will include such activities from now on.

The context of a check failure is now stored in the audit record

When investigating the timeline of a user, it is common to see a failed check event. If you click on that event, you will now see the details of why this check failed in the first place, without having to navigate somewhere else. This makes investigations faster, and improves total time to remediation.

Build factors list based on OIE Authenticator enrollment methods

Okta's new Identity Engine (OIE) added "Authenticators" and "Authenticators to users" enrollments as security methods. MFA events now reference those methods by authenticator ID rather than by user factor ID, as was the case in the classic Okta engine.

We now support this new model, to provide accurate Okta MFA factors list and usage counts.

For this to work, make sure that in your Okta integration advanced settings the "Authenticators" and "Authenticators to User" data types are selected for data collection.

Better display of explainability details

Previously we displayed all explainability details as raw JSON, making them hard to scan when there were nested objects inside the details.

Now we parse the explainability details: if they are strings or numbers, we render them as a list. Only when there are nested objects do we show them as JSON.
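As an added illustration (example code, not Oort's own), the rendering rule above as a small Python function: scalar details become list entries, and only nested objects fall back to JSON. It goes slightly beyond the paragraph by also rendering arrays of scalars inline as arrays rather than as 0:/1: objects. The sample details dict is constructed.

```python
import json
from typing import Any, Dict, List

# Constructed sample of check-failure "explainability details" (not real product
# data): a mix of scalar fields, an array of scalars and one nested object.
SAMPLE_DETAILS: Dict[str, Any] = {
    "factor_type": "sms",
    "days_since_last_login": 42,
    "recent_factor_added": True,
    "session_ids": ["sess-a1", "sess-b2"],
    "device": {"os": "macOS", "managed": False},
}


def _is_scalar(value: Any) -> bool:
    """Strings, numbers, booleans and None render inline; anything else is nested."""
    return value is None or isinstance(value, (str, int, float, bool))


def render_details(details: Dict[str, Any]) -> List[str]:
    """Render explainability details as human-readable lines.

    Scalar values become "key: value" entries. Arrays whose members are all
    scalars are shown as a bracketed array (never as an object with 0:, 1: keys).
    Only nested objects, or arrays containing objects, fall back to a JSON dump.
    """
    lines: List[str] = []
    for key, value in details.items():
        if _is_scalar(value):
            lines.append(f"{key}: {value}")
        elif isinstance(value, list) and all(_is_scalar(v) for v in value):
            lines.append(f"{key}: [{', '.join(str(v) for v in value)}]")
        else:
            # Nested structure: compact, key-sorted JSON so it stays scannable
            lines.append(f"{key}: {json.dumps(value, sort_keys=True)}")
    return lines


if __name__ == "__main__":
    for line in render_details(SAMPLE_DETAILS):
        print(line)
```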

Bug fixes

On top of all those exciting new capabilities, we have been squashing some bugs:

  • Truncating failed-notification Slack messages
    • Programmatic Slack messages have a limit of 3,000 characters per text field. Exceeding it caused an error that prevented the message from being delivered.
    • In cases where the failing check context exceeds this limit, we now truncate the context information in the Slack message.

  • Adding Workday checks compatibility
    • We did not show HRIS checks that are compatible with the native Workday integration. Now we do!

  • Handling of whitespace in uploaded IP CIDR files
    • When an uploaded IP CIDR file had trailing empty lines after the JSON data, we failed to parse the file. We now parse these files correctly.

  • Provider card for Auth0 was missing on the user details page
    • The ETL was checking an Auth0 user type that has since been removed from the API, so the Auth0 provider card was not listed on the User Details page.

  • Duo phone method status
    • The Duo response contains an activated field that is false when Duo Mobile is not enabled. We now split Duo phone method status detection based on that field, and mark only the Duo Mobile factor based on it.

  • Duo SMS usage count
    • We fixed the Duo SMS usage count.

  • Display arrays in the JSON renderer properly
    • Previously arrays were shown in object representation (0: value, 1: value, etc.). They are now parsed properly as arrays.
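The IP CIDR upload fix above, as an added example (not Oort's own code) of a parser that tolerates trailing blank lines and whitespace around the JSON document and around each entry, validates every CIDR, drops duplicates, and reports invalid entries instead of aborting the whole upload. The array-of-strings file layout and the sample upload are assumptions; the real upload format is not described on the page.

```python
import ipaddress
import json
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample upload (assumed layout: a JSON array of CIDR strings),
# followed by trailing blank lines and whitespace, the shape that used to break parsing.
SAMPLE_UPLOAD = '''[
  "10.0.0.0/8",
  " 192.168.1.0/24 ",
  "2001:db8::/32",
  "203.0.113.7",
  "not-a-cidr"
]


'''


def parse_cidr_upload(text: str) -> Tuple[List[Network], List[str]]:
    """Parse an uploaded CIDR list. Returns (accepted networks, rejected entries)."""
    # Blank lines and whitespace around the JSON document are not part of it:
    # strip them before decoding instead of failing the whole file.
    body = text.strip()
    if not body:
        raise ValueError("uploaded file is empty")
    entries = json.loads(body)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of CIDR strings")

    networks: List[Network] = []
    rejected: List[str] = []
    seen = set()
    for raw in entries:
        candidate = str(raw).strip()  # per-entry whitespace is tolerated too
        if not candidate:
            continue  # an empty string inside the array is just noise
        try:
            # strict=False lets a host-bit address like 192.168.1.5/24 normalise
            # to 192.168.1.0/24; bare addresses become /32 or /128 networks.
            net = ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            rejected.append(candidate)  # report, do not abort the upload
            continue
        if net not in seen:
            seen.add(net)
            networks.append(net)
    return networks, rejected


if __name__ == "__main__":
    nets, bad = parse_cidr_upload(SAMPLE_UPLOAD)
    print("accepted:", [str(n) for n in nets])
    print("rejected:", bad)
```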

Deprecated features

We removed obsolete dashboards from our UI. While those dashboards provided value when they were created, their functionality has been replicated and enhanced via new checks and better reporting in the Users and Checks sections.