Week 16, 2023
Over the past months, we’ve been working with many of you to ensure you can get the most out of the identity analytics in the Oort platform. In this week’s release, a new “Advanced” mode will be made available to Oort power users who want to dive even deeper into the identity population.
The Oort Users tab provides you visibility into your entire identity population (you can read why that’s non-trivial in this blog). In this release, we’ve introduced a new, updated Users tab that enables Oort power users to create simple but powerful queries that answer critical questions about your identity population.
First, and most notably, you now have the ability to enter “Advanced Query” mode. When in Advanced mode, you will be able to use Kibana Query Language to form more complex queries.
For example, if you want to understand which users in the GSuite Admins group have no MFA enabled, have recently logged in, and were the subject of an IP threat from a VPN or Tor proxy, you might write:
groupNames.keyword:"sg-gsuite-admins" AND mfaEnabled:false AND lastActive:{now-7d TO now-1d} AND ipAddressDetails.ipTags.name:(VPN OR TOR_Proxy)
Furthermore, if you select a quick filter from the left-hand side, that will create a chip in Basic mode. Clicking on that chip will convert it to Advanced mode and enable you to edit it.
At any stage, you can convert back to the Basic filter mode. Please note that any existing, bookmarked filters you may have will need to be updated to reflect these new filters.
Second, we’ve included more quick filters on the left-hand side to understand users belonging to specific groups. This will populate your existing groups so you can create more focused queries. For example, you may want to filter by external users sitting in Jira groups (note the difference between Basic and Advanced queries in the two screenshots below!).
Third, more data is available for the table than we could possibly display, so we’re giving you the option to customize this view. For example, you can choose to include further organizational information, such as “Created Date”, “Employee ID”, and “Manager Login”.
Finally, if you click into the “Last IP address” field, you will be taken directly to the Networks tab of the User360 profile, where you can see the context for the last IP address the user came from.
When a user is present in Salesforce, but not in the HR system, it can indicate that the user has access to applications but has not been employed by the organization, or the user was not properly de-provisioned from previous employment.
Oort already monitors for inconsistencies between your HR system, such as Workday, and your identity providers via the “User in IDP but not in HRIS” check. With this release, we’ve extended this coverage to Salesforce, enabling you to identify Salesforce users that are not listed in your HRIS.
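To make the two cases above concrete, here is an added sketch of the reconciliation logic (not Oort's own code). The record layouts and field names are assumptions, the sample data is constructed, and treating a terminated HRIS record as "not de-provisioned" goes one step beyond the simple "missing from HRIS" case.

```python
from datetime import date

# Constructed sample exports; field names are assumptions for this sketch.
HRIS = [
    {"email": "Ana.Diaz@example.com", "status": "active", "terminated": None},
    {"email": "bo.chen@example.com", "status": "terminated",
     "terminated": date(2023, 1, 31)},
]
SALESFORCE = [
    {"username": "ana.diaz@example.com ", "is_active": True,
     "last_login": date(2023, 4, 14)},
    {"username": "bo.chen@example.com", "is_active": True,
     "last_login": date(2023, 3, 2)},
    {"username": "contractor7@example.com", "is_active": True,
     "last_login": date(2023, 4, 10)},
    {"username": "old.temp@example.com", "is_active": False,
     "last_login": date(2021, 6, 1)},
]


def norm(addr):
    """Join key: compare addresses ignoring case and stray whitespace."""
    return addr.strip().lower()


def reconcile(sf_users, hris_workers):
    """Flag active Salesforce accounts with no active HRIS record behind them."""
    hris = {norm(w["email"]): w for w in hris_workers}
    findings = []
    for u in sf_users:
        if not u["is_active"]:
            continue  # a disabled account grants no access
        key = norm(u["username"])
        worker = hris.get(key)
        if worker is None:
            # Case 1: access exists, but HR has never heard of this person.
            findings.append({"user": key, "reason": "not_in_hris",
                             "login_after_termination": False})
        elif worker["status"] == "terminated":
            # Case 2: employment ended, the account survived.
            late = (u["last_login"] is not None
                    and u["last_login"] > worker["terminated"])
            findings.append({"user": key, "reason": "not_deprovisioned",
                             "login_after_termination": late})
    return findings


if __name__ == "__main__":
    for finding in reconcile(SALESFORCE, HRIS):
        print(finding)
```

A login dated after the termination date is the finding to triage first, since it shows the leftover account was actually used.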
Bug Fixes and Minor Improvements
System Logs Fix. We have implemented a fix for the NOT filter in the System Logs, which now operates as expected.
Tenant Access Logs. You can now filter by last access date within Tenant Access Logs, which is useful for access reviews.
Notification Targets. Identify notification targets (such as Slack) that are not currently in use.
Devices. Devices without the “isManaged” field from Azure will fail the “Unmanaged Device Access” check.
Titles from Workday. Titles in Workday can refer to the Position or Business Title. Oort will now combine these titles or remove the blank title.