Week 26, 2023

This week you can enjoy a new check, extended coverage of our GitHub Beta release, and enhancements to Check pages that make it easy to customize and operationalize insights from Oort.

⛔ Detect Logins from Countries on the US Embargo List

To ensure compliance, companies operating in the United States employ a system that identifies successful login attempts from countries subject to embargoes or other restrictions. This is something already detected by the likes of Okta, Duo, Google, and Microsoft.

The new “Access from Denied Countries” check provides another level of assurance and extends to our SaaS applications, such as Salesforce, which may fall outside of checks provided by identity providers.

This check enables you to continuously monitor for successful logins from a specific list of countries listed by the Office of Foreign Assets Control. This check applies to both internal and external accounts and extends across all integrations.

📖 Enhanced Check Settings

For a large number of checks, we give you the option to configure your own check settings. In fact, we’ve moved this Check Settings box higher on the page to make it straightforward to edit these settings. You can find the consolidated check settings in the top right corner of the check page.

In order to best understand what the check is detecting and why users are failing checks, we’ve included the default values of our detections within the “Details” of the check page. If you change the check settings, the description will automatically update so you always know why users are failing checks.

🔔 Check Details Notification

Many of you already have set up notifications for your checks so that failed user alerts automatically go to email and instant messaging channels. Some of these checks even let you message users and their managers with embedded security awareness training videos so they understand the risk. It’s a great way to operationalize Oort’s insights.

Over the last few weeks, we’ve made it easier to identify those checks with and without notification setup. In this release, the checks tab of the User 360 profile will clearly illustrate a) how many times an administrator has been notified and b) how many times a manager or user has been notified. This will make it easy to understand who has already been informed about this risk.

❓ Rare Brower Activity in GitHub

Oort already monitors for logins from unusual browsers, which can be indicative of a compromised account. For example, if a user is based in California, it would be surprising if they were accessing their work account from Yandex. With this release, we’ve extended coverage of this check to GitHub.

📜 Access Azure Provisioning Logs

Within the User360 profiles, the “activity” tab is extremely popular for understanding all the activities of a user across multiple identity providers. This context is useful for conducting user investigations or for troubleshooting IT help desk issues.

This tab includes a number of different events, including user authentications, session starts, and app role assignments. With this release, you will now be able to access Azure Provisioning Logs from within the Activity Tab.

Bug Fixes and Minor Improvements

  • Integrations. We have added a “test connectivity” option for ticketing services within the Integrations page.

  • Check Tuning. Our data science team has further tuned the Okta admin anomaly detection to ensure accuracy.

Last updated