Week 32, 2023

In this week’s release, we’ve introduced saved filters for the users tab, a new action for IT helpdesk teams, and even more context for checks. Read on, and enjoy!

💾 Save Time Querying Identity Population with Saved Filters

Earlier this year, we released the “Advanced Mode” for the search bar on the Users page, which enables you to create more complex queries across your entire identity population. This helps you to find specific parts of your population that have weaknesses. For example, you might want to see all guest accounts with weak forms of MFA that have been inactive in the last 30 days and experienced a password-spraying attack.
In this release, we’ve introduced saved filters. To create a new filter, simply select filters or craft your own advanced query in the search bar. Once you are happy, click the “Save” icon on the left-hand side of the search bar. You will be prompted to select a name for your saved filter. In the example below, I have created a filter called “Azure Admin Threats” that is filtered by “Administrator of Azure AD” and “High”, “Medium”, and “Low” User Risks.
You can create multiple saved queries, which are available from the “Saved Filters” dropdown on the left-hand side of the page.

📳 New Actions to Support IT Helpdesk Teams

We all know that attackers are increasingly targeting identities as part of their campaigns. Social engineering is a significant part of this, with sophisticated campaigns calling up IT helpdesk teams to impersonate an employee and seek to reset a password or reset MFA. Helpdesk teams need a way to verify the identity of a caller.
The context within user profiles can help to provide clues as to the legitimacy of the user, but another verification step is needed. In this release, we’ve introduced a new action item, Send Push Notification. By clicking this button, support teams can send a one-off push notification to the user’s phone. The response will be recorded within the Activity tab of the user profile.
This new feature is available for all customers with Duo configured and requires Duo’s Auth API.

💡 More Context for More Checks with Enhanced Explainability

When investigating a user with failing checks, it’s always helpful to have as much context as possible. Within the checks section of the User Profile, clicking a check row pops out a side panel on the right. This panel shows the most important details and context so you can understand the precise issue.
In this release, we have beefed up the information in this right-hand panel for five checks:
Suspicious Activity Reported by User, Personal VPN Usage, Weak MFA configured, Sign in Threat Detected, and Missing Value In Mandatory field.
To give you an idea of why this is useful, check out the Suspicious Activity Reported by User check below. This now includes the IP address (which you can pivot on), country, browser, devices, OS, and other attributes.
Similarly, for the Weak MFA configured check, you can see which identity provider(s) this applies to and specifically which factor was used. You can then pivot on the factor type to see what actions were performed during that session.

Bug Fixes and Minor Improvements

  • Microsoft Entra ID (Azure AD) Collection. We have extended data collection to include two new data types: message rules and device audit events. We will use message rules to collect and search for suspicious email forwarding rules.
  • Activity Tab Search. Advanced mode is now available within the Activity Tab of the User360 profiles. Selecting Control and Space will reveal the list of query suggestions.
  • Service Accounts. Service accounts are now excluded from the “User in IDP but not in HRIS” check, as it is not relevant for this account type.
  • IP Threats Filter. The Users Tab filters will now display different types of IP threats for you to search across. This includes Hosting, Malicious IP, Password Spray, Tor, and VPN.
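The Entra ID collection item above says message rules will be searched for suspicious email forwarding rules. As an added example (not the product's code), here is the kind of check a defender would run over collected rules, assuming they arrive in the Microsoft Graph messageRule shape (actions.forwardTo / redirectTo / forwardAsAttachmentTo recipient lists); the internal domain and the sample rules are constructed.

```python
# Added example (not the product's code): flag mailbox rules that forward or
# redirect mail outside the organisation. Assumes the Microsoft Graph
# messageRule shape (actions.forwardTo / redirectTo / forwardAsAttachmentTo
# as recipient lists, plus boolean delete / markAsRead actions).
from typing import Iterable

INTERNAL_DOMAINS = {"example.com"}  # constructed: the org's own mail domains
FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def forwarding_targets(actions: dict) -> list[str]:
    """Every address a rule forwards, redirects or attaches mail to."""
    targets = []
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = rcpt.get("emailAddress", {}).get("address", "")
            if addr:
                targets.append(addr.lower())
    return targets


def suspicious_forwarding(rules: Iterable[dict]) -> list[dict]:
    """One finding per rule sending mail to a domain not in INTERNAL_DOMAINS.

    Rules that also delete or mark the message as read hide the forwarding
    from the mailbox owner, so they are rated high rather than medium.
    """
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = [a for a in forwarding_targets(actions)
                    if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
        if not external:
            continue
        hidden = bool(actions.get("delete") or actions.get("markAsRead"))
        findings.append({
            "rule": rule.get("displayName") or rule.get("id", "?"),
            "external_recipients": external,
            "severity": "high" if hidden else "medium",
        })
    return findings


SAMPLE_RULES = [  # constructed sample data, not real tenant output
    {"id": "r1", "displayName": "Archive invoices",
     "actions": {"moveToFolder": "Archive"}},
    {"id": "r2", "displayName": "Team copy", "actions": {"forwardTo": [
        {"emailAddress": {"address": "Finance@example.com"}}]}},
    {"id": "r3", "displayName": ".", "actions": {"redirectTo": [
        {"emailAddress": {"address": "mailbox@external.invalid"}}],
        "markAsRead": True, "delete": True}},
]
```

Running `suspicious_forwarding(SAMPLE_RULES)` returns a single high-severity finding for rule "." (the one that redirects externally and then deletes the message); the internal forward and the archive rule are not flagged.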