Week 46, 2023
This week we're introducing two new checks, a "registered location" tag, and more. Read on to learn about the features our engineering team has released this week.
New Checks for Creation and Sign-Ins to New Identity Provider
Identity providers continue to be targeted by a variety of attackers, who abuse excessive permissions and a lack of monitoring to launch successful attacks. At Oort, we want to ensure that our detections are in line with the latest techniques used by attackers. You can read more about the use of cross-tenant impersonation here: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection.
To that end, we have introduced two new checks that detect when new identity providers (IdPs) are created and signed in to. Newly created IdPs are often legitimate and may be created for a variety of reasons, including testing. However, in light of recent breaches, it's vital to monitor for these events to confirm everything is OK.
The first check, "New IDP Created", simply detects newly created IdPs. With this check, you'll be able to easily identify the user behind the creation, their title, and the associated IP address.
The second (related) new check is "Sign In from Recently Created IDP". This check detects when an administrator successfully signs in to a newly created identity provider. By default, an IdP counts as "newly" created for 90 days, but this may be customized.
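The logic of the two checks can be sketched as follows. This is an added example, not Oort's code: the event schema, field names, and sample events are constructed for illustration, and only the check names and the 90-day default come from the text above.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not Oort's or any IdP's log format).
EVENTS = [
    {"time": "2023-05-01T09:00:00+00:00", "type": "idp.create", "idp": "idp-old",
     "actor": "alice", "title": "IAM Engineer", "ip": "198.51.100.7"},
    {"time": "2023-11-10T14:30:00+00:00", "type": "idp.create", "idp": "idp-new",
     "actor": "bob", "title": "Contractor", "ip": "203.0.113.45"},
    {"time": "2023-11-12T08:05:00+00:00", "type": "idp.signin", "idp": "idp-new",
     "actor": "carol", "is_admin": True, "outcome": "SUCCESS", "ip": "203.0.113.45"},
    {"time": "2023-11-12T08:10:00+00:00", "type": "idp.signin", "idp": "idp-old",
     "actor": "dave", "is_admin": True, "outcome": "SUCCESS", "ip": "198.51.100.9"},
    {"time": "2023-11-13T10:00:00+00:00", "type": "idp.signin", "idp": "idp-new",
     "actor": "erin", "is_admin": True, "outcome": "FAILURE", "ip": "203.0.113.80"},
    {"time": "2023-11-13T11:00:00+00:00", "type": "idp.signin", "idp": "idp-new",
     "actor": "frank", "is_admin": False, "outcome": "SUCCESS", "ip": "198.51.100.20"},
]


def run_checks(events, window_days=90):
    """Return findings for both checks; window_days is what counts as "newly created"."""
    window = timedelta(days=window_days)
    created_at = {}  # IdP id -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "idp.create":
            created_at[ev["idp"]] = when
            findings.append({"check": "New IDP Created", "idp": ev["idp"], "actor": ev["actor"],
                             "title": ev["title"], "ip": ev["ip"]})
        elif ev["type"] == "idp.signin":
            born = created_at.get(ev["idp"])
            # Only successful administrator sign-ins to an IdP created inside the window count.
            if (born is not None and ev["outcome"] == "SUCCESS" and ev["is_admin"]
                    and when - born <= window):
                findings.append({"check": "Sign In from Recently Created IDP", "idp": ev["idp"],
                                 "actor": ev["actor"], "ip": ev["ip"],
                                 "idp_age_days": (when - born).days})
    return findings


if __name__ == "__main__":
    for finding in run_checks(EVENTS):
        print(finding)
```

In this sketch, an IdP whose creation event is not in the input is treated as not recent, so the creation history fed in must cover at least the configured window.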
Registered Location Tag
When investigating a user's activity, devices, or failing checks, it can be extremely helpful to know their registered location. While this was already displayed in the User 360 Overview, you can now see this information from within any User 360 tab.
In this release, the Registered Location Tag is added to the right of the user's name in the top left corner.
With this tag prominently displayed, it is easier to assess the severity of a suspicious event (such as Impossible Travel or Session Hijacking).
Applications Added to Devices Tab
Over the past few weeks, we've been busy adding new functionality to the Devices tab of the User 360 profile. This has included displaying context on activities, IP addresses, and factors associated with access and authentication devices.
This week, there is a new section dedicated to viewing the applications that were used from specific devices. On the right-hand side of each application row, you can select "View Activity", which lets you pivot into the Activity tab and see all activity from that specific device for that specific application.
Receive a Message when a Slack Update is Available
Last week, we released the new Oort Bot for Slack. This updated integration provides a number of new capabilities to look up users and IP addresses from within your Slack app. To benefit from these capabilities, it's important to upgrade your Oort Bot to the latest version.
While this pending upgrade is displayed in the Integrations tab, we've made a change this week to make it even easier to stay up to date. This change simply sends you a Slack message to let you know that an upgrade is available. Please speak to your Oort admin to have this set up.
Bug Fixes and Minor Improvements
End User Active Status. The "IsActive" field will reflect logins to any identity providers.