Week 46, 2023
This week we’re introducing two new checks, a “registered location” tag, and more. Read on to learn about the features our engineering team has released this week.
Identity providers continue to be the target of a variety of attackers, who abuse excessive permissions and a lack of monitoring to launch successful attacks. At Oort, we want to ensure that our detections are in line with the latest techniques used by attackers. You can read more about the use of cross-tenant impersonation here: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection.
To that end, we have introduced two new checks that will detect when new identity providers (IdPs) are created and signed into. Newly created IdPs are often legitimate and may be created for a variety of reasons, including for testing. However, in light of recent breaches, it’s vital to monitor for these events to confirm everything is OK.
The first check, “New IDP Created”, simply detects newly created IdPs. With this check, you’ll be able to easily identify the user behind the creation, their title, and the associated IP address.
The second (related) new check is “Sign In from Recently Created IDP”. This check detects when an administrator successfully signs in to a newly created identity provider. By default, “newly created” means within the last 90 days, but this may be customized.
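The logic of the two checks described above can be sketched as follows. This is an added example, not Oort's implementation: it assumes Okta System Log event types as input, and the flattened record schema, the `ev` helper, and all sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

CREATE = "system.idp.lifecycle.create"        # Okta System Log event type (assumed input)
SIGN_IN = "user.authentication.auth_via_IDP"  # Okta System Log event type (assumed input)

def ev(time, kind, idp, actor, title, ip, outcome="SUCCESS", is_admin=True):
    """Build one flattened event record (hypothetical schema for this example)."""
    return {"time": datetime.fromisoformat(time), "type": kind, "idp": idp, "actor": actor,
            "title": title, "ip": ip, "outcome": outcome, "is_admin": is_admin}

# Constructed sample events; names and addresses are placeholders.
EVENTS = [
    ev("2023-08-01T09:00:00", CREATE, "idp-old", "alice@example.com", "IT Director", "198.51.100.7"),
    ev("2023-11-10T09:00:00", CREATE, "idp-new", "bob@example.com", "Help Desk Analyst", "203.0.113.50"),
    ev("2023-11-10T09:30:00", SIGN_IN, "idp-new", "carol@example.com", "Super Admin", "203.0.113.50"),
    ev("2023-11-11T08:00:00", SIGN_IN, "idp-new", "dave@example.com", "Org Admin", "203.0.113.51", outcome="FAILURE"),
    ev("2023-11-12T08:00:00", SIGN_IN, "idp-new", "erin@example.com", "Engineer", "192.0.2.10", is_admin=False),
    ev("2023-11-13T08:00:00", SIGN_IN, "idp-old", "carol@example.com", "Super Admin", "198.51.100.7"),
    ev("2023-11-14T08:00:00", SIGN_IN, "idp-corp", "carol@example.com", "Super Admin", "198.51.100.7"),
]

def detect(events, window_days=90):
    """Return (check, idp, actor, title, ip) findings for the two checks."""
    created = {}  # IdP name -> creation time observed in the log
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] != "SUCCESS":
            continue  # only completed creations and successful sign-ins count
        context = (e["idp"], e["actor"], e["title"], e["ip"])
        if e["type"] == CREATE:
            created[e["idp"]] = e["time"]
            findings.append(("New IDP Created",) + context)
        elif e["type"] == SIGN_IN and e["is_admin"]:
            born = created.get(e["idp"])
            # An IdP whose creation predates the log (idp-corp) has no known age
            # here; a real deployment would seed `created` from the IdP inventory.
            if born is not None and e["time"] - born <= timedelta(days=window_days):
                findings.append(("Sign In from Recently Created IDP",) + context)
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

With the default 90-day window, the sign-in through `idp-old` (created 104 days earlier) is not flagged; widening the window to 120 days flags it.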
When investigating a user’s activity, devices, or failing checks, it can be extremely helpful to know their registered location. While this was already displayed in the User 360 Overview, you can now see this information from within any User 360 tab.
In this release, the Registered Location Tag is added to the right of the user’s name in the top left corner.
With this tag prominently displayed, it is easier to assess the severity of a suspicious event (such as Impossible Travel or Session Hijacking).
Over the past few weeks, we’ve been busy adding new functionality to the Devices tab of the User 360 profile. This has included displaying context on activities, IP addresses, and factors associated with access and authentication devices.
This week, there is a new section dedicated to viewing the applications that were used from specific devices. On the right-hand side of each application row, you can select “View Activity”, which lets you pivot into the Activity tab and see all activity from that specific device for that specific application.
Last week, we released the new Oort Bot for Slack. This updated integration provides a number of new capabilities to look up users and IP addresses from within your Slack App. In order to benefit from these capabilities, it’s important to upgrade your Oort Bot to the latest version.
While this pending upgrade is displayed in the Integrations tab, we’ve made a change this week to make it even easier to stay up to date. This change simply sends you a Slack message to let you know that an upgrade is available. Please speak to your Oort admin to have this set up.
End User Active Status. The “IsActive” field will reflect logins to any identity provider.