Week 2, 2024

✅ New Check for Identifying User IP in Blocked State

We have implemented the ‘User IP in Blocked State’ check to offer visibility into users’ IP addresses being blocked by Okta. Oort will analyze data from multiple Okta sources, including ThreatInsights, Network Zones, declined policy events, rate-limit violations, phishing attempts, and suspected toll fraud.

With this insight, we empower help desk teams to easily and efficiently identify blocked users and the reasons behind the blocks.

In the explainability drawer, you gain additional context about the event, including details such as the blocked IP address, user title, and the Okta sources responsible for the IP block.

📍Registered Location Mismatch Check

A few releases ago, we released the ‘Registered Location Tag’, providing context about a user’s registered location. In this release, we have added the ‘Registered Location Mismatch’ check to offer further insight when a user is operating from one or more locations different from their registered one. Opening the explainability drawer allows you to delve deeper into users’ common working locations by country and state, so you can confirm that the registered location in your HRIS or IdP system is up to date.

By default, the check settings exclude remote employees, set the user location prevalence to 0.51, and include known Network Obfuscators in the ignore list. However, these settings can be customized to best fit your organization’s needs. You will also see the known Network Obfuscators in the default ignore list for the ‘Impossible Travel’ check.

🤖 Latest Oort Bot Capabilities in Slack

We are continuing to enhance the capabilities of our Oort Bot for Slack. As an administrator, when you navigate to the Oort Bot for Slack, you now have access to the ‘Get Full User Details’ action. This feature enables you to retrieve the comprehensive User Digest, including details such as working and registered location.

✅ Unusual Repo Access Check

This new check for GitHub will analyze atypical patterns of repository access within GitHub. As with many of our checks, you can customize the check settings; by default, the check flags a user who accesses 10 repos in a 1-day period. Monitoring users accessing numerous GitHub repositories enables the detection of anomalies, potential data exfiltration, and attempts at privilege escalation.
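To make the default concrete, here is an added example (not Oort’s code) of the kind of detection the check describes: a per-user rolling window that counts distinct repositories and raises once 10 are touched within one day. The event format, the rolling 24-hour interpretation of “1 day period”, and the sample events are all assumptions constructed for this illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Defaults named in the release notes: 10 repos within a 1-day period.
# Treating the day as a rolling 24-hour window is an assumption of this example.
REPO_THRESHOLD = 10
WINDOW = timedelta(days=1)

# Constructed sample events (actor, repo, timestamp); not real audit-log data.
BASE = datetime(2024, 1, 8, 9, 0)
EVENTS = (
    # alice: 12 distinct repos in 12 minutes -> should be flagged
    [("alice", f"org/repo-{i}", BASE + timedelta(minutes=i)) for i in range(12)]
    # bob: the same repo over and over -> distinct count stays at 1
    + [("bob", "org/repo-1", BASE + timedelta(minutes=i)) for i in range(15)]
    # carol: 10 distinct repos spread 5 hours apart (~45 h) -> never 10 in one day
    + [("carol", f"org/repo-{i}", BASE + timedelta(hours=5 * i)) for i in range(10)]
)


def unusual_repo_access(events, threshold=REPO_THRESHOLD, window=WINDOW):
    """Return {actor: (window_start, distinct_repos)} for each actor whose
    distinct-repo count reaches `threshold` inside any rolling `window`."""
    by_actor = defaultdict(list)
    for actor, repo, ts in events:
        by_actor[actor].append((ts, repo))

    findings = {}
    for actor, accesses in by_actor.items():
        accesses.sort()               # events may arrive out of order
        in_window = Counter()         # repo -> number of accesses inside the window
        left = 0
        for ts, repo in accesses:
            in_window[repo] += 1
            # Slide the left edge forward until every retained event fits in the window.
            while ts - accesses[left][0] > window:
                old_repo = accesses[left][1]
                in_window[old_repo] -= 1
                if in_window[old_repo] == 0:
                    del in_window[old_repo]
                left += 1
            if len(in_window) >= threshold:
                findings[actor] = (accesses[left][0], sorted(in_window))
                break                 # the first qualifying window is enough to raise
    return findings


if __name__ == "__main__":
    for actor, (start, repos) in unusual_repo_access(EVENTS).items():
        print(f"{actor}: {len(repos)} distinct repos within a day of {start}")
```

Counting distinct repositories rather than raw events is what keeps a user who hammers a single repository (bob) from tripping the check, while the rolling window keeps slow, spread-out access (carol) below the threshold.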

🛠️ Dashboard Improvements for MFA Prevalence

As you are aware, the ‘MFA Prevalence by User Count’ on the Oort dashboard offers a breakdown of the MFA factors in use versus MFA factors enabled. To enhance its value further, you now have the capability to click into each Factor and access user context related to the Factor prevalence.

For instance, clicking on the ‘9’ representing Okta SMS takes you to the ‘Users’ tab, where you can view the specific nine users with the factor enabled but not in use. Additionally, you can filter the ‘Factor Enabled Not in Use’ on the left column of the Users tab.

📣 Checks Explainability Improvements

As we continue to enhance the context we offer for event-based and some state-based checks, you will now find ‘Providers Failing Check’ in the explainability drawer when selecting the user associated with the check. This enhancement provides greater visibility into the providers linked to the failed check, facilitating more efficient investigations.

By clicking on a provider, you are directed to the activity tab of the user, where you can access all the events related to that specific provider.

Bug Fixes and Minor Improvements

  • Show only unique IP tags. Fixed a bug that caused multiple “Password_Spray” tags to populate on IPs on the Network tabs.

  • Remove "Reset MFA" button. We have removed the “Reset MFA” button on the profile page as we do not enforce Auth0 in prod.

  • Never Logged In. Expanded the ‘Never Logged In’ check to Microsoft Entra ID.

  • User360 Factor Table. We now show the Factor ID for each factor on the overview tab of the User360.

  • ‘is known good IP’ indicator. In user activity raw data, we now show a boolean for ‘is known good IP’.

  • 'Show more' button for Observations. Now when you have more than 5 observations you will see a ‘Show More’ button that gives you the ability to expand the observation list.
