Week 2, 2024
New Check for Identifying User IP in Blocked State
We have implemented the "User IP in Blocked State" check to offer visibility into users' IP addresses being blocked by Okta. Oort will analyze data from multiple Okta sources, including ThreatInsight, Network Zones, declined policy events, rate-limit violations, phishing attempts, and suspected toll fraud.
With this insight, we empower help desk teams to easily and efficiently identify blocked users and the reasons behind the blocks.
In the explainability drawer, you gain additional context about the event, including details such as the blocked IP address, user title, and the Okta sources responsible for the IP block.
Registered Location Mismatch Check
A few releases ago, we released the "Registered Location Tag", providing context about a user's registered location. In this release, we have added the "Registered Location Mismatch" check to offer further insight when a user is operating from a location(s) different from their registered one. Opening the explainability drawer allows you to delve deeper into users' common working locations based upon the country and state, ensuring that the registered location within your HRIS or IdP system is up to date for accuracy.
By default, the check settings exclude remote employees, have a user location prevalence set to 0.51, and include known Network Obfuscators in the ignore list. However, these settings can be customized to best fit your organization's needs. You will also see the known Network Obfuscators in the default ignore list for the "Impossible Travel" check.
Latest Oort Bot Capabilities in Slack
We are continuing to enhance the capabilities of our Oort Bot for Slack. As an administrator, when you navigate to the Oort Bot for Slack, you now have access to the "Full User Details" action. This feature enables you to retrieve the comprehensive User Digest, including details such as working and registered location.
Unusual Repo Access Check
This new check for GitHub analyzes atypical patterns of access within GitHub. As with many of our checks, you can customize the check settings from the default of accessing 10 repos in a 1-day period. Monitoring users accessing numerous GitHub repositories enables the detection of anomalies, potential data exfiltration, and any attempts at privilege escalation.
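The default rule above (10 repos in a 1-day period), sketched as an added example that is not Oort's own code. The event tuple shape, the sliding-window reading of "1 day", the "at least 10 distinct repos" comparison and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def unusual_repo_access(events, max_repos=10, window=timedelta(days=1)):
    """Return {user: (time_of_first_breach, distinct_repo_count)}.

    events: iterable of (iso_timestamp, user, repo) tuples (assumed shape).
    A user is flagged once the distinct repos touched inside a sliding
    window reach max_repos (assumption: >=, sliding rather than calendar day).
    """
    recent = defaultdict(deque)                     # user -> (time, repo) still in window
    counts = defaultdict(lambda: defaultdict(int))  # user -> repo -> hits in window
    flagged = {}
    for ts, user, repo in sorted(events):
        now = datetime.fromisoformat(ts)
        q, c = recent[user], counts[user]
        q.append((now, repo))
        c[repo] += 1
        # Expire accesses that fell out of the window before counting.
        while now - q[0][0] >= window:
            _, old_repo = q.popleft()
            c[old_repo] -= 1
            if c[old_repo] == 0:
                del c[old_repo]
        if len(c) >= max_repos and user not in flagged:
            flagged[user] = (now, len(c))
    return flagged


def sample_events():
    """Constructed sample data, not real audit logs."""
    base = datetime(2024, 1, 8, 9, 0)
    ev = []
    for i in range(12):  # alice: 12 distinct repos in about 3 hours
        ev.append(((base + timedelta(minutes=15 * i)).isoformat(), "alice", f"org/repo-{i}"))
    for i in range(40):  # bob: heavy activity, but only 3 distinct repos
        ev.append(((base + timedelta(minutes=10 * i)).isoformat(), "bob", f"org/svc-{i % 3}"))
    for i in range(10):  # carol: 10 distinct repos spread over several days
        ev.append(((base + timedelta(hours=8 * i)).isoformat(), "carol", f"org/lib-{i}"))
    return ev


if __name__ == "__main__":
    for user, (when, n) in unusual_repo_access(sample_events()).items():
        print(f"{user}: {n} distinct repos within 1 day, reached at {when.isoformat()}")
```

Counting distinct repositories rather than raw events keeps a busy user on a handful of repos (bob) from being flagged, and the sliding window keeps slow, multi-day access (carol) below the threshold.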
Dashboard Improvements for MFA Prevalence
As you are aware, the "MFA Prevalence by User Count" on the Oort dashboard offers a breakdown of the MFA factors in use versus MFA factors enabled. To enhance its value further, you now have the capability to click into each Factor and access user context related to the Factor prevalence.
For instance, clicking on the "9" representing Okta SMS takes you to the "Users" tab, where you can view the specific nine users with the factor enabled but not in use. Additionally, you can filter the "Factor Enabled Not in Use" on the left column of the Users tab.
Checks Explainability Improvements
As we continue to enhance the context we offer for event-based and some state-based checks, you will now find "Providers Failing Check" in the explainability drawer when selecting the user associated with the check. This enhancement aims to provide greater visibility into providers linked to the failed check, facilitating more efficient investigations.
By clicking on the provider, you are directed to the activity tab of the user, where you can access all the events related to that specific provider(s).
Bug Fixes and Minor Improvements
Show only unique IP tags. Fixed a bug that caused multiple "Password_Spray" tags to populate on IPs on the Network tabs.
Remove "Reset MFA" button. We have removed the "Reset MFA" button on the profile page as we do not enforce Auth0 in prod.
Never Logged In. Expanded the "Never Logged In" check to Microsoft Entra ID.
User360 Factor Table. We now show the Factor ID for each factor on the overview tab of the User360.
"is known good IP" indicator. In user activity raw data, we now show a boolean for "is known good IP".
"Show more" button for Observations. Now when you have more than 5 observations you will see a "Show More" button that gives you the ability to expand the observation list.