Week 20, 2023
The latest updates to the Oort Identity Security Platform will help you to customize, visualize, and operationalize Oort’s identity insights. Read on to learn more!
Last week we released a new way to detect employees using personal VPNs. This check is already being used by a number of you. Now, based on some excellent feedback, we have some updates to help you further operationalize it.
Many of our checks come with the option to customize and tune them based on your specific needs and thresholds. For the Personal VPN Usage check, we’ve added to and improved these options.
In last week’s initial release, we gave you the option to define the percentage of successful logins coming from a personal VPN at which you want to be alerted. You can now also define the number of successful logins. By default this is set to 5 successful logins in the last 30 days, but it is customizable to any number of logins.
Customize Check Settings
Additionally, we’ve added the option to add specific VPNs to an Ignore List. By default, this Ignore List has three services listed: Cisco Secure Web Gateway, Google One VPN, and McAfee. You can easily delete these (which brings those services back into scope) or add new VPN services to the Ignore List.
With these new customization options, you will be able to ensure these checks fully align with your company policies.
Personal VPN Usage Check
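To make the interaction between the three settings concrete (login count, login percentage, and the Ignore List), here is a small re-implementation of the check's semantics as described above. This is an added illustration, not Oort's code; it assumes an upstream IP enrichment step has already labelled each login with the VPN provider it came from, and it assumes a user fails only when both the count and the percentage thresholds are met (the notes do not state how the two thresholds combine). The sample logins are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical re-implementation of the check semantics, for illustration only;
# this is not Oort's code. Assumes IP enrichment already labelled each login with
# the VPN provider it came from (None when the source was not a known VPN).


@dataclass(frozen=True)
class Login:
    user: str
    timestamp: datetime
    success: bool
    vpn_service: Optional[str]  # provider name from IP enrichment, None if not a VPN


@dataclass(frozen=True)
class PersonalVpnCheckSettings:
    min_vpn_logins: int = 5        # default per the release notes: 5 successful logins
    min_vpn_percent: float = 0.0   # percentage of successful logins from a personal VPN
    window_days: int = 30          # look-back window in days
    ignore_list: frozenset = frozenset(
        {"Cisco Secure Web Gateway", "Google One VPN", "McAfee"}  # default Ignore List
    )


def evaluate_personal_vpn_check(logins, settings, now):
    """Return {user: (vpn_login_count, vpn_login_percent, [providers])} for each
    failing user. Assumption: a user fails only when BOTH thresholds are met;
    only successful logins inside the window are counted at all."""
    window_start = now - timedelta(days=settings.window_days)
    per_user = {}
    for login in logins:
        if login.success and window_start <= login.timestamp <= now:
            per_user.setdefault(login.user, []).append(login)

    failing = {}
    for user, events in per_user.items():
        vpn_events = [
            e for e in events
            if e.vpn_service is not None and e.vpn_service not in settings.ignore_list
        ]
        count = len(vpn_events)
        percent = 100.0 * count / len(events)
        if count >= settings.min_vpn_logins and percent >= settings.min_vpn_percent:
            failing[user] = (count, percent, sorted({e.vpn_service for e in vpn_events}))
    return failing


# Constructed sample logins (not real data); a date in week 20 of 2023 is "now".
NOW = datetime(2023, 5, 19, tzinfo=timezone.utc)


def _login(user, days_ago, success=True, vpn=None):
    return Login(user, NOW - timedelta(days=days_ago), success, vpn)


SAMPLE_LOGINS = (
    # alice: 6 of 10 successful logins in the window come from NordVPN (60%)
    [_login("alice", d, vpn="NordVPN") for d in range(1, 7)]
    + [_login("alice", d) for d in range(7, 11)]
    + [_login("alice", 45, vpn="NordVPN")]                 # outside the 30-day window
    + [_login("alice", 2, success=False, vpn="NordVPN")]   # failed attempt, not counted
    # bob: 6 of 10 come from Google One VPN, which the default Ignore List excludes
    + [_login("bob", d, vpn="Google One VPN") for d in range(1, 7)]
    + [_login("bob", d) for d in range(7, 11)]
    # carol: 3 of 4 come from a personal VPN (75%) but below the default count of 5
    + [_login("carol", d, vpn="ExpressVPN") for d in range(1, 4)]
    + [_login("carol", 4)]
)

if __name__ == "__main__":
    print(evaluate_personal_vpn_check(SAMPLE_LOGINS, PersonalVpnCheckSettings(), NOW))
    # -> {'alice': (6, 60.0, ['NordVPN'])}
    cleared = PersonalVpnCheckSettings(ignore_list=frozenset())  # Google One VPN in scope
    print(evaluate_personal_vpn_check(SAMPLE_LOGINS, cleared, NOW))
    # -> alice and bob both fail
```

With the defaults only alice fails. Clearing the Ignore List brings bob into scope, and lowering the login count to 2 catches carol even though her login volume is small; raising the percentage threshold to 70 then drops alice again. Walking through those four settings combinations against the same data is a quick way to sanity-check a tuning change before rolling it out.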
The second significant update to the Personal VPN Usage check is around the response capabilities.
Within the Check Settings page, you can now define automated Slack, Teams, or Email messages to go to the User in question or their Manager. This message will let them know that they have failed the check, explain why this is important, and let them know that action will be taken soon to prevent this use. As always, these messages may be customized.
These automated messaging workflows enable you to save time chasing up individuals using personal VPNs.
Send Direct Messages
Security teams are often interested in learning which users are logging in from new countries. Oort’s dashboard already has a map view that shows the distribution of logins across the world. In this release, we’ve added a new table that specifically shows the top new countries that accounts have attempted to log in from in the last 30 days.
If you click into any row within the table, this will take you through to the full Users tab with the relevant advanced query. To learn more about Advanced Query Mode, check out our release notes from a few weeks back.
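The table above and its row drill-down can be reproduced from raw login attempts, which is useful if you want to cross-check what the dashboard shows. The following is an added example, not Oort's code: it assumes attempts are already enriched with a country code from IP geolocation, treats a country as "new" for an account when it appears inside the 30-day window but never before it, and uses constructed sample data. It also shows the main source of noise in this kind of table: an account with no history at all makes every country it uses look new.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical re-implementation, for illustration only (not Oort's code), of a
# "top new countries" table derived from login attempts. A country is "new" for
# an account if it appears inside the window but never in that account's history.


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    timestamp: datetime
    country: str  # ISO 3166 alpha-2 code from IP geolocation, assumed pre-enriched


def _split_by_window(attempts, now, window_days):
    """Return (baseline, recent): user -> set of countries before / inside the window."""
    window_start = now - timedelta(days=window_days)
    baseline, recent = {}, {}
    for a in attempts:
        bucket = recent if a.timestamp >= window_start else baseline
        bucket.setdefault(a.user, set()).add(a.country)
    return baseline, recent


def new_countries_table(attempts, now, window_days=30, top_n=5):
    """[(country, accounts)] ranked by how many accounts saw that country for the
    first time inside the window; ties broken alphabetically so the table is stable."""
    baseline, recent = _split_by_window(attempts, now, window_days)
    counts = {}
    for user, countries in recent.items():
        for country in countries - baseline.get(user, set()):
            counts[country] = counts.get(country, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


def accounts_for_new_country(attempts, now, country, window_days=30):
    """The drill-down behind a table row: users for whom `country` is new."""
    baseline, recent = _split_by_window(attempts, now, window_days)
    return sorted(
        user for user, countries in recent.items()
        if country in countries and country not in baseline.get(user, set())
    )


NOW = datetime(2023, 5, 19, tzinfo=timezone.utc)


def _attempt(user, days_ago, country):
    return LoginAttempt(user, NOW - timedelta(days=days_ago), country)


# Constructed sample attempts (not real data).
SAMPLE_ATTEMPTS = [
    _attempt("alice", 60, "US"), _attempt("alice", 5, "US"), _attempt("alice", 3, "DE"),
    _attempt("bob", 90, "US"), _attempt("bob", 10, "DE"), _attempt("bob", 2, "BR"),
    _attempt("carol", 40, "GB"), _attempt("carol", 7, "GB"),  # nothing new for carol
    _attempt("dave", 1, "FR"),                                 # no history: FR is "new"
]

if __name__ == "__main__":
    print(new_countries_table(SAMPLE_ATTEMPTS, NOW))
    # -> [('DE', 2), ('BR', 1), ('FR', 1)]
    print(accounts_for_new_country(SAMPLE_ATTEMPTS, NOW, "DE"))
    # -> ['alice', 'bob']
```

When reviewing such a table, treat rows driven by accounts with no baseline (like dave here) differently from established accounts that suddenly appear in a new country: the former is expected for new joiners, the latter is the case worth following up with the user.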
As we continue to release more checks for identity threat detection and identity posture, we now have well over 50 checks. This can make it difficult to quickly access the check pages you are most interested in.
In this release, we’ve added a handy new search bar that lets you search checks by title. For example, you can find all checks with “Okta”, “Azure”, or “Admin” in the title. In addition to this free-text title search, any filters you apply from the left-hand side now appear in the search bar, so you can see at a glance which filters are currently applied to the Checks screen.
Armed with this insight, you can then go and verify private VPN usage with the account and clarify the access policies.
Checks Search Bar
- Azure Factors. Authentication factors from Azure are now available within the User 360 profiles.
- Table Behavior. For tables in the Networks, Activity, and User tab, we will pin the first columns. This will mean you can always see the IP addresses, Date, or User names when scrolling to additional columns to the right.
- Event Streaming. You will see new guidance in the user interface for setting up event streaming, giving Oort the most recent data possible.
- User Groups. Within the “Groups” tab of the User 360 profiles, you will now see a “Group Type” field for Azure. Additionally, we have fixed a bug that created problems for displaying group names.
- Slack Feedback. We have removed the option to flag state-based checks (such as inactive users or HRIS discrepancies) as false positives, but have kept this capability for event-based checks (such as IP threats).