Week 3, 2024

🟢 Exclude Known Good IPs

A large amount of false positive alerts causes not only unnecessary noise, but also contributes to overall alert fatigue. This week, we released the ability to ‘Exclude known good IPs’ on various checks. This is the best and most effective way administrators can address false positives with our IP-based checks.
To best utilize this feature, you need to have the IPs marked as trusted within Entra trusted locations or upload the CIDR lists to the Oort platform and set the ‘Exclude known good ips’ setting to true in the check setting. The default for this check is set to false.
Note: You can set ‘Exclude known good ips’ to true without having Entra trusted Locations or uploading a CIDR file however, nothing will be filtered.

☁️ Cloud-Only indicator for Azure

We know the ‘Role Assigned to Azure Cloud Only Account’ check within Oort detects if a new account has been assigned permissions and applications in Entra ID but not in Active Directory. Through extended research and feedback, we found that this does not just affect new accounts; you could have a large number of admin accounts in your environment that are ‘Cloud-Only’. To ensure we raise awareness, we have added visibility throughout the platform to better identify current admin accounts that are ‘Cloud-Only’.
There are two ways to determine cloud-only admin accounts in your environment. One is on the Azure AD user card in the overview section of the user360 profile. You will see the ‘is Cloud Only Account?’ parameter.
You can also go to the search on the ‘Users’ tab using the "Is Administrator Of" sidebar filter combined with ‘isCloudOnlyUser:true’. This will provide you with a list of all admin users identified as ‘Cloud-Only’ accounts.
Note: You need to be in advanced search mode to utilize this command in the search.

🤖 Oort Bot in Slack Enhancements

In the latest release, we provided you with the ability to retrieve ‘Full User Details’ from our Oort Bot for Slack. In this release, running the commands in Oort Bot for Slack, now gives the ability to link back to the Oort platform via ‘See in Oort’. If you need to perform further investigation, utilizing the ‘See in Oort’ link will take you directly to the respective screen with Oort for a seamless way to continue your investigation.
Gaining visibility into any user within your environment with user activity after a status change is crucial, as it allows you to gain insights into any attempts at unauthorized access. We have introduced a search parameter that provides you with users exhibiting activity inconsistent with their current status. In advanced search mode on the ‘Users’ tab, you can enter ‘userInconsistencyFeatures.isActiveSinceStatusChange:true’ to see the list of users.
For instance, using this search parameter, we can identify users with a status of 'Deleted' for some providers, but have successfully logged in after the deleted date with other providers.

📈 New Data Type for Duo Integration

We are continuously striving to ensure that our integrations are always up to par and collecting the latest data points. We can now collect ‘Policies’ data type from Duo. If you currently have the Duo integration set up, you will need to go to Integrations > Edit settings > Advanced Settings and check the ‘Policies’ checkbox within the Oort platform. This will be turned on by default for new Duo integrations.

Bug Fixes and Minor Improvements

  • Last seen custom values. Fixed a bug that caused the numbers to lose focus on the last seen custom filters on the User tab.
  • Frameworks Filter. Frameworks now have their own filter section separate on checks from topics. They are also separate categories in check details.
  • User IP in Blocked State explainability improvements. For the ‘User in Blocked State’ check explainability drawer, you now have the ability to click and filter on the user agent.
  • Bypass Code explainability improvements. For the ‘ A Bypass Code Was Used To Successfully Sign In’ explainability drawer, you can now see the unique id in the ‘Bypass Code Used’ field.
  • User Key Search. In basic search mode you can now search by user key.