Week 3, 2024
Exclude Known Good IPs
A large number of false-positive alerts not only creates unnecessary noise but also contributes to overall alert fatigue. This week, we released the ability to "Exclude known good IPs" on various checks. This is the most effective way administrators can address false positives from our IP-based checks.
To use this feature, mark the IPs as trusted in Entra trusted locations or upload a CIDR list to the Oort platform, then set "Exclude known good IPs" to true in the check's settings. The default for this setting is false.
Note: You can set "Exclude known good IPs" to true without having Entra trusted locations or an uploaded CIDR file; however, nothing will be filtered.
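How an exclusion of this kind works, as an added Python example that is not Oort code: it parses an uploaded CIDR list, drops alerts whose source IP falls inside a trusted range, and reproduces the caveat above that the setting does nothing when no trusted ranges exist. The alert records, CIDR entries and field names are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample alerts from an IP-based check (not from the page).
SAMPLE_ALERTS = [
    {"user": "alice", "check": "Sign-in from new country", "ip": "203.0.113.45"},
    {"user": "bob",   "check": "Sign-in from new country", "ip": "198.51.100.7"},
    {"user": "carol", "check": "Sign-in from new country", "ip": "2001:db8:1::22"},
]

# Constructed upload: one entry per line, '#' comments and blank lines allowed.
SAMPLE_CIDR_FILE = [
    "203.0.113.0/24   # office egress",
    "2001:db8:1::/64  # office IPv6 prefix",
    "",
    "# 198.51.100.0/24 was removed after an audit",
]


def parse_cidr_list(lines: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse a CIDR list. Bare addresses become /32 or /128 networks and
    host bits are masked off (strict=False) so '10.1.2.3/24' is accepted."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_known_good(ip: str, trusted: List[ipaddress._BaseNetwork]) -> bool:
    """True if the address lies inside any trusted network.
    ipaddress returns False for a v4/v6 mismatch, so mixed lists are safe."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def filter_alerts(alerts, trusted, exclude_known_good: bool):
    """Apply the 'Exclude known good IPs' setting to a batch of alerts.
    With the setting off, or with an empty trusted list, nothing is filtered."""
    if not exclude_known_good or not trusted:
        return list(alerts)
    return [a for a in alerts if not is_known_good(a["ip"], trusted)]


if __name__ == "__main__":
    trusted = parse_cidr_list(SAMPLE_CIDR_FILE)
    for a in filter_alerts(SAMPLE_ALERTS, trusted, exclude_known_good=True):
        print("kept:", a["user"], a["ip"])
```

Only bob's alert survives: alice and carol sign in from the trusted office ranges. Running the same filter with an empty list returns all three alerts, which is the behaviour the note above describes.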
Cloud-Only Indicator for Azure
The "Role Assigned to Azure Cloud Only Account" check within Oort detects when a new account that exists only in Entra ID, with no counterpart in Active Directory, is assigned roles and applications. Through extended research and feedback, we found that this does not only affect new accounts; you could have a large number of admin accounts in your environment that are "Cloud-Only". To raise awareness, we have added visibility throughout the platform to better identify current admin accounts that are "Cloud-Only".
There are two ways to find cloud-only admin accounts in your environment. The first is the Azure AD user card in the overview section of the User360 profile, which shows the "Is Cloud Only Account?" parameter.
The second is the search on the "Users" tab: use the "Is Administrator Of" sidebar filter combined with "isCloudOnlyUser:true". This returns a list of all admin users identified as "Cloud-Only" accounts.
Note: You need to be in advanced search mode to utilize this command in the search.
Oort Bot in Slack Enhancements
In the previous release, we gave you the ability to retrieve "Full User Details" from the Oort Bot for Slack. In this release, command results in the Oort Bot for Slack include a "See in Oort" link back to the Oort platform. If you need to investigate further, the "See in Oort" link takes you directly to the corresponding screen in Oort so you can continue your investigation without interruption.
User Activity Related to Status Change Indicator
Visibility into users whose activity continues after a status change is crucial, because it surfaces attempts at unauthorized access through accounts that should no longer be usable. We have introduced a search parameter that returns users whose activity is inconsistent with their current status. In advanced search mode on the "Users" tab, enter "userInconsistencyFeatures.isActiveSinceStatusChange:true" to list these users.
For instance, this search parameter identifies users who have a status of "Deleted" in some providers but have successfully logged in through other providers after the deletion date.
New Data Type for Duo Integration
We continuously work to keep our integrations current and collecting the latest data points. We can now collect the "Policies" data type from Duo. If you already have the Duo integration set up, go to Integrations > Edit settings > Advanced Settings in the Oort platform and check the "Policies" checkbox. This is enabled by default for new Duo integrations.
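The kind of inconsistency this search surfaces, as an added Python example that is not Oort's implementation: it compares each provider's status-change timestamp against successful sign-in events from any provider and reports users who signed in after being marked Deleted, Disabled or Suspended, so it generalizes beyond the Deleted case in the text. The users, providers, timestamps and field names are constructed sample data.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed per-provider account status with the time of the last status change.
SAMPLE_STATUS: Dict[str, List[dict]] = {
    "dave": [
        {"provider": "Entra ID", "status": "Deleted", "changed_at": "2024-01-10T09:00:00Z"},
        {"provider": "Okta",     "status": "Active",  "changed_at": "2023-06-01T00:00:00Z"},
    ],
    "erin": [
        {"provider": "Entra ID", "status": "Disabled", "changed_at": "2024-01-12T00:00:00Z"},
        {"provider": "Duo",      "status": "Active",   "changed_at": "2023-01-01T00:00:00Z"},
    ],
    "frank": [
        {"provider": "Entra ID", "status": "Active", "changed_at": "2023-01-01T00:00:00Z"},
    ],
}

# Constructed sign-in events from several providers.
SAMPLE_SIGNINS = [
    {"user": "dave",  "provider": "Okta",     "at": "2024-01-15T14:22:00Z", "success": True},
    {"user": "dave",  "provider": "Okta",     "at": "2024-01-05T14:22:00Z", "success": True},
    {"user": "erin",  "provider": "Duo",      "at": "2024-01-13T08:00:00Z", "success": False},
    {"user": "frank", "provider": "Entra ID", "at": "2024-01-15T10:00:00Z", "success": True},
]

# Statuses after which any successful sign-in is inconsistent.
INACTIVE_STATUSES = {"Deleted", "Disabled", "Suspended"}


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample data as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_since_status_change(statuses, signins) -> Dict[str, List[dict]]:
    """Return {user: [evidence, ...]} for users with a successful sign-in on any
    provider later than the time some provider marked them inactive.
    Failed sign-ins are ignored: only a success proves the account still works."""
    successes: Dict[str, List[dict]] = {}
    for ev in signins:
        if ev["success"]:
            successes.setdefault(ev["user"], []).append(ev)

    findings: Dict[str, List[dict]] = {}
    for user, records in statuses.items():
        for rec in records:
            if rec["status"] not in INACTIVE_STATUSES:
                continue
            cutoff = _ts(rec["changed_at"])
            for ev in successes.get(user, []):
                if _ts(ev["at"]) > cutoff:
                    findings.setdefault(user, []).append({
                        "inactive_in": rec["provider"],
                        "status": rec["status"],
                        "since": rec["changed_at"],
                        "signed_in_via": ev["provider"],
                        "at": ev["at"],
                    })
    return findings


if __name__ == "__main__":
    for user, evidence in active_since_status_change(SAMPLE_STATUS, SAMPLE_SIGNINS).items():
        for e in evidence:
            print(f"{user}: {e['status']} in {e['inactive_in']} since {e['since']}, "
                  f"but signed in via {e['signed_in_via']} at {e['at']}")
```

Only dave is reported: his 15 January Okta sign-in follows the 10 January deletion in Entra ID, while his 5 January sign-in predates it. Erin's post-disable attempt failed, and frank was never marked inactive.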
Bug Fixes and Minor Improvements
Last seen custom values. Fixed a bug that caused the number fields in the last seen custom filters on the Users tab to lose focus.
Frameworks filter. Frameworks now have their own filter section on checks, separate from topics. They are also shown as separate categories in check details.
User in Blocked State explainability improvements. In the explainability drawer for the "User in Blocked State" check, you can now click and filter on the user agent.
Bypass Code explainability improvements. In the explainability drawer for the "A Bypass Code Was Used To Successfully Sign In" check, you can now see the unique ID in the "Bypass Code Used" field.
User key search. In basic search mode you can now search by user key.