☑️Understanding Check failures

Overview

The Checks page provides high-level information about all checks across all users in your environment, along with several filters, so you can quickly understand the state of your environment and identify areas in need of attention. The Checks page shows the full list of checks that are compatible with the identity data sources connected in your tenant. The check results in the table are ordered by compliance, starting with the checks that have the most users failing. Checks that are in full compliance can be found towards the bottom of the list.

The Checks page is different from the User 360 Checks tab, which only shows information about a given user's check failures.

To dive into a specific check failure and review the full list of failing users, click on any part of the row of the check you are interested in exploring.

The full list of available checks can be found here

Different Types of Checks

When looking at the available checks in the platform, you may notice that some checks are marked as Identity Posture Insight checks, while others are marked as Identity Threat Insight checks. Posture-based checks highlight ways to improve your organization's identity security hygiene, while Threat-based checks draw attention to potentially risky behavior that your end users, or someone pretending to be your end users, may be engaging in. It is important to address your posture-based issues, as doing so decreases the potential risk of every threat that comes in.

Behind the scenes, Identity Intelligence also categorizes checks as either state based or event based in order to retain and display a user's check history.

State-based checks are calculated on static entitlement information, such as: Is the user active? Does the user have MFA configured? Does the user have unused applications? Is the user sharing an authenticator with another user? Based on the response, a state-based check will fail and will remain failing until the response changes.

Event-based checks rely on event data, where a user, or someone pretending to be a user, engages in a particular activity that triggers the check failure. Examples of event-based checks are Weak MFA was used to successfully sign in, IP Threat Detected, Personal VPN usage, and Impossible Travel. If multiple unique events trigger an event-based check failure, the check displays 'Observations' on the given User's Check tab to keep a record of the individual events that caused the failure, rather than consolidating all the information into one check failure. For example, a particular user fails the New Country for Tenant check yesterday because of a login from Croatia, and tomorrow because of a login from Uruguay. Each event would be recorded as an individual failing observation for this particular user.

Observations are only noted on event-based checks. State-based checks do not have observations, as the check failure logic does not rely on event data.
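The difference between the two check types can be modeled in a few lines. This is an added example, not Identity Intelligence code: the data, field names, function names and the "country not yet seen in the tenant" rule are all assumptions made for illustration.

```python
import copy

# Constructed sample data; field names are hypothetical, not the product's schema.
USERS = {
    "ana": {"active": True, "mfa_configured": False},
    "raj": {"active": True, "mfa_configured": True},
}
# (day, user, country) sign-in events; HR = Croatia, UY = Uruguay, as in the text.
SIGN_INS = [(1, "raj", "US"), (2, "ana", "US"), (3, "ana", "HR"),
            (5, "ana", "UY"), (6, "raj", "HR")]


def state_check_no_mfa(users):
    """State based: evaluated on the current snapshot, so a user keeps
    failing on every evaluation until the underlying attribute changes."""
    return {name: not attrs["mfa_configured"] for name, attrs in users.items()}


def event_check_new_country(sign_ins, known_countries):
    """Event based: each triggering event becomes its own observation.
    Assumed rule: a country not yet seen anywhere in the tenant triggers it."""
    seen = set(known_countries)
    observations = {}
    for day, user, country in sorted(sign_ins):
        if country not in seen:
            seen.add(country)
            observations.setdefault(user, []).append((day, country))
    return observations


def remediate_mfa(users, name):
    """Return a new snapshot in which `name` has enrolled MFA."""
    fixed = copy.deepcopy(users)
    fixed[name]["mfa_configured"] = True
    return fixed


if __name__ == "__main__":
    print("state, before:", state_check_no_mfa(USERS))
    print("state, after :", state_check_no_mfa(remediate_mfa(USERS, "ana")))
    for user, obs in event_check_new_country(SIGN_INS, {"US"}).items():
        print(user, "observations:", obs)
```

Under the assumed rule, the day 6 sign-in from Croatia produces no observation because that country was already seen in the tenant on day 3.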

All Checks table

The section below details the fields that appear in the table, as well as the definition of each field:

Element | Definition

Check Compliance

Check

The name of a given check.
The severity of the check.
The scope of who is being evaluated against the check (end user or Identity Provider).
The names of any relevant frameworks or topics related to the check.
Any custom tags applied to a check, if present.

# Failing

The total number of users currently failing a given check.
The percentage change (increase or decrease) in number of users failing a given check over the last 7 days and 30 days.

# Excluded

The total number of users excluded from a given check

Report Channels

If a Notification Target has not been configured for a given check, an Add button is displayed in this column. Select the Add button to open a modal and choose from existing notification targets. If no notification targets are configured in your environment, the modal will say "No notification targets found"; click the Add Notification Target button to go to Integrations and configure one.
If one Notification Target has been configured for a given check, you will see the name of the configured notification target and an icon for the target type (Slack icon, email icon, etc.).
If multiple Notification Targets have been configured on the same check, this column will say 'Multiple Channels'.
To modify or add Notification Targets on a check that already has one or more targets configured, click the Pencil icon next to the target name to make changes.

Enabled

If a check is enabled, the check will be evaluated against the users in your protected population. A blue toggle to the right indicates a check is enabled.
If a check is disabled, users will not be evaluated against this check. A grey toggle to the left indicates a check is disabled.
By default, all checks are enabled. To disable a check, toggle the switch either from this column in the Checks table or from the specific Check page.

Checks page general actions

This section describes the high-level actions you can perform on the Checks page. Click through the tabs below to learn more about how to utilize each feature.

Filters

The Checks page is filterable by a number of attributes, enabling you to slice and dice all Checks based on the parameters that are important to you. You can see all the available basic filters on the left-hand side of the Checks page.

To enable a filter, click the check box for the attribute you would like to filter by. The applied filters will be added to the search bar. Distinct filters are separated by an AND operator. Within a given filter, selecting more than one value will separate the values with an OR operator (for example, Moderate OR Low).

To remove a filter, you can either deselect the attribute from the filters list on the left-hand side of the Checks page, or click the X on the right-hand side of the filter box in the search bar.

After you have selected your filters, the filters are retained as you navigate between different areas within the platform.
