Oort Knowledge Base
  • Home
  • Glossary
  • 📊Dashboard
    • Get Started Dashboard
    • Overview Dashboard
    • MFA Dashboard
  • 👥Understanding your users
    • 📇Users
      • 💾Saved Filters
      • ❓Basic Search & Advanced Query Mode
    • 🩻User 360
      • 🗺️Overview Tab
      • 🔬Activity Tab
      • 📶Networks Tab
      • 💻Devices Tab
      • 🪺Applications and Groups Tabs
      • ✅Checks Tab
    • 🛠️Triaging Alerts and Remediation Actions
    • 🔗Linking User Accounts
    • 🤷User Statuses
  • 🗃️Applications
  • 💻Devices
  • 🧩Configuring Integrations
    • Managed Integrations
    • Auth0
      • Auth0 Data Integration
      • Auth0 Log Streaming & Marketplace App
    • Microsoft Entra ID (Azure AD) Data Integration
    • Microsoft Entra ID (Azure AD) SSO Integration
    • Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD)
    • Azure Sentinel SIEM Integration
    • AWS
    • AWS User-Based Access [Deprecated]
    • Duo Security Integration
    • Email Notifications
    • Github
    • Google Workspace Integration
    • Jamf
    • Jira Integration
    • Mailgun Integration
    • Microsoft Teams Notification Integration
    • Okta Log Streaming AWS EventBridge Integration
    • Okta Data Integration
    • Okta Workflows
    • Okta Integration Network - Production SSO App
    • Okta SSO
    • Polarity Integration
    • Salesforce Integration
    • SendGrid Integration
    • ServiceNOW Integration
    • Slack
    • Snowflake
    • Webex Notification Integration
    • Webhooks
    • Workday
      • Manual Import (CSV)
      • Report as a Service (RaaS)
  • ☑️Understanding Check failures
    • 🔍Reviewing Check Results
    • 🧹Customizing Checks
    • 📖Cisco Identity Insights
      • Identity Posture Management Insights
        • Access from Denied Territories
        • Allow/Block Email Logins
        • Application Login Bypasses SSO
        • Applications with Expired Secret
        • HRIS Discrepancies
        • Identity Intelligence Client Secret Expiring Soon
        • Inactive Account Probing
        • Inactive Guest Users
        • Inactive Users
        • Missing Value in Mandatory Field
        • Never Logged In
        • No MFA Configured
        • No Strong MFA Configured
        • Okta Long Running Sessions
        • Okta Session Length Policy Compliance
        • Personal VPN Usage
        • Provider User Type Missing
        • Rate Limit Alert
        • Role Assigned to Azure Cloud Only Account
        • Salesforce Direct Login Settings
        • Shared Mailbox Sign In Enabled
        • Slack User Inconsistencies
        • Telecom MFA Limit Reached
        • Unmanaged Devices Access
        • Unused Application for a User
        • Upcoming App Key Expiration
        • User Authorized to Bypass MFA
        • User Has Directly Assigned Application
        • User in IDP but not in HRIS
        • User Password Expiration Failure
        • User Stuck in Non-functional State
        • Users Sharing Authenticators
        • Weak MFA Was Used To Successfully Sign In
      • Identity Threat Detection Insights
        • A Bypass Code Was Used To Successfully Sign In
        • Access From Dormant Account
        • Accounts With Unusually High Activity
        • Active Account Under Heavy Attack
        • Activity From Untrustworthy ISP
        • Admin Impersonation in Okta
        • Admin Role Assigned to User
        • Authenticator Registration Anomalies
        • Code Exfiltration By Guest Account
        • Compromised Session
        • Google Drive File with Excessive Sharing Permissions
        • Impossible Travel
        • IP Threat Detected
          • IP Threat Detected In Depth
        • Login to Admin Console
        • MFA Flood
        • Microsoft Entra ID Admin Activity Anomaly
        • New Country for Tenant
        • New IDP Created
        • Okta Admin Activity Anomaly
        • Rare Browser Activity
        • Registered Location Mismatch
        • Risky Parallel Sessions
        • Service Account Successful Sign In
        • Shared Mailbox Successful Sign In
        • Sign In Threat Detected
        • Sign-in from Recently Created IdP
        • Successful Access from a Previously Only Failing IP
        • Super Admin Login to Google
        • Suspicious Activity Reported by End User
        • Unusual Repo Access
        • User IP in Blocked State
        • User Lock Out Risk Detected
        • User Trust Level Alert
        • Users With Defined Email Forward Rules
        • Users With New Email Forward Rules
        • Weak MFA Manually Activated and Utilized
  • ⚙️Tenant Settings
    • 👨‍💼Role-based Access (RBAC) and Tenant Access Logs
    • Systems Logs
  • 🏥Identity Posture Score
  • 🚨User Trust Level
  • How-to Guides
    • 🔐Accessing and Securing your Cisco Identity Intelligence Tenant
    • 🏎️Can Identity Intelligence analyze behavior and fail checks more frequently?
    • 🛂Importing Known IP Address Lists
    • 🔎Networks Tab & User Investigations
    • 🔁Okta Workflows Webhook Example
    • 🗃️Understanding HRIS Data and SCIM
    • MFA Factors FAQ
  • Public API
    • APIs
  • Troubleshooting & Support
    • API Permissions for Integrations
    • Responsible Disclosure Policy
  • Best Practices
    • 🛣️What’s Next? How to use Identity Intelligence effectively
    • 📚Identity Security Reading List
    • ✍️KPIs for
 IAM Teams
  • Blogs
    • 0ktapus for humans
    • Oort Releases GitHub Integration To Extend Identity Threat Detection
    • Oort Recognized Twice as a Sample Vendor in Gartner® 2023 Hype Cycle Reports™
    • Oort's Response Capabilities: Remediate Compromised Accounts with Just One Click
    • Oort Unveils Dashboard, Providing A Single Pane of Glass for Identities
    • Oort’s New Identity Security Dashboard
    • Oort Unveils Identity Technology Ecosystem, Bringing Identity Data out of Orbit and Into View
    • Oort: Your Security Layer On Top Of Okta
    • Populating the Unpopulated: Challenges of Building a Comprehensive User Inventory
    • Protecting IT Help Desk Teams Against Cyber Attacks
    • Protecting Salesforce Accounts from Takeovers and Ungoverned Access
    • Restrict Guest Access Permissions: Best Practices and Challenges
    • Seizing the Communication Opportunity: Aligning Perspectives in Identity Security
    • Session Hijacking in a Post-Genesis World
    • SIEM vs. Security Data Lake: Why it's Time to Rethink Your Security Program
    • Speaking the Same Language for Identity Security: Identify, Protect, Detect, Respond
    • State of Identity Security research reveals 40% of accounts use weak or no form of multi-factor authentication to protect identities
    • Strengthening Identity Controls: Mapping to CIS CSC and NIST CSF Security Frameworks
    • Strengthening Identity Security with Single Sign-On (SSO) Systems
    • Succeeding with Proper Detection for Identity Security: A Comprehensive Approach
    • Taking a Data-Driven Approach to Identity Security
    • The Concerning Prevalence of Weak Second Factors
    • The Crucial Role of an Identity Security Leader
    • Why I am Joining Oort
    • The Quest for a Passwordless World
    • Understanding Azure Active Directory (Azure AD)
    • Understanding the Implications of New SEC Rules on Cyber Incident Disclosure
    • Unlocking the Power of Zero Trust: The Crucial Role of Identity and Oort's Identity Security Platform
    • Respond Even Quicker to Identity Threats
    • What to Look Out For at Gartner IAM
    • 7 Critical Requirements for Securing Third-Party and Vendor Access
    • Best Practices for Efficiently Responding to Identity Threats
    • Announcing our Identity Technology Partner Ecosystem
    • Catching waves and building clouds
    • Cisco Announces Intent to Acquire Oort
    • CISO Perspectives: Eric Richard, HubSpot
    • Defining Roles & Responsibilities for an Identity Security Program
    • Detecting Session Hijacking
    • 8 Things to Look for in an ITDR Solution
    • Enhancing Identity Threat Detection: Introducing Oort’s New GitHub Integration
    • Founder Perspective: Matt Caulfield On Why He Started Oort
    • Founder Perspective: Vision To Reality
    • Four Reasons Why Traditional SIEMs Fall Short For Identity Security Programs
    • How Oort Partners with Duo for Unbeatable Secure Access
    • Governance, Risk, and Compliance
    • How to Find Inactive Users
    • Identity and Access Management and Oort Explained
    • 5 Identity Security Questions Every IAM Leader Needs to Answer
    • Identity security is bigger than just ITDR
    • Identity is the apex threat vector, so why is identity security still a mess?
    • Identity Threat Detection
    • Identity Threat Detection and Response: what you need to know
    • Identiverse 2023: What I'm Looking Forward to & What Not to Miss
    • Interview with Oort: Best Practices for Managing & Protecting Service Accounts
    • Interview with Alex “Sasha” Zaslavsky (Oort Data Science Lead)
    • Interview with Andy Winiarski (Head of Solutions Engineering)
    • Interview with Nicolas Dard (Oort’s VP of Product Management)
    • Introducing our Latest Integration to Protect Identities in AWS
    • Introducing The 2023 State of Identity Security Report
    • Maintaining a Strong Identity Security Posture: Why IAM Hygiene Matters
    • Managing Machine Identities: A Comprehensive Guide
    • Managing Risk In Shipwreck Diving and Security
    • Monitoring MFA Usage and Adoption: Strengthening Your Security Strategy
    • Okta Breach: Why Attackers Target GitHub, and What You Can Do to Secure It
    • Okta Security
    • Oort and Polarity Combine to Provide Instant Context on Identities
    • Oort + Polarity: Instant Identity Context to Power Investigations and Response
    • Oort Announces $15M in Seed and Series A Funding Round
    • Oort Stacks Go-to-Market Leadership Team Following Series A Investment
    • Oort Extends Identity Threat Detection with New AWS Integration
    • Announcing General Availability of the Oort Identity Analytics & Automation Platform
    • Oort Joins Forces with Microsoft Intelligent Security Association to Bring Visibility into Unmanaged Devices
    • Oort Joins the Microsoft Intelligent Security Association (MISA)
    • Building an Effective Identity Security Program: A Comprehensive Handbook
    • Oort Launches Identity Security Platform in Auth0 Marketplace
    • Oort Launches Identity Security Platform in AWS Marketplace
    • Oort Launches One-Click Remediation Actions for Streamlined Identity Security Response
    • Oort Origins and Our Vision for Identity Security
  • Release Notes
    • Week 22, 2024
    • Week 21, 2024
    • Week 20, 2024
    • Week 19, 2024
    • Week 18, 2024
    • Week 17, 2024
    • Week 16, 2024
    • Week 14, 2024
    • Week 13, 2024
    • Week 11, 2024
    • Week 9, 2024
    • Week 7, 2024
    • Week 5, 2024
    • Week 4, 2024
    • Week 3, 2024
    • Week 2, 2024
    • 2023
      • Week 49, 2023
      • Week 48, 2023
      • Week 47, 2023
      • Week 46, 2023
      • Week 45, 2023
      • Week 44, 2023
      • Week 43, 2023
      • Week 42, 2023
      • Week 41, 2023
      • Week 40, 2023
      • Week 39, 2023
      • Week 38, 2023
      • Week 37, 2023
      • Week 35, 2023
      • Week 34, 2023
      • Week 33, 2023
      • Week 32, 2023
      • Week 31, 2023
      • Week 30, 2023
      • Week 29, 2023
      • Week 28, 2023
      • Week 27, 2023
      • Week 26, 2023
      • Week 25, 2023
      • Week 24, 2023
      • Week 23, 2023
      • Week 22, 2023
      • Week 21, 2023
      • Week 20, 2023
      • Week 19, 2023
      • Week 18, 2023
      • Week 17, 2023
      • Week 16, 2023
      • Week 15, 2023
      • Week 13, 2023
      • Week 12, 2023
      • Week 11, 2023
      • Week 10, 2023
      • Week 9, 2023
      • Week 8, 2023
      • Week 7, 2023
      • Week 6, 2023
      • Week 5, 2023
      • Week 4, 2023
      • Week 3, 2023
      • Week 2, 2023
      • Week 1, 2023
    • 2022
      • Week 51, 2022
      • Week 50, 2022
      • Week 49, 2022
      • Week 48, 2022
      • Week 47, 2022
      • Week 46, 2022
      • Week 43, 2022
      • Week 42, 2022
      • Week 41, 2022
      • Week 38, 2022
      • Week 37, 2022
      • Week 36, 2022
      • Week 35, 2022
      • Week 34, 2022
      • Week 33, 2022
      • Week 32, 2022
      • Week 31, 2022
      • Week 30, 2022
      • Week 29, 2022
      • Week 24, 2022
      • Week 12, 2022
Powered by GitBook
On this page
  • Overview
  • Custom Detection Settings
  • List Settings
  • Why does the number of failing users stay the same after I change a check's settings?
  • Notification Settings
  • Disable checks
  • Unprotected users failing
  1. Understanding Check failures

Customizing Checks

PreviousReviewing Check ResultsNextCisco Identity Insights

Last updated 4 months ago

Overview

Each organization has a unique way of working - from different user onboarding/offboarding processes to tailor-made security policies and risk tolerances to approved workplace tools. What may be very concerning behavior to one company may be typical behavior for another, because of industry, size, maturity level, past experience, etc. Identity Intelligence knows that identity security does not have a 'one-size fits all' solution, which is why most checks can be tuned and customized to better align to your organization's way of working so you can focus on what matters most to your team.

On the right hand side of the Check Results page, next to the Check Details block, you will find a Check Settings block, that is collapsed by default. Click the down-arrow in the top right of this widget to expand it so that you can review or modify the check's settings.

This article will describe the different types of check settings available, and how you can best utilize them.

Custom Detection Settings

Many checks in Identity Intelligence can be tuned via the Custom Detection Settings to better align with your organization's risk tolerance, policies, and/or procedures. These settings could be numerical values that you increase or decrease to make the check evaluation criteria more or less strict, or it could be toggles to include or exclude event types, groups of known IP addresses, etc.

All custom detection settings will have a default value configured that can be modified as needed. To do so:

  1. Open the Check Settings widget by clicking on the down arrow to expand

  2. Click the Edit button in the Custom Detection Settings section of the Check Settings widget to open a settings modal where you can make the desired changes.

    1. Note: If this section does not exist, it means the check does not have configurable settings available

  3. Once you are done, click Save changes within the modal. The modal will then close

If you would ever like to revert back to the default settings - follow Steps 1 and 2 above. From within the settings modal, click the Restore Default button and then click Save changes

List Settings

Like Custom Detection Settings, List Settings should be used to better align check detections to your organization's risk tolerance, policies, and/or procedure based on what is and isn't allowed.

There are several checks in Identity Intelligence that have the option to configure List Settings. All List Settings work as allow or block lists even though sometimes they are called differently (such as Ignore Lists, Include lists, etc). What can be added to an allow or block will vary depending on the context of the check. For example, in some checks you can allow or block specific countries, whereas in other checks you may be able to allow or block certain applications, domains etc. Many checks have a default allow and/or block list that can be modified as needed. To do so:

  1. Open the Check Settings widget by clicking on the down arrow to expand.

    If a List already has values configured, you will see a count of values under the List name (ie: 10 items). Click the down arrow next to the count of items to see what values are already selected

    1. Note: If this section does not exist, it means the check does not have configurable list settings available

  2. Click the Edit button in the List Setting section of the Check Settings widget to open the list where you can make changes. If there is more than one List type available (ie: Allow and Block), be sure to select the Edit button that corresponds to the section you would like to modify

  3. To add a new item to a list, click the Add button to open a modal where you can either select from a dropdown of existing options, or enter free text values

  4. To remove an existing item from a list, find the item you'd like to remove within the list and click the Garbage can icon next to it

  5. Once you are done making changes to a given list, click Save. You can only edit one list type at a time, so if needed - navigate to the next list type to make any changes in the same way

If you would ever like to revert back to the default settings - follow Steps 1 and 2 above, click the Restore Default button and then click Save.

Why does the number of failing users stay the same after I change a check's settings?

Notification Settings

Every check in Identity Intelligence will have a Notification Settings area in the Check Settings widget. We highly recommend utilizing check notifications to closely monitor the user failures for the checks that are most critical to your organization to ensure that you are not missing anything critical, and so that you do not need to log into the Identity Intelligence platform daily to review new check failures.

Certain checks can also be configured to Send direct messages on failures to end users, and/or end user managers (if manager data is available). If you do not see an area to Send direct messages on failures in the Notifications Settings section, it means this functionality is not available for the given check. Use the Customize messages button to open a modal where you can write custom check descriptions or recommended actions that will be included in the admin notifications, or custom messages to send to failing end users and/or managers. You can also use this modal to Test both notification types to ensure that your custom message looks and works as intended.

Best Practices for Notifications

Notification targets should be configured based on where you and your team work together - whether that be shared channels in Slack, Webex, Teams or distribution lists via email.

Disable checks

If there are checks that your organization does not care about, you can "turn off", or disable, the check entirely to stop evaluating all users against this check.

The Disable Check toggle can be found in two places:

  • The Check results page, right next to the check name

  • The Failing Checks page, in the furthest right column of each row

To disable a check, switch the toggle to Disable. Once a check is disabled, the toggle will be grey. To enable a check, switch the toggle to Enable. Once a check is enabled, the toggle will be blue.

Disabling or enabling a check will go into effect immediately.

Unprotected users failing

By default, tenants do not have a protected population configured. Click the link above to read our documentation about setting and modifying your protected population.

You can see how many unprotected users are failing a specific check in a widget on the left of the Check Results page. This data can be useful to determine if your protected population may be configured in way that is leading to unintended results.

When you modify a check's custom detection settings or list settings, the user failure results for the check will not update immediately. When the tenant's next data collection runs, the results for most checks will update automatically. If needed, you can trigger a manual data collection for each integration on the Integrations page to see updated results for .

You may also notice after making a change to the custom detection or list settings of event based checks, that there are still users failing based on previous check settings. This is because of Identity Intelligence's data processing mechanisms and because users failing event based checks will continue to fail for 7 days, until no new observations are noted. If there are users failing a check based on previous settings, and not new settings, you can remove these users from the list with the .

Advice on how to adopt and incorporate Notifications can be found below, under the header

Once you have configured at least one , you can use the notification settings to Send failure reports to the desired notification target by selecting your desired notification target. You can select more than one notification target for a given check if needed.

When first starting out with Identity Intelligence, we highly recommend setting up failure report notifications for a small handful of checks only to start (3-5 checks), so that you and your team can get used to receiving the alerts, get comfortable with the amount of alerts sent, and start developing investigation and/or mitigation operationalization processes for the check failure reports. Once you are comfortable, you can begin to add notification targets to additional checks where needed. Typically, we also recommend starting with notifications for that your organization is concerned about and would like to monitor/investigate failures regularly. If there are you are interested in monitoring - be sure that the number of currently failing users is reasonable and actionable before configuring notification settings or you will overwhelm yourself with alerts. For example, if you have 200 users failing the Inactive Users check, we'd first recommend cleaning up these users as much as possible (ideally 10-20 users still failing). Once there are only a few users left failing the check, only should you turn on the notifications for this check to ensure that the number of failing users does not slowly increase to a point where clean up needs to become a bigger project.

If you would like to utilize end user notifications, be sure to inform end users/managers that they may be receiving these alerts and where they can find out more information or support if needed. If you would like these notifications to come from your own domain, which can reduce some end user confusion, you can do so with our or integrations.

Another way you can adjust checks is through the . This is a drastic measure, as adjusting the groups that are or are not included in the Protected Population will impact ALL of your checks.

☑️
🧹
Mailgun
SendGrid
Best Practices for Notifications
state based checks
Threat based checks
Posture based checks
notification target
Protected Population
Mark as normal behavior triage action