Oort Knowledge Base
  • Home
  • Glossary
  • 📊Dashboard
    • Get Started Dashboard
    • Overview Dashboard
    • MFA Dashboard
  • 👥Understanding your users
    • 📇Users
      • 💾Saved Filters
      • ❓Basic Search & Advanced Query Mode
    • 🩻User 360
      • 🗺️Overview Tab
      • 🔬Activity Tab
      • 📶Networks Tab
      • 💻Devices Tab
      • 🪺Applications and Groups Tabs
      • ✅Checks Tab
    • 🛠️Triaging Alerts and Remediation Actions
    • 🔗Linking User Accounts
    • 🤷User Statuses
  • 🗃️Applications
  • 💻Devices
  • 🧩Configuring Integrations
    • Managed Integrations
    • Auth0
      • Auth0 Data Integration
      • Auth0 Log Streaming & Marketplace App
    • Microsoft Entra ID (Azure AD) Data Integration
    • Microsoft Entra ID (Azure AD) SSO Integration
    • Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD)
    • Azure Sentinel SIEM Integration
    • AWS
    • AWS User-Based Access [Deprecated]
    • Duo Security Integration
    • Email Notifications
    • Github
    • Google Workspace Integration
    • Jamf
    • Jira Integration
    • Mailgun Integration
    • Microsoft Teams Notification Integration
    • Okta Log Streaming AWS EventBridge Integration
    • Okta Data Integration
    • Okta Workflows
    • Okta Integration Network - Production SSO App
    • Okta SSO
    • Polarity Integration
    • Salesforce Integration
    • SendGrid Integration
    • ServiceNOW Integration
    • Slack
    • Snowflake
    • Webex Notification Integration
    • Webhooks
    • Workday
      • Manual Import (CSV)
      • Report as a Service (RaaS)
  • ☑️Understanding Check failures
    • 🔍Reviewing Check Results
    • 🧹Customizing Checks
    • 📖Cisco Identity Insights
      • Identity Posture Management Insights
        • Access from Denied Territories
        • Allow/Block Email Logins
        • Application Login Bypasses SSO
        • Applications with Expired Secret
        • HRIS Discrepancies
        • Identity Intelligence Client Secret Expiring Soon
        • Inactive Account Probing
        • Inactive Guest Users
        • Inactive Users
        • Missing Value in Mandatory Field
        • Never Logged In
        • No MFA Configured
        • No Strong MFA Configured
        • Okta Long Running Sessions
        • Okta Session Length Policy Compliance
        • Personal VPN Usage
        • Provider User Type Missing
        • Rate Limit Alert
        • Role Assigned to Azure Cloud Only Account
        • Salesforce Direct Login Settings
        • Shared Mailbox Sign In Enabled
        • Slack User Inconsistencies
        • Telecom MFA Limit Reached
        • Unmanaged Devices Access
        • Unused Application for a User
        • Upcoming App Key Expiration
        • User Authorized to Bypass MFA
        • User Has Directly Assigned Application
        • User in IDP but not in HRIS
        • User Password Expiration Failure
        • User Stuck in Non-functional State
        • Users Sharing Authenticators
        • Weak MFA Was Used To Successfully Sign In
      • Identity Threat Detection Insights
        • A Bypass Code Was Used To Successfully Sign In
        • Access From Dormant Account
        • Accounts With Unusually High Activity
        • Active Account Under Heavy Attack
        • Activity From Untrustworthy ISP
        • Admin Impersonation in Okta
        • Admin Role Assigned to User
        • Authenticator Registration Anomalies
        • Code Exfiltration By Guest Account
        • Compromised Session
        • Google Drive File with Excessive Sharing Permissions
        • Impossible Travel
        • IP Threat Detected
          • IP Threat Detected In Depth
        • Login to Admin Console
        • MFA Flood
        • Microsoft Entra ID Admin Activity Anomaly
        • New Country for Tenant
        • New IDP Created
        • Okta Admin Activity Anomaly
        • Rare Browser Activity
        • Registered Location Mismatch
        • Risky Parallel Sessions
        • Service Account Successful Sign In
        • Shared Mailbox Successful Sign In
        • Sign In Threat Detected
        • Sign-in from Recently Created IdP
        • Successful Access from a Previously Only Failing IP
        • Super Admin Login to Google
        • Suspicious Activity Reported by End User
        • Unusual Repo Access
        • User IP in Blocked State
        • User Lock Out Risk Detected
        • User Trust Level Alert
        • Users With Defined Email Forward Rules
        • Users With New Email Forward Rules
        • Weak MFA Manually Activated and Utilized
  • ⚙️Tenant Settings
    • 👨‍💼Role-based Access (RBAC) and Tenant Access Logs
    • Systems Logs
  • 🏥Identity Posture Score
  • 🚨User Trust Level
  • How-to Guides
    • 🔐Accessing and Securing your Cisco Identity Intelligence Tenant
    • 🏎️Can Identity Intelligence analyze behavior and fail checks more frequently?
    • 🛂Importing Known IP Address Lists
    • 🔎Networks Tab & User Investigations
    • 🔁Okta Workflows Webhook Example
    • 🗃️Understanding HRIS Data and SCIM
    • MFA Factors FAQ
  • Public API
    • APIs
  • Troubleshooting & Support
    • API Permissions for Integrations
    • Responsible Disclosure Policy
  • Best Practices
    • 🛣️What’s Next? How to use Identity Intelligence effectively
    • 📚Identity Security Reading List
    • ✍️KPIs for
 IAM Teams
  • Blogs
    • 0ktapus for humans
    • Oort Releases GitHub Integration To Extend Identity Threat Detection
    • Oort Recognized Twice as a Sample Vendor in Gartner® 2023 Hype Cycle Reports™
    • Oort's Response Capabilities: Remediate Compromised Accounts with Just One Click
    • Oort Unveils Dashboard, Providing A Single Pane of Glass for Identities
    • Oort’s New Identity Security Dashboard
    • Oort Unveils Identity Technology Ecosystem, Bringing Identity Data out of Orbit and Into View
    • Oort: Your Security Layer On Top Of Okta
    • Populating the Unpopulated: Challenges of Building a Comprehensive User Inventory
    • Protecting IT Help Desk Teams Against Cyber Attacks
    • Protecting Salesforce Accounts from Takeovers and Ungoverned Access
    • Restrict Guest Access Permissions: Best Practices and Challenges
    • Seizing the Communication Opportunity: Aligning Perspectives in Identity Security
    • Session Hijacking in a Post-Genesis World
    • SIEM vs. Security Data Lake: Why it's Time to Rethink Your Security Program
    • Speaking the Same Language for Identity Security: Identify, Protect, Detect, Respond
    • State of Identity Security research reveals 40% of accounts use weak or no form of multi-factor authentication to protect identities
    • Strengthening Identity Controls: Mapping to CIS CSC and NIST CSF Security Frameworks
    • Strengthening Identity Security with Single Sign-On (SSO) Systems
    • Succeeding with Proper Detection for Identity Security: A Comprehensive Approach
    • Taking a Data-Driven Approach to Identity Security
    • The Concerning Prevalence of Weak Second Factors
    • The Crucial Role of an Identity Security Leader
    • Why I am Joining Oort
    • The Quest for a Passwordless World
    • Understanding Azure Active Directory (Azure AD)
    • Understanding the Implications of New SEC Rules on Cyber Incident Disclosure
    • Unlocking the Power of Zero Trust: The Crucial Role of Identity and Oort's Identity Security Platform
    • Respond Even Quicker to Identity Threats
    • What to Look Out For at Gartner IAM
    • 7 Critical Requirements for Securing Third-Party and Vendor Access
    • Best Practices for Efficiently Responding to Identity Threats
    • Announcing our Identity Technology Partner Ecosystem
    • Catching waves and building clouds
    • Cisco Announces Intent to Acquire Oort
    • CISO Perspectives: Eric Richard, HubSpot
    • Defining Roles & Responsibilities for an Identity Security Program
    • Detecting Session Hijacking
    • 8 Things to Look for in an ITDR Solution
    • Enhancing Identity Threat Detection: Introducing Oort’s New GitHub Integration
    • Founder Perspective: Matt Caulfield On Why He Started Oort
    • Founder Perspective: Vision To Reality
    • Four Reasons Why Traditional SIEMs Fall Short For Identity Security Programs
    • How Oort Partners with Duo for Unbeatable Secure Access
    • Governance, Risk, and Compliance
    • How to Find Inactive Users
    • Identity and Access Management and Oort Explained
    • 5 Identity Security Questions Every IAM Leader Needs to Answer
    • Identity security is bigger than just ITDR
    • Identity is the apex threat vector, so why is identity security still a mess?
    • Identity Threat Detection
    • Identity Threat Detection and Response: what you need to know
    • Identiverse 2023: What I'm Looking Forward to & What Not to Miss
    • Interview with Oort: Best Practices for Managing & Protecting Service Accounts
    • Interview with Alex “Sasha” Zaslavsky (Oort Data Science Lead)
    • Interview with Andy Winiarski (Head of Solutions Engineering)
    • Interview with Nicolas Dard (Oort’s VP of Product Management)
    • Introducing our Latest Integration to Protect Identities in AWS
    • Introducing The 2023 State of Identity Security Report
    • Maintaining a Strong Identity Security Posture: Why IAM Hygiene Matters
    • Managing Machine Identities: A Comprehensive Guide
    • Managing Risk In Shipwreck Diving and Security
    • Monitoring MFA Usage and Adoption: Strengthening Your Security Strategy
    • Okta Breach: Why Attackers Target GitHub, and What You Can Do to Secure It
    • Okta Security
    • Oort and Polarity Combine to Provide Instant Context on Identities
    • Oort + Polarity: Instant Identity Context to Power Investigations and Response
    • Oort Announces $15M in Seed and Series A Funding Round
    • Oort Stacks Go-to-Market Leadership Team Following Series A Investment
    • Oort Extends Identity Threat Detection with New AWS Integration
    • Announcing General Availability of the Oort Identity Analytics & Automation Platform
    • Oort Joins Forces with Microsoft Intelligent Security Association to Bring Visibility into Unmanaged Devices
    • Oort Joins the Microsoft Intelligent Security Association (MISA)
    • Building an Effective Identity Security Program: A Comprehensive Handbook
    • Oort Launches Identity Security Platform in Auth0 Marketplace
    • Oort Launches Identity Security Platform in AWS Marketplace
    • Oort Launches One-Click Remediation Actions for Streamlined Identity Security Response
    • Oort Origins and Our Vision for Identity Security
  • Release Notes
    • Week 22, 2024
    • Week 21, 2024
    • Week 20, 2024
    • Week 19, 2024
    • Week 18, 2024
    • Week 17, 2024
    • Week 16, 2024
    • Week 14, 2024
    • Week 13, 2024
    • Week 11, 2024
    • Week 9, 2024
    • Week 7, 2024
    • Week 5, 2024
    • Week 4, 2024
    • Week 3, 2024
    • Week 2, 2024
    • 2023
      • Week 49, 2023
      • Week 48, 2023
      • Week 47, 2023
      • Week 46, 2023
      • Week 45, 2023
      • Week 44, 2023
      • Week 43, 2023
      • Week 42, 2023
      • Week 41, 2023
      • Week 40, 2023
      • Week 39, 2023
      • Week 38, 2023
      • Week 37, 2023
      • Week 35, 2023
      • Week 34, 2023
      • Week 33, 2023
      • Week 32, 2023
      • Week 31, 2023
      • Week 30, 2023
      • Week 29, 2023
      • Week 28, 2023
      • Week 27, 2023
      • Week 26, 2023
      • Week 25, 2023
      • Week 24, 2023
      • Week 23, 2023
      • Week 22, 2023
      • Week 21, 2023
      • Week 20, 2023
      • Week 19, 2023
      • Week 18, 2023
      • Week 17, 2023
      • Week 16, 2023
      • Week 15, 2023
      • Week 13, 2023
      • Week 12, 2023
      • Week 11, 2023
      • Week 10, 2023
      • Week 9, 2023
      • Week 8, 2023
      • Week 7, 2023
      • Week 6, 2023
      • Week 5, 2023
      • Week 4, 2023
      • Week 3, 2023
      • Week 2, 2023
      • Week 1, 2023
    • 2022
      • Week 51, 2022
      • Week 50, 2022
      • Week 49, 2022
      • Week 48, 2022
      • Week 47, 2022
      • Week 46, 2022
      • Week 43, 2022
      • Week 42, 2022
      • Week 41, 2022
      • Week 38, 2022
      • Week 37, 2022
      • Week 36, 2022
      • Week 35, 2022
      • Week 34, 2022
      • Week 33, 2022
      • Week 32, 2022
      • Week 31, 2022
      • Week 30, 2022
      • Week 29, 2022
      • Week 24, 2022
      • Week 12, 2022
Powered by GitBook
On this page
  • Check Details
  • Failing Users List
  • Customize Check Settings
  • Diving deeper into a check failure
  • Available Actions
  • Failing Users widgets
  1. Understanding Check failures

Reviewing Check Results

PreviousUnderstanding Check failuresNextCustomizing Checks

Last updated 1 month ago

From the Checks page, you can dive into a specific check to read about the check and the failure criteria used to evaluate users, review the recommended remediation actions, see the full list of users currently failing that check and why each user is failing, modify check settings, configure notification settings, and more.

To explore a specific check further, click on either the desired check name, or any part of that row (excluding the "Report Channels" and "Enabled" columns) to see the Check Results page.

The Check Results page is broken into multiple components:

  • , including customization and notification settings

Check Details

The Check Details provides high level information about the specific check you are reviewing and encompasses the full block of information that you see on the top of the Check Results page. While the information available will vary from check to check, the format is the same across all checks.

The severity level of each check can be seen next to the Check name, right above the Check Details block.

On the left side of the Check Details block you will see:

  • Check Description - Information about what a given check is detecting, the logic used to determine which users will fail the check, the potential risk to your organization, etc

  • Recommended Actions - Information on how you can remediate a given check failure, investigate the problem, and/or improve internal processes or policies to prevent users from failing this check in the future

On the right side of the Check Details block you will see:

  • Last Report Update (UTC) - The date and time the system last processed identity source data and ran the user analysis for a given check. Hover over this value to see a tooltip with the local time

  • Compatibility - Shows which identity data sources work for a given check. All compatible data sources are visible, even if they are not configured for your tenant

    • To apply a tag to a check, click the +Add Tag button in the Check Details block, enter the desired tag name and save

    • To remove an existing tag, click the X in the desired tag label in the Check Details block

  • Check Assessment (not available for all checks) - Certain checks are "Near Time Compatible", which means that if log streaming is enabled, the data collection and analysis for this check occurs multiple times a day rather than following the standard 24 hour data collection process. If a check is Near Time Compatible, this field will be visible in the Check Details block.

      • Certain integrations are only Near Time Compatible with certain checks (ie: a check may be near time compatible for Okta and Duo but not Azure)

    • Hover over the tooltip next to the Near Time label to see which data sources need log/event streaming enabled to start getting near time assessments for this check. Any data sources that already have streaming enabled will not appear in the tooltip

  • Additional resources (not available for all checks) - Some checks will have links to external sites with information related to a given check, such as relevant documentation from compatible data sources on data definitions or related configuration instructions, security framework detailed descriptions, etc where you can learn more about the security risk or how to remediate an issue

Failing Users List

Under the Check Details block is the list of users currently failing a given check. From this table you can review the users failing a given check, as well as dive into the 'Check Explainability' to learn more about why a specific user failed the check.

Directly above the column headers, you can see a count of the number of failing users and 2 buttons - View Users and Download List.

  • Download List will export the list of failing users, and the columns from the table, to a CSV file. It also does include the check explainability for the failing users

The table of failing users contains the following fields :

Element
Description

User

First Reported (UTC)

The date and time the user was reported for failing a given check for the first time To sort by this column value, click the First Reported column header to switch between ascending and descending order

Last Reported (UTC)

The date and time the user was most recently reported for failing a given check or having a new observation recorded for that check By default, the list of failing users is sorted in descending order (newest to oldest) on Last Reported. To sort by this column value, click the First Reported column header to switch between ascending and descending order

Admin Notified

The number of times a notification was sent to admins about a given user failing a given check, the notification method used as an icon (slack logo, email icon, etc) and the last date and time a notification was sent for a given user If notifications are not configured for a given check, this column will say 'Not Notified'

User/Manager Notified

Not supported for all checks. If a check is not compatible with end user/manager notifications, this column will not be visible

The number of times a notification was sent to an end user and/or end user manager about the user failing a given check, the notification method used as an icon (slack logo, email icon, etc) and the last date and time a notification was sent for the given user If end user/manager notifications are compatible with a given check but are not configured, this column will say 'Not Notified'

Non-user based checks

Customize Check Settings

On the right hand side of the Check Results page, next to the Check Details block, you will find a Check Settings block, that is collapsed by default. Click the down-arrow in the top right of this widget to expand it so that you can review or modify the check's settings.

Diving deeper into a check failure

The explainability available will vary from check to check based on what information or context is most relevant for a particular check, and can include information such as such as user title, failing data source, factor type, application accessed, IP address used, etc.

To review the check explainability from the Check Results page, click on any blank space in the row related to the specific user you'd like to dig into. This will open a side panel from the right side of the page with the explainability information for that user. To close the side panel, click the X in the top right corner of the panel, or click anywhere outside of side panel.

Available Actions

From the failing users list, you can also take a few different actions using the 3-dot button on the right side of the row for a given failing user. The actions available are:

Failing Users widgets

There are a few widgets on every Check Results page that can be useful to get a high level understanding of the users failing a given check

Failing Users

The number of users currently failing the check, as well as the percentage of users failing compared to the total number of users in your environment. This widget is available on all checks, though it may be replaced with a compliance score for provider based checks.

Within this widget, you can also see how the number of failing users has changed over the last 7 and 30 days expressed as a percent change. Large increases to either of these numbers may indicate something worth investigating such as an active attack, a policy misconfiguration, etc.

Failing Users Per Integration

The number and percentage of users currently failing a given check, broken down by which identity data source is causing a user to fail. Focusing on a specific Provider can help with prioritizing user failures stemming from the identity source that is more important for you on a particular check. This widget is not available on all checks.

For example, a user with an account in both Duo and Azure may fail the No MFA Configured check because they have MFA configured in Duo, but not in Azure. In this case, the user would be counted under the Azure integration count.

Failing Users Per Type

For example, an internal User failing the No MFA Configured check is more important to address than an external user failing the same check.

Excluded Users

Click the number of users in the Excluded Users widget to go to the Users page, pre-filtered on that specific check and excluded users, to review which users have been excluded from a check. Click on a specific user and navigate to their User 360 Checks Tab to see more details about the user's exclusion, or to re-include the user in a check if needed.

Unprotected users failing

By default, tenants do not have a protected population configured. Click the link above to read our documentation about setting and modifying your protected population.

This widget is available on all checks, except for provider based checks.

Some checks will have a sub-section within the description called Learn more about the risk with a short 1-2 minute educational video explaining the risk of this behavior and why it is important to remediate this failure. If check are set up to contact the failing end user, in certain cases (such as the "No MFA Configured" check), the message sent to end users will include the associated video to teach them about the risk and encourage them to take the necessary action to remediate the problem

Topics & Frameworks - Topics lists the category that a given check falls into (threat, posture, compliance). Frameworks lists different security frameworks and guidelines, such as NIST, MITRE &TTACK, CIS, etc, associated with a given check. Both of these fields are available as filters on the page

Tags - Tags can be added to a check for additional custom categorization. Any tags that are applied to a check will be visible in the Check Details block, and can also be used as a filter on the page. Tags are visible to all users with platform access

Log streaming is available for certain integration sources including , and . Configure log streaming to receive notifications about these checks in Near Time.

View Users will take you to the page, pre-filtered on the given failing check, so you can see all the users failing that check

If there are more than 1,000 users failing a given check, you will see a button that says View Users which will take you to the page, where you can see all failing users and utilize the filters to narrow down to smaller, more manageable groups of users.

The user key of the failing user Clicking on a user's name will take to you their tab

For Identity Provider checks, like Okta Session Length Policy Compliance or Apps with Expired Secrets, the check is evaluated against the integration instance, rather than end users so you will not see a table with failing users. On these checks, you will see Failing Instances, which lists the failing identity data source(s), and additional relevant data items, such as app display names, policy names, etc., that require remediation. You can filter for Identity Provider checks on the page, under the Scopes filter.

Detailed information about the different check settings available, and how to use them, can be found in our article.

Just like on the , for each failing check, you can click in and view more information about that particular failing check, along with the most important context, such as the actions that contributed to the user failing a given check and high level context about that user. This is called the 'check explainability'.

For , within the explainability panel, you can jump directly to a given user's tab to get more information by either clicking the View in Activity button to navigate to the Activity tab pre-filtered on all events related to that check failure, or clicking on a See in Context button to go to the Activity tab pre-filtered on events that occurred in the hour directly before and after the check failure.

Additionally, If you click a given user's user key from the table, you will go to that user's User 360 Checks tab, where you can see all the checks the user is failing, review the check explainability, and see the observation history for a check (for ).

Send notification - Sends a one-off notification about a given user's failure to a configured notification channel for Identity Intelligence admins, or the end user/manager if compatible. must be configured to use this functionality

View Logs - Takes you to a given user's , pre-filtered on the check failure

- Removes the user from the list of check failures and stops them from being evaluated against a given check for the specified time frame. Check will appear in Resolved Checks table in Checks tab of User 360

- Note: Only available for . Marking a user's check failure or observation as either interesting or normal behavior will mitigate the failed check for that occurrence for that user and move it to the table in Checks tab of given user's User 360

To see which users are failing because of a given source, click on the data source within this widget, which will take you to the page, pre-filtered on that specific check and the selected integration. Note: If a user is failing under more than one source, they will be counted under all applicable sources

The number and percentage of users currently failing a given check, broken down by their Identity Intelligence User Type. Focusing on a specific User Types makes it easier to prioritize user failures based on who the users are. This widget is available on all checks except for .

To see which users are categorized under a particular user type, click on the user type within this widget, which will take you to the page, pre-filtered on that specific check and the selected user type.

The total of number of users who have been from a given check, either temporarily or permanently. This widget is available on all checks, except for provider based checks.

The total number of users who are not currently in your designated that would be failing this check if they were part of the protected population. This data can be useful to determine if your protected population may be configured in way that is leading to unintended results.

☑️
🔍
Users
Users
Customizing Checks
User 360 Checks Tab
User 360 Activity tab
Users
Users
Provider based checks
User 360 Checks
Okta
Azure
Activity
Resolved
Check Details
Failing Users list
Reviewing individual user failures
Check Settings
Failing User count widgets
Protected Population
Checks
Checks
Checks
event based checks
event based checks
event based checks
notifications
Notification targets
Duo
Exclude from Check
Mark as Interesting and Mark as Normal
excluded