Oort Knowledge Base
  • Home
  • Glossary
  • 📊Dashboard
    • Get Started Dashboard
    • Overview Dashboard
    • MFA Dashboard
  • 👥Understanding your users
    • 📇Users
      • 💾Saved Filters
      • ❓Basic Search & Advanced Query Mode
    • 🩻User 360
      • 🗺️Overview Tab
      • 🔬Activity Tab
      • 📶Networks Tab
      • 💻Devices Tab
      • 🪺Applications and Groups Tabs
      • ✅Checks Tab
    • 🛠️Triaging Alerts and Remediation Actions
    • 🔗Linking User Accounts
    • 🤷User Statuses
  • 🗃️Applications
  • 💻Devices
  • 🧩Configuring Integrations
    • Managed Integrations
    • Auth0
      • Auth0 Data Integration
      • Auth0 Log Streaming & Marketplace App
    • Microsoft Entra ID (Azure AD) Data Integration
    • Microsoft Entra ID (Azure AD) SSO Integration
    • Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD)
    • Azure Sentinel SIEM Integration
    • AWS
    • AWS User-Based Access [Deprecated]
    • Duo Security Integration
    • Email Notifications
    • Github
    • Google Workspace Integration
    • Jamf
    • Jira Integration
    • Mailgun Integration
    • Microsoft Teams Notification Integration
    • Okta Log Streaming AWS EventBridge Integration
    • Okta Data Integration
    • Okta Workflows
    • Okta Integration Network - Production SSO App
    • Okta SSO
    • Polarity Integration
    • Salesforce Integration
    • SendGrid Integration
    • ServiceNOW Integration
    • Slack
    • Snowflake
    • Webex Notification Integration
    • Webhooks
    • Workday
      • Manual Import (CSV)
      • Report as a Service (RaaS)
  • ☑️Understanding Check failures
    • 🔍Reviewing Check Results
    • 🧹Customizing Checks
    • 📖Cisco Identity Insights
      • Identity Posture Management Insights
        • Access from Denied Territories
        • Allow/Block Email Logins
        • Application Login Bypasses SSO
        • Applications with Expired Secret
        • HRIS Discrepancies
        • Identity Intelligence Client Secret Expiring Soon
        • Inactive Account Probing
        • Inactive Guest Users
        • Inactive Users
        • Missing Value in Mandatory Field
        • Never Logged In
        • No MFA Configured
        • No Strong MFA Configured
        • Okta Long Running Sessions
        • Okta Session Length Policy Compliance
        • Personal VPN Usage
        • Provider User Type Missing
        • Rate Limit Alert
        • Role Assigned to Azure Cloud Only Account
        • Salesforce Direct Login Settings
        • Shared Mailbox Sign In Enabled
        • Slack User Inconsistencies
        • Telecom MFA Limit Reached
        • Unmanaged Devices Access
        • Unused Application for a User
        • Upcoming App Key Expiration
        • User Authorized to Bypass MFA
        • User Has Directly Assigned Application
        • User in IDP but not in HRIS
        • User Password Expiration Failure
        • User Stuck in Non-functional State
        • Users Sharing Authenticators
        • Weak MFA Was Used To Successfully Sign In
      • Identity Threat Detection Insights
        • A Bypass Code Was Used To Successfully Sign In
        • Access From Dormant Account
        • Accounts With Unusually High Activity
        • Active Account Under Heavy Attack
        • Activity From Untrustworthy ISP
        • Admin Impersonation in Okta
        • Admin Role Assigned to User
        • Authenticator Registration Anomalies
        • Code Exfiltration By Guest Account
        • Compromised Session
        • Google Drive File with Excessive Sharing Permissions
        • Impossible Travel
        • IP Threat Detected
          • IP Threat Detected In Depth
        • Login to Admin Console
        • MFA Flood
        • Microsoft Entra ID Admin Activity Anomaly
        • New Country for Tenant
        • New IDP Created
        • Okta Admin Activity Anomaly
        • Rare Browser Activity
        • Registered Location Mismatch
        • Risky Parallel Sessions
        • Service Account Successful Sign In
        • Shared Mailbox Successful Sign In
        • Sign In Threat Detected
        • Sign-in from Recently Created IdP
        • Successful Access from a Previously Only Failing IP
        • Super Admin Login to Google
        • Suspicious Activity Reported by End User
        • Unusual Repo Access
        • User IP in Blocked State
        • User Lock Out Risk Detected
        • User Trust Level Alert
        • Users With Defined Email Forward Rules
        • Users With New Email Forward Rules
        • Weak MFA Manually Activated and Utilized
  • ⚙️Tenant Settings
    • 👨‍💼Role-based Access (RBAC) and Tenant Access Logs
    • Systems Logs
  • 🏥Identity Posture Score
  • 🚨User Trust Level
  • How-to Guides
    • 🔐Accessing and Securing your Cisco Identity Intelligence Tenant
    • 🏎️Can Identity Intelligence analyze behavior and fail checks more frequently?
    • 🛂Importing Known IP Address Lists
    • 🔎Networks Tab & User Investigations
    • 🔁Okta Workflows Webhook Example
    • 🗃️Understanding HRIS Data and SCIM
    • MFA Factors FAQ
  • Public API
    • APIs
  • Troubleshooting & Support
    • API Permissions for Integrations
    • Responsible Disclosure Policy
  • Best Practices
    • 🛣️What’s Next? How to use Identity Intelligence effectively
    • 📚Identity Security Reading List
    • ✍️KPIs for
 IAM Teams
  • Blogs
    • 0ktapus for humans
    • Oort Releases GitHub Integration To Extend Identity Threat Detection
    • Oort Recognized Twice as a Sample Vendor in Gartner® 2023 Hype Cycle Reports™
    • Oort's Response Capabilities: Remediate Compromised Accounts with Just One Click
    • Oort Unveils Dashboard, Providing A Single Pane of Glass for Identities
    • Oort’s New Identity Security Dashboard
    • Oort Unveils Identity Technology Ecosystem, Bringing Identity Data out of Orbit and Into View
    • Oort: Your Security Layer On Top Of Okta
    • Populating the Unpopulated: Challenges of Building a Comprehensive User Inventory
    • Protecting IT Help Desk Teams Against Cyber Attacks
    • Protecting Salesforce Accounts from Takeovers and Ungoverned Access
    • Restrict Guest Access Permissions: Best Practices and Challenges
    • Seizing the Communication Opportunity: Aligning Perspectives in Identity Security
    • Session Hijacking in a Post-Genesis World
    • SIEM vs. Security Data Lake: Why it's Time to Rethink Your Security Program
    • Speaking the Same Language for Identity Security: Identify, Protect, Detect, Respond
    • State of Identity Security research reveals 40% of accounts use weak or no form of multi-factor authentication to protect identities
    • Strengthening Identity Controls: Mapping to CIS CSC and NIST CSF Security Frameworks
    • Strengthening Identity Security with Single Sign-On (SSO) Systems
    • Succeeding with Proper Detection for Identity Security: A Comprehensive Approach
    • Taking a Data-Driven Approach to Identity Security
    • The Concerning Prevalence of Weak Second Factors
    • The Crucial Role of an Identity Security Leader
    • Why I am Joining Oort
    • The Quest for a Passwordless World
    • Understanding Azure Active Directory (Azure AD)
    • Understanding the Implications of New SEC Rules on Cyber Incident Disclosure
    • Unlocking the Power of Zero Trust: The Crucial Role of Identity and Oort's Identity Security Platform
    • Respond Even Quicker to Identity Threats
    • What to Look Out For at Gartner IAM
    • 7 Critical Requirements for Securing Third-Party and Vendor Access
    • Best Practices for Efficiently Responding to Identity Threats
    • Announcing our Identity Technology Partner Ecosystem
    • Catching waves and building clouds
    • Cisco Announces Intent to Acquire Oort
    • CISO Perspectives: Eric Richard, HubSpot
    • Defining Roles & Responsibilities for an Identity Security Program
    • Detecting Session Hijacking
    • 8 Things to Look for in an ITDR Solution
    • Enhancing Identity Threat Detection: Introducing Oort’s New GitHub Integration
    • Founder Perspective: Matt Caulfield On Why He Started Oort
    • Founder Perspective: Vision To Reality
    • Four Reasons Why Traditional SIEMs Fall Short For Identity Security Programs
    • How Oort Partners with Duo for Unbeatable Secure Access
    • Governance, Risk, and Compliance
    • How to Find Inactive Users
    • Identity and Access Management and Oort Explained
    • 5 Identity Security Questions Every IAM Leader Needs to Answer
    • Identity security is bigger than just ITDR
    • Identity is the apex threat vector, so why is identity security still a mess?
    • Identity Threat Detection
    • Identity Threat Detection and Response: what you need to know
    • Identiverse 2023: What I'm Looking Forward to & What Not to Miss
    • Interview with Oort: Best Practices for Managing & Protecting Service Accounts
    • Interview with Alex “Sasha” Zaslavsky (Oort Data Science Lead)
    • Interview with Andy Winiarski (Head of Solutions Engineering)
    • Interview with Nicolas Dard (Oort’s VP of Product Management)
    • Introducing our Latest Integration to Protect Identities in AWS
    • Introducing The 2023 State of Identity Security Report
    • Maintaining a Strong Identity Security Posture: Why IAM Hygiene Matters
    • Managing Machine Identities: A Comprehensive Guide
    • Managing Risk In Shipwreck Diving and Security
    • Monitoring MFA Usage and Adoption: Strengthening Your Security Strategy
    • Okta Breach: Why Attackers Target GitHub, and What You Can Do to Secure It
    • Okta Security
    • Oort and Polarity Combine to Provide Instant Context on Identities
    • Oort + Polarity: Instant Identity Context to Power Investigations and Response
    • Oort Announces $15M in Seed and Series A Funding Round
    • Oort Stacks Go-to-Market Leadership Team Following Series A Investment
    • Oort Extends Identity Threat Detection with New AWS Integration
    • Announcing General Availability of the Oort Identity Analytics & Automation Platform
    • Oort Joins Forces with Microsoft Intelligent Security Association to Bring Visibility into Unmanaged Devices
    • Oort Joins the Microsoft Intelligent Security Association (MISA)
    • Building an Effective Identity Security Program: A Comprehensive Handbook
    • Oort Launches Identity Security Platform in Auth0 Marketplace
    • Oort Launches Identity Security Platform in AWS Marketplace
    • Oort Launches One-Click Remediation Actions for Streamlined Identity Security Response
    • Oort Origins and Our Vision for Identity Security
  • Release Notes
    • Week 22, 2024
    • Week 21, 2024
    • Week 20, 2024
    • Week 19, 2024
    • Week 18, 2024
    • Week 17, 2024
    • Week 16, 2024
    • Week 14, 2024
    • Week 13, 2024
    • Week 11, 2024
    • Week 9, 2024
    • Week 7, 2024
    • Week 5, 2024
    • Week 4, 2024
    • Week 3, 2024
    • Week 2, 2024
    • 2023
      • Week 49, 2023
      • Week 48, 2023
      • Week 47, 2023
      • Week 46, 2023
      • Week 45, 2023
      • Week 44, 2023
      • Week 43, 2023
      • Week 42, 2023
      • Week 41, 2023
      • Week 40, 2023
      • Week 39, 2023
      • Week 38, 2023
      • Week 37, 2023
      • Week 35, 2023
      • Week 34, 2023
      • Week 33, 2023
      • Week 32, 2023
      • Week 31, 2023
      • Week 30, 2023
      • Week 29, 2023
      • Week 28, 2023
      • Week 27, 2023
      • Week 26, 2023
      • Week 25, 2023
      • Week 24, 2023
      • Week 23, 2023
      • Week 22, 2023
      • Week 21, 2023
      • Week 20, 2023
      • Week 19, 2023
      • Week 18, 2023
      • Week 17, 2023
      • Week 16, 2023
      • Week 15, 2023
      • Week 13, 2023
      • Week 12, 2023
      • Week 11, 2023
      • Week 10, 2023
      • Week 9, 2023
      • Week 8, 2023
      • Week 7, 2023
      • Week 6, 2023
      • Week 5, 2023
      • Week 4, 2023
      • Week 3, 2023
      • Week 2, 2023
      • Week 1, 2023
    • 2022
      • Week 51, 2022
      • Week 50, 2022
      • Week 49, 2022
      • Week 48, 2022
      • Week 47, 2022
      • Week 46, 2022
      • Week 43, 2022
      • Week 42, 2022
      • Week 41, 2022
      • Week 38, 2022
      • Week 37, 2022
      • Week 36, 2022
      • Week 35, 2022
      • Week 34, 2022
      • Week 33, 2022
      • Week 32, 2022
      • Week 31, 2022
      • Week 30, 2022
      • Week 29, 2022
      • Week 24, 2022
      • Week 12, 2022
Powered by GitBook
On this page
  • Overview
  • Triage Actions vs Remediation Actions
  • RBAC Role Permissions
  • Technical Requirements
  • Triage Actions
  • Exclude User from Check
  • Mark as Suspicious / Mark as Normal Behavior
  • When to use each triage action
  • Remediation Actions
  • Send Push Notification
  • Delete Guest User
  • Reset MFA
  • Log User Out of Active Sessions
  • Quarantine User
  • Additional Actions
  • Open Ticket
  • Link User
  • Update User Type
  • Refresh User Data
  1. Understanding your users

Triaging Alerts and Remediation Actions

11/2023

PreviousChecks TabNextLinking User Accounts

Last updated 2 months ago

Overview

Cisco Identity Intelligence provides the ability to triage check failures and take action to remediate problems or identity security threats within your connected identity platforms, such as Okta, Azure, Google, or Duo.

This article provides an overview of each triage option and remediation action, its intended use cases, how to use it, and platform compatibility.

For more information, please see this short video:

Triage Actions vs Remediation Actions

Triage Actions

Check failures can be triaged so that a given user will no longer fail a given check. Once a failing user has been triaged, they will no longer appear in the list of failing users for a given check.

The triage actions available are:

No additional permissions or set up are required to utilize the Triage Actions.

Remediation Actions

Remediation actions are available for a wide variety of scenarios. Most remediation actions are typically utilized once an investigation into a given user's behavior has concluded to protect a user's account if it has been, or is suspected to be, compromised or is under attack. However, there are other remediation actions available that can be used to clean up an environment, to track an investigation, validate a user's identity, etc.

The remediation actions available are:

Remediation Actions can be found under the Action button, which is available across all tabs of a given user's User 360.

Other Actions

Under the Actions button there are a few additional actions that are neither remediation actions nor triage actions. Those actions are:

RBAC Role Permissions

All of the triage and remediation actions listed in this article are available to both full admin users and also help desk role users.

Technical Requirements

To take Remediation Actions beyond simply read-only data collection in identity platforms, Identity Intelligence requires specific API or token write permissions/scopes within the data source platforms so that it can talk back to the source and execute the remediation action there.

The specific API or token permissions are outlined in the integration guide for the respective data source. Please see the following articles for more details:

Triage Actions

Exclude User from Check

Once you have identified a user to exclude from a particular check

  1. Use the 3-dot menu at the end of the corresponding row and click Exclude from check.

  2. Select the desired timeframe from the drop down - either Indefinitely, which will result in a permanent exclusion, or one of the default timeframes. If your desired timeframe is not available, you can use the Custom option in the drop down to set your own timeframe, up to 180 days. We highly recommend NOT ignoring users from checks indefinitely whenever possible and would instead recommend setting up a longer exclusion timeframe.

  1. Include a Reason for why this user will be excluded for this timeframe so that you and/or other members of the team can refer back to this historical context if needed. While entering a Reason is not required, it is highly recommended for record keeping purposes

If needed, a user can be re-included in a Check by selecting Include in Check under the 3-dot menu in the Resolved Checks section.

Mark as Suspicious / Mark as Normal Behavior

These triage actions are available under the 3-dot menu in two places

As mentioned above, when using either Mark as Suspicious or Mark as Normal, the given user's observation(s) that was triaged is then "snoozed" for 30 days. As Identity Intelligence continuously analyzes user data, if a new observation is noted for the same user with the same context as the "snoozed" observation, then it will NOT log a new observation and will not trigger a check failure for that user; however, if a new observation is noted for the same user with different context than the "snoozed" observation, then it WILL log a new observation and will trigger a check failure for that user.

Context is usually information that can be found in the failing check's explainability, such as IP address info, device info, factor info, etc and will vary by check based on what is relevant to that check. For example, for the Personal VPN Usage check, the context is the VPN service used. For the Rare Browser Activity check, it is the browser user, etc.

If needed, feedback options can be reset by selecting Reset Feedback under the 3-dot menu in the Resolved Checks section for a given user.

When to use each triage action

Exclude from Check should be used in cases where you are certain a user does not need to be evaluated against this check for a desired amount of time under ANY circumstances

Mark as suspicious should be used in cases where a check failure was accurate in some way such as behavior that could risky or concerning, a possible compromise, a confirmed compromise, etc.

Mark as normal behavior should be used in cases where a check failure was accurate but is expected behavior or is simply not risky or concerning behavior, or if the check failure was not accurate (false positive).

Note - All roles, including Read Only, can provide triage user check failures with these options.

Additionally, when you triage a check failure or observation using mark as suspicious or mark as normal behavior, you help the Identity Intelligence data science team gather data on ways to improve the check failure logic moving forward.

Remediation Actions

You may not see all Remediation Actions available across all users in your tenant! Identity Intelligence only shows the remediation actions that are compatible with the data sources that have a record for a given user For ex: You have a given user with accounts in both Azure and Duo. You will not see the Quarantine action for this user, since this action is only compatible with Okta and this user does not have an Okta account

Send Push Notification

Supported platforms: Duo Security for end users only, Okta

In certain scenarios, such as verifying a user's identity when calling into the help desk or support team, it is extremely useful to be able to send the user a one-time push notification to their enrolled mobile device and have them confirm it as part of the identity verification process.

Okta Implementation Details

Specifically, the Okta service account for Identity Intelligence needs to have Help Desk Administrator role or a higher role.

Duo Implementation Details

The Send Push Notification action only works on Duo end users. It is not compatible with Duo Admin accounts.

To enable this functionality for Duo, requires the Duo Security Auth API security token to be configured in your Duo integration as mentioned in the Duo Security Integration article. As mentioned there, the Duo Auth API app name should be created with something the end user will recognize as having sent the push to them, such as "Company ABC IT Support Team".

How to Send a Push Notification

  1. A verification dialog box will open. If there are both Duo Security and Okta integrations in your Identity Intelligence tenant, you'll be asked to select which one you want to use

Note - If a user has multiple devices enrolled for an integration, you will be given a choice to select the desired device. If a user has NO devices for an integration, you will see the message below

  1. Click Confirm to send the push notification

  2. A Remediation status bar will appear above the User Overview page

  3. The API operation is asynchronous, so you may need to hit the refresh button within the remediation status bar to update the status

  4. If the user receives and accepts the push, the status will be SUCCESS. Otherwise it will report FAILURE

NOTE! - Because the push notification is sent from Identity Intelligence to the Identity provider via API and originates from a specific AWS region, then the geolocation details in the request will show it coming from an AWS region (AWS US East 2 in Columbus, Ohio for most Identity Intelligence customers).

Delete Guest User

Supported IDP: Azure AD

Microsoft 365 productivity applications like Teams, SharePoint, and OneDrive provide powerful mechanism for sharing resources, data, and chat functions outside of an organizations internal user base. However, this frequently leads to a build-up of guest accounts, especially ones that are inactive or never used, in Azure AD, which functions as the primary identity directory for many Microsoft 365 environments.

With the correct API permissions noted above, Identity Intelligence admin and help desk roles can delete these accounts directly from Identity Intelligence, cleaning up the environment and reducing identity attack surface, while reducing the need to pivot back to Azure to complete this task once a user has been identified for deletion.

There are two requirements -

  1. The account must be of type guest in Azure AD

  2. The account must be within the configured Protected Population within Identity Intelligence (not excluded from all Checks)

To identify delete guest accounts for deletion, you can use the Users table page and the filters to find external users. Some ways you can find external users are:

  • Filter on User Type only and select External

  • Filter on failing checks > Select the Inactive Guest User check and select an individual user to review

  • Filter on failing checks > Select the Never Logged In check > Find the User Type filter and select External and select an individual user to review

Once you have identified a user to delete:

  1. Click Actions -> Delete User

  2. A Remediation status bar will be displayed with the status of the operation in Azure AD

  3. If you delete a user and the status bar displays a Failed message, it may be an indicator that the necessary API permissions are not configured

If you do not see the Delete User remediation action, ensure that the user is a Guest user in Azure AD. If the user is not, this remediation action will not be visible.

Reset MFA

Supported IDPs: Okta, Azure AD, Duo, Google

In certain scenarios, such as a lost phone or OTP soft token, you may need to reset a user's MFA factors in one or more IDP systems.

Select Reset MFA. This will prompt you to confirm this action. Once you select Confirm, the reset is effective across ALL connected IDPs for the user. Note - The Reset MFA action only works on Duo end users. It is not compatible with Duo Admin accounts.

Log User Out of Active Sessions

Supported IDPs: Okta, Azure AD, Google

In the event of a identity security threat, you may need to log a user out of any active sessions in one or more IDP systems.

As with other options, this remediation action will be effective on all platforms where a given user has an account. You will be prompted to confirm the action before it executes.

Quarantine User

Supported IDPs: Okta

If suspicious or potentially malicious events have occurred with a user's account, you may want to place the account into a quarantine group within the IDP that severely restricts their access to data and applications until further investigation or incident response procedures can be performed.

To use this option, the following steps must be taken:

  1. A group called Quarantine must exist in the primary IDP, Okta, for the user account. If a different group name is required, please coordinate with your Identity Intelligence technical representative

  2. The group must be associated with polices and rules that take precedence over normal auth policies and restrict the user from accessing applications and data. Several use cases for this exist:

    1. The user's account may be compromised, so the Quarantine group allows them to only access the user help desk portal and nothing else

    2. The user has failed some other security policy or training, and so the account can only access the security training application until the issue is remediated

Under the Actions button for a given user, the Quarantine option will perform this action for the connected IDP(s).

Note - Once a user has been placed in the Quarantine group, they can only be removed from the Quarantine group through the IdP Platform, e.g. Okta

Additional Actions

Open Ticket

Supported platforms: ServiceNOW, Jira

Open a ticket for a specific user:

  1. Enter a Subject and click Confirm to open the ticket in your Ticketing System. Specify if it is a general issue or a request

Open a ticket for a specific check failure for a specific user:

  1. Select the desired platform (if more than one is connected) and click Confirm.

Link User

Many scenarios exist where the same human user has access to multiple discrete users accounts, either within the same IDP or across different IDPs. In these cases, we recommend creating a link between these users to make account clean up and investigations easier and faster.

Update User Type

Supported IDPs: Okta, Azure AD

Several primary IDP types provide an attribute of User Type, but this user account attribute may not be populated or properly sync'd with a source of truth, such as an HR system.

In this case, an admin or help desk role may want to manually set the user type attribute in the IDP from the Identity Intelligence console. This is especially true if the account is a service account or a 3rd party/external user, such as a contractor or consultant.

  1. To do so, click Assign

  1. Type in your desired value and click Save Changes

  1. At the top of the User Overview page, you will see a Status bar noting that the action has been triggered. When complete, the status will update.

Refresh User Data

Supported IDPs: Okta, Azure AD, Google, Duo, Salesforce

You can see the most recent full data collection for a user in the Activity tab by hovering over the Last data collection link in the middle right side, about the events table.

To obtain the latest data set for an individual user across all connected platforms, click Actions -> Refresh User Data

The status will be available in a bar at the top of the User Overview tab.

Triage Actions are accessed through check failures - either on the page of failing users for a given check or on the tab. You may notice that not all checks contain all the triage actions listed above. That is because cannot be marked as suspicious/normal.

Additional permissions or set up are required to utilize all Remediation Actions. More information on what is needed for each data source can be found in the section below.

Another action available, outside of the Actions button, is Update User Type. This action also requires which you can read more about below.

Actions reserved for full administrators, such as changing tenant settings, checks settings, or integration configuration, are discussed in the .

For both Checks, you can exclude a given user from that particular check. Excluding a user from a check can be customized to exclude for a specific timeframe, or made permanent with an indefinite timeframe.

Once the user has been excluded, this particular check will move to the section of the given user's User 360 Checks tab, with Result as Excluded. It will also include information on who excluded the user and display the Reason, if one was provided.

For threat detections, after you have investigated a check failure, you should then triage the failed check or observation for that user with the Mark as suspicious or Mark as normal behavior buttons so that they are no longer failing a given check. It is recommended to leave a brief comment with the triage result of your investigation for record keeping and historical purposes.

Marking a user's check failure or observation as either suspicious or normal behavior will mitigate the failed check/observation for that user and move it to the section of the given user's User 360 Checks tab and will not alert on observations with the same context for the next 30 days.

the table of failing users on a given

a given user's tab

Marking a user as suspicious or interesting from a given Failing check page will apply that feedback to ALL observations for the given user; however, on the tab you can review each individual observation and mark each accordingly. This is important because if a user has multiple observations, each with different context, the observations should be reviewed individually and triaged appropriately via the User 360 Checks tab, otherwise you may miss future check failures for a user.

To enable this functionality for Okta integrations, the Okta service account used to generate the API token in use by Identity Intelligence needs to be configured with the Okta Roles outlined in .

Click the Actions button on any tab within a selected user's and then select Send push notification

These actions will also show up as events in the user's tab

Click on the desired guest user to open their User360 tab

You can do this in Identity Intelligence via the Reset MFA action under the Actions button on any tab of a given user's .

You can do this in Identity Intelligence via the Log Out User action under the Actions button on any tab of a given user's .

The status will be displayed in the remediation status bar in the tab of the user360 for the selected user.

Via integrations with and , Identity Intelligence is able to open tickets in those platforms in several scenarios. A ticketing service integration must be configured to use this action.

Click the Actions button on the top right of any tab of the given user's and select the Open Ticket action to pen a ticket for that user

Select Open ticket for check, which can be found under the 3-dot button on either the or on the list of users failing a given check, to open a ticket

Any tickets opened via Identity Intelligence and their status will be visible at the bottom of the .

Under the Actions button on a given user's User360, there is an option to Link User. There are also other ways to link users. , which includes information on when, why and how to use it.

If there are any issues with the remediation action, you can see the details in the page under the tenant options menu in the top right corner.

For most IDP connections, Identity Intelligence will pull changes to static user account information and activity once every 24 hours. (Note: If or event streaming are enabled, the events in the Activity tab will be processed and visible more frequently)

Because of a limitation on the Microsoft side, Identity Intelligence typically gets users' on a monthly cycle. Use the Refresh User Data action to pull the current factor info for a given user if needed

👥
🛠️
RBAC and Access Logs article
Azure AD
Okta
Duo
Google
Failing Check page
User 360 Checks
User 360 Checks
User360
Activity
Overview
User360
User360
Overview
ServiceNOW
Jira
User 360
User360 Checks tab
Click here to see our documentation about the Linked Users functionality
System Logs
Okta
Azure AD
Exclude from Check
Mark as suspicious
Mark as normal behavior
Send Push Notification
Delete Guest User
Reset MFA
Log Out User
Quarantine User
Technical Requirements
Open Ticket
Link User
Update User Type
Refresh User Data
additional permissions
User 360 Checks
State based checks
event-based and state-based
event-based identity
#setup-steps-1
Resolved Checks
Resolved
User360 Overview tab
configured factor information