Oort Knowledge Base
Activity Tab

Last updated 8 months ago

Overview

The Activity tab's purpose is to show a detailed view of all activities, across all sources, associated with a given identity over time in one view. Without having to jump across different tools and platforms to piece together bits of a user's activity, the Activity tab can save you time and is incredibly valuable when investigating a user.

The Activity tab is the second tab of the User 360. This article will describe the different information and functionality available on the Activity tab in detail.

Activity table elements

The Activity table contains all the detailed event information for a particular user. Above the column headers, the total number of events for the selected timeframe appears on the left; on the right, hovering over "Last data collection" shows the last data collection timestamp for each source.

The section below details the fields that appear in the table by default, as well as the definition of each field:

| Element | Definition |
| --- | --- |
| Date (UTC) | The date and time the event/action happened |
| Source | The identity source associated with the event/action |
| Event | What the event/action taken by the user was |
| Initiator | Who initiated the event/action and a session ID for the event, if available |
| Target | What the target of the event/action taken by the user was |
| Result | The result of the event/action taken by the user |
| Geo IP | The IP address and respective location for the associated event/action |
| Tags | Tags associated with the event and/or the IP address. Hover over each tag to see a tooltip with the source of the tag (ex: Okta: Password Spray, IP info: Hosting, etc). If no source, it is an Identity Intelligence tag (ex: New ISP) |
| OS | The operating system associated with an event/action. Hover over the icon in this column to see a tooltip with the OS name |
| Browser | The browser associated with an event/action. Hover over the icon in this column to see a tooltip with the browser name |
| Device Type | The device type associated with an event/action |

Diving deeper into an event

To see more information on an event in the Activity table, click on any blank space in the row related to the specific event you'd like to dig into.

This opens a slide panel from the right side of the page with 2 tabs: Event Attributes and Raw data. The event attributes and raw data shown vary depending on the information relevant to the event/action you are looking at.

  • Event attributes shows you more detailed information on the attributes related to the event

  • Raw data shows you the raw data for a given event

To close the slide panel, click the X in the top right corner, or click anywhere outside of the slide panel.

Activity Tab general actions

This section describes the high-level actions you can perform on the Activity tab. Click through the tabs below to learn more about how to use each feature.

Search issues

Use the search bar above the Activity table to search on items such as a specific IP address, session ID, application name, source, location, etc. You do not need to provide an exact value when searching; typing part of a word will return results.

If you have searched on a particular parameter, the search criteria are retained as you navigate between different tabs within the platform.

To clear the search bar, click the X on the rightmost side of the search bar, next to the Advanced button.

Adjust timeframe

By default, the Activity tab is filtered to show all events over the last 30 days. If you would like to see a larger or smaller window, you can customize your view with the date selector, which can be found directly to the right of the search bar.

Click anywhere in the box to open a dropdown where you can select from preset timeframes (ex: Last 4 hours, Last day, Last 7 days, etc), a custom period, or 'View All', based on your needs.

Download results

You can download tabular data from the table to a CSV using the Download icon button on the right after the timeframe filter. All filters applied are included in the CSV output. If there are no results in the table, the CSV export will contain only headers and no user data. Note: The CSV output has a limit of 2,000 rows.
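The following is an added example, not part of the original article or the product: a way to triage a downloaded Activity CSV offline, flagging an export that hit the 2,000-row cap and summarizing results per day and per IP. It assumes the CSV headers match the table column names above, that the date begins with `YYYY-MM-DD`, and that the Geo IP cell can be grouped as-is; the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Row cap on the Activity table CSV export, as stated in the article.
CSV_ROW_LIMIT = 2000

# Assumption: export headers match the Activity table column names.
DATE_COL, RESULT_COL, IP_COL = "Date (UTC)", "Result", "Geo IP"

# Constructed sample export (not real data); IPs are documentation ranges.
SAMPLE_CSV = """\
Date (UTC),Source,Event,Result,Geo IP
2024-05-01 08:02:11,Okta,Sign-in,failure,203.0.113.7
2024-05-01 08:02:40,Okta,Sign-in,failure,203.0.113.7
2024-05-01 08:03:05,Okta,Sign-in,success,203.0.113.7
2024-05-01 09:15:00,Duo,MFA,challenge,198.51.100.20
2024-05-02 10:00:00,Okta,Sign-in,success,198.51.100.20
2024-05-02 10:30:00,Azure AD,Sign-in,failure,192.0.2.55
"""


def load_export(text):
    """Parse export text into dict rows; a headers-only export yields []."""
    return list(csv.DictReader(io.StringIO(text)))


def is_probably_truncated(rows, limit=CSV_ROW_LIMIT):
    """An export that reaches the cap has most likely dropped events:
    narrow the timeframe or add filters, then download again."""
    return len(rows) >= limit


def _count_results(rows, key_fn):
    """Count normalized Result values grouped by key_fn(row)."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[key_fn(row)][row[RESULT_COL].strip().lower()] += 1
    return {key: dict(c) for key, c in sorted(counts.items())}


def results_per_day(rows):
    """Events per UTC day, split by result (assumes YYYY-MM-DD prefix)."""
    return _count_results(rows, lambda r: r[DATE_COL][:10])


def results_per_ip(rows):
    """Events per Geo IP value, split by result."""
    return _count_results(rows, lambda r: r[IP_COL].strip())


def mixed_result_ips(rows):
    """IPs showing both failures and successes: candidates for a closer
    look with the IP pivot actions in the Activity tab."""
    per_ip = results_per_ip(rows)
    return sorted(ip for ip, c in per_ip.items()
                  if c.get("failure") and c.get("success"))


if __name__ == "__main__":
    rows = load_export(SAMPLE_CSV)
    print("rows:", len(rows), "truncated:", is_probably_truncated(rows))
    print("per day:", results_per_day(rows))
    print("review IPs:", mixed_result_ips(rows))
```
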

Timeline visualization

The Activity tab has a timeline widget that displays a given user's total number of events per day, color coded by result type (i.e., success, failure, challenge, etc). Hovering over a segment of a bar displays a tooltip with the date, the result, and the count of events for that result. By default, the view is set to 30 days, but this can be adjusted to a wider or smaller window of time using the + and - buttons in the top right corner of the timeline widget.

To export this visualization, click on the 3 line button in the top right corner of the widget. Downloading as a SVG or PNG will export an image, whereas downloading as a CSV will export the raw data for you in CSV format.

If you would like to hide this widget to get more space for the Activity table, click the Graph icon button next to the timeframe filter. To get the widget back, click the Graph icon button again.

Filters

Like the Users table, the Activity table is filterable by multiple attributes, enabling you to slice and dice the activity based on the parameters that are important to you.

Basic filters

To access the basic filters, click on the filter button that is to the left of the search bar, above the Activity table. This will open a slide panel from the left side of the page with the available filters.

The filter categories available via the slide panel are Result and Event. You can enable a filter by clicking the check box for the attribute you would like to filter by. The applied filters will be added to the search bar. The number of events that you are currently viewing, based on any filters and searches used, will appear in the top left corner of the Activity table, above the column headers.

Filter attributes will vary from user to user based on the results and events available for a particular user.

Like on the Users tab, you can also select all attributes or exclude an attribute. To select all values within a given filter, hover over a filter value and click All. To exclude a value from filtered results (i.e., NOT), click the 🚫 icon in either the filter box in the search bar or the left-hand filter menu. To remove a filter, either deselect the filter attribute in the filters list on the left-hand side of the Activity table, or click the X on the right-hand side of the filter box in the search bar. To remove all filters, click the X located next to the Advanced Filter button in the search bar.

After you have selected your filters, the filters are retained as you navigate between different tabs within the platform.

Filtering via event attributes

Another way to filter in the Activity table is by clicking on an event attribute in the table or in the slide panel, which will add it to the search bar as a filter. The elements that can be filtered on via the table elements are:

  • Source

  • Event

  • Session ID (in Initiator column if present)

  • Target application (in Target column if relevant)

  • Result

  • OS and Browser (only works on icons, not free text)

Additionally, if you open the slide panel and click on any of the attributes in the Event Attribute tab, the attribute will be added as a filter.

Pivot on IP address

The IP address in the table or in the slide panel has a few actions associated with it that can be useful to learn more about an IP address and the associated activity.

The actions menu will pop up when left-clicking on a specific IP address in the Activity table. The actions are:

  • Find user activity - Adds the selected IP address as a filter on the given user's Activity tab so you can see all the user's activity associated with this particular IP address

  • See IP info - Adds the selected IP address as a filter on the given user's Networks tab and opens the slide panel so you can see more detailed information about that IP address

  • Copy to clipboard - Copies the IP address to your clipboard so that you can paste it within Identity Intelligence or another tool

  • Find users who attempted to sign in from X.X.X.X - Adds the selected IP address as a search parameter on the Users page so you can see any other users who have activity associated with this particular IP address

There are several ways to filter the results of the Activity table: basic filters, directly from attributes in the table or slide panel, and Advanced Query mode, which can be enabled via the search bar above the Activity table. See Basic Search & Advanced Query Mode to learn how to use Advanced Query Mode.
