
Overview Tab


Last updated 6 months ago

Overview

The purpose of the Overview tab is to provide you with high-level context on who a user is. Identity Intelligence will consolidate a user's information across sources (Entra ID, Duo, Salesforce, GitHub, Workday, etc.) where the same email address has been associated, so that you can see all the information about one identity in one view.

The Overview tab is the first tab of the User 360. You will land on this tab when clicking through a user from the Users page.

In this article, we will describe the purpose and data of each widget of the Overview tab in detail.

Summary

The Summary widget displays high level context about a user that has been gathered across the different sources associated with an identity. The Summary widget is the first widget on the left hand side of the Overview tab. It is immediately below the user's display name and email.

Hovering over any icon in the Summary widget will display a tooltip indicating the information being shown alongside the respective icon. Below are the elements visible in the Summary widget, and the corresponding definitions:

| Element | Definition |
| --- | --- |
| User Type | Combines IdP Status, Identity Intelligence Status, and HRIS status if available, to provide more context on this user's current state. |
| Title | The user's current job title. This information must be available in the IdP or HRIS for this field to populate. If it is not available, it will show as N/A. |
| Department | The department the user belongs to. This information must be available in the IdP or HRIS for this field to populate. If it is not available, it will show as N/A. |
| Organization | The organization the user belongs to. This information must be available in the IdP or HRIS for this field to populate. If it is not available, it will show as N/A. |
| Registered Location | The user's registered working location. This information must be available in the IdP or HRIS for this field to populate. If it is not available, it will show as N/A. |
| MFA Status | Whether this user has any forms of MFA configured on an account. If yes: MFA Configured. If no: MFA Missing. |
| Last Successful Login | The last successful login date, time (UTC), and days elapsed, recorded for this user. |
| User Manager | The user's manager's name. This information must be available in the IdP or HRIS for this field to populate. If it is not available, it will show as N/A. This field can be updated directly in Identity Intelligence by clicking the pencil icon; however, updating this field will not modify any data within the IdP. It will only change how the information is presented within Identity Intelligence. This action can always be undone later. |
| Lifecycle Events | Highlights recent, notable events that have occurred on this user's account that can be beneficial to know about during an investigation. Lifecycle events are displayed here for 7 days after the event is noted. New Account badge: indicates that this account was recently created; includes the date the account was created. Significant Change badge: indicates that an uncommon, but important, activity has recently happened on this account (for example: MFA factor added, admin privileges granted, sensitive app assigned, etc.); describes the event type(s) and the date(s) associated with the event. If this field is not visible, it means there have been no recent lifecycle events associated with this user in the last 7 days. |

User Trust Level

The User Trust Level provides an overview of the user's current Trust Level. This widget shows what the user's current trust level is, as well as what factors contributed to the user's particular Trust Level. The User Trust Level widget is the first widget in the middle of the Overview tab, immediately below the tab names. From this widget, you can dive deeper into the user's events to investigate the details of a unique event or the events that happened in the 48 hours before and after the user's Trust Level changed.

Last Login Attempt

The Last Login Attempt widget shows you information about the last login attempt recorded for this user, regardless of result. The widget is on the left hand side of the Overview tab, directly below the Summary widget.

It will surface:

  • Last log in attempt result - ex. success, failure, challenge, etc

  • If there is a failure, it will also include the reason for the failure - ex. invalid credentials, etc

  • Date and time of last attempt (in UTC)

  • Location of last attempt

  • IP Address of last attempt

Login Attempt visualizations

Both Login Attempt visualizations can be found directly beneath the Failed Checks widget.

Attempted Logins

A pie chart breaking down the login attempts by result (success, failure, etc.) for the user. This visualization is based on the user's full history since the user has been monitored by Identity Intelligence (i.e., all time).

To export this visualization to a PNG, SVG, or get the raw data in a CSV, click the 3 line button in the top right corner of the widget.

Records per day

A bar graph visualization breaking down the login attempts per day by result. By default, this timeline visualization looks across 30 days of activity. However, to see the same data over a smaller or larger timeframe, you can click the + or - buttons in the top right.

If the user is Inactive, this widget will still be visible but blank with a message stating "No records found".

To export this visualization to a PNG, SVG, or get the raw data in a CSV, click the 3 line button in the top right corner of the widget.

Source Cards

Because Identity Intelligence merges accounts across data sources into one user record based on email address, it is common for one user record to have accounts across multiple data sources. The Source Cards show the data sources where this user has an account, and the different information coming from each source.

On the left hand side of the Overview tab, there will be a source card for each data source that contains an account for the given user. Active source cards are always visible, while deleted or deprovisioned sources for a user are collapsed together and can be expanded for more information.

The information in each source card will vary depending on the data source itself, as well as what information is available for a given user in the data source. For example, if Okta is your IdP and the fields for a specific user's registered location, job title, manager, etc., have not been populated, those fields will not be displayed. You may see this information on another user in your environment, however, if those fields were filled out for that user in Okta.

All of the information in the source cards is coming directly from the source itself, except for the field called Identity Intelligence Type. The Identity Intelligence Type is assigned by Identity Intelligence based on a variety of different factors, such as IdP type, job title, department, etc.

Activity Flow visualization

The Activity Flow widget provides a visual representation of a user’s activities including locations visited, applications accessed, and related events, so that you can quickly identify anomalies and investigate specific user activities more effectively. The Activity Flow visualization widget can be found directly below the Login Attempt Visualizations.

The Activity Flow widget defaults to showing the user's activity over a 30 day window. This can be customized using the date picker in the top right corner of the widget. To view the flow in full screen, click on the Expand icon in the bottom left corner of the widget. To save a PNG of the flow, click on the Camera icon in the bottom left corner of the widget, next to the Expand icon.

Clicking on any of the colored bars within the visualization will take you to the Activity tab, pre-filtered on all events associated with your selection.

If the user is Inactive, this widget will still be visible but blank with a message stating "No records found".

Authentication Factors

The Authentication Factors widget displays all the authentication factors associated with a particular user, across all sources associated with that user. The Authentication Factors widget is below the Activity Flow visualization. However, if there is no MFA configured on a user's account, this widget will not be visible.

All columns in this widget, except Factor, can also be sorted by ascending or descending values, by clicking on the arrows next to each column header.

By default, the Authentication Factors widget contains the following information:

| Element | Definition |
| --- | --- |
| Factor | Factor type (i.e., Password, SMS, Push, etc.); source associated with the factor; Factor ID. If the factor is new or weak, a tag indicator will be displayed next to the Factor Type. |
| Assurance Level | Assigned by Identity Intelligence to make it easier to identify the posture of a specific factor. To learn more about Assurance Level mapping, see the FAQ. Possible values: High, Medium, Low, Unknown. |
| Status | The enrollment status of a given factor. Note: not all statuses are available with all data sources. Active: factor is enabled and can be utilized. Disabled: factor was reset or disabled and cannot be utilized. Pending: factor configuration process was started but not completed (ex: MFA application is on device, but was not enabled for MFA). |
| # Changes | The number of changes that have been made to the factor. |
| Usage Count | The number of times the factor has been utilized by the user. |
| Device | The name of the device associated with the factor. |
| Phone Number | The phone number associated with the factor, if relevant. |
| Last Used (UTC) | The date and time the factor was last used successfully. |

Similar to the Users table, columns can be added or removed from this table by clicking on the Columns button on the upper right of the table. Factor Type and Usage Count cannot be removed. To restore the default, click Restore Default after clicking the Columns button.

The columns that are not included by default are:

| Element | Definition |
| --- | --- |
| Last Updated (UTC) | The date and time the factor was last changed. To see more details about changes to a factor, click on the down arrow on the left of Factor to expand the details and see last updated date, created date, and any factor change information. |
| Created (UTC) | The date and time that the factor was set up. |

Groups and Application information

These four widgets, below the Authentication Factors table, show a quick snapshot of groups and application usage for a user.

Groups

Total number of groups this user is part of.

Applications Allowed

Total number of applications assigned to this user.

Unused Applications

Total number of applications assigned, but not in use, for this user.

Most frequently used applications

Tickets

Note: If you do not have a ticketing service integration set up, you will not see this widget.

The table below lists the fields visible in this widget:

| Element | Definition |
| --- | --- |
| Name | User's name + name given to a ticket when it was opened (ex. John Smith: Ticket Test). |
| State | Ticket's state as set in the Ticketing System. |
| Priority | Ticket's priority as set in the Ticketing System. |
| Urgency | Ticket's urgency as set in the Ticketing System. |
| Ticket Opened (UTC) | The date and time the ticket was created. |
| Last Updated (UTC) | The date and time the ticket was most recently updated. |

Linked Users

Below the Tickets widget is the Linked Users widget, which will show you all the linked users associated with a user. If there are no linked users associated with a user, this widget will still be visible but blank with a message stating "No records found" and a button to add linked users.

Once you have linked a user to another user, a table will populate with information on the current user, and all associated linked users. The following fields are available in the table for each linked user:

| Element | Definition |
| --- | --- |
| User | User's display name and user's email address. The first user in the table is always the user whose User 360 you are currently on. |
| Status | The user's Identity Intelligence Status and lifecycle events, if present. |
| Identity Intelligence Type | The Identity Intelligence user type assigned based on compiled identity data source user types. |
| Last Seen (UTC) | Last login attempt for a user, regardless of result. |
| Last Location | Last login attempt location for a user, regardless of result. |
| MFA Configured | MFA Configured or MFA Not Configured. |
| Providers | Logo icon for each source where the user's email was associated. Hovering over a logo displays the name given to each source during the Integration setup. |

To learn more about this status, check out User Statuses.

More detailed information about this widget and the User Trust Level can be found in the User Trust Level docs.

Clicking the View more data button at the bottom of this widget will take you to the Activity tab, filtered by the event associated with the last login attempt.

Read our MFA Factors FAQ for more information.

To see more details about a user's groups, click the View All button to navigate to the Groups tab or navigate to the Groups tab directly yourself.

To see more details about a user's applications, click the View All Applications button to navigate to the Applications tab or navigate to the Applications tab directly yourself.

This bar graph visualization shows you the Top 10 most frequently used applications for a user, along with the usage count for each application. If the user is Inactive, this widget will still be visible but blank with a message stating "No records found". Clicking into one of the bars in this visualization will bring you to the Activity tab, pre-filtered on all events associated with the selected application. To export this visualization to a PNG, SVG, or get the raw data in a CSV, click the 3 line button in the top right corner of the widget.

If you have a ticketing service integration set up, you can open tickets for a user directly via the Actions button in Identity Intelligence. Once you have opened a ticket for a user, a table will populate in this widget, which is below the Group and Application widgets. If there are no tickets associated with a user, this widget will still be visible but blank with a message stating "No records found".

Sometimes a user might have more than one account in your system, under different email addresses. We recommend linking these accounts for hygiene purposes. To learn more about the importance of linking users, how to add/remove linkages or filter on linked users, read more here.