Users


Last updated 2 months ago

Overview

The Users page provides high-level information on all the user identities in your environment, along with several filters and sortable columns, so that you can better understand, analyze and share user population data based on a variety of useful parameters. By default, the table on the Users page is sorted by User Name, and excludes user accounts that have been deleted, deprovisioned, or disabled.

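This section covers:

  • Definitions of the elements in the table

  • Users page actions such as searching, exporting results, etc.

  • Advanced Query Mode and Basic Filters

  • Pivoting on IP address

To get a high-level overview of the Users page, watch the video below.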

Users table elements

The section below details the fields that appear in the table by default, as well as the definition of each field:

| Element | Description |
| --- | --- |
| User | The user's display name and their corresponding email or username |
| Trust Level | The user's current Trust Level |
| Checks | The total number of checks a user is failing. A 🚫 icon in this column indicates that the corresponding user is not part of the protected population and checks are not being evaluated against this user |
| # IPs | The total number of IP addresses associated with a user's activity across all providers |
| # Logins | The total number of attempted logins across all providers, regardless of result (success, failure, challenge, other) |
| Last Seen (UTC) | The date and time of the last login attempt, regardless of outcome, for a user across all providers |
| Last IP Address | The IP address associated with the last successful or failed login attempt for a user across all providers. To learn how to pivot on this IP address, see Pivot on IP address |
| Last Location | The location associated with the last successful or failed login attempt for a user across all providers |
| MFA | Icon showing whether MFA is configured or not configured |
| Providers | The logo icon(s) for the corresponding identity data sources where a user's account has been associated. Hovering over a source will show you the integration name and user's status as gathered from the identity data source |
| Status | The user's Identity Intelligence Status and Lifecycle Event tag, if applicable (both are detailed below this table) |
| Compiled Status | Compiled status combines provider user types (i.e. internal, external, service accounts, etc.) and the user's Identity Intelligence Status |

Lifecycle events highlight recent, notable events that have occurred on a user's account that can be beneficial to know about during an investigation. Lifecycle event badges are displayed for 7 days after the event is noted.

Status

  • Active (green badge): This account is enabled in an identity data source and has successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks (default setting is 30 days)

  • Inactive (grey badge): This account is enabled in an identity data source, but has not successfully logged in over the last X days. The number of days is consistent with the value set on the Inactive Users and Inactive Guest Users checks (default setting is 30 days)

  • Deprovisioned (grey badge): This account is no longer enabled in an identity data source and cannot be signed into

  • Inconsistent (red badge): This account has been flagged because there are account status discrepancies that may pose a significant security threat. See Inconsistent Users to learn about what factors contribute to a user being marked as inconsistent

Lifecycle Events (yellow badge)

  • New Account: indicates that this account was recently created. Includes the date the account was created

  • Significant Change: indicates that an uncommon, but important, activity has recently happened on this account (for example: MFA factor added, admin privileges granted, sensitive app assigned, etc.). You can query for specific Significant Change events using Advanced Query mode

Additional columns can be added to the table view using the Columns button:

| Element | Description |
| --- | --- |
| Created Date (UTC) | The date a user's account was created. Uses the first creation date available across all configured providers |
| Employee ID | The employee ID, gathered from the provider if available |
| Manager Login | The user's manager's email address, gathered from the provider if available |
| Title | The user's job title, gathered from the provider(s) if available |
| Department | The department a user belongs to, gathered from the provider(s) if available |
| Registered Location | The location a user is supposed to be working from based on hiring agreements, if available from the HRIS or the IdP. If the user has multiple registered locations that differ, the HRIS data always takes precedence. If HR information is not available for a user, then the data comes from the IdP |
| Inconsistency Severity | The severity of the inconsistency noted for a user with Inconsistent status |
| User Type | The Identity Intelligence user type assigned based on compiled identity data source user types |

Users page general actions

There are several general actions that can be performed on the Users page:

  • Search

  • Sort, add or remove columns

  • Download results

  • Share results

  • Refresh

Each action is described below.

Search

Use the search bar to search based on users, names, groups, applications and IPs. When searching, you do not need to provide an exact value. Typing part of a word will return results.

If you have searched on a particular parameter, the search criteria are retained as you navigate between different tabs within the platform.

To clear the search bar, click the X on the rightmost side of the search bar, next to the Advanced button.

Sort Columns

Sort columns within the table by clicking the column header you'd like to sort by. Click once to sort in ascending order, click again to sort in descending order.

Multi-column sorting is not currently supported.

Add or remove columns

Columns can be added or removed from the table using the Columns button in the top right of the table, above the column headers. Click this button to choose the columns you'd like to display in the UI. To return to the default settings, click the Restore Default option at the bottom of the list when you open the Columns button.

The Download feature (described next) respects the visible columns.

Download results

You can download tabular data from the table to a CSV using the Download icon button on the right after the search bar. All columns displayed and filters applied are included in the CSV output.

If there are no results in the table, the CSV export will contain only headers and no user data.

Note: The CSV output has a limit of 2,000 rows.

Share URL

For easy sharing, use the Share button on the right side of the search bar. The Share button copies a link, with the applied filters and selected columns, that can be pasted, bookmarked or shared with anyone who has the appropriate access to your Identity Intelligence tenant.

Refresh

Use the Refresh button on the right side of the search bar to refresh user data and filter counts in the table after making changes (for example: linking users, excluding a user from a check).

Filters

The Users table is filterable by a number of attributes, enabling you to slice and dice your user population based on the parameters that are important to you.

There are two types of filters that can be used on the Users table: basic filters, which can be found to the left of the Users table, and Advanced Query mode, which can be enabled via the search bar above the Users table. See Basic Search & Advanced Query Mode to learn how to use Advanced Query Mode.

Filtered results derived from both basic filters and advanced queries can be saved to access later or share with teammates. To learn more about how to save filters, see Saved Filters.

Applying basic filters

You can see all the available basic filters on the left-hand side of the Users page.

To enable a filter, click the check box for the attribute you would like to filter by. The applied filters will be added to the search bar. The number of users that you are currently viewing, based on the filters and searches used, will appear in the top left corner of the Users table above the column headers.

To remove a filter, you can either deselect the attribute from the filters list on the left-hand side of the Users table, or click the X on the right-hand side of the filter box that is in the search bar. To remove all filters besides the default filter, click the X located next to the Advanced Filter button in the search bar.

After you have selected your filters, the filters are retained as you navigate between different areas within the platform.

By default, the Users table excludes user accounts that have been deleted, deprovisioned, or disabled. To include these accounts in the results, click the X on the right side of the 'NOT Status' filter box in the search bar.

Distinct filters are separated by an AND operator. For example, if you select the Duo value from the Sources filter and the No value for the MFA Configured filter, the table will display all users in Duo who have No MFA Configured.

For most filters, you can select more than one value to filter by. Within a given filter, selecting more than one value will separate the values with an OR operator by default. For example, if you select the values Okta and Duo for the Sources filter, users with accounts in either Okta OR Duo will be displayed.

However, within a given filter, if you would like to filter for users with accounts in both Okta AND Duo, you can click on the OR operator found in the filter box in the search bar or in the left-hand filter menu to switch it to AND. Doing this will allow you to see users that are in both Okta AND Duo.

Filters that use radio buttons cannot have more than one value selected at once (for example: Is Admin).

Filter values can also be excluded from the results for most filters, except for those that cannot have more than one value selected at once. To exclude a value from filtered results (i.e. NOT), you can click on the 🚫 icon in either the filter box in the search bar or the left-hand filter menu.

Similarly, you can 'include all' filter values in the results, except for filters that cannot have more than one value selected at once. To select all values within a given filter, click All next to the filter value title.

Pivot on IP address

The IP address in the table has a few actions associated with it that can be useful to learn more about an IP address and the associated activity.

The actions menu will pop up when left-clicking on a specific IP address in a user row. The actions are:

  • Copy to clipboard - Copies the IP address to your clipboard so that you can paste it within Identity Intelligence or another tool

  • Find user activity - Takes you to the Activity tab of the User 360 for the respective user, with the selected IP address added as a filter, so you can see all the user's activity associated with this particular IP address

  • Find users who attempted to sign in from X.X.X.X - Adds the selected IP address as a search parameter on the Users page so you can see any other users who have activity associated with this particular IP address

  • See IP info - Takes you to the Networks tab of the User 360 for the respective user, with the selected IP address added as a filter, and opens the slide panel so you can see more detailed information about that IP address for this user
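
The 2,000-row limit on Download results and the "find other users on this IP" pivot can both be checked offline against an exported CSV. The script below is an added example, not code from Cisco or Oort: the header names (User, Last IP Address, Last Seen (UTC)) are assumed to match the column labels in the Users table, the sample rows are constructed, and it only sees each user's last IP address rather than their full activity.

```python
import csv
import io
import ipaddress
from collections import defaultdict

EXPORT_ROW_LIMIT = 2000  # CSV row cap stated on this page

# Constructed sample export. Header names are an assumption: they mirror
# the column labels of the Users table, not a documented CSV schema.
SAMPLE_EXPORT = """User,Last IP Address,Last Seen (UTC)
alice@example.com,203.0.113.10,2024-05-28 09:14
bob@example.com,198.51.100.7,2024-05-28 11:02
carol@example.com,203.0.113.10,2024-05-27 22:40
dave@example.com,,2024-05-01 08:00
"""


def load_export(text):
    """Parse an export and return (rows, possibly_truncated).

    The download only contains visible columns, so fail loudly if the
    columns this analysis needs were hidden when the CSV was produced.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = {"User", "Last IP Address"} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks columns: {sorted(missing)}")
    rows = list(reader)  # a headers-only export yields an empty list
    # Reaching the cap means the result set may have been cut off, so
    # conclusions drawn from it could be incomplete.
    return rows, len(rows) >= EXPORT_ROW_LIMIT


def normalise_ip(value):
    """Return the canonical text form of an IP, or None if blank/invalid."""
    try:
        return str(ipaddress.ip_address((value or "").strip()))
    except ValueError:
        return None


def shared_ips(rows, min_users=2):
    """Map each last-seen IP to the users sharing it (min_users or more)."""
    groups = defaultdict(set)
    for row in rows:
        ip = normalise_ip(row.get("Last IP Address"))
        user = (row.get("User") or "").strip()
        if ip and user:
            groups[ip].add(user)
    return {ip: sorted(users) for ip, users in groups.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    rows, truncated = load_export(SAMPLE_EXPORT)
    if truncated:
        print(f"warning: {len(rows)} rows, export may be truncated; "
              "narrow the filters and download again")
    for ip, users in shared_ips(rows).items():
        print(f"{ip}: {', '.join(users)}")
```

If the truncation warning fires, narrow the filters in the Users table and export again before relying on the grouping.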