Oort Knowledge Base

Basic Search & Advanced Query Mode

09/2024


Last updated 8 months ago

Overview

Identity Intelligence lets you build simple but powerful searches from basic filters, as well as advanced queries that answer critical questions about your identity population. In Advanced Query mode you write Kibana Query Language (KQL) to form more complex queries for information that the Basic filters do not expose.

Basic Search Mode

The default search mode within the UI allows for point-and-click combination of filters on the left-hand menu bar of the Users page.

The same click-to-filter functionality is available in the Activity tab of the User 360 page.

Important Notes

  1. By default, accounts that are disabled, deleted, or deprovisioned are filtered OUT of the Users page results. Clear this filter to see those accounts in your search results.

  2. In Basic mode, searching with a leading wildcard, such as *<some term>, is not supported.

Entering Advanced Mode & Adding Filters

  1. From the Users tab, click the Advanced button on the right side of the search bar.

    1. Alternatively, if you select a Basic filter from the left-hand side of the Users table, a chip for that filter is added to the search bar in Basic mode. Click the chip to convert the filter to an Advanced attribute, which you can then edit.

  2. Additional filters can be added to, and edited in, the existing search string.

  3. At any point you can convert back to Basic filter mode by clicking the Advanced button and confirming the switch. Note that converting back discards anything written into the search string.

Available Attributes & Auto-complete

The user records in Identity Intelligence contain a large number of attributes (fields) that can be queried in Advanced search mode. The attribute list is updated continually as new functionality and integrations are added.

The best way to find a particular attribute is to click the Advanced button, which opens the list of available attributes. Start typing the attribute into the search bar to trigger auto-complete, which shows the attributes that include your keywords, or scroll through the alphabetized list to see everything available. Hints pinned to the bottom of the attribute list can also guide you when crafting more complex queries.

Operators

  • AND

  • OR

  • NOT

  • _exists_

  • !_exists_

Examples

This section provides several examples for building queries within the Advanced search bar.

Example 1 - Complex query with AND

To find users matching all of the following:

  • members of the GSuite Admins group

  • no MFA enabled

  • recently logged in

  • subject of an IP threat from a VPN or Tor proxy

The query would look like:

groupNames.keyword:"sg-gsuite-admins" AND mfaEnabled:false AND lastActive:{now-7d TO now-1d} AND ipAddressDetails.ipTags.name:(VPN OR TOR_Proxy)

Example 2 - IP Activity from a Specific Country

To find users with recent IP activity from a particular country, such as China, the advanced query would look like:

ipAddressDetails.location.country.keyword:"CN"

Example 3 - Accounts with no Employee ID attribute

To list user accounts without an Employee ID attribute value, the query would look like:

!_exists_:employeeId.keyword

Example 4 - Inactive users with specific naming convention

To find inactive users whose accounts start with "sa." and contain the word "company", the query would look like:

sa.*company* AND checkResults.checkId.keyword:inactive-users

Note: a free-text term (one without a field name) is matched against all indexed fields within the user profile, for example email address, UPN, etc.

Example 5 - Find admin accounts for a specific IDP

Identity Intelligence attempts to determine admin privileges or roles granted to accounts. To search for the admin accounts associated with only one specific IDP, the query would look like one of the following, depending on the IDP desired:

integrationInstanceDetails.providerAdmin.keyword:"OKTA__true"

integrationInstanceDetails.providerAdmin.keyword:"AZURE_AD__true"

integrationInstanceDetails.providerAdmin.keyword:"G_SUITE__true"

Example 6 - Query for Microsoft License Types

Identity Intelligence is able to collect assigned Microsoft license types through the Azure Graph API. This information is displayed in the Azure tile of the Overview tab for a user account.

To query for a specific license type, the search string would look like:

adActiveLicenses.keyword:("Azure Active Directory Premium P2")

Note: the License name value is a translation from the license UID provided through the Graph API.

Example 7 - MFA Factors

A common query is to search for the users who have a particular type of MFA factor enrolled, such as push notification, hardware security keys, etc.

Use the userFactors.factorType.keyword attribute to search for different enrolled factor types, as shown:

userFactors.factorType.keyword:"push"

The available factor types and names will vary based on which IAM platforms are connected to Identity Intelligence. Some common factor names include:

webauthn
google_otp
push
okta_verify
okta_password
password
signed_nonce
okta_email
Security_key

A comprehensive list of factor types seen so far is below in the Factor List section.

Example 8 - Application Assignment and Usage

It is frequently useful to look for both which users have an application assigned and which users are actually using the application.

For example, to look for users who have application Salesforce SAML assigned, but not in use in their last 30 days of activity, the query would look like:

assignedAppNames.keyword:"Salesforce SAML" AND (NOT appNames.keyword:"Salesforce SAML")

Example 9 - Device Usage

To find users with sign-in activity from a particular user-agent string or device type, for instance iPhones, the search string might look like:

lastSignIn.rawUserAgent.keyword:"Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Mobile/15E148 Safari/604.1"

Example 10 - Find a user by Duo Security alias

To find a user account by an alias in Duo Security, use a regular expression match (the pattern between the slashes) in this format:

integrationInstanceDetails.userKey.keyword:/.*kheuck.*/
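The operators and the examples above can be exercised offline with the small evaluator below. It is an added illustration, not part of the Oort documentation or of Identity Intelligence itself: it parses the subset of KQL syntax used in the examples (AND, OR and NOT with parentheses, field:value terms with quoted, wildcard, /regex/ and {range} values, field:(a OR b) groups, free-text terms, and _exists_ / !_exists_) and evaluates the query over constructed user records whose field names follow the attributes above. The sample records, the pinned NOW date and the alias used in the regex lookup are assumptions; the product's own matching (analyzers, .keyword sub-fields, full date math) is richer than this toy, which is meant to show how the operators combine and what each value form means.

```python
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)  # pinned so {now-7d TO now-1d} evaluates deterministically
TOKEN_RE = re.compile(r'\s*(?:(?P<paren>[()])|(?P<field>!?[\w.]+):(?P<value>"[^"]*"|\{[^}]*\}|/[^/]*/|[^\s()]+)?'
                      r'|(?P<word>[^\s()]+))')

def tokenize(query):  # -> ('paren', '('), ('term', field, value-or-None before a "(" group) or ('word', text)
    return [('paren', m['paren']) if m['paren'] else ('term', m['field'], m['value']) if m['field']
            else ('word', m['word']) for m in TOKEN_RE.finditer(query)]

def parse(query):  # recursive descent: OR binds loosest, then AND, then NOT; parentheses group
    toks, pos = tokenize(query), 0
    def take(expect=None):  # consume one token; `expect` names a required parenthesis
        nonlocal pos
        bad = pos >= len(toks) or (toks[pos][1] != expect if expect else toks[pos] == ('paren', ')'))
        if bad:
            raise ValueError(f'expected {expect or "a term"} at token {pos}')
        pos += 1
        return toks[pos - 1]
    def parse_level(level, scope):  # level 0 chains OR, level 1 chains AND, level 2 is NOT / primary
        if level == 2:
            return parse_not(scope)
        op = ('OR', 'AND')[level]
        node = parse_level(level + 1, scope)
        while pos < len(toks) and toks[pos] == ('word', op):
            take()
            node = (op.lower(), node, parse_level(level + 1, scope))
        return node
    def parse_not(scope):  # scope = the field that bare words belong to inside field:(...); None = free text
        if pos < len(toks) and toks[pos] == ('word', 'NOT'):
            take()
            return ('not', parse_not(scope))
        tok = take()
        if tok[0] == 'term' and tok[2] is None:  # field:(a OR b): the words inside are values of that field
            take('(')
            tok, scope = ('paren', '('), tok[1]
        if tok == ('paren', '('):
            node = parse_level(0, scope)
            take(')')
            return node
        return tok if tok[0] == 'term' else ('term', scope, tok[1])  # a field term, or a bare word
    tree = parse_level(0, None)
    if pos < len(toks):
        raise ValueError(f'unexpected {toks[pos][1]!r}')
    return tree

def values(record, field):  # leaf values at a dotted path through nested dicts/lists; '.keyword' suffix ignored
    current = [record]
    for part in field.removesuffix('.keyword').split('.'):
        found = [obj[part] for obj in current if isinstance(obj, dict) and part in obj]
        current = [v for val in found for v in (val if isinstance(val, list) else [val])]
    return [v for v in current if v is not None]

def strings(obj):  # every string leaf of a record: the haystack for a free-text term
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for item in (obj.values() if isinstance(obj, dict) else obj):
            yield from strings(item)

def match_term(record, field, value):
    if field in ('_exists_', '!_exists_'):  # here `value` is the name of the field being tested
        return bool(values(record, value)) == (field == '_exists_')
    hay = list(strings(record)) if field is None else values(record, field)
    if value[0] == '{':  # {lo TO hi}: exclusive range of ISO-8601 timestamps; date math limited to now / now-Nd
        lo, hi = (NOW - timedelta(days=int(re.fullmatch(r'now(?:-(\d+)d)?', p)[1] or 0))
                  for p in value[1:-1].split(' TO '))
        return any(lo < datetime.fromisoformat(v) < hi for v in hay)
    if value[0] == '/':  # /regex/: the pattern must match the whole stored value, as in Lucene
        return any(re.fullmatch(value[1:-1], str(v)) for v in hay)
    if value[0] == '"':  # "quoted": exact, case-sensitive match
        return any(str(v) == value[1:-1] for v in hay)
    return any(fnmatchcase(str(v).lower(), value.lower()) for v in hay)  # bare: * and ? wildcards, case-insensitive

def evaluate(node, record):
    op, *args = node
    if op == 'not':
        return not evaluate(args[0], record)
    if op in ('and', 'or'):
        return (all if op == 'and' else any)(evaluate(child, record) for child in args)
    return match_term(record, *args)

def search(query, records):  # emails of the records the query matches, in input order
    tree = parse(query)
    return [r['email'] for r in records if evaluate(tree, r)]

USERS = [  # constructed sample records (not real data), nested the way the dotted attribute paths above imply
    {'email': 'alice@example.com', 'groupNames': ['sg-gsuite-admins'], 'mfaEnabled': False, 'employeeId': 'E100',
     'lastActive': '2024-08-29T10:00:00+00:00', 'ipAddressDetails': [{'ipTags': [{'name': 'VPN'}], 'location': {'country': 'US'}}],
     'userFactors': [{'factorType': 'password'}], 'assignedAppNames': ['Salesforce SAML'], 'appNames': [], 'checkResults': [],
     'integrationInstanceDetails': [{'userKey': 'asmith'}]},
    {'email': 'bob@example.com', 'groupNames': ['sg-gsuite-admins'], 'mfaEnabled': True, 'employeeId': 'E101',
     'lastActive': '2024-08-31T08:00:00+00:00', 'ipAddressDetails': [{'ipTags': [], 'location': {'country': 'CN'}}],
     'userFactors': [{'factorType': 'push'}], 'assignedAppNames': ['Salesforce SAML'], 'appNames': ['Salesforce SAML'], 'checkResults': []},
    {'email': 'sa.backup-company@example.com', 'groupNames': [], 'mfaEnabled': False, 'ipAddressDetails': [], 'userFactors': [],
     'lastActive': '2024-05-01T00:00:00+00:00', 'assignedAppNames': [], 'appNames': [], 'checkResults': [{'checkId': 'inactive-users'}]},
]
```

search(query, USERS) returns the matching emails: Example 1 from above returns only alice (admin group, no MFA, active in the last week, VPN-tagged IP), Example 3 returns only the service account, and Example 8 returns alice, who has Salesforce SAML assigned but no usage. A malformed query such as an unbalanced parenthesis raises ValueError instead of silently matching nothing, which is the behaviour to want when a saved query is edited by hand. Note that AND binds tighter than OR, so a OR b AND c is a OR (b AND c); use parentheses, as in Example 8, whenever the grouping matters.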

Factor List

Across the different IDPs, factors may have a variety of different names, which may change or grow over time. The list below provides examples of factor names that Identity Intelligence has seen so far.

okta_verify
okta_email
Passkey
Platform_authenticator_(passwordless)
webauthn
web
microsoftAuthenticatorPasswordless
Security_Key
Other
token:hotp
duo_mobile_passcode
windowsHelloForBusiness
yk
d1
Security_key
password
microsoftAuthenticator
duo
softwareOath
token:software:totp
webauthn-roaming
yubikey_token
okta_password
totp
sms
Touch_ID
token
phone
fido2
signed_nonce
phone_number
bypass_code
push
duo_push
google_otp
question
claims_provider
WebAuthn_Chrome_Touch_ID
u2ftoken
QR code
sms_passcode
email
phone_call
security_question
webauthn-platform
call
token:hardware
otp
custom_otp
509 Certificate

The Advanced search follows the standard operators of KQL (Kibana Query Language; see the Kibana reference article), as listed in the Operators section above.

Note: Sensitive applications can be seen in the Dashboard tab, and all applications that are integrated via an IDP or directly can be seen in a user's Applications tab. Sensitive applications can be configured through Tenant Settings.