This week we have been hard at work making investigations faster and more accurate in Oort, and improving usability over the whole portal:
“Suspicious Activity Reported by End User” check now comes with details
In Okta, Suspicious Activity Reporting gives every user in your company the option to report activity they do not recognize, starting from the email notification Okta sends about it. When a user confirms that activity Okta detected is indeed suspicious, Oort captures that signal and uses it to trigger the “Suspicious Activity Reported by End User” check. Every instance of user-confirmed suspicious activity should be investigated.
Oort now makes it easier to investigate the source of confirmed suspicious activity. For any user who has reported suspicious activity, open their User 360 profile and click into the “Suspicious Activity Reported by End User” check. A side panel opens with the details of the reported event, including device and geolocation information. Use that additional information to inform your investigation, decide whether the activity is indeed fraudulent, and choose the next step: remediation or dismissal.
To get there, navigate to any user failing this check, click the ‘Checks’ tab, then click the check’s line in the table. The sidebar opens with the details of the reported event.
“Service Account Successful Sign In” check now comes with details
Service accounts should never be used by a person to log in interactively. Oort therefore detects when such an account is signed into by a user, since that reflects either bad (and risky) practice or an ongoing attack.
When investigating this check, you can now see the details of the event, including device and geolocation information, and the list of other users who used the same IP address in the past week.
Use this information to identify the person who logged in with the service account if it was someone known, or to remediate an active threat: force a logout, rotate the password, or, better still, configure the account so that it does not allow interactive logins at all.
To see this information, simply navigate to any user failing this check, click the ‘Checks’ tab, then click the check in the table. The sidebar will open up with the details.
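To make the two checks above concrete, here is an added example (not Oort’s or Okta’s code) that replays constructed Okta-style System Log events and reproduces both: it pulls out end-user suspicious-activity reports with their device and geolocation details, and flags successful sign-ins to service accounts together with the other users seen from the same IP address in the preceding seven days. The field names (eventType, actor.alternateId, client.ipAddress, client.userAgent, client.geographicalContext, outcome.result, published) follow the Okta System Log schema as we understand it, the event type name for end-user reports is an assumption, the set of service accounts is supplied by the caller, and every event in SAMPLE_LOG is constructed for the demonstration.

```python
"""Replay constructed Okta-style System Log events through two simple checks.

Added example, not Oort's or Okta's code. Assumptions (see lead-in):
field names follow the Okta System Log schema as we understand it, the
end-user report event type name is assumed, SERVICE_ACCOUNTS is caller-supplied,
and SAMPLE_LOG is entirely constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Assumed event type for "user reported suspicious activity" signals.
SUSPICIOUS_REPORT_EVENT = "user.account.report_suspicious_activity_by_enduser"
LOGIN_EVENT = "user.session.start"
LOOKBACK = timedelta(days=7)  # "other users from the same IP in the past week"

# Hypothetical list of accounts that must never be used for interactive sign-in.
SERVICE_ACCOUNTS = frozenset({"svc-backup@example.com", "svc-deploy@example.com"})

# Constructed NDJSON sample: one Okta-style event per line.
SAMPLE_LOG = """\
{"published":"2023-03-01T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"os":"Mac OS X","browser":"CHROME"},"geographicalContext":{"city":"Boston","country":"United States"}}}
{"published":"2023-03-02T10:15:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"os":"Windows","browser":"FIREFOX"},"geographicalContext":{"city":"Boston","country":"United States"}}}
{"published":"2023-02-01T08:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"os":"Linux","browser":"CHROME"},"geographicalContext":{"city":"Boston","country":"United States"}}}
{"published":"2023-03-03T11:30:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"svc-backup@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"os":"Windows","browser":"FIREFOX"},"geographicalContext":{"city":"Boston","country":"United States"}}}
{"published":"2023-03-03T12:00:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"svc-deploy@example.com"},"client":{"ipAddress":"198.51.100.7","userAgent":{"os":"Linux","browser":"UNKNOWN"},"geographicalContext":{"city":"Berlin","country":"Germany"}}}
{"published":"2023-03-04T07:45:00.000Z","eventType":"user.account.report_suspicious_activity_by_enduser","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dave@example.com"},"client":{"ipAddress":"198.51.100.7","userAgent":{"os":"Android","browser":"CHROME"},"geographicalContext":{"city":"Berlin","country":"Germany"}}}
"""


def parse_events(ndjson: str) -> list[dict]:
    """Parse NDJSON into dicts, adding a parsed UTC timestamp under "_ts"."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Okta publishes ISO-8601 with a trailing "Z"; normalise for fromisoformat.
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def event_details(ev: dict) -> dict:
    """The investigation details the side panel shows: who, when, where, what device."""
    client = ev.get("client", {})
    ua = client.get("userAgent", {})
    geo = client.get("geographicalContext", {})
    return {
        "user": ev["actor"]["alternateId"],
        "when": ev["published"],
        "ip": client.get("ipAddress"),
        "device": f"{ua.get('os', '?')}/{ua.get('browser', '?')}",
        "location": f"{geo.get('city', '?')}, {geo.get('country', '?')}",
    }


def _successful_login(ev: dict) -> bool:
    return ev["eventType"] == LOGIN_EVENT and ev["outcome"]["result"] == "SUCCESS"


def other_users_from_ip(events: list[dict], ip: str, at: datetime,
                        exclude_user: str, lookback: timedelta = LOOKBACK) -> list[str]:
    """Other accounts that signed in successfully from `ip` in the `lookback` window ending at `at`."""
    users = set()
    for ev in events:
        if not _successful_login(ev) or ev["client"].get("ipAddress") != ip:
            continue
        if not (at - lookback <= ev["_ts"] <= at):
            continue  # outside the window (e.g. carol's month-old login below)
        user = ev["actor"]["alternateId"]
        if user != exclude_user:
            users.add(user)
    return sorted(users)


def suspicious_activity_reports(events: list[dict]) -> list[dict]:
    """Check 1: every end-user report is a finding, with its device/geo details."""
    return [event_details(ev) for ev in events if ev["eventType"] == SUSPICIOUS_REPORT_EVENT]


def service_account_sign_ins(events: list[dict], service_accounts: frozenset) -> list[dict]:
    """Check 2: successful sign-ins to service accounts, enriched with same-IP users."""
    findings = []
    for ev in events:
        if not _successful_login(ev):
            continue  # failed attempts are noise for this check
        user = ev["actor"]["alternateId"]
        if user not in service_accounts:
            continue
        finding = event_details(ev)
        finding["other_users_same_ip_7d"] = other_users_from_ip(events, finding["ip"], ev["_ts"], user)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(json.dumps({"suspicious_reports": suspicious_activity_reports(evs),
                      "service_account_logins": service_account_sign_ins(evs, SERVICE_ACCOUNTS)}, indent=2))
```

Run against the constructed log, the first check surfaces dave’s report from an Android device in Berlin, and the second flags the svc-backup sign-in and names alice and bob as the people who used 203.0.113.10 in the previous week, while carol’s month-old login from the same address and svc-deploy’s failed attempt are left out. In practice you would feed it the System Log export for the relevant window rather than a constructed sample.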
Check Compliance Trend Chart
Our new compliance trend widget allows you to see the results of a given check over time. It can be embedded, for example, in a report in order to show progress, or identify large changes due to an external system change. Maybe you were at 99% MFA compliance yesterday and today you’re at 80%. Or maybe you’ve done the work to stamp out dormant accounts and you want to present this to your management to show progress. Having a visualization of these changes over time makes it easy to see in an instant how you’re doing with respect to any of the dozens of checks that Oort provides.
Admins can now sort MFA factors by status, number of changes, usage count, device, phone number, or last-updated date from the User 360 Overview tab. By default, factors are sorted by usage count in descending order, so the most-used MFA factor comes first.
For each check, you could already view the underlying logs and provide feedback from the checks list on a User 360 page; now you can also do both directly from the users list on a check page. As a reminder, logs show you the underlying events behind a failed check, and feedback is used to train and refine our models (see the next section).
Increased accuracy of our models
Our models age like good wine: we keep refining them so that you see fewer false positives and false negatives over time.
This week, we have made “New IP” tagging and checks based on Workday data more accurate.
As always we love to hear your feedback and suggestions on our features and roadmap. Do not hesitate to get in touch!