For obvious reasons, protecting against threat actors gaining admin access is often a top priority for our customers. In this week’s update, Oort Engineering has added a host of enhancements to provide even more capabilities to detect and respond to suspicious admin activity.
Beyond this use case, we’re also releasing greater context and improved navigation and filtering capabilities. Read below to find out more.
🔔 Admin Activity Anomaly in Okta and Azure AD
Oort already detected suspicious administrative behavior via “User Activity Anomaly” checks, but we’ve introduced some key updates that make it even easier to respond to these threats and ensure you only receive alerts you care about.
Okta and Azure Activity Anomaly Checks Separated.
For extra clarity, we’re renaming these notifications to “Okta Admin Activity Anomaly” and “Azure AD Admin Activity Anomaly”, making it easy to triage.
Ignore List Added.
When it comes to admin activities, there are plenty of different admin event types to choose from. This could be an admin performing unusual MFA operations, enrolling devices, or granting new permissions.
Depending on your own priorities, you can now add specific event types to an Ignore List, so that you only receive alerts for the suspicious activities you care most about.
Furthermore, because Okta and Azure AD checks are separated, you can choose from a different list of event types for each. To learn more about these categories of events, check out: https://docs.oort.io/docs/useractivityanomaly
⏳ Power Up Investigations with Microsoft Risky User Information
Microsoft Azure AD attaches risk information to risky sign-ins and users, and we now surface it in our activity view. Security analysts can access this information directly within the user profile and understand exactly what is happening. Oort combines it with data from other platforms, giving analysts a more comprehensive picture of the true risk posed by the user. Without this combined view, Azure risk information can be overwhelming and hard to analyze.
📳 MFA Flood
MFA flooding is not the most sophisticated technique, but it works: attackers who have acquired legitimate credentials attempt to bypass MFA by overwhelming the victim with MFA push notifications in the hope the target will accept one.
Oort detects these attacks by counting how many failed MFA attempts have occurred for a user over a short period of time, and alerts you when that count is abnormally high.
In this update, these alert types now include more context for users to understand what the risk is, and what the details of this specific event were, such as the result and factor type.
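The detection described above, as an added example rather than Oort's own code: a sliding-window count of failed push challenges per user over constructed Okta-style System Log lines, emitting an alert that carries the result and factor type mentioned in this update. The window length and threshold are assumptions, and so is the exact JSON field layout (it follows Okta's System Log schema as commonly documented, but no real log data is used).

```python
"""MFA flood (push fatigue) detector over Okta-style System Log lines.

Added example, not Oort's detection code. Rule assumed: alert the first
time a user accumulates THRESHOLD non-successful push verifications
within WINDOW. Field names follow Okta's System Log shape as an
assumption; the log lines are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed
THRESHOLD = 5                   # assumed: 5 failed pushes inside the window
PUSH_EVENTS = {"user.authentication.auth_via_mfa", "user.mfa.okta_verify.deny_push"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mfa_flood(log_lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user when their failed push count reaches threshold.

    Only push-factor events with a non-SUCCESS result are counted. A later
    success does not clear the count: the flood preceding an accepted push
    is precisely the case an analyst needs to see.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventType") not in PUSH_EVENTS:
            continue
        factor = ev.get("debugContext", {}).get("debugData", {}).get("factor")
        result = ev.get("outcome", {}).get("result")
        if factor != "OKTA_VERIFY_PUSH" or result == "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        now = _ts(ev["published"])
        q = recent[user]
        q.append(now)
        while q and now - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "failed_pushes": len(q),
                "window_start": q[0].isoformat(),
                "window_end": now.isoformat(),
                "result": result,
                "factor": factor,
                "client_ip": ev.get("client", {}).get("ipAddress"),
            })
    return alerts


def _line(published, user, result, ip="203.0.113.10"):
    """Build one constructed Okta-style log line (sample data, not real)."""
    return json.dumps({
        "eventType": "user.authentication.auth_via_mfa",
        "published": published,
        "actor": {"alternateId": user},
        "outcome": {"result": result},
        "client": {"ipAddress": ip},
        "debugContext": {"debugData": {"factor": "OKTA_VERIFY_PUSH"}},
    })


SAMPLE_LOG = [
    _line("2023-03-01T10:00:00.000Z", "victim@example.com", "FAILURE"),
    _line("2023-03-01T10:00:10.000Z", "other@example.com", "FAILURE", "198.51.100.7"),
    _line("2023-03-01T10:00:30.000Z", "victim@example.com", "FAILURE"),
    _line("2023-03-01T10:01:00.000Z", "victim@example.com", "FAILURE"),
    _line("2023-03-01T10:01:30.000Z", "victim@example.com", "FAILURE"),
    _line("2023-03-01T10:02:00.000Z", "victim@example.com", "FAILURE"),
    _line("2023-03-01T10:02:30.000Z", "victim@example.com", "FAILURE"),
    _line("2023-03-01T10:03:00.000Z", "victim@example.com", "SUCCESS"),
    _line("2023-03-01T10:09:00.000Z", "other@example.com", "FAILURE", "198.51.100.7"),
]

if __name__ == "__main__":
    for alert in detect_mfa_flood(SAMPLE_LOG):
        print(alert)
```

On the sample log the victim crosses the threshold at 10:02:00 with five failures in two minutes and the final SUCCESS at 10:03:00 is the tap the attacker was fishing for; the other user's two failures are nine minutes apart and never alert. In practice the threshold and window need tuning per tenant, since a user fumbling a new phone can look similar over a short enough window.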
✍️ Added Context for Admin Impersonation Notifications
Gaining insight into what actions were taken during an impersonation session is critical: it enables security teams to quickly identify how and where they may be impacted. This change will make it even quicker for users to respond to Oort’s alerts.
Sending notifications into Slack is one of the most popular triage workflows used by our customers today. While users may easily pivot into the portal to access more information, we want to provide as much useful context within the notification itself.
In the image below, you can see the audit trail we’re now exposing, such as Event Type and Target, directly within the Slack notification.
⬆️ Sort Users by Number of IP Addresses
The occasional login from your employee’s neighborhood coffee shop might be expected in the world of remote work, but too many IP addresses should raise flags.
Within the user table, Oort users can now sort the user list by the number of unique IP addresses, which helps to quickly identify suspicious activity associated with a given account. Further information about the IP addresses is displayed within the user profile itself, including a useful map view.
Bug Fixes and Minor Improvements
- Configurable landing pages. Oort admins may now set the default landing page, making it easier to get to the pages you care about most. Simply go to Settings - Landing Page to set your preference.
- IP Context Menu Additions. The new IP context menu (introduced two weeks ago), now appears in the checks list under each user.