It’s a bumper update this week, so read on to learn more about integrating your own mail provider, monitoring Entra ID bypass codes, and much more.
💌Bring your own mail provider!
One popular way to make identity insights actionable is to create workflows that improve employee awareness. This includes emailing employees that are not adhering to policies. For example, they may be using a personal VPN against company policy. In order to inform the relevant employees (and, optionally, their managers) it’s helpful to send them an email.
So far, this email will come from the Oort domain. For a more seamless process, we’re introducing the ability to bring your own mail provider. In the integrations tab, there is a new section for “Email”, which includes options to set up integrations for your own SendGrid or Mailgun service.
Configuring your own mail provider will enable you to define specific check failures that are delivered to failing users from your own email domain.
🔢 Track Usage of Bypass Codes in Microsoft Entra ID
The working world is starting to adopt strong, phishing-resistant forms of MFA. This makes it considerably harder for attackers. However, there are always exceptions; always times where employees lose tokens, forget passwords, and need to get access. In rare cases, companies may provide bypass codes for employees to login in. This is OK as an exception, but you want to ensure you are closely monitoring the use of these codes. If an attacker gets hold of these codes, they can gain access and register their own MFA.
In this release, we have extended the coverage for the “A Bypass Code Was Used to Successfully Sign In” check from Cisco Duo to Microsoft Entra ID. This, unsurprisingly, will notify you any time a user successfully logins in with a bypass code.
✅ Easily track check actions taken
Last week, we added the ability to view check actions within System Logs. In this release, we’ve extended that visibility with a new dashboard widget that shows you the feedback that checks have received in the past 30 days. This includes those marked as interesting, marked as normal behavior, and excluded or included in checks. This widget will enable you to focus on the most interesting checks, and tune your check settings if appropriate.
⛔ View user status for each provider
When investigating a user, it’s important to understand their status across the various identity providers that account exists in. For example, that user may be active in Salesforce, but suspended in Entra ID. Identifying these discrepancies is vital context for assessing the impact of a failing check.
Bug Fixes and Minor Improvements
- Salesforce login results. Oort now parses Salesforce login results in more detail, and displays those values in activity logs and the User 360 profile.
- Disabled integrations. Oort will now notify when an integration is disabled for more than 7 days. Stale data can harm the reliability and data integrity of checks and reports, so it is important to either re-enable the connection, or delete it.
- Registered location. We have simplified the logic of the Registered Location tag. When you select this tag in the Networks tab, you will now just see one chip in the search bar.