Overview
Our Identity Threat Detection report and control helps increase visibility into events and abnormal actions taken through your identity provider(s) (Google, Azure/Entra, or Okta).
Zip pulls information directly from your IDP’s logs so that identity threat detection is integrated into your security workflows.
Set up
Zip currently supports Google for Identity Threat Detection. We are actively building support for Azure/Entra and Okta, so stay tuned for broader cross-platform support.
- Visit the Reports page (https://zipsecinc.cc/reports?tab=controls) and click on the Identity Threat Detection tab.
- If you have not yet set up a Google integration for Zip with audit read-only permissions, you will see the following warning:

- Visit the linked docs (or ) and follow step 3, Granting permissions to the Zip Service Account, to add the admin.reports.audit.readonly permission to your Zip service account. If you haven’t done steps 1-4 already, follow the entire guide to connect Zip to your Google Workspace.
- Reload the report page, and you should see the table populate with Google events. If you’re still not seeing anything, change the “Severity Levels” filter to include “Info” level events and/or increase the “Time Period” filter to 1 month. This will show the maximum amount of data.
What does this report show?

The Identity Threat Detection report shows events from your identity provider, including actions such as login times and password resets. The top section summarizes the data and highlights the presence of any warning or critical events. Below it, the table shows a detailed log of all events, which can be filtered using the dropdowns at the top of the page.
Expanding an event row shows additional metadata. The purpose of this report is to integrate IDP data into Zip and surface information that is otherwise hidden deep in your IDP Admin console, but you can always visit the Google Admin console to look for more details.
Identity Threat Detection Control
The control is listed under Identity Management. This control builds on the report by highlighting the suspicious events and providing an entry point to take action and respond to them.

The Tasks tab lists the warning and critical events with an option to “Triage”. Triaging allows you to mark the alert with a status and/or a note to provide context on the alert. Once an alert is marked as closed, it is removed from the list of open alerts.


What alerts mean and how to respond
Info
These events include very normal, expected behavior such as logins, login verifications, or enrolling in 2FA. These are filtered out by default since they can be quite noisy, but you can always view them by adjusting the report page filters or going directly to an account page.
How to respond: No action is needed, unless further context is required.
Warning
These events are unusual and could be indicators of suspicious activity, warranting further investigation. Examples include changes to account recovery methods, granting apps access to Google data, or sensitive actions blocked by Google, since these actions could potentially be performed by a malicious actor.
How to respond: We recommend verifying with the account user that the action was taken by them. In addition, the IP Address field can be used to further confirm whether the action was taken in the expected location such as a home or office address (using this handy tool What Is My IP).
Critical
These events are highly correlated with suspicious activity and should be investigated ASAP. Examples include disabling 2FA, leaked credentials, suspicious programmatic logins, or anything that the IDP has deemed “suspicious”.
How to respond: We recommend verifying with the account user that the action was taken by them, and suspending or resetting the account until it has been verified by the user over a safe communication channel. In addition, the IP Address field can be used to further confirm whether the action was taken in the expected location such as a home or office address (using this handy tool What Is My IP).
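As an added example (not Zip’s own code), the classifier below applies the three buckets described above to records in the shape returned by the Google Admin SDK Reports API (activities.list for the login and token audit logs). The event names are Google’s published audit event names; which bucket each lands in, and the sample records, are this example’s assumptions.

```python
# Assumed mapping of Google login/token audit event names to the page's three
# buckets; the names are Google's, the bucket each lands in is this example's choice.
CRITICAL = {"2sv_disable", "account_disabled_password_leak", "suspicious_login",
            "suspicious_programmatic_login", "gov_attack_warning"}
WARNING = {"recovery_email_edit", "recovery_phone_edit", "password_edit",
           "risky_sensitive_action_blocked",
           "authorize"}  # token log: an app was granted access to Google data
INFO = {"login_success", "login_failure", "login_verification", "logout", "2sv_enroll"}
ORDER = {"info": 0, "warning": 1, "critical": 2}


def severity(event_name: str) -> str:
    """Map one event name to a bucket; names not in any set surface as warning."""
    if event_name in CRITICAL:
        return "critical"
    if event_name in WARNING:
        return "warning"
    if event_name in INFO:
        return "info"
    return "warning"  # unknown event: show it rather than silently drop it


def triage(activities: list[dict], min_severity: str = "warning") -> list[dict]:
    """Flatten activities.list items into alert rows at or above min_severity,
    most severe first (Info is hidden by default, as in the report)."""
    rows = []
    for act in activities:
        when = act.get("id", {}).get("time", "")
        actor = act.get("actor", {}).get("email", "")
        ip = act.get("ipAddress", "")  # what the report's "IP Address" field shows
        for ev in act.get("events", []):
            sev = severity(ev.get("name", ""))
            if ORDER[sev] >= ORDER[min_severity]:
                rows.append({"time": when, "actor": actor, "ip": ip,
                             "event": ev.get("name", ""), "severity": sev})
    rows.sort(key=lambda r: (-ORDER[r["severity"]], r["time"]))
    return rows


# Constructed sample records in the activities.list response shape (not real data).
SAMPLE = [
    {"id": {"time": "2024-05-01T08:00:00.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.5",
     "events": [{"name": "login_success"}]},
    {"id": {"time": "2024-05-01T08:05:00.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"name": "recovery_email_edit"}]},
    {"id": {"time": "2024-05-01T08:06:00.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"name": "2sv_disable"}]},
]
```

Running triage(SAMPLE) yields the 2sv_disable row first as critical and the recovery_email_edit row as warning; the login_success row only appears when min_severity is lowered to "info", mirroring the report’s default filter.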
Coming Soon
To continue building out our Identity Threat Detection capabilities, we are working on the following features:
- Supporting other IDPs (Microsoft and Okta)
- Directly suspending or resetting accounts from the Zip console (currently, you can do this directly in your IDP Admin console)
- Email templates to notify account users directly from the Zip console
If you have more ideas, questions, or feedback on identity-related security actions, please contact info@zipsecinc.cc. We’d love to hear from you!
