---
source: newsletter
source_url: https://fandf.co/3QIKkEA
tags: [article]
ingested: 2026-05-15
sha256: 525e33cba862
review_value: 7
review_confidence: 8
review_recommendation: strong
---

# Identity Behavior & Context: ITDR Solution | Teleport

## See exactly what every identity did, and why.

Real-time behavior monitoring across humans, machines, and AI — with full session context, risk signals, and timeline clarity — to act in minutes, not hours.

WHAT YOU CAN'T SEE, YOU CAN'T STOP

* FRAGMENTED AUDIT LOGS
* NO CROSS-SYSTEM CONTEXT
* MANUAL LOG CORRELATION
* AI SESSIONS INVISIBLE

## Investigation used to take hours.
**Now it takes minutes.**

Security teams today stitch together logs from Okta, AWS, GitHub, and infrastructure by hand. Teleport unifies the full identity chain into one timeline — with context already attached.

| **Teleport Identity Behavior & Context** Unified, real-time, AI-assisted | **Traditional Log Analysis** Today's reality for most teams |
| --- | --- |
| One unified identity chain from IdP through cloud, code, and infrastructure access | Identity logs live in Okta, AWS CloudTrail, GitHub, and Kubernetes — each needing a separate query |
| AI-generated session summaries surface what happened, what was unusual, and what to check | Reconstructing a session means parsing raw logs — hours of manual work per incident |
| Every agent action — prompts, queries, tool calls, data touched — logged with full identity context | AI agent and MCP tool sessions produce no structured audit record at all |
| 50+ identity vulnerability types monitored continuously — alerts fire in real time | Anomaly detection requires custom SIEM rules that lag weeks behind new threat patterns |
| One-click identity lock terminates all active sessions across every Teleport-managed resource | Locking a compromised user means manual revocation across every connected system |

OUTCOMES

## Realtime visibility and intelligence

Gain Visibility

* 100% of identity activity — human, machine, and AI — in one timeline
* 0 sessions invisible to your security team

Accelerate Response

* Minutes to investigate a security incident vs. hours of log correlation
* 50+ identity vulnerability types with realtime continuous detection

Reduce Risk

* 1-click to lock an identity and terminate all active sessions everywhere
* 0 manual revocation steps across connected systems

AI Session Summaries with Timeline & Risk

## Read summaries, not logs.

Teleport generates a plain-language summary of every session — SSH, Kubernetes, database, cloud console, and agentic AI — highlighting access events, commands, and anomalies, with full identity timeline context.

* **Surface key actions** and commands without manual log review
* **Flag risk signals —** volume anomalies, privilege escalations, off-hours access
* **Lock identities** (human or machine) to prevent new connections
* **Inspect identity timeline** across auth, cloud, and infra
* **Accelerate forensics** with AI-generated incident narrative

Identity Context for Detection & Response

## Context your SIEM doesn't give you.

Response time to detected threats depends on context — what does an identity typically access, what's anomalous? Teleport surfaces that context instantly, alongside the controls to act: lock the identity, terminate the session, kill the agent.

* **Continuous monitoring** of 50+ identity vulnerability types
* **Real-time detection** of privilege escalation, lateral movement, and anomalous access
* **1-click identity lock** across SSH, K8s, DB, & cloud sessions
* **Structured audit export** to SIEM and SOAR workflows

CLI for Agents — Advanced Insights

## Query behavior like a database.

Access Graph allows security and platform engineers to explore complex questions about who can access what, trace lateral movement paths, and investigate privilege chains — without writing custom SIEM logic.

* **SQL Editor** for querying identity-to-resource relationships in real time: roles, groups, permissions, and access paths
* **CLI-native workflow** for engineers who don't want a dashboard
* **Graph Explorer** for visual traversal of identity-to-resource relationships
* **Crown Jewels designation** for monitoring of the most critical assets

## Key Capabilities

##### AI Session Summaries

Plain-language summaries of every session — human, machine, or AI agent — with risk signals and identity timeline context.

##### Access Graph & SQL Editor

Visual and query-based exploration of real-time identity-to-resource relationships across your entire infrastructure.

##### Identity Chain Observability

Unified view tracing every identity across Okta, GitHub, AWS, and infrastructure access — correlated in one timeline.

##### 50+ Anomaly Detections

Continuous monitoring for privilege escalation, lateral movement, standing privileges, unmanaged keys, and more.

##### 1-Click Identity Lock

Immediately terminate all sessions and block new connections for any identity — human, machine, or AI agent.

##### Crown Jewels Monitoring

Designate your most critical resources for priority alerting and access path monitoring. Know the moment anything changes.

Within fifteen minutes of deployment, we flagged two engineers whose accounts retained super-admin maintainer rights across 1,800 repos — far beyond their intended read-only access.

Teleport customer as reported by Ben Arent, Director of Product, Teleport

DIVE DEEPER

### Frequently Asked Questions

**What identity vulnerability types can Teleport alert on?**

Teleport provides [50+ pre-built identity security detections](https://goteleport.com/docs/identity-security/usage/alerts/) that automatically create alerts for suspicious identity-related activities across your infrastructure, including AWS, GitHub, and Okta:

* **AWS**: Root account activity, CloudTrail/GuardDuty/flow log deletions, EBS encryption changes, public DB snapshots, IAM user creation, credential policy modifications
* **GitHub**: SAML/MFA/OAuth policy changes, branch protection overrides, repository visibility changes, secret scanning alerts, 26 advanced security feature change sub-types
* **Okta**: Admin MFA disabled, OAuth token reuse, rate limit violations, API token lifecycle, dormant account access, excessive MFA failures, support-initiated resets
* **Teleport**: Root SSH sessions, authentication without MFA, unusual failure patterns, role mutations, connector updates, unusual session commands
* **Cross-platform**: impossible travel detection across GitHub, Okta, and Teleport

**How does Teleport correlate identity activity across systems?**

Teleport [ingests and standardizes audit logs](https://goteleport.com/docs/identity-security/usage/investigate/) from AWS, GitHub, Okta, and Teleport into a single queryable store. It combines activities from the same identity across platforms, correlates events, and runs an alerting engine that detects irregularities and provides contextual insights during incident response.

**How does Teleport generate automated session recording summaries?**

After a recorded SSH, Kubernetes, or database session ends, Teleport matches it against configurable policies and sends qualifying recordings to an external inference provider (OpenAI or Amazon Bedrock) for [automatic summarization](https://goteleport.com/docs/identity-security/session-summaries/). Policies control which sessions are summarized based on session kind, participants, resource labels, and user traits. AI features are never enabled without explicit consent.

**What happens when a compromised identity is locked?**

When an identity is locked in Teleport, all existing sessions matching the lock target are immediately terminated and new sessions are rejected while the lock is in force. Supported targets include specific users, roles, servers, desktops, and MFA devices. Locks can be scoped and time-limited for safe rollback.

**What does Teleport detect and alert on?**

Teleport provides [pre-built security alerts](https://goteleport.com/docs/identity-security/usage/alerts/) for suspicious identity-related activities. These detections monitor events from Teleport and integrated services like AWS, GitHub, and Okta to identify potential security risks, including unusual authentication patterns, privilege escalations, configuration changes, account compromises, or policy violations.

**What is the Graph Explorer in Teleport?**

[The Graph Explorer](https://goteleport.com/docs/identity-security/usage/graph-explorer/) is a visual interface in Teleport Identity Security that maps identity-to-resource access paths across your infrastructure, showing allow paths, deny paths, temporary access from Access Requests, and standing privileges in a single unified view that spans Teleport roles, cloud providers, and other integrated systems. You can search for any identity, role, or resource, then drill down by right-clicking a node to filter the graph to only the specific access paths you're investigating.

**What is the SQL Editor in Teleport?**

[The SQL Editor](https://goteleport.com/docs/identity-security/usage/sql-editor/) is a Teleport feature that provides a SQL-like query interface to explore live identity-to-resource relationships. Users can query to analyze connections between identities, user groups, and actions without building custom SIEM logic.

**What are Crown Jewels in Teleport?**

[Crown Jewels](https://goteleport.com/docs/identity-security/usage/crown-jewels/) is a Teleport feature that tracks access changes to designated critical resources or users. When a resource is marked as a Crown Jewel, Teleport emits audit events any time its access path changes, displayed in a diff format showing added and removed nodes.

**How does Teleport audit AI agents and MCP sessions?**

Agents receive the same session recording, RBAC, and locking controls applied to human and machine identities. Teleport secures infrastructure including SSH servers, Kubernetes clusters, databases, or MCP servers when accessed by agents, ensuring all queries, commands, and requests executed by the agent are logged and auditable.

**Can Teleport export identity data to existing SIEM or SOAR tools?**

Yes, you can export Teleport audit events via HTTP to Splunk, Datadog, Elastic, and Panther. Teleport supports long-term S3 storage with Amazon Athena queries and ingests CloudTrail, EKS audit logs, and data from Okta and GitHub alongside Teleport's own events.