Okta Workflows has just released a number of templates focused on Security Operations Centre (SOC) processes. These Workflow templates are designed to help solve specific identity-based automation challenges for the Security Operations team using a bundled collection of pre-built and fully customizable flows. The categories include:
- Security Awareness
- Identity Automation + Response
- Incident Investigation + Response
- Threat Intelligence
- User Behavior Analytics
Some of the main benefits are:
- Okta Workflows Security templates vastly enhance your ability to accelerate, or even fully automate, security policy enforcement at the identity layer.
- Detect and respond to suspicious user or entity activity by identifying changes in user behavior that create a risk to the organization.
- Continuously monitor and improve your organization’s security posture with these automations as you focus your attention on preventing, detecting, analyzing, and responding to other critical security incidents.
To find all the workflow templates focused on security operations, go to the Templates tab in the Workflows console and enter security in the search criteria.
Suspicious Activity Reported
One of the new workflow templates focused on security operations is Suspicious Activity Reported.
The Suspicious Activity Reported template includes the following functionality:
The Suspicious Activity Reported event initiates the flow. The user's sessions are then cleared and their password is reset. You can also optionally revoke all issued OAuth tokens. The benefit here is that this happens immediately and is not dependent on manual intervention by the security team.
The Unique ID of the event is extracted from the incoming event payload and is then used to construct a URL that points to the actual event in the tenant's system log. This URL is included in a message sent to a Slack channel.
The Event Details are extracted from the incoming event payload and included in the record written to an internal Workflows table. This provides an audit trail of the event. Note that this could be further enhanced by processing the data in a separate flow; such a flow could produce security reports from the data and/or integrate with third-party systems.
Finally, the flow composes a message and sends it to a Slack channel.
Note: The Slack connector can easily be replaced with an MS Teams connector. See info on the MS Teams connector here: Microsoft Teams connector | Okta
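The following Python script is an added example, not part of the template or Okta's own code: it mirrors the flow's logic on a constructed System Log event payload, guarding on the event type before any remediation is planned, building the admin-console link from the event's uuid, writing the audit row and composing the plain-text Slack message. The event type name, the admin System Log URL layout and the Users API paths listed in remediation_calls are assumptions (the calls are planned, not executed).

```python
import json
from urllib.parse import quote

# Constructed sample of an Okta System Log event as an event hook would deliver it
# (field names follow the System Log schema; all values are made up).
SAMPLE_EVENT = {
    "uuid": "11111111-2222-3333-4444-555555555555",
    "eventType": "user.account.report_suspicious_activity_by_enduser",
    "displayMessage": "User reported suspicious activity",
    "published": "2024-01-15T10:21:43.000Z",
    "actor": {"id": "00u1abcd", "alternateId": "jdoe@example.com"},
    "client": {"ipAddress": "203.0.113.10"},
}
TRIGGER_EVENT_TYPE = "user.account.report_suspicious_activity_by_enduser"  # assumed name


def system_log_url(admin_base_url, event_uuid):
    """Admin-console System Log link for one event (assumed URL layout)."""
    flt = quote(f'uuid eq "{event_uuid}"')
    return f"{admin_base_url}/report/system_log_2?filter={flt}"


def remediation_calls(user_id, revoke_oauth=False, send_email=True):
    """Okta Users API calls matching the template's cards (planned, not executed)."""
    tokens = "true" if revoke_oauth else "false"
    mail = "true" if send_email else "false"
    return [
        ("DELETE", f"/api/v1/users/{user_id}/sessions?oauthTokens={tokens}"),
        ("POST", f"/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail={mail}"),
    ]


def handle_event(event, admin_base_url, audit_table, revoke_oauth=False):
    """Validate the trigger, append the audit row and build the Slack message."""
    if event.get("eventType") != TRIGGER_EVENT_TYPE:
        return None  # only the suspicious-activity report may trigger remediation
    actor, uuid = event["actor"], event["uuid"]
    record = {
        "event_id": uuid,
        "published": event["published"],
        "user_id": actor["id"],
        "login": actor["alternateId"],
        "client_ip": event.get("client", {}).get("ipAddress"),
        "details": event.get("displayMessage"),
        "calls": remediation_calls(actor["id"], revoke_oauth),
    }
    audit_table.append(record)
    message = (
        f"Suspicious activity reported by {record['login']} from {record['client_ip']} "
        f"at {record['published']}. Sessions cleared and password reset.\n"
        f"Event: {system_log_url(admin_base_url, uuid)}"
    )
    return {"record": record, "message": message}


if __name__ == "__main__":
    table = []
    print(json.dumps(handle_event(SAMPLE_EVENT, "https://acme-admin.oktapreview.com", table), indent=2))
```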
Now let’s walk through all the steps to enable this template.
Step 1 – Configure Okta
Okta can send an automated email to the end user every time they set or reset an authentication factor, including a password. To enable this feature, within the Okta administration console, go to Security > General and enable Report suspicious activity via email.
Once enabled, the user will receive the following email the next time they enroll or update a factor, including their password.
Note: This email can be customized via Customizations > Branding > Emails in the Okta Administration console.
The email provides a button to report that they were not the one who enrolled or reset the respective factor. Pressing the button and reporting suspicious activity results in an auto-generated email sent to the Okta Administrators as well as an entry in the system log. This is a good first step in improving security and helping to reduce account takeover. The issue is that the administrators need to be monitoring their mailbox and also need to be able to act promptly to rectify the situation. As they may be dealing with other issues, this may not always be possible. That's where Okta Workflows can help.
See the following documentation for more detail on Suspicious Activity Reporting: Suspicious Activity Reporting
Step 2 – Set Up Template
Within the Okta Workflows console, click on the Templates tab. Then search for Suspicious Activity Reported. Open the following template:
- Then click Add Template twice.
- This will create a new folder titled Suspicious Activity Reported containing a single flow and a single table.
- Open the flow and within the first Okta event card, click on Choose Connection and select the respective Okta connection for your tenant. This should update the connections for all the Okta cards within the flow.
- On the Clear User Sessions card, you can optionally set Revoke OAuth Tokens to true.
- On the Reset password card, select Options and then set Send Email to Yes. This will notify the end user that their password has been reset.
- On the Compose card, update the URL. Replace acme-admin.oktapreview.com with your own Okta org address. As this URL points to the system log in the admin console, it needs to be the Admin URL (include “-admin”).
- Finally, on the Slack card, update the connection to your own Slack connector. Under Options, choose the Slack channel to send security-related events to. Leave the format as Plain Text.
- Save the flow and ensure Save all data that passes through the Flow has been ticked. This is required to check that the flow runs as expected.
- Turn the flow on.
Testing the Flow
To test the flow, I logged into my Okta tenant as a test user and then reset my password.
As a result, the following message arrived on the respective Slack channel:
The Workflow table now has the following record:
Additionally, the test user was automatically logged out of Okta and received the following email:
It’s as simple as that!!!
Get your Workflows questions answered
Do you have a question about Okta Workflows? Not sure how to build a flow? Join the weekly community office hours to get help.