One of the best security resources a company has is its users. Two Okta features that can be leveraged to take advantage of this are Security notification emails and the Report suspicious activity via email feature. The first of these sends email notifications to end users when an action such as a sign-on from a new device, a password change or an authenticator enrolment occurs. The second adds a link/button to that email so the user can immediately flag the activity as suspicious by clicking it. The report then generates System Log events that can be picked up by a SIEM/SOAR platform, or Event Hooks can be used to automate actions. In this post we’re going to set up an Okta Workflows template for Suspicious activity reporting that clears a user's sessions, resets their password and alerts the security team directly.
The steps we will cover in this post are as follows.
- Set up Security notification emails with Suspicious activity reporting.
- Import Workflows Template
- Configure Workflows Template
- Test the workflow
Configure Security Notifications
Security notification emails and Suspicious activity reporting can be enabled under the Security -> General section of the Admin Console. The best bet is simply to set everything to enabled as shown below.

Import Workflows Template
Next we need to import the workflows template. There are two different ways to do this:
- Add the template from the Workflows Console
- Import from the GitHub repository.
We’re going to add from the Workflows console in this blog. To do this complete the following steps.
- Navigate to the Workflows console via Workflow -> Workflows Console within the admin console.
- Select Templates from the menu bar.
- Type Suspicious Activity Reported into the Search bar and either click on the drop-down or hit enter and pick the workflow tile. You should then see something like the below.
- Click Add Template and you’ll get a popup. Click Add Template again and this will add a new folder and a workflow like the below.

Configure Workflows Template
The steps to configure the template are straightforward and have been detailed here and in a video.
- Select the Okta Connection for your tenant by clicking Choose Connection and selecting the Okta tenant. If you have not set up your Okta connection yet, follow the guidance in the documentation.

- Confirm the options for the Clear User Sessions action; if you’re unclear, refer to the documentation.
- Confirm the behaviour for the Reset Password action. In the example below we’re not converting the user, but we are sending an email. See the action documentation for more details on the options.

- Next we’ll need to update the text compose card, which is used to construct the call to retrieve the System Log events. To do this, replace acme with your tenant name and, if you are using a production organisation, change oktapreview to okta.

- Finally, select your Slack connection in the Slack action card and configure the message options. Refer to the documentation if you need to set up your connection to Slack or are unsure of the available options.
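As an added example (not part of the post or the Okta Workflows template), the script below shows what the configured flow does in API terms: it builds the same System Log query the text compose card constructs (tenant acme, oktapreview vs. okta), filters a System Log event for the end-user suspicious-activity report, and turns it into the Clear User Sessions and Reset Password calls plus the Slack message. The sample event is constructed, and reading the reporting user from the event's actor field is an assumption.

```python
import json
from typing import Optional
from urllib.parse import quote, urlencode

# System Log event type emitted when an end user clicks "Report Suspicious Activity".
SUSPICIOUS_EVENT = "user.account.report_suspicious_activity_by_enduser"

def system_log_url(tenant: str, domain: str = "oktapreview", since: str = "2024-01-01T00:00:00Z") -> str:
    """Mirror the text compose card: the System Log API query for suspicious-activity reports.
    Use domain="okta" for a production organisation, as the post notes."""
    base = f"https://{tenant}.{domain}.com/api/v1/logs"
    params = {"filter": f'eventType eq "{SUSPICIOUS_EVENT}"', "since": since, "limit": "100"}
    return f"{base}?{urlencode(params, quote_via=quote)}"

def plan_response(event: dict, tenant: str, domain: str = "oktapreview") -> Optional[dict]:
    """Translate one System Log event into the flow's actions.
    Returns None for any other event type so a SIEM/SOAR loop can skip it.
    Assumption: the reporting user is carried in event["actor"]."""
    if event.get("eventType") != SUSPICIOUS_EVENT or event.get("outcome", {}).get("result") != "SUCCESS":
        return None
    user_id = event["actor"]["id"]
    login = event["actor"]["alternateId"]
    base = f"https://{tenant}.{domain}.com/api/v1/users/{user_id}"
    return {
        "user": login,
        # Clear User Sessions action -> Users API "clear user sessions" endpoint
        "clear_sessions": ("DELETE", f"{base}/sessions"),
        # Reset Password action with "send email" enabled -> lifecycle reset endpoint
        "reset_password": ("POST", f"{base}/lifecycle/reset_password?sendEmail=true"),
        "slack_text": f":rotating_light: {login} reported suspicious activity at {event['published']}; "
                      "sessions cleared and password reset.",
    }

# Constructed sample event (not captured from a real tenant) in the System Log shape.
SAMPLE_EVENT = json.loads("""{
  "uuid": "00000000-0000-0000-0000-000000000000",
  "eventType": "user.account.report_suspicious_activity_by_enduser",
  "published": "2024-05-01T10:15:00.000Z",
  "actor": {"id": "00u0000000example", "type": "User", "alternateId": "jane.doe@example.com"},
  "outcome": {"result": "SUCCESS"}
}""")

if __name__ == "__main__":
    print(system_log_url("acme"))
    print(json.dumps(plan_response(SAMPLE_EVENT, "acme"), indent=2))
```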

Testing the Flow
Finally, to test the flow, make sure that you turn the flow on and save the data that passes through the flow. Then trigger one of the actions that you enabled for Security notification emails in the first step above, e.g. I enrolled a new authenticator and received the below email.

Clicking on the Report Suspicious Activity button will trigger the workflow. This should reset the user's password and trigger a Slack message like the below.

The flow will also save the event details to a table for later reference. You can find the table by navigating back to the folder in which the workflow was stored; it should look similar to the below.

Additionally, if you have configured Admin email notifications with User reporting of suspicious activity, admins will receive an email like the below.

If you would like to update or change your admin email notifications settings navigate to Settings -> Account in the Admin console, scroll down to the Admin email notifications section and click Edit.

Conclusion
This workflow is one of the many sample workflows we have that can be leveraged to increase the security posture of your organisation. If the actions taken in this flow don’t match what you want to do then you can try out quarantining the user. There are also many other templates in the Workflows GitHub repository that can be used as is or combined to achieve more complex outcomes. I also recommend referring to the Okta Security Blog for posts such as Using Workflows to Respond to Anomalous Push Requests.