New in Workflows: Security Operations Solution Packs

Okta Workflows has just released a number of templates focused on Security Operations Centre (SOC) processes. In this blog post, you will learn about these templates. 

Getting started

These templates are designed to help solve specific identity-based automation challenges for the Security Operations team, using a bundled collection of pre-built, fully customizable flows. The categories include:

  • Security Awareness
  • Identity Automation + Response
  • Incident Investigation + Response
  • Threat Intelligence
  • User Behavior Analytics

Some of the main benefits are:

  • Accelerate, or even fully automate, security policy enforcement at the identity layer.
  • Detect and respond to suspicious user or entity activity by identifying changes in user behavior that create a risk to the organization.
  • Continuously monitor and improve your organization’s security posture with these automations as you focus your attention on preventing, detecting, analyzing, and responding to other critical security incidents.

To find all the workflow templates focused on security operations, go to the Templates tab in the Workflows console and enter security in the search criteria.

Suspicious Activity Reported

One of the new workflow templates focused on security operations is Suspicious Activity Reported.

Template Overview

The Suspicious Activity Reported template includes the following functionality:

The Suspicious Activity Reported event initiates the flow. The reporting user's sessions are then cleared and their password is reset; you can also optionally revoke all issued OAuth tokens. The benefit is that this containment happens immediately and does not depend on manual intervention by the security team. Because the trigger is the end user's own report, these actions are scoped to that user's account.

[Image: Suspicious Activity Reported template – Part 1]

The Unique Id of the event is extracted from the incoming event payload and used to construct a URL that points to the actual event in the tenant's System Log. This URL is included in the message sent to a Slack channel.

[Image: Suspicious Activity Reported template – Part 2]

The Event Details are extracted from the incoming event payload and included in the record written to an internal workflow table, which provides an audit trail of the event. Note that this could be further enhanced by processing the table data in a separate flow, for example to produce security reports or to integrate with third-party systems.

[Image: Suspicious Activity Reported template – Part 3]

Finally, the flow composes a message and sends it to a Slack channel.

[Image: Suspicious Activity Reported template – Part 4]

Note: The Slack connector can easily be replaced with an MS Teams connector. See info on the MS Teams connector here: Microsoft Teams connector | Okta
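To make the four parts of the template concrete, here is an added Python mirror of the same flow (this is example code written for this post, not the template itself or any Okta library). It takes a System Log event, refuses anything that is not a successful end-user report, plans the same Okta Users API calls the Clear User Sessions and Reset password cards make, builds the admin-console link from the event uuid, writes the audit record and composes the Slack text. The HTTP transport is injected so it runs offline. The event type name, the sample event, the org URL and the System Log report path and filter syntax are assumptions; check them against your own tenant.

```python
"""Python mirror of the Suspicious Activity Reported flow (added example)."""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import quote

# Assumed System Log event type for an end-user report; confirm it against a
# real event in your own tenant before keying automation on it.
REPORT_EVENT_TYPE = "user.account.report_suspicious_activity_by_enduser"

# Constructed sample event in the System Log shape (not captured from a tenant).
SAMPLE_EVENT = {
    "uuid": "1a2b3c4d-0000-4000-8000-aabbccddeeff",
    "eventType": REPORT_EVENT_TYPE,
    "published": "2024-01-15T10:22:31.000Z",
    "actor": {"id": "00u1abcdEXAMPLE0", "type": "User",
              "alternateId": "test.user@example.com", "displayName": "Test User"},
    "client": {"ipAddress": "203.0.113.7"},
    "outcome": {"result": "SUCCESS"},
}

@dataclass
class ApiCall:  # one planned Okta API request
    method: str
    url: str
    params: Dict[str, str] = field(default_factory=dict)

def admin_url(org_url: str) -> str:
    """https://acme.okta.com -> https://acme-admin.okta.com: the System Log only
    exists in the admin console, which is why the Compose card needs '-admin'."""
    scheme, _, host = org_url.rstrip("/").partition("://")
    if not scheme or "/" in host:
        raise ValueError(f"expected a bare org URL, got {org_url!r}")
    label, dot, domain = host.partition(".")
    if not label.endswith("-admin"):
        label += "-admin"
    return f"{scheme}://{label}{dot}{domain}"

def system_log_link(org_url: str, event_uuid: str) -> str:
    """Deep link to the one event. The report path and filter syntax are
    assumptions: copy the exact form from a link in your own admin console."""
    flt = quote(f'uuid eq "{event_uuid}"', safe="")
    return f"{admin_url(org_url)}/report/system_log_2?filter={flt}"

def plan_response(event: dict, org_url: str, revoke_oauth: bool = False,
                  send_email: bool = True) -> List[ApiCall]:
    """Containment actions, scoped to the reporting user's own account. Anything
    that is not a successful end-user report is refused, so a mis-wired trigger
    cannot reset passwords on unrelated events."""
    if event.get("eventType") != REPORT_EVENT_TYPE:
        raise ValueError(f"not a suspicious-activity report: {event.get('eventType')!r}")
    if event.get("outcome", {}).get("result") != "SUCCESS":
        raise ValueError("report did not succeed; nothing to contain")
    actor = event["actor"]
    if actor.get("type") != "User":
        raise ValueError("report actor is not a user")
    base = f"{org_url.rstrip('/')}/api/v1/users/{actor['id']}"
    return [
        # Clear User Sessions card; oauthTokens=true also revokes issued tokens
        ApiCall("DELETE", f"{base}/sessions", {"oauthTokens": "true"} if revoke_oauth else {}),
        # Reset password card; sendEmail=true notifies the user, as in step 5
        ApiCall("POST", f"{base}/lifecycle/reset_password",
                {"sendEmail": "true" if send_email else "false"}),
    ]

def audit_record(event: dict, org_url: str) -> dict:
    """Row for the workflow table: what an analyst needs to follow up later."""
    return {
        "event_uuid": event["uuid"],
        "published": event["published"],
        "user_id": event["actor"]["id"],
        "user_login": event["actor"].get("alternateId"),
        "client_ip": event.get("client", {}).get("ipAddress"),
        "system_log_url": system_log_link(org_url, event["uuid"]),
    }

def slack_message(record: dict) -> str:
    """Plain-text message, as the template's Slack card sends it."""
    return (f"Suspicious activity reported by {record['user_login']} "
            f"({record['user_id']}) from {record['client_ip']} at "
            f"{record['published']}. Sessions cleared and password reset. "
            f"Event: {record['system_log_url']}")

def handle_event(event: dict, org_url: str, send: Callable[[ApiCall], int],
                 revoke_oauth: bool = False) -> dict:
    """Run the whole flow. `send` makes one HTTP call and returns its status:
    a real client in production, a stub when running offline."""
    statuses = [send(call) for call in plan_response(event, org_url, revoke_oauth)]
    record = audit_record(event, org_url)
    record["api_statuses"] = statuses
    record["slack_text"] = slack_message(record)
    return record

if __name__ == "__main__":
    def stub(call: ApiCall) -> int:  # offline transport: print instead of send
        print(f"{call.method} {call.url} {call.params}")
        return 200
    print(json.dumps(handle_event(SAMPLE_EVENT, "https://acme.okta.com", stub,
                                  revoke_oauth=True), indent=2))
```

The point worth carrying back to the no-code flow is the guard in plan_response: the template's Okta event card is what ties the password reset to the suspicious-activity report, so if you copy the cards into a flow with a broader trigger, add an equivalent check on the event type before the Clear User Sessions and Reset password cards.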

Now let’s walk through all the steps to enable this template.

Step 1 – Configure Okta

Okta can send an automated email to the end user every time they set or reset an authentication factor, including their password. To enable this feature, in the Okta Admin Console go to Security > General and enable Report suspicious activity via email.

[Image: General Security screen – Security Notification Emails]

Once enabled, the user will receive the following email the next time they enroll or update a factor, including their password.

[Image: Sample Report Suspicious Activity email]

Note: This email can be customized via Customizations > Branding > Emails in the Okta Administration console.

The email provides a button for the user to report that they were not the one who enrolled or reset the respective factor. Pressing the button and reporting suspicious activity results in an auto-generated email to the Okta administrators as well as an entry in the System Log. This is a good first step in improving security and helping to reduce account takeover. The issue is that the administrators need to be monitoring their mailbox, and they also need the ability to act promptly in rectifying the situation. As they may be dealing with other issues, this may not always be possible. That's where Okta Workflows can help.

See the following documentation for more detail on Suspicious Activity Reporting: Suspicious Activity Reporting

Step 2 – Set Up Template

Within the Okta Workflows console, click on the Templates tab. Then search for Suspicious Activity Reported. Open the following template:

[Image: Suspicious Activity Reported template]

  1. Click Add Template, then click Add Template again to confirm.
  2. This will create a new folder titled Suspicious Activity Reported containing a single flow and a single table.
  3. Open the flow and within the first Okta event card, click on Choose Connection and select the respective Okta connection for your tenant. This should update the connections for all the Okta cards within the flow.
  4. On the Clear User Sessions card, you can optionally set Revoke OAuth Tokens to true.
  5. On the Reset password card, select Options and then set Send Email to Yes. This will notify the end user that their password has been reset.
  6. On the Compose card, update the URL, replacing the placeholder org address with your own Okta org address. Because this URL points to the System Log in the Admin Console, it must be the admin URL (the hostname includes “-admin”).
  7. Finally, on the Slack card, update the connection to your local Slack connector. Under Options, choose the Slack channel to send security-related events to. Leave the format to Plain Text.
  8. Save the flow and ensure Save all data that passes through the Flow is ticked. This is required to verify the flow runs as expected; since it retains every event payload in the flow's execution history, consider turning it off once testing is complete.
  9. Turn the flow on.

Testing the Flow

To test the flow, I logged into my Okta tenant as a test user and then reset my password.

As a result, the following message arrived on the respective Slack channel:

[Image: Sample Slack message]

The Workflow table now has the following record:

[Image: Sample Workflow table record]

Additionally, the test user was automatically logged out of Okta and received the following email:

[Image: Sample Reset Password email]

Get your Workflows questions answered

Do you have a question about Okta Workflows? Not sure how to build a flow? Join the weekly community office hours to get help.