Boosting security with Okta Identity Threat Protection and Workflows

As cyberthreats grow in complexity and frequency, the need for robust identity security has never been more critical. Identity-based attacks, such as compromised credentials and unauthorized access, pose significant risks to organizations. Protecting against these threats requires a proactive and intelligent approach that detects and responds to suspicious activities and integrates seamlessly with existing security measures.

Enter Okta Identity Threat Protection with Okta AI, a cutting-edge solution designed to fortify your organization’s identity security. Combining the power of artificial intelligence (AI) with comprehensive identity protection, Okta Identity Threat Protection offers real-time, continuous threat detection and response capabilities tailored to address the unique challenges of modern cybersecurity.

One of the most powerful features of Okta Identity Threat Protection with Okta AI is its integration with Okta Workflows. These workflows serve to create automation and enable your security infrastructure to respond dynamically and effectively to threats. With customizable, policy-driven actions, Okta Workflows can be used to deactivate or quarantine compromised accounts, enforce multi-factor authentication (MFA) for high-risk activities, and alert security teams to potential breaches — helping make  your defenses active and responsive.

 

AD 4nXeN5IPgE4uAuuC5I2OyxvQKTRhbKwpTnjfnAHhbckznD6VHiNCKhCCLUCp4pNtI5JkYT9AwYgJH1lAuwn8ktwnekqPis8pkpceVG8myVHZsxX8on7R4HK1GJm2jNui99nxZgmM4h 8Z4tGy8V3oKaAix6as?key=uFuTXEnPsH78U95C4D3gkg

 

Let’s explore how Okta Identity Threat Protection with Okta AI and Okta Workflows, our low-code automation platform, can help you better meet your security and business goals.

Bespoke automation for Okta Identity Threat Protection

Below is a simplified view of Okta Identity Threat Protection with Okta AI. Signals and events from both Okta and partners are constantly fed into Okta, and the Identity Threat Protection risk engine determines risks and executes associated policies.

 

AD 4nXfbp41eiFhuMLP3jeH8z n GabXUL0wMDhKDbPb8ATJ0GZIbfNvrEtjGnl74 WbhMP1vbRyafAh3XdPH6QP7u3F8fe0ylFVneUkmecu4OHjd0LON8qJ1PFLkc3JxJ pfsv8i 5rYokK0KFDQzhawGI81VHV?key=uFuTXEnPsH78U95C4D3gkg 

 

These policies can trigger corrective actions, such as performing Universal Logout or calling a delegated flow in Okta Workflows. In this article, we will call these policy-initiated workflows.

Risk evaluation may also trigger actions within Okta, such as increasing the user risk level (called the entity risk level). A user risk level change is just one of many events related to Identity Threat Protection that will be written to Okta system logs, along with things like re-evaluation of policies, session context changes, receiving a risk signal from a third-party vendor, and much more. Almost any activity within Okta is logged in the system log. It is common to trigger workflows from eligible events using event hooks or the built-in Okta connector within Workflows. In this article, we will call these event-initiated workflows.

Policy-initiated workflows

From the product documentation: When Identity Threat Protection with Okta AI uncovers a risk and the remediation event requires additional actions beyond universal sign-out, you can automatically run a delegated workflow.

The third-party apps and services provided through Okta Workflows connectors offer numerous possible remediation actions.

  • Notify users or administrators through Slack or email
  • Deactivate a user
  • Remove a user from a privileged group
  • Move a user to a new restricted group
  • Quarantine a device
  • Submit an incident ticket to a queue
  • Configure different flows for different risk scenarios based on your requirements

In addition, you can use the Custom API Action cards included in nearly all connectors to create custom actions that can interface with any third-party API endpoints.

Okta Identity Threat Protection documentation illustrates several Workflow examples that could be initiated from specific policies, such as:

  • Send a Slack message to indicate a policy violation
  • Clear user sessions and send an email notification to reduce the risk 
  • Remove the user from all memberships and deactivate their account

Thus, policy-initiated workflows are useful for automation tied to specific risks generated by Identity Threat Protection, as workflows are tied to specific policies. If you want to drive automation based on more generic situations, such as a user risk level change,  then event-initiated workflows are more appropriate.

Event-initiated workflows

Events appearing in the Okta system log can also initiate workflows. While specific events are related to Identity Threat Protection, you might want to leverage other events in Okta, such as those relating to devices, applications, group membership, and more. Perhaps you want to check a user's risk level before they can be unsuspended, before allowing a device to register, or when the user is assigned to an application.

There are two mechanisms to trigger a workflow from an event in the system log:

  1. The Okta connector comes pre-built with a large number of events; you just click on the event to add it to the start of a workflow
  2. Event hooks in Okta can call workflows built with an API endpoint that triggers the flow; an event hook is created for a specific event type, which calls the API and passes the event details

When building event-initiated workflows, using the Okta Connector events is simpler, but you can use the API endpoint if the Okta Connector doesn’t support the event you need.

There are examples of policy-initiated workflows in the documentation, so the following sections will look at some event-initiated examples.

Event-initiated workflow examples

Below are three examples of triggering workflows from events in the Okta system log and covering different use cases.

  1. A user risk level change triggers a ticket in ServiceNow and assignment to a high-risk group in Okta.
  2. When a user is assigned to a high-risk application, a workflow checks the user's risk and allows or rolls back the new access.
  3. When a user is assigned to a high-risk application, a workflow checks the user's risk and allows or triggers a User Access Review in Okta Identity Governance.

1. Logging a ServiceNow ticket and assigning a user to a high-risk group

In this example, we use an event hook subscribed to user.risk.detect events to fire a workflow. In this scenario, we notify our security team about the event in Slack with useful details and email the manager of the user whose risk level changed.

In cases where a user’s risk level is HIGH, we also create a ServiceNow incident, add the user to a high-risk group in Okta, enrich our notification with a link to the ServiceNow incident, and indicate that the user has been added to the group. When the user’s risk level lowers, they are removed from the high-risk group.

 

AD 4nXdSNCkm0S2jXskTkJdFJZ8TyfpwkxRtQp  1c7cdtzF5sP0TzHVfMpsuUx9QjzQ8TLvaZhIxt ptQHbX1WuJLD  CUbYgG2C2UTWqtgWg7i0Z OJ94DKmPCSlpw2Xp9jJ5Z2G Ieg?key=uFuTXEnPsH78U95C4D3gkg

 

The workflow will:

 

  • Be triggered by the user.risk.detect event in the Okta system log. We’ll use an event hook pointed at an API Endpoint flow. (See Processing Okta Event Hooks with Workflows for more information.)
  • Parse the event details
  • Read the user by ID to return information from their profile and generate a link to a system log query related to the event
  • Determine the user’s risk level:
    • If it is now “HIGH”
      • Create a ServiceNow incident
      • Add the user to a high-risk Okta group
      • Email the user’s manager
      • Enrich chat notifications with context about the above actions
    • If it has decreased from “HIGH”:
      • Remove the user from the high-risk Okta group
      • Enrich chat notifications with context about the above actions
  • Send notifications on all user.risk.detect events:
    • Slack (or Teams) message to a security channel for all user.risk.detect events
  • Add information about group addition/removal and link to ServiceNow incident when applicable.
     

Let's walk through the flow. First, we parse out the payload from the user.risk.detect event and assign some values we’ll use later in our flow. We then close out the connection to the event hook with a 200 status code.

 

AD 4nXfrw UBTGvOFAdzH69PA0BUoGBkEeQQ2O8QFXCUEE0d9WP5Ec9JkMV9MrZaEKHfj5mpOYJ30redbX3RjZCg7AE4xI2qg2Uk0W2quLREr5x J K7ruLrPzoFHyGYXU9UhWGTq v1gjJnG7maa3jh 4imtifW?key=uFuTXEnPsH78U95C4D3gkgAD 4nXeBQrH9CZe4x5PbGh6HWF3Ioq02eW6m9gN1JPoLHxx8CXVKQd1Th CVR 3nW 6bgArIAdZW 1vq JaFR0GGmeSa7vZjhpQm4E6dbKXmLqq8pmYd0jsKlzbjU4Mrc3wBXObDTPLTUN8vk zbXTnXZTAEhDo?key=uFuTXEnPsH78U95C4D3gkg

 

Next, we’ll call some helper flows. One will help us further parse out the debugData.risk event to get the current and previous risk levels. The other will retrieve some profile information about the user whose risk level has elevated and build a link to a system log query about the event. 

AD 4nXe0JYO3sIqTxDzz qMyWqD9kfHLhwX61nTiqflMCGRb4YMnZmc 5xHA5WOqPhMuYtNO9mk9u 0p1bjtWgf voSeU Ylw3pjJ19iF9tLOexeAiFwQGTxGfTRXV yptUXisMnqexBhl 51tFj2jUqKL1f4uqD?key=uFuTXEnPsH78U95C4D3gkg

 

If the user’s risk is now “HIGH,” we’ll

  • Add them to the high-risk Okta group
  • Send an email to the user’s manager
  • Create an incident in ServiceNow
  • Customize our Slack notification sent with every risk level change to inform our team that the user was added to the group and include a link to the ServiceNow incident. The message will also indicate if the ServiceNow “Create Incident” action fails.

 

AD 4nXcAjrXKc5YZdUVrk1oL3ZamGrJxo xpr ooHXJDVAky6gIUgsLa0vFuWdjgzfsruXUcrsd2cZx5zItteDQKa7tFLSdbZsjjTz YXy 3gCGc EBeU9JQ3F ejtYwgpZqODa2kS46HYbIM p5JdKjM i9Sb8?key=uFuTXEnPsH78U95C4D3gkg

 

Finally, we’ll take the messages dynamically built up, indicating 

  • The user has been added or removed from the high-risk Okta group
  • ServiceNow incident and link (or link to investigate if incident creation failed)

We’ll combine those with the rest of the risk event details we send by default with every user.risk.detect event, and send our notification.

 

AD 4nXdsYbfu wnzdjW1Wxw4QTntdJ0wdksJjEizzFlrehSqDRk7wRQFLhMQRtx2ai56eWz2ockWZCqHcnuUHJTCLIoc2lNzeQ oS iFYi qLEWGGbstB5lThPKe0x4eFOeYmGNbcexUTyjTXpFA3OGSSE5xT9Er?key=uFuTXEnPsH78U95C4D3gkg

AD 4nXf0tCszeJiEZiDsqoveD7s56sczYQDm2L zXwMtyohbjmSFXxYC14ZxlKuyinf4Hv3oVvqNTn3R0cdL1nM19CTclc3Q XJquwK1QMUc5 dntNzNGERooiL9cxO1kwSuU OoZB2uuivba39VBiXpngVRDUM4?key=uFuTXEnPsH78U95C4D3gkgAD 4nXedJJ oGh0B5gk8SnwtubLE1 JZ1W1okQg3hgUltPh07EXCfNqUMJ7jNh1UWazh0hlKioCIRuSb fh7qNYqn LFaaFVnZpqSA2nrP9M3sw0Zjw2LZlAAT7NFnffy7fyI1SJe3XrGbJyN3uImk9kQxe3eEU?key=uFuTXEnPsH78U95C4D3gkg

 

Implementing a flow like this leverages the power of Workflows and Okta Identity Threat Protection to give your team continuous real-time visibility into risk signals detected in your Okta tenant. It allows you to integrate different platforms you use to send notifications, create tickets, and automate responses, like quarantining the user in a high-risk group or triggering an incident with an SLA for response in another platform. 

The “High Risk” Okta group could be subject to strict policies that limit a user's access until your team has had a chance to investigate. Adding users to the group could trigger other flows, or you could even have stricter policies within Identity Threat Protection that apply to the group. 

2. Checking user risk on high-risk application assignment

In this example, we have a high-risk application in Okta (such as the PAM product, Okta Advanced Server Access), and when a user is assigned to this application, we want to check the user risk level. If the user has a Low risk level, app access is allowed. Access is allowed if the risk is Medium, but a Slack message is written to highlight this. If the risk is High, the application access is rolled back.

 

AD 4nXfTieXDI7Ym5Qmm tkBegfabgCpcsIRUBHatHtSMmZz5I kpdkHP07uAZdz K3y2ZFY4JxFtPeqGF5u0QCiG E6UJ6ExzVRayUBJpF7kfBKnjCnwDHOGLr mGMzS2OPiCaZZoD3p HYYcKXZVCZXWdLL6Tf?key=uFuTXEnPsH78U95C4D3gkg

 

The workflow will:

 

  • Be triggered by the application.user_membership.add event in the Okta system log. This is a standard event built into the Okta Workflows connector
  • Look up the user by ID to get details in case a Slack message is required
  • Determine user risk. In this case, it is doing a lookup of the user's groups to see if they are in a High or Medium risk group, then
    • If the user risk is Low, it allows the app access (i.e., it does nothing)
    • If the user risk is Medium, it allows the app access but formats and sends a Slack message to the admin team
    • If the user risk is High, it removes the user assignment to the application.

Let's walk through the flow. First, we have an event to indicate that a user, John Smith, has been added to the Okta Advanced Server Access app.

 

AD 4nXfkPGz9eCLAkS48nv SWreBY p63a1uJE0YVyMjHio0HI3D5TrQt5TIvUFy9aiybqFP ymgxnbHC1rXj87gxd3SJXljvjGQ2iw9 96vR1CiniQJYuCL Vter46BsngcEOSSii8a3Asyt06mryyabOI8L aL?key=uFuTXEnPsH78U95C4D3gkg

 

It looks up John’s details and the groups he belongs to so as to determine his risk.

 

AD 4nXcYs9h411xfC1ZoiNPfjAl2KYcaYgCB0jXybT5tKaTPd0 J5cYs JcRJaWs5WDQE4IIvEzuueabScnHeTL9a8EHQ57IviCs JqJHfyQHzpN7NA7ByvY3zS7pJcLWJBMSLaxS9kIoNQ1dCsUIkxSK il H74?key=uFuTXEnPsH78U95C4D3gkg

 

If John is medium risk, and is thus in the corresponding Medium risk group (assigned by Workflows when his risk changed to Medium from some Identity Threat Protection event), a message will be written to Slack.

 

AD 4nXdr93ExlQp9a9vdUUjr89aHJ3Ew8HxRnf5dM3BWzKZyWnq7X x CJs6qRbShPJAXwO4y2r7PGOvTGMuS4ftEV2K1Ry NGbhCN1T1Uqb2aflZ8MlBSz Lio gscra9FbVVz 8tVwSbkqEj2mhDnHIhD33OCv?key=uFuTXEnPsH78U95C4D3gkg

 

If John is high risk and in the corresponding high-risk group, his assignment will be reverted by using another Okta action.
 

AD 4nXfVXbFnozKYOhxD0MDbW48rFnCF0NT9Y8LM mfXIUccFfZ svwuBDLBG3S19vlbKvQ8n2n VthWOBuUiLcUZ8yODMi1YCcd7sAYq8n13gqyT28244U6O14hhm54tv0lKAoO7Gg4rEISa0WV49ItKILbCww?key=uFuTXEnPsH78U95C4D3gkg

 

This can be seen in the Okta system log events for the application (or user).

 

AD 4nXdU9OaAajdcYq0w2I0JQ65UyTaTkfR2aajvPJfGi1IzT6qG Ab9Plz4VSmNxBEi50qfEoeJnoF641v4Ys8dqf94 QCx4M RrrZwFUy  XejKTaUW0Ay6iz8fAP9x xooZtkHQIaINXRJNqHvHuPAES78ZU?key=uFuTXEnPsH78U95C4D3gkg

 

This is a fairly simple — and very powerful — example of using user risk to manage application risk.

3. Checking user risk on high-risk application assignment with user access review

Next, we will extend the previous scenario. Rather than automatically revoking access when a high-risk user is given access to a high-risk application, we will now raise a User Access Review in Okta Identity Governance.

 

AD 4nXeImtZxEHBjePL83BodH8WdYFctBENy91HrxGYrJhqRfMfKYak9mhA1QDkIzoESQOLEc nWGgme fSkrqkx4MFpCdh3YizIRDRUqhr HihKdgZYg i6GCvQYGINB23xBRjeIWAvIJWl4xyE19phwhfP2AY?key=uFuTXEnPsH78U95C4D3gkg

 

The flow is basically the same as before, but rather than removing app access in the last step, the workflow will create and launch a user access review (access certification) using the Campaigns API in Okta Identity Governance and the Custom API action card on the Okta Connector (the details are buried in a helper flow).

As before, when the user is assigned to the app, the user risk level (High) routes the workflow to a helper flow that builds the relative URL and requestBody needed to create and launch the Access Certification campaign.

 

AD 4nXfX dTaVXQyiXnZArf3QQFiYMC4eMsLELspbQmGZf51p3Z7xWrvoibE 9Nl UIGaNNhKp4Z6Elv9MYPGjjapSV0s8ayDM0ocV 1z3Qw4l0zf64AvTtOWEZVaLmFZeTt7CxEJkcMMFDA Z4LMte0JIoOGz2W?key=uFuTXEnPsH78U95C4D3gkg

 

This is assigned to the user's manager to review, and when the manager logs into Okta, they see there is a campaign to review.

 

AD 4nXd7uvmk1L da92oPJq86qFGf 0ZZQ81IW9GbajjKlkJdNtN0NHC6NaAwqmAO8IIGXaYl3MHhwnaKns5oNUB85HEtGnYtetIQTbCJhMobXuZ wXspqKIa1Yah1k8nt25xX8B7U5 YpcyW Dl Ux39w j27QF?key=uFuTXEnPsH78U95C4D3gkg

On checking the details, they see all applications assigned to John Smith.

 

AD 4nXexHB4H9GEs2xi31QVe9M1PbjOfPGgeiaxCvImYsb1xRjEZgvdX7TkY5z5SZpngpPFxOm8OMoO3U 2tBHOw84Znf0dG4pSmsGz1TBgZO33tPIVIHK E674uFXO3XSD7 3HDa6RIg1XtQPXC5rqjseMHuhGj?key=uFuTXEnPsH78U95C4D3gkg

 

They review the access, decide John doesn’t need the Okta Advanced Server Access app, and click the Revoke button.

 

AD 4nXfg9CXwWMTjViJXCv0BOgwGIXOHJZ2ixiLZEJXTXZhOsk0YVFi4xXMs1Q7XEdcqgjKLUTMXI 8XMGN4XGNUlK049sSNMRdzMUNYzXZLw29zNQFmTV 4IPWYjTy0vsRILAsFCGjX0ihwDXfHCPEuG47aT8XF?key=uFuTXEnPsH78U95C4D3gkg

 

This causes the removal of the application as shown in the system log events.

 

AD 4nXf0xFhmiAxzOy07TCOO Oymeg0ZmcwJuhwVi1laBtItimGsMTH2mMkCfBRRLov UW6WhdaHaRkeKrAF0eJSiOyni3A3hCA8jcpZwaJua 0Wge0pIv17MImI9CKaSXaEjDJZdRS2Q4py59OajxaSIUm903E?key=uFuTXEnPsH78U95C4D3gkg

 

This approach provides more flexibility. Users might have a legitimate reason to access a high-risk application, so having a user access review by their manager is an audit-friendly way to manage it (of course, you could apply Access Request flows, but that’s a conversation for another article).

Staying ahead of the threat landscape

By leveraging these Okta capabilities, you can achieve higher security and operational efficiency, aligning your security protocols with your business goals. Whether enforcing MFA for suspicious activities, deactivating or quarantining compromised accounts, or notifying security teams of potential breaches, Okta Identity Threat Protection and Workflows enable your organization to remain resilient against identity-based attacks.

As we navigate the complexities of modern cybersecurity, Okta Identity Threat Protection with Okta AI stands out as a critical tool in your security arsenal. It better protects your organization and enhances your ability to respond to threats swiftly and effectively. By integrating these services, you are not just keeping up with the evolving threat landscape — you are staying ahead of it.

Embrace the future of identity security with Okta and enable your organization to handle today's and tomorrow's challenges. With Okta Identity Threat Protection and Okta Workflows, you can better secure your digital landscape, help protect your valuable assets, and confidently pursue your business objectives.

Learn more about Okta Identity Threat Protection with Okta AI and Okta Workflows.

These materials are intended for general informational purposes only and are not intended to be legal, privacy, security, compliance, or business advice.