The "Suspend User on Cyberhaven Incident" workflow template automates incident response by integrating Cyberhaven, Okta, and Slack. It polls Cyberhaven every 15 minutes for new incidents, evaluates their AI severity, and takes action if necessary. For critical or high-severity incidents, the workflow suspends the user's Okta account and adds them to a Cyberhaven risk group. It also checks for cumulative lower-severity incidents, ensuring timely user suspension and risk management, while notifying the security team via Slack.
Use Cases
DLP, Identity and Access Management
Workflow Breakdown
Poll Cyberhaven for new open incidents every 15 minutes
Loop through incidents and evaluate AI severity
Suspend user in Okta if severity is critical/high
Check cumulative incident threshold for lower severity incidents
Add user to Cyberhaven risk group
Close incident with automated response note
Notify security team via Slack
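The decision logic behind steps 2 to 4 (severity check first, then the cumulative 24-hour count against incident_threshold), as an added stand-alone example rather than the template's own steps; the Incident fields, the sample poll and the decide/triage names are assumptions, and the Okta, risk-group, close and Slack actions are left to the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IMMEDIATE_SEVERITIES = {"critical", "high"}   # immediate-suspend path
WINDOW = timedelta(hours=24)                   # cumulative-path lookback

@dataclass(frozen=True)
class Incident:                # assumed shape of one polled Cyberhaven incident
    incident_id: str
    user_email: str
    ai_severity: str           # "critical", "high", "medium", "low"
    opened_at: datetime        # timezone-aware
    status: str = "open"

def decide(incident, all_incidents, incident_threshold, now):
    """(suspend, reason) for one incident; reason is severity|cumulative|none."""
    if incident.ai_severity.lower() in IMMEDIATE_SEVERITIES:
        return True, "severity"
    # Lower severity: count the user's open incidents in the trailing 24h
    # (including this one, if it is inside the window) against incident_threshold.
    recent = sum(1 for i in all_incidents
                 if i.user_email == incident.user_email and i.status == "open"
                 and now - WINDOW <= i.opened_at <= now)
    return (True, "cumulative") if recent >= incident_threshold else (False, "none")

def triage(incidents, incident_threshold, now):
    """Evaluate each open incident once; return {user_email: reason} to suspend.
    A user already marked is skipped, so each poll yields at most one Okta
    suspend, risk-group add and Slack alert per user."""
    to_suspend = {}
    for inc in sorted(incidents, key=lambda i: i.opened_at):
        if inc.status == "open" and inc.user_email not in to_suspend:
            suspend, reason = decide(inc, incidents, incident_threshold, now)
            if suspend:
                to_suspend[inc.user_email] = reason
    return to_suspend

# Constructed sample poll (not real Cyberhaven data).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident("inc-1", "alice@example.com", "critical", NOW - timedelta(hours=1)),
    Incident("inc-2", "bob@example.com", "low", NOW - timedelta(hours=30)),  # outside window
    Incident("inc-3", "bob@example.com", "medium", NOW - timedelta(hours=5)),
    Incident("inc-4", "bob@example.com", "low", NOW - timedelta(hours=2)),
    Incident("inc-5", "carol@example.com", "high", NOW - timedelta(hours=2), status="closed"),
]
```

With incident_threshold=2, alice is suspended on severity and bob on the cumulative path (two open incidents inside the window); raising the threshold to 3 leaves bob untouched, and carol's closed incident is never evaluated.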
Vendors
Slack, Utils, Okta
Tips
Adjust the incident_threshold parameter to control how many open incidents in 24 hours trigger the cumulative response path
The Okta suspend step can be swapped for Google Workspace, Entra ID, or any other identity provider depending on your stack
The risk_group_id must already exist in Cyberhaven; use the List User Risk Groups step to find the available group IDs
