Skip to main content
All CollectionsBuild AutomationsCasesUse Cases
Leverage Torq Cases for Identity and Access Management
Leverage Torq Cases for Identity and Access Management

Learn how to manage suspicious activity alerts with Torq cases for quick resolution and stakeholder updates.

Updated over 5 months ago

This article outlines leveraging Torq cases to efficiently handle suspicious activity alerts from identity and access management services like Okta.

Suspicious Activity Detection and Pre-Processing

  1. Upon detecting suspicious activity, use events from an identity and access management service, such as Okta, to trigger a workflow.

  2. Retrieve the suspected user's group memberships to check whether the user is a VIP (power user with elevated privileges). The incident should be treated as more urgent if the user is a VIP.

  3. Use the Query cases step to check if there are existing cases for the user:

    • If cases exist, update the most recent one with new event details.

    • If no prior cases exist, create a new one, adding the user and the implicated IP address as observables.

    use case IAM pre-processing
    use case IAM create or update a case
  4. If the user is identified as a VIP:

    • Increase the case severity.

    • Adjust the resolution SLA to reflect the increased urgency.

    • Notify key stakeholders promptly.

Enrich the Observables: Automatically Close the Ticket or Assign It

  1. Use the New case created trigger to run a workflow when the case is created.

  2. Extract observables from the case and enrich them. In this example, the relevant observable is an IP address.

    Case created 1 extract indicators
  3. Depending on the enrichment verdict:

    • If benign, update the case accordingly and resolve it.

    • If malicious, update the case with detailed findings, elevate severity, and update the case status to In progress.

    case created 2 raise the case severity

Case Assignment and Progression

Use the State changed trigger to run a workflow when the case state is updated to In Progress.

  • Assign the case to a team member selected randomly from eligible assignees.

  • Notify the assigned team member and other relevant stakeholders to ensure timely action.

case in progress assign the case
Did this answer your question?