This article outlines how to use Torq cases to handle suspicious activity alerts from identity and access management (IAM) services such as Okta efficiently, from the initial alert through enrichment to assignment.
Suspicious Activity Detection and Pre-Processing
Trigger a workflow from the suspicious activity events emitted by the IAM service (Okta in this example).
Retrieve the suspected user's group memberships to check whether the user is a VIP (a power user with elevated privileges). Treat the incident as more urgent if the user is a VIP, since a compromised privileged account has a much larger blast radius.
Use the Query cases step to check whether an open case already exists for the user, so that repeated alerts for the same user are consolidated instead of spawning duplicate cases:
If one exists, update the most recent case with the new event details.
If none exists, create a new case and add the user and the implicated IP address as observables.
If the user is identified as a VIP:
Increase the case severity.
Shorten the resolution SLA to reflect the increased urgency.
Notify key stakeholders promptly.
Enrich the Observables: Automatically Close the Ticket or Assign It
Use the New case created trigger to run a workflow when the case is created.
Extract the observables from the case and enrich them. In this example, the relevant observable is the IP address added at case creation.
Depending on the enrichment verdict:
If benign, record the verdict on the case and resolve it.
If malicious, update the case with the detailed findings, elevate the severity, and set the case status to In progress.
Case Assignment and Progression
Use the State changed trigger to run a workflow when the case status changes to In progress (the transition made by the enrichment workflow on a malicious verdict).
Assign the case to a team member selected randomly from eligible assignees.
Notify the assigned team member and other relevant stakeholders to ensure timely action.
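The three workflows above (triage and case consolidation, enrichment verdict handling, and assignment on state change) carried through as one runnable example. This is an added illustration, not Torq's own code or API: the in-memory case store, the VIP group names, the severity ladder, the SLA values, the assignee roster and the handling of an inconclusive verdict are all assumptions, and the sample event is constructed to mimic the shape of an Okta System Log record (actor.alternateId, client.ipAddress). It also covers the edge cases a practitioner hits in production: repeated alerts for the same user land on the open case rather than a new one, a resolved case is not silently reopened, and a VIP's SLA is only ever shortened, never extended.

```python
"""Triage, enrichment and assignment logic for an IAM suspicious-activity case.

Added illustration; not Torq code. Group names, severity ladder, SLA values,
assignee handling and the sample event are assumptions made for the example.
"""
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

VIP_GROUPS = {"Executives", "Okta Administrators"}      # assumed group names
SEVERITY_LADDER = ["low", "medium", "high", "critical"]  # assumed ordering
DEFAULT_SLA = timedelta(hours=24)                        # assumed SLA values
VIP_SLA = timedelta(hours=4)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # fixed clock for the demo


@dataclass
class Case:
    case_id: int
    user: str
    status: str = "New"
    severity: str = "medium"
    sla_deadline: Optional[datetime] = None
    assignee: Optional[str] = None
    observables: set = field(default_factory=set)
    events: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def make_event(user: str, ip: str) -> dict:
    """Constructed event shaped like an Okta System Log record."""
    return {
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip},
    }


def parse_event(event: dict) -> tuple:
    """Pull the actor login and source IP out of an Okta-style event."""
    return event["actor"]["alternateId"], event["client"]["ipAddress"]


def is_vip(groups) -> bool:
    """A user is a VIP if any of their groups is in the VIP set."""
    return not VIP_GROUPS.isdisjoint(groups)


def raise_severity(case: Case, floor: str) -> None:
    """Raise severity to at least `floor`; never lower it (idempotent on repeats)."""
    if SEVERITY_LADDER.index(floor) > SEVERITY_LADDER.index(case.severity):
        case.severity = floor


def bump_severity(case: Case) -> None:
    """Raise severity one rung, capped at the top of the ladder."""
    idx = SEVERITY_LADDER.index(case.severity)
    case.severity = SEVERITY_LADDER[min(idx + 1, len(SEVERITY_LADDER) - 1)]


def triage(event: dict, groups, cases: list, now: datetime, next_id: int) -> Case:
    """Workflow 1: consolidate the alert into an open case and escalate for VIPs."""
    user, ip = parse_event(event)
    # Only unresolved cases count as existing; a resolved case is not reopened silently.
    open_cases = [c for c in cases if c.user == user and c.status != "Resolved"]
    if open_cases:
        case = max(open_cases, key=lambda c: c.case_id)   # most recent case
    else:
        case = Case(case_id=next_id, user=user, sla_deadline=now + DEFAULT_SLA)
        cases.append(case)
    case.events.append(event)
    case.observables.update({f"user:{user}", f"ip:{ip}"})
    if is_vip(groups):
        raise_severity(case, "high")
        case.sla_deadline = min(case.sla_deadline, now + VIP_SLA)  # only ever shorten
        case.notes.append("VIP user: stakeholders notified")
    return case


def apply_enrichment(case: Case, ip_verdict: str) -> Case:
    """Workflow 2 (New case created trigger): act on the IP enrichment verdict."""
    if ip_verdict == "benign":
        case.notes.append("IP enrichment: benign")
        case.status = "Resolved"
    elif ip_verdict == "malicious":
        case.notes.append("IP enrichment: malicious")
        bump_severity(case)
        case.status = "In progress"
    else:  # assumed handling: leave the case as-is for a human to look at
        case.notes.append(f"IP enrichment inconclusive ({ip_verdict}); manual review")
    return case


def assign_case(case: Case, assignees, rng=None) -> Case:
    """Workflow 3 (State changed trigger): random eligible assignee once In progress."""
    if case.status != "In progress" or not assignees:
        return case
    case.assignee = (rng or random).choice(list(assignees))
    case.notes.append(f"Assigned to {case.assignee}; assignee and stakeholders notified")
    return case


if __name__ == "__main__":
    store = []
    case = triage(make_event("jdoe@example.com", "198.51.100.23"),
                  ["Everyone", "Executives"], store, T0, 1001)
    apply_enrichment(case, "malicious")
    assign_case(case, ["alice", "bob", "carol"], random.Random(1))
    print(case)
```

In a real deployment the `cases` list is the Query cases step, `now` is the workflow's clock, and the notification lines become the actual stakeholder notifications; the branching logic is what the three workflows encode.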