Skip to main content
All CollectionsTemplatesBasic
Add Malicious IPs to Network Block Zone from Okta System Logs - Workflow Template
Add Malicious IPs to Network Block Zone from Okta System Logs - Workflow Template

On a schedule pull Okta system logs for specific event types, extract any IPv4 address and if found malicious update the block zone in Okta.

Updated over 6 months ago

This workflow automates the security monitoring process by periodically examining Okta system logs for specific event types, identifying IPv4 addresses, and cross-referencing them with VirusTotal to detect malicious activity. If a malicious IP is discovered, the workflow updates Okta's network block list and notifies administrators via email. This ensures timely protection against potential threats and maintains robust access management.

Take Me to the Template

Use Cases

Identity and Access Management

Workflow Breakdown

  1. Pull system logs in Okta for specific event type

  2. Extract any IPv4 addresses that are found in the logs

  3. If the IPv4 addresses are not in the block list, lookup IP in VirusTotal

  4. If the IPv4 address is found to be malicious add it to the block list in Okta

  5. Send a confirmation email that the block list was updated including the new IPs and total number in the list.

Vendors

Utils, Okta, VirusTotal, Microsoft Outlook, Microsoft 365

Workflow Output

Updated list of malicious IP addresses as identified by VirusTotal in the System logs and added to the Network Zone.

Related Articles
Query Okta System Logs by Actor Activity - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template
Check if IPv4 Address is Part of an AWS IP Network Block - Workflow Template
VirusTotal IPv4 Address Enrichment with Cache - Workflow Template
Did this answer your question?