Skip to main content
All CollectionsTemplatesBasic
Okta event on MFA addition with user Verification (Okta) - Workflow Template
Okta event on MFA addition with user Verification (Okta) - Workflow Template

Receive event from Okta when a user adds a MFA method, lookup source IP with VirusTotal or ask user if this was intended, if not open issue.

Updated over 6 months ago

This workflow template assists in managing security incidents related to the addition of MFA methods to Okta user accounts. When an MFA method is added, it investigates the source IP using VirusTotal, and if the IP is not deemed malicious, it prompts the user for confirmation. Any unexpected addition triggers an automated response, including the creation of a Jira issue and a corresponding Slack channel to coordinate the response with on-call engineers. If necessary, the workflow also includes steps for suspending the user account, closing issues, and archiving the Slack channel to ensure a prompt and secure incident resolution.

Trigger

Okta

Use Cases

Identity and Access Management

Workflow Breakdown

  1. Receive an event on MFA method addtion to an Okta user

  2. Check if source IP is malicious/suspicious in VirusTotal, if not ask user if the action was intended

  3. If Yes, end workflow.

  4. If No, open a Jira issue and Slack channel, invite on-call engineers to channel

  5. Assign the issue to the engineer that ACKs the Slack message

  6. Suspend the user if needed, close the Jira issue and archive the Slack channel

Vendors

Slack, Utils, Okta, VirusTotal, Jira Cloud

Workflow Output

Jira issue with updates on new incident

Tips

Modify the first workflow variable step to match the integration names and details on the tenant.","Filter for the eventType equal to \"user.mfa.factor.activate\" in the trigger from Okta

Did this answer your question?