This workflow template assists in managing security incidents related to the addition of MFA methods to Okta user accounts. When an MFA method is added, it investigates the source IP using VirusTotal, and if the IP is not deemed malicious, it prompts the user for confirmation. Any unexpected addition triggers an automated response, including the creation of a Jira issue and a corresponding Slack channel to coordinate the response with on-call engineers. If necessary, the workflow also includes steps for suspending the user account, closing issues, and archiving the Slack channel to ensure a prompt and secure incident resolution.
Trigger
Okta
Use Cases
Identity and Access Management
Workflow Breakdown
Receive an event on MFA method addition to an Okta user
Check if the source IP is malicious/suspicious in VirusTotal; if not, ask the user whether the action was intended
If Yes, end the workflow.
If No, open a Jira issue and Slack channel, invite on-call engineers to channel
Assign the issue to the engineer that ACKs the Slack message
Suspend the user if needed, close the Jira issue and archive the Slack channel
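The first two steps above (filter the Okta event, check the source IP in VirusTotal, then decide whether to ask the user or open an incident), as an added Python example that is not part of the template. The Okta System Log event and the VirusTotal reply are constructed samples shaped like the real API payloads; a VirusTotal-flagged IP is treated here as an unexpected addition that goes straight to the incident path, and nothing in the block talks to the network.

```python
# Added triage logic for the MFA-factor workflow; not the template's own code.
# Field names (eventType, client.ipAddress, last_analysis_stats) match the real
# Okta System Log and VirusTotal v3 /ip_addresses shapes; inputs are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

TRIGGER_EVENT_TYPE = "user.mfa.factor.activate"

@dataclass
class Triage:
    action: str    # "ignore", "ask_user" or "open_incident"
    user: str
    ip: str
    reason: str

def vt_verdict(vt_response: dict) -> Tuple[int, int]:
    """Return (malicious, suspicious) engine counts from a VT v3 IP lookup reply."""
    stats = vt_response["data"]["attributes"]["last_analysis_stats"]
    return int(stats.get("malicious", 0)), int(stats.get("suspicious", 0))

def triage_mfa_event(event: dict, vt_response: dict, user_confirmed: Optional[bool] = None) -> Triage:
    """Decide the next workflow step for one Okta System Log event."""
    if event.get("eventType") != TRIGGER_EVENT_TYPE:
        return Triage("ignore", "", "", "not an MFA factor activation")
    user = next((t["alternateId"] for t in event.get("target", []) if t.get("type") == "User"),
                event["actor"]["alternateId"])
    ip = event["client"]["ipAddress"]
    malicious, suspicious = vt_verdict(vt_response)
    if malicious or suspicious:   # flagged source IP: skip the user prompt
        return Triage("open_incident", user, ip, f"VirusTotal: {malicious} malicious, {suspicious} suspicious")
    if user_confirmed is None:    # clean IP: the workflow now asks the user
        return Triage("ask_user", user, ip, "IP clean; awaiting user confirmation")
    if user_confirmed:
        return Triage("ignore", user, ip, "user confirmed the new factor")
    return Triage("open_incident", user, ip, "user denied adding the factor")

# Constructed sample inputs (documentation IP range, fictitious user)
SAMPLE_EVENT = {
    "eventType": "user.mfa.factor.activate",
    "actor": {"alternateId": "alice@example.com", "type": "User"},
    "client": {"ipAddress": "203.0.113.10"},
    "target": [{"type": "User", "alternateId": "alice@example.com"}],
}
VT_CLEAN = {"data": {"attributes": {"last_analysis_stats": {"malicious": 0, "suspicious": 0, "harmless": 80}}}}
VT_FLAGGED = {"data": {"attributes": {"last_analysis_stats": {"malicious": 5, "suspicious": 1, "harmless": 70}}}}

if __name__ == "__main__":
    print(triage_mfa_event(SAMPLE_EVENT, VT_CLEAN))
```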
Vendors
Slack, Utils, Okta, VirusTotal, Jira Cloud
Workflow Output
Jira issue with updates on new incident
Tips
Modify the first workflow variable step to match the integration names and details on the tenant.
Filter for the eventType equal to "user.mfa.factor.activate" in the trigger from Okta.