The workflow template "Detect Impossible Travels in Okta Logins" is designed for businesses looking to enhance their security by analyzing successful user logins from different locations within a short timeframe. It detects impossible travel scenarios, which suggest potential account hijacking. It maintains a history of user logins, obtains the geolocation of each source IP, and compares the distance between consecutive logins to identify suspicious activity. If a compromise is detected, it supports automated password resets and notifies administrators via Slack, enriching the IP reputation through the VirusTotal and Recorded Future integrations. It serves the Identity and Access Management and Suspicious User Activity use cases.
Trigger
Okta
Use Cases
Identity and Access Management, Suspicious User Activity
Workflow Breakdown
It triggers only on successful logins and maintains the user's login history using global variables.
It obtains the geolocation of the source IP and compares it with the geolocation of the last login to find the distance between the two locations.
It can use VirusTotal and Recorded Future to enrich the reputation of the source IP.
When the password is reset, the user will receive a link by email to define a new password.
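The detection logic in the breakdown above (keep the last successful login per user, geolocate the new source IP, compare the distance and elapsed time between consecutive logins) can be illustrated in Python. This is an added example, not code from the Torq template or from Okta; the IP-to-coordinate table is constructed from documentation-range addresses in place of a real geolocation lookup, and the 900 km/h plausibility threshold is an assumption, not a value the template states.

```python
import math
from datetime import datetime, timedelta

# Constructed IP -> (lat, lon) table standing in for the geolocation lookup the
# workflow performs. Documentation-range addresses; coordinates are approximate
# city centres.
GEO_TABLE = {
    "198.51.100.10": (40.7128, -74.0060),  # New York
    "192.0.2.77": (40.7306, -73.9352),     # Brooklyn, a few km from New York
    "203.0.113.25": (51.5074, -0.1278),    # London
}

# Assumed maximum plausible travel speed in km/h (roughly airliner cruise speed).
MAX_SPEED_KMH = 900.0


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def geolocate(ip):
    """Hypothetical lookup; a real workflow would call a geolocation service."""
    return GEO_TABLE.get(ip)


class ImpossibleTravelDetector:
    """Holds the last successful login per user (the role the template's global
    variables play) and evaluates each new login against it."""

    def __init__(self, max_speed_kmh=MAX_SPEED_KMH, max_age=timedelta(days=30)):
        self.max_speed_kmh = max_speed_kmh
        self.max_age = max_age          # older logins are not worth comparing
        self.history = {}               # user -> (timestamp, ip, (lat, lon))

    def evaluate(self, event):
        """event: {'user', 'ip', 'ts', 'outcome'}; returns a verdict dict."""
        if event["outcome"] != "SUCCESS":
            return {"status": "ignored", "reason": "not a successful login"}
        loc = geolocate(event["ip"])
        if loc is None:
            return {"status": "unknown_location", "ip": event["ip"]}

        prev = self.history.get(event["user"])
        if prev is None:
            self.history[event["user"]] = (event["ts"], event["ip"], loc)
            return {"status": "first_seen"}

        prev_ts, prev_ip, prev_loc = prev
        delta = event["ts"] - prev_ts
        if delta < timedelta(0):
            # Out-of-order delivery: do not let a stale event poison the history.
            return {"status": "out_of_order"}
        self.history[event["user"]] = (event["ts"], event["ip"], loc)
        if delta > self.max_age:
            return {"status": "ok", "reason": "previous login too old to compare"}

        distance = haversine_km(prev_loc, loc)
        hours = max(delta.total_seconds() / 3600.0, 1.0 / 3600.0)  # floor at one second
        speed = distance / hours
        status = "impossible_travel" if speed > self.max_speed_kmh else "ok"
        return {"status": status, "distance_km": round(distance, 1),
                "speed_kmh": round(speed, 1), "previous_ip": prev_ip}


def run_demo():
    """Constructed login sequence for one user; returns the list of statuses."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [
        {"user": "alice", "ip": "198.51.100.10", "ts": t0, "outcome": "SUCCESS"},
        {"user": "alice", "ip": "192.0.2.77", "ts": t0 + timedelta(minutes=10), "outcome": "SUCCESS"},
        {"user": "alice", "ip": "203.0.113.25", "ts": t0 + timedelta(minutes=70), "outcome": "SUCCESS"},
        {"user": "alice", "ip": "203.0.113.25", "ts": t0 + timedelta(minutes=71), "outcome": "FAILURE"},
    ]
    detector = ImpossibleTravelDetector()
    return [detector.evaluate(e)["status"] for e in events]


if __name__ == "__main__":
    print(run_demo())
```

The Brooklyn login ten minutes after New York is a short hop and passes; the London login one hour later implies several thousand kilometres per hour and is flagged, which is the point at which the template would enrich the IP, post to Slack and optionally reset the password. Failed logins are ignored, matching the template's trigger on successful logins only.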
Vendors
Slack, Scripting, Utils, Okta, VirusTotal, HTTP, Jira Cloud, Recorded Future, Torq
Workflow Output
The administrator will receive the reputation of the source IP in a Slack message. If compromised passwords are detected, they can be automatically reset.