Skip to main content
All CollectionsTemplatesBasic
Handle Panther Okta Alerts on User Action Detection - Workflow Template
Handle Panther Okta Alerts on User Action Detection - Workflow Template

On a new Panther alert from Okta, ask the user if the action was intended and if so mark the alert resolved. If not, open a Torq case.

Updated over 6 months ago

This workflow template provides a mechanism for responding to Okta alerts generated by Panther. Upon a new Okta alert, the workflow identifies the user in Slack. If the user confirms the legitimacy of the activity, the Panther alert is resolved. Otherwise, it opens a Torq case and clears any Okta sessions for security measures. Theworkflow enhances incident response efficiency and user compliance by integrating automated communications and case management.

Take Me to the Template

Trigger

Panther

Use Cases

Device & User Compliance

Workflow Breakdown

  1. Receive an alert from Panther on a new Okta alert

  2. Look for user in Slack, if found proceed. If not open a Tora case.

  3. If the user confirms the action was valid, resolve the alert in Panther and add a comment

  4. If the user does not acknowledge the action, open a Torq case and clear any Okta sessions.

  5. When a Torq case is opened add the email and ip address as observables to the Torq case.

Vendors

Slack, Utils, Okta, Torq Cases, Panther

Workflow Output

Updates to the Panther alert and Slack messages to the Okta user.

Related Articles
Okta event on MFA addition with user Verification (Okta) - Workflow Template
Enable AWS S3 Bucket Versioning on Lacework Alert - Workflow Template
Handle High Level CNC Threat Detected on Network (Armis) - Workflow Template
Okta Exposed Passwords in Failed Login Attempts - Workflow Template
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template
Did this answer your question?