Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Automate Identity Threat Response with Okta ITP

Okta
07/09/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


In this video, we are going to remediate a critical identity threat by processing a real-time signal from Okta Identity Threat Protection, i.e. ITP, using an event hook. Firstly, we will build the remediation logic in Okta workflows using an API endpoint to define the automated response when the user's status is high risk. Then we will configure an event hook to link the threat detection to the workflow, ensuring the remediation is invoked automatically to restore a secure state. Post that, we will test this flow. Let's get started. We will create a new flow. You can assign any name to the flow and save all the data that passes through the flow. We begin by adding the API endpoint card as a trigger. This card acts as a webhook listener that receives the incoming data payload from Okta. We will be using the invoke URL later on while creating the event hook. And to set the security level, I am choosing here Secure with Client Token. Next step is to add the object getCard so that we can isolate the specific user from the payload. Drag the body from API endpoint to object getCard and in the path field, enter data.events.0.target.0.id Next, add the date and time card to the flow. The moment workflow reaches this step, it automatically generates a timestamp, which we can use to create an accurate log. Next we will add Okta clear user sessions card. The objective is when the user status risk is high, we want to clear their session. So we need Okta clear user session card. Map the output of object getCard as an id on clear user sessions card and set the revoke OAuth tokens to true. When this card gets executed, this terminates every active web session the user has open in Okta and revokes their access token. Next we want to add the tables createRowCard. It will ask us to choose a table. Since we have not created any table, right in the current folder, we will click on new table. It will create a new table for us, I'm naming it as ITP table and save. I want to record the user ID as well as the date, that is timestamp. Once the table is created, you can go to choose table, go to the respective folder and select the table. You can map the ID and the date. Now the flow is created. The next step is to create the event hook in the admin console. Make sure you save this flow. To create the event hook in Okta admin console, navigate to workflow and select event hooks. You will notice that there is an event hook already created, but its status is inactive. In order to create a new event hook, click create event hook. You can provide any name. You can grab the URL from the API endpoint card. From the workflow, there is a card API endpoint. Click on endpoint settings and you can copy the invoke URL. Once you copy the invoke URL, you can go back to the add event hook endpoint and paste that URL here. The next task is to subscribe to the events. We are selecting here indicates the user risk was detected and indicates a user risk level has changed. Once you have subscribed to these events, save and continue. You will notice that ITP test and event hook has been created and its status is active. To test whether our workflow and event hooks are connected, whether they are working fine or not, we are going to manually increase the risk level of a user so that it fires an event hook. And then we will check the Okta workflows execution history, whether the workflow has executed or not. Go to the user, go to more actions and elevate their entity risk level to elevate their entity risk level. It should trigger the workflow. Make sure that the workflow is activated. Once the user risk level is elevated successfully, the workflow should have triggered automatically. Go to the execution history of the workflow. You will notice that it has returned the status success. You can verify whether it has cleared the session of the same user or not by matching the user ID of clear user sessions with the user ID mentioned on the admin console. You will notice that it should create a row in the table which we have associated with this workflow. To check the table, you can go to the folder and there is one table. You will notice that it has created a user ID and the corresponding date. So we have successfully built a workflow and associated it with Okta Identity Threat Protection. Thank you.

TL;DR

  • Okta Workflows can be configured with an API endpoint trigger to automatically clear user sessions and revoke OAuth tokens the moment Okta ITP flags a high-risk user.
  • An event hook connects Okta Identity Threat Protection signals — specifically risk detected and risk level changed events — directly to the remediation workflow without manual intervention.
  • A built-in table card logs the affected user ID and timestamp at execution time, creating an audit trail for every automated remediation action taken.

Summary

This tutorial from Okta demonstrates how to build an automated identity threat remediation workflow using Okta Identity Threat Protection (ITP) and Okta Workflows. Presented by Shabnam Sharma, the walkthrough covers three core steps: constructing the remediation logic in Okta Workflows via an API endpoint trigger, configuring an event hook to link ITP threat detection signals to that workflow, and validating the end-to-end automation through a live test. The workflow is designed to respond automatically when a user's risk status is flagged as high — immediately clearing all active web sessions and revoking OAuth tokens to eliminate unauthorized access. An object get card isolates the at-risk user from the incoming payload, a date-time card generates an audit timestamp, and a table row card logs the user ID and event time for compliance tracking. The event hook subscribes to two specific ITP events — risk detected and risk level changed — ensuring the remediation fires without manual intervention. The demo concludes with a successful end-to-end test, confirming that elevating a user's entity risk level automatically triggers session termination and creates a corresponding audit log entry. This pattern is directly applicable to security operations teams looking to reduce mean time to respond to identity-based threats.

Chapters

0:00 - Introduction & Overview
0:40 - Building the Workflow
2:03 - Session Clearance & Logging
3:41 - Configuring the Event Hook
5:09 - End-to-End Testing

Key Quotes

0:03 "We are going to remediate a critical identity threat by processing a real-time signal from Okta Identity Threat Protection, i.e. ITP, using an event hook."
2:07 "The objective is when the user status risk is high, we want to clear their session."
2:34 "When this card gets executed, this terminates every active web session the user has open in Okta and revokes their access token."
6:39 "So we have successfully built a workflow and associated it with Okta Identity Threat Protection."

FAQ

What triggers the Okta Workflows remediation flow in this setup?

An event hook configured in the Okta admin console triggers the workflow. It subscribes to two ITP events — 'indicates the user risk was detected' and 'indicates a user risk level has changed' — and fires the workflow automatically when either event occurs.

What actions does the workflow take when a high-risk user is detected?

The workflow clears all active web sessions for the identified user and revokes their OAuth tokens, effectively terminating access across every open session. It also logs the user ID and a timestamp to an ITP audit table for record-keeping.


Categories:
  • » Cybersecurity » Zero Trust
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Identity & Access
  • Security Operations
  • Zero Trust
  • How-To
  • Demo
  • Technical Deep Dive
  • Identity Threat Protection
  • Okta Workflows
  • Event Hooks
  • Session Management
  • Automated Remediation
  • OAuth Token Revocation
  • Risk-Based Access Control
  • Security Automation
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Automate Identity Threat Response with Okta ITP

              Upcoming Webinar Calendar

              • 07/09/2026
                01:00 PM
                07/09/2026
                The HUMAN Experience: Empowering Agentic Trust in Practice
                https://www.truthinit.com/index.php/channel/2026/the-human-experience-empowering-agentic-trust-in-practice/
              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                09

                The HUMAN Experience: Empowering Agentic Trust in Practice

                07/09/202601:00 PM ET
                • Jul
                  14

                  Crafting a Championship-Worthy Security Team for Unmatched Defense

                  07/14/202601:00 PM ET
                  • Jul
                    14

                    Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                    07/14/202602:00 PM ET
                    • Jul
                      21

                      Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                      07/21/202604:00 AM ET
                      • Jul
                        22

                        Insights and Strategies for Effective Data Privacy and Protection

                        07/22/202606:30 AM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version