Transcript
In this video, we are going to remediate a critical identity threat by processing a real-time signal from Okta Identity Threat Protection, i.e. ITP, using an event hook. Firstly, we will build the remediation logic in Okta workflows using an API endpoint to define the automated response when the user's status is high risk. Then we will configure an event hook to link the threat detection to the workflow, ensuring the remediation is invoked automatically to restore a secure state. Post that, we will test this flow. Let's get started. We will create a new flow. You can assign any name to the flow and save all the data that passes through the flow. We begin by adding the API endpoint card as a trigger. This card acts as a webhook listener that receives the incoming data payload from Okta. We will be using the invoke URL later on while creating the event hook. And to set the security level, I am choosing here Secure with Client Token. Next step is to add the object getCard so that we can isolate the specific user from the payload. Drag the body from API endpoint to object getCard and in the path field, enter data.events.0.target.0.id Next, add the date and time card to the flow. The moment workflow reaches this step, it automatically generates a timestamp, which we can use to create an accurate log. Next we will add Okta clear user sessions card. The objective is when the user status risk is high, we want to clear their session. So we need Okta clear user session card. Map the output of object getCard as an id on clear user sessions card and set the revoke OAuth tokens to true. When this card gets executed, this terminates every active web session the user has open in Okta and revokes their access token. Next we want to add the tables createRowCard. It will ask us to choose a table. Since we have not created any table, right in the current folder, we will click on new table. It will create a new table for us, I'm naming it as ITP table and save. I want to record the user ID as well as the date, that is timestamp. Once the table is created, you can go to choose table, go to the respective folder and select the table. You can map the ID and the date. Now the flow is created. The next step is to create the event hook in the admin console. Make sure you save this flow. To create the event hook in Okta admin console, navigate to workflow and select event hooks. You will notice that there is an event hook already created, but its status is inactive. In order to create a new event hook, click create event hook. You can provide any name. You can grab the URL from the API endpoint card. From the workflow, there is a card API endpoint. Click on endpoint settings and you can copy the invoke URL. Once you copy the invoke URL, you can go back to the add event hook endpoint and paste that URL here. The next task is to subscribe to the events. We are selecting here indicates the user risk was detected and indicates a user risk level has changed. Once you have subscribed to these events, save and continue. You will notice that ITP test and event hook has been created and its status is active. To test whether our workflow and event hooks are connected, whether they are working fine or not, we are going to manually increase the risk level of a user so that it fires an event hook. And then we will check the Okta workflows execution history, whether the workflow has executed or not. Go to the user, go to more actions and elevate their entity risk level to elevate their entity risk level. It should trigger the workflow. Make sure that the workflow is activated. Once the user risk level is elevated successfully, the workflow should have triggered automatically. Go to the execution history of the workflow. You will notice that it has returned the status success. You can verify whether it has cleared the session of the same user or not by matching the user ID of clear user sessions with the user ID mentioned on the admin console. You will notice that it should create a row in the table which we have associated with this workflow. To check the table, you can go to the folder and there is one table. You will notice that it has created a user ID and the corresponding date. So we have successfully built a workflow and associated it with Okta Identity Threat Protection. Thank you.