Okta
With this playbook app, you can automate processes during an internal security investigation when it’s critical to quickly get user information or suspend users involved with a security incident.
- As part of a security process orchestration, get user account information, including the groups and applications the user has access to. This information can drive automated decisions about the next steps in the investigation and gives analysts what they need without having to collect it manually.
- During a security investigation it’s often necessary to suspend a user’s account for a period of time while the investigation takes place, so that analysts can confirm that the account is not compromised. This action can be automated as part of a Workflow or Playbook. Later in the process, the account can be unsuspended and the password can be reset automatically.
The Playbook app contains the following actions:
- Get User – This action fetches a user from your Okta Organization.
- Get User Applications – This action fetches appLinks for all applications assigned to the user directly or indirectly (via group membership).
- Get User Groups – This action fetches the groups of which the user is a member.
- Reset Password – This action generates a one-time token (OTT) that can be used to reset a user’s password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow. This operation will transition the user to the status of RECOVERY, and the user will not be able to log in or initiate a forgot-password flow until they complete the reset flow.
- Suspend User – This action suspends a user. This operation can be performed only on users with an ACTIVE status. The user will have a status of SUSPENDED when the process is complete.
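The status rules in the actions above matter when a playbook chains them, so here is an added sketch (not part of the ThreatConnect app or of Okta's code) that validates a suspend, unsuspend, reset sequence before any request is sent. The lifecycle paths are those of the Okta Users API; the user id is constructed, and the unsuspend precondition and the ACTIVE-only reset rule are assumptions of this sketch.

```python
# Added example: status-guarded containment plan for an Okta user.
# Each step maps to (required status, resulting status, lifecycle path).
STEPS = {
    "suspend": ("ACTIVE", "SUSPENDED",
                "/api/v1/users/{id}/lifecycle/suspend"),
    # Assumption: unsuspend is only attempted on SUSPENDED users.
    "unsuspend": ("SUSPENDED", "ACTIVE",
                  "/api/v1/users/{id}/lifecycle/unsuspend"),
    # Assumption of this sketch: only ACTIVE accounts are reset.
    # sendEmail=false returns the one-time token to the API caller
    # instead of emailing it to the user.
    "reset_password": ("ACTIVE", "RECOVERY",
                       "/api/v1/users/{id}/lifecycle/reset_password?sendEmail=false"),
}


class StepRejected(Exception):
    """Raised when a step's status precondition is not met."""


def plan(user, actions):
    """Validate `actions` in order against the user's status.

    Returns (requests, final_status) where requests is the list of
    (method, path) calls the playbook would make. Nothing is sent.
    """
    status = user["status"]
    requests = []
    for action in actions:
        required, result, path = STEPS[action]
        if status != required:
            raise StepRejected(
                f"{action}: user {user['id']} is {status}, needs {required}")
        requests.append(("POST", path.format(id=user["id"])))
        status = result  # expected status once the call succeeds
    return requests, status


def contain(user):
    """Suspend step that is safe to re-run for the same alert."""
    if user["status"] == "SUSPENDED":
        return [], "SUSPENDED"  # already contained, nothing to send
    return plan(user, ["suspend"])


if __name__ == "__main__":
    analyst_case = {"id": "00uEXAMPLE", "status": "ACTIVE"}  # constructed user
    calls, final = plan(analyst_case, ["suspend", "unsuspend", "reset_password"])
    for method, path in calls:
        print(method, path)
    print("final status:", final)
```

A playbook that branches on `StepRejected` can route accounts that are not ACTIVE to an analyst instead of failing on the API call.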
This app is a set of actions for interacting with the Okta API. For full details on using the Okta API, see the Okta API documentation.
This app can be found in the ThreatConnect App Catalog under the name: Okta.
