Set up the Okta User Login Failures from Multiple IPs playbook

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    • Use the following steps to set up the Okta User Login Failures from Multiple IPs playbook.

    Before you begin

    Make sure you have installed Security Operations Spoke (sn_sec_spoke).

    Role required:
    • sn_si.admin
    • flow_designer

    Procedure

    1. Login as a user with the sn_si.user and flow_designer roles.
    2. Navigate to All > Flow Designer and select the Okta User Login Failures from Multiple IPs playbook.
    3. Optional: Create a copy of the Okta User Login Failures from Multiple IPs playbook flow and make the necessary modifications.

      If you plan to customize or make specific changes to the flow, then you must create a copy of the playbook's flow. Select the More actions menu icon and select Copy flow.

      Figure 1. Okta User Login Failures from Multiple IPs playbook
      Overview of the Okta User Login Failures from Multiple IPs playbook.
    4. Activate the playbooks.
      1. Activate the main flow to use the playbook available in the base system.
      2. Activate the copied flows after making the required changes.
    5. Set a Trigger Condition for the playbook.
      This playbook is triggered and associated with the security incident when the Category is Failed Login.
      Figure 2. Okta User Login Failures from Multiple IPs playbook trigger condition
      Trigger condition for Okta User Login Failures from Multiple IPs playbook.