Skip to main content

Okta - User Investigation

This Playbook is part of the Okta Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook performs an investigation on a specific user, using queries and logs from Okta.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • Okta v2


  • CountArraySize
  • Set
  • GetTime


  • okta-get-logs

Playbook Inputs#

NameDescriptionDefault ValueRequired
UserEmailThe user email to search Okta logs.Optional
LoginCountryThe Country code from which the user logged in.
Country Code Alpha 2 (Example: US)
ASNThe ASN from which the user logged in.Optional

Playbook Outputs#

PermanentCountryTrue if the user work from a permanent country. False if else.unknown
UserDevicesDevices used by the user.unknown
NumOfOktaSuspiciousActivitiesNumber of Suspicious Activities for the user.unknown
SuspiciousUserActivitiesSuspicious Activities for the user.unknown
NumOfOktaSuspiciousUserAgentNumber of Suspicious User Agent.unknown
SuspiciousUserAgentSuspicious User Agent.unknown
UserApplicationApplications used by the user.unknown
NumOfOktaFailedLogonNumber of failed login.unknown
NumOfFailedLogonASNNumber of failed login from ASN by all users.unknown
LogonCountriesThe countries from which the user logged in.unknown

Playbook Image#

Okta - User Investigation