
SachinK.88192 (Customer) asked a question.
Hey All - we are having a hard time creating Okta workflows for when a user travels to a new country. We have identified the query below from the system logs (please review and advise), which we want to set as a workflow detection when it occurs.
(debugContext.debugData.behaviors co "New City=POSITIVE" and debugContext.debugData.behaviors co "New Country=POSITIVE") and not(securityContext.isProxy eq "true") and (debugContext.debugData.risk eq "{reasons=Anomalous Location, level=MEDIUM}" or debugContext.debugData.risk eq "{reasons=Anomalous Location, level=HIGH}") and displayMessage eq "User login to Okta" and not(debugContext.debugData.behaviors co "New ASN=BAD_REQUEST")

@SachinK.88192 (Customer) This is typically the type of scenario where you would want to leverage an Event Hook. So, assuming the eventType you want to leverage is event-hook-eligible, what you are attempting to do is likely possible.
Okta events:
https://developer.okta.com/docs/reference/api/event-types/#catalog
I would recommend setting the Event Hook up through the Okta Admin Console using "Event Hook Filtering" (I believe this is still an EA feature). Event Hook filtering allows you to filter on some of the criteria in an eventType. This may allow you to filter down the total events that would be delivered to Workflows.
You would then perform additional processing on the received event's JSON payload to determine if it fits your criteria. Then, if the condition is met, perform whatever action you desire.
This setup would take a minimum of 2 active flows.
Alternatively, you can create a Scheduled flow that runs every (5) minutes at a minimum and searches the system log with your filtered criteria. You would want to also include the eventType in the search criteria. While this wouldn't be real time it may cut way down on the total results you need to process.
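
The "additional processing" step from the answer above, sketched in Python as an added example (not code from the original posts or from Okta): it applies the asker's System Log criteria to each event in a received hook payload. It assumes the events arrive under `data.events` and that `behaviors` and `risk` are the `{k=v, ...}` strings shown in the query; it goes slightly beyond the query by also matching when `risk` lists more than one reason, which the exact `eq` comparison would miss.

```python
import re

def parse_braced(s):
    """Parse a '{k=v, k=v}' debugData string (e.g. behaviors) into a dict."""
    out = {}
    for part in (s or "").strip("{}").split(", "):
        key, sep, val = part.partition("=")
        if sep:
            out[key.strip()] = val.strip()
    return out

def parse_risk(s):
    """Return (level, [reasons]); the reasons value may itself contain commas."""
    s = s or ""
    level = re.search(r"level=(\w+)", s)
    reasons = re.search(r"reasons=(.*?)(?:, level=|\}|$)", s)
    found = [r.strip() for r in reasons.group(1).split(",") if r.strip()] if reasons else []
    return (level.group(1) if level else None, found)

def is_new_country_login(event):
    """Same conditions as the System Log query in the question."""
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    behaviors = parse_braced(debug.get("behaviors"))
    level, reasons = parse_risk(debug.get("risk"))
    is_proxy = (event.get("securityContext") or {}).get("isProxy")
    return (event.get("displayMessage") == "User login to Okta"
            and behaviors.get("New City") == "POSITIVE"
            and behaviors.get("New Country") == "POSITIVE"
            and behaviors.get("New ASN") != "BAD_REQUEST"
            and str(is_proxy).lower() != "true"   # boolean or string; null passes
            and "Anomalous Location" in reasons
            and level in ("MEDIUM", "HIGH"))

def matching_events(payload):
    # Assumption: the hook body carries the log events under data.events.
    return [e for e in (payload.get("data") or {}).get("events", []) if is_new_country_login(e)]

def _evt(uuid, behaviors, risk, proxy=False):  # constructed sample events, not real logs
    return {"uuid": uuid, "displayMessage": "User login to Okta",
            "securityContext": {"isProxy": proxy},
            "debugContext": {"debugData": {"behaviors": behaviors, "risk": risk}}}

NEW = "{New Geo-Location=POSITIVE, New City=POSITIVE, New Country=POSITIVE, New ASN=POSITIVE}"
SAMPLE = {"data": {"events": [
    _evt("evt-1", NEW, "{reasons=Anomalous Location, level=MEDIUM}"),
    _evt("evt-2", NEW, "{reasons=Anomalous Location, level=HIGH}", proxy=True),
    _evt("evt-3", NEW, "{reasons=Anomalous Location, Anomalous Device, level=HIGH}"),
    _evt("evt-4", NEW.replace("New Country=POSITIVE", "New Country=NEGATIVE"),
         "{reasons=Anomalous Location, level=HIGH}"),
]}}
```
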