All use cases
SecOps

Access Anomaly Response

Detect unusual login and permission-change events, open an investigation, and suspend access pending human review with a full audit trail.

OktaElasticsearchSlack

The problem

Suspicious logins and unexpected permission changes surface in logs long after the fact, if anyone looks at all. Responding means manually correlating identity events with activity logs, deciding under pressure, and remembering to undo temporary measures later. Slow response widens the window an attacker has with a compromised account.

How it runs on Neblex

Okta events such as impossible-travel logins, MFA changes, or admin-role grants reach Neblex over webhooks or an event stream. The flow queries Elasticsearch for the recent activity of the affected account and applies your risk rules with conditional branching, using Data Tables for allowlists such as known travel patterns or service accounts.

High-risk events trigger containment: the flow suspends the account or revokes sessions in Okta and notifies the security channel in Slack. An approval step then pauses the run while an analyst reviews the evidence in the task inbox and decides whether to keep the suspension or restore access, with SLA timers escalating if no one responds. Saga-style compensation reverses the containment automatically when the review clears the user.

Every event, containment action, and human decision is written to a tamper-evident, hash-chained audit trail. Because detection, containment, and review are one flow, there is no gap where an account sits suspended with nobody assigned to look at it.

Step by step

1

Receive identity events

Okta sends login anomalies and permission changes to the flow via webhooks or an event stream.

2

Gather account context

The flow queries Elasticsearch for recent activity by the account and checks allowlists held in Data Tables.

3

Contain high-risk access

Conditional branching suspends the account or revokes sessions in Okta when risk rules match, and Slack alerts the security team.

4

Pause for human review

An approval step holds the run while an analyst reviews evidence in the task inbox, with SLA escalation if it stalls.

5

Restore or confirm

Saga-style compensation lifts the suspension when the analyst clears the user; confirmed incidents stay contained and documented.

Platform capabilities used

  • Webhook and event stream triggers
  • Conditional branching
  • Approval steps that pause the run
  • Saga-style compensation
  • SLA timers with escalation
  • Hash-chained audit trail

Common questions

Can containment run without waiting for a human?

Yes. Suspension happens as soon as risk rules match, and the human review happens after containment while the run is paused. That ordering keeps response quick without removing human judgment from the final decision.

What if the suspension was a false positive?

The analyst clears the user from the task inbox and saga-style compensation restores access as part of the same run. The event, the containment, and the reversal all appear on the audit trail.

Which events can start this flow?

Anything Okta emits, delivered over webhooks or an event stream such as Kafka. You can also start runs from scheduled Elasticsearch queries using poll-based change detection.

Want this running on your stack?

Neblex Integration Fabric is in beta: full platform, free while in beta. Bring this workflow and we will map it to your systems.