
Okta Suspicious Login Detection

Project-Agent / library/workflows/okta-suspicious-login/README.md

Analyzes Okta system logs for impossible-travel patterns (logins from geographically distant locations within a short time window), sends Slack alerts to the security team, and optionally revokes the affected sessions after a human-in-the-loop (HITL) approval gate.

Maturity: L4+ (Governed and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

~30 minutes per day of manual log review for suspicious login activity.

Connectors

| Connector | Operations | Risk Level |
|-----------|-----------|------------|
| Okta | logs:read | Low — read-only |
| Okta | sessions:revoke | High — terminates user sessions |
| Slack | chat:write, reactions:read | Low — HITL approval channel |

How It Works

  1. Query Okta system logs for successful authentication events.
  2. Group login events by user and analyze geographic patterns.
  3. Detect impossible travel (distance/time ratio exceeding threshold).
  4. Post a Slack alert with the suspicious login details.
  5. Offer HITL option to revoke the user's active sessions.
  6. On approval, revoke all sessions for the affected user.
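The detection core of steps 1 to 3, as an added worked example written for this page (it is not the workflow's own code). The event shape follows the Okta System Log schema (`eventType`, `published`, `actor.id`, `outcome.result`, `client.geographicalContext.geolocation`), while the `Login` and `Finding` types, the `parse_okta_events` and `detect_impossible_travel` functions, and the sample events with their placeholder user IDs are constructed for illustration. The `max_speed_kmh` and `lookback_hours` parameters mirror the two tunables named under Setup Instructions, so the same code shows what the lookback window filters out and where the speed threshold bites.

```python
# Added example: impossible-travel detection over Okta System Log events.
# Not the workflow's own code; names and sample events are constructed.
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import groupby

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points (haversine formula)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Login:
    user_id: str
    when: datetime
    lat: float
    lon: float
    city: str


@dataclass(frozen=True)
class Finding:
    user_id: str
    from_city: str
    to_city: str
    distance_km: float
    elapsed_h: float
    speed_kmh: float


def parse_okta_events(events: list[dict], lookback_hours: float, now: datetime) -> list[Login]:
    """Step 1: keep successful session-start events that fall inside the lookback window."""
    cutoff = now - timedelta(hours=lookback_hours)
    logins: list[Login] = []
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts are a different signal, not travel evidence
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if when < cutoff:
            continue  # older than lookback_hours: outside the analysis window
        geo = ev.get("client", {}).get("geographicalContext") or {}
        loc = geo.get("geolocation")
        if not loc:
            continue  # no coordinates (e.g. private IP): travel speed cannot be computed
        logins.append(Login(ev["actor"]["id"], when, float(loc["lat"]), float(loc["lon"]),
                            geo.get("city") or "unknown"))
    return logins


def detect_impossible_travel(logins: list[Login], max_speed_kmh: float = 900.0) -> list[Finding]:
    """Steps 2-3: group by user, compare consecutive logins, flag implied speed above threshold."""
    findings: list[Finding] = []
    ordered = sorted(logins, key=lambda l: (l.user_id, l.when))
    for user_id, group in groupby(ordered, key=lambda l: l.user_id):
        seq = list(group)
        for prev, cur in zip(seq, seq[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            elapsed_h = (cur.when - prev.when).total_seconds() / 3600.0
            if elapsed_h == 0.0:
                # Two logins in the same second: any non-zero distance is impossible travel.
                speed = math.inf if dist > 0 else 0.0
            else:
                speed = dist / elapsed_h
            if speed > max_speed_kmh:
                findings.append(Finding(user_id, prev.city, cur.city, dist, elapsed_h, speed))
    return findings


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def _event(user: str, published: str, result: str, city: str, lat: float, lon: float) -> dict:
    """Build one Okta-shaped System Log event (constructed sample data)."""
    return {
        "eventType": "user.session.start",
        "published": published,
        "actor": {"id": user},
        "outcome": {"result": result},
        "client": {"geographicalContext": {"city": city, "geolocation": {"lat": lat, "lon": lon}}},
    }


SAMPLE_EVENTS = [  # constructed; user IDs are placeholders, not real Okta IDs
    _event("00u_alice_example", "2024-04-28T08:00:00Z", "SUCCESS", "Tokyo", 35.6762, 139.6503),  # outside 24 h window
    _event("00u_alice_example", "2024-05-01T08:00:00Z", "SUCCESS", "London", 51.5074, -0.1278),
    _event("00u_alice_example", "2024-05-01T09:00:00Z", "SUCCESS", "New York", 40.7128, -74.0060),
    _event("00u_bob_example", "2024-05-01T08:00:00Z", "SUCCESS", "London", 51.5074, -0.1278),
    _event("00u_bob_example", "2024-05-01T09:30:00Z", "SUCCESS", "Paris", 48.8566, 2.3522),
    _event("00u_bob_example", "2024-05-01T10:00:00Z", "FAILURE", "Sydney", -33.8688, 151.2093),  # failed: ignored
]


def run_sample(lookback_hours: float = 24.0, max_speed_kmh: float = 900.0) -> list[Finding]:
    """Run the pipeline over the constructed events; only alice's London->New York pair is flagged."""
    return detect_impossible_travel(parse_okta_events(SAMPLE_EVENTS, lookback_hours, NOW), max_speed_kmh)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id}: {f.from_city} -> {f.to_city}, {f.distance_km:.0f} km "
              f"in {f.elapsed_h:.2f} h = {f.speed_kmh:.0f} km/h (> threshold)")
```

Each `Finding` carries the distance, elapsed time and implied speed, which is exactly what the Audit Trail section asks to record alongside the approver identity; bob's London to Paris pair (roughly 340 km in 1.5 h) stays well under 900 km/h and produces nothing, while the Tokyo login is dropped by the lookback filter before any comparison is made.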

ARX Governance

Risk Classification

  • logs:read — Low. Read-only log query.
  • sessions:revoke — High. Terminates all active sessions for a user.
  • chat:write / reactions:read — Low. HITL channel communication.

HITL Gate Configuration

  • Operation: sessions:revoke — requires approval before execution.
  • Channel: SLACK_SECURITY_CHANNEL (configurable in arx.yaml).
  • Timeout: 30 minutes. If no approval is received, the action is skipped.
  • Approvers: Members of the security-team Slack user group.

Policy Rules

  • logs:read — permit — automated, no approval needed.
  • sessions:revoke — escalate — requires HITL approval via Slack.
  • chat:write — permit — notification only.
  • Revocation of executive/VIP accounts — deny — must be handled manually.

Audit Trail

  • Okta user ID, login timestamps, and geographic coordinates for each event.
  • Calculated travel speed and threshold comparison.
  • Approver identity, approval timestamp, and Slack message link.
  • Session revocation confirmation status from Okta.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.

Setup Instructions

  1. Configure Okta and Slack connectors.
  2. Set environment variables:
  • OKTA_DOMAIN, OKTA_API_TOKEN
  • SLACK_BOT_TOKEN, SLACK_SECURITY_CHANNEL
  3. Adjust max_speed_kmh (default 900 km/h — faster than commercial flight).
  4. Adjust lookback_hours for the analysis window.
  5. Deploy with arx deploy okta-suspicious-login.

Schedule

Runs every 30 minutes.