Public documentation for governed AI labor
SDKs/Governance/Connectors
Arx / Docs / Phishing Response

Documentation

Phishing Response

arxsec-site / library/workflows/phishing-response/README.md

arxsec-site repo-root library/workflows/phishing-response/README.md

Automates the phishing incident response playbook: ingests Splunk phishing alerts, checks active Okta sessions for the targeted user, queries CrowdStrike for host status, and creates a Jira incident ticket with full context.

Maturity: L4+ (Governed and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

~45 minutes per phishing incident of manual triage and investigation.

Connectors

| Connector | Operations | Risk Level | |-----------|-----------|------------| | Splunk | search:execute | Low — read-only | | Okta | sessions:revoke | High — terminates user sessions | | CrowdStrike | hosts:read | Low — read-only | | Jira | issues:create | Low — creates tickets only |

How It Works

  1. Receive a Splunk phishing alert with targeted user email and indicators.
  2. Look up the user in Okta and check for active sessions.
  3. Query CrowdStrike for the user's assigned host and recent detections.
  4. Request HITL approval to revoke active Okta sessions.
  5. On approval, revoke all active sessions for the targeted user.
  6. Create a Jira incident ticket with all enrichment data.

ARX Governance

Risk Classification

  • search:execute (Splunk) — Low. Read-only alert ingestion.
  • sessions:revoke (Okta) — High. Terminates all active sessions for a user.
  • hosts:read (CrowdStrike) — Low. Read-only host enrichment.
  • issues:create (Jira) — Low. Creates tracking tickets.

HITL Gate Configuration

  • Operation: sessions:revoke — requires approval before execution.
  • Channel: SLACK_CHANNEL (configurable in arx.yaml).
  • Timeout: 15 minutes. If no approval is received, the action is skipped and a PagerDuty escalation is created.
  • Approvers: Members of the security-team Slack user group.

Policy Rules

  • search:executepermit — automated, no approval needed.
  • hosts:readpermit — automated enrichment.
  • sessions:revokeescalate — requires HITL approval via Slack.
  • issues:createpermit — non-destructive ticket creation.
  • Revocation of executive/VIP accounts — deny — must be handled manually.

Audit Trail

  • Splunk alert ID, phishing indicators, and targeted user email.
  • Okta user ID, session count, and active session details.
  • CrowdStrike host ID, hostname, and detection summary.
  • Approver identity, approval timestamp, and Slack message link.
  • Session revocation confirmation status from Okta.
  • Jira ticket key and linked incident references.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.

Setup Instructions

  1. Configure all four connectors in arx.yaml.
  2. Set environment variables:
  • SPLUNK_URL, SPLUNK_TOKEN
  • OKTA_DOMAIN, OKTA_API_TOKEN
  • CS_CLIENT_ID, CS_CLIENT_SECRET
  • JIRA_URL, JIRA_API_TOKEN, JIRA_PROJECT_KEY
  • SLACK_BOT_TOKEN, SLACK_CHANNEL
  1. Configure the Splunk saved search name in arx.yaml.
  2. Deploy with arx deploy phishing-response.

Schedule

Event-driven — triggered by Splunk alert webhook.