Monitor unauthorized SaaS logins of offboarded users

paragbaxi
paragbaxi Member, Administrator, Moderator, Oomnitza Team admin
edited August 29 in Workflow library

Deprovisioning SaaS access for offboarded users is not a set it and forget it. Offboarded users could have their access accidentally reactivated, or an inside attacker could serve a more malicious threat. It's critical to monitor these logins to enforce your organization's security policies. Oomnitza can automate this process, and notify relevant teams and users to secure your environment.


The systems/services being acted upon

  • Oomnitza

Credentials required & how/where to obtain

  • Oomnitza API

Additional Oomnitza field required/recommended

  • Offboarded date

Blocks required and suggested

  • Begin
  • API
  • Conditional Threshold
  • Notification
  • End

Commands and calls

  • BeginOffboarding
  • Oomnitza APICollect the Oomnitza User SaaS login from Oomnitza (captured leveraging SaaS integration)
  • Workflow Variable for latest login(s)
  • Compare to Offboarding date
    • NotificationSuccessMessage
    • FailureMessage “Offboarded user logged into SaaS"
  • End

Results

IT will be notified of any unauthorized logins of offboarded users.

Caveats

None.

Troubleshooting/Error Codes?

None.