Say hello to ext-okta — a new extension that connects LimaCharlie to your Okta org so your D&R rules and AI agents can contain an account compromise the moment it’s detected.
What you can do with it:
- Contain a compromised user in one move — suspend the account (fully reversible), and unsuspend when the dust settles.
- Cut off the attacker’s access completely — expire or reset the password, reset MFA factors to force re-enrollment, and clear all sessions.
- Close the gap most tools miss — killing sessions usually leaves OAuth tokens and app grants alive, which is exactly how attackers stay in after a “response.” Here, clear_user_sessions revokes OAuth tokens by default, and revoke_user_grants cuts app grants too.
- Quarantine with groups — drop a user into (or pull them out of) a containment group to swap their policies instantly.
- Investigate first — look up a user’s status, MFA factors, group memberships, admin roles, and OAuth grants, or query the Okta System Log, before you act.
Anything we haven’t wrapped in a typed action is still reachable via the generic api_call passthrough to the full Okta management API.
As with all our response extensions, every action requires an explicit target user — an org-wide response can never fire by accident.
Getting started:
- In Okta, create an API token (or, recommended, an API Services app with least-privileged okta.* scopes — the README has the list).
- Subscribe to ext-okta in the LimaCharlie Marketplace.
- Store the credential in Secrets Manager and configure the extension with your org URL and a reference to the secret.
Detections in, identity containment out. We’d love to hear what you build with it — feedback welcome in this thread! ![]()