Okta SSO provides audit logging for user authentication and resource access. Netenrich uses this information to track user behaviour.
Chronicle also supports user context and aliasing for this data source. This functionality aliases different identities together using automated data sources to provide a unified timeline of combined endpoint and network activity. This functionality will be turned on with initial deployment of the Okta data source integration.
Data Types
Okta Audit Logs
- Hostname, API Token. The following key: value pair must be passed: Authorization: {API Token}
- Permissions: None
Okta User Context
- Hostname, API Token
- Permissions: manager_id_reference_field
Configuration
Okta currently creates an API token with the permission set of the user who creates the token. If an API token with limited permissions is preferred, create an admin user account with a Read Only permission set and generate the API token from that account.
- In the Okta Admin console, navigate to Security -> API
- Select the Tokens option
- Select Create Token
- Name the token and select Create Token
- Record the Token Value
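Before the token is entered in Chronicle, it can be checked directly against Okta. The following is an added example, not part of the original guide or of any Netenrich or Chronicle tooling: it confirms that the token can read the System Log and reports which account owns it, so you can verify it was generated from the Read Only admin account. It assumes Okta's `SSWS` API token scheme and the `/api/v1/logs` and `/api/v1/users/me` endpoints for direct API calls; the function names are hypothetical.

```python
import json
import re
import urllib.error
import urllib.request

# Bare hostname only: the value must not carry a scheme, path or port.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def normalize_hostname(value):
    """Return a bare Okta hostname; reject schemes, paths and ports."""
    host = value.strip().lower()
    if not HOST_RE.match(host):
        raise ValueError(f"expected a bare hostname, got {value!r}")
    return host

def http_get(url, headers):
    """Default fetcher: returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def preflight(hostname, token, fetch=http_get):
    """Check that the token can read the System Log and report its owner."""
    host = normalize_hostname(hostname)
    # Assumption: direct Okta API calls authenticate with the SSWS scheme.
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    status, _ = fetch(f"https://{host}/api/v1/logs?limit=1", headers)
    result = {"host": host, "status": status,
              "can_read_logs": status == 200, "owner": None}
    if status == 200:
        # The owner should be the Read Only admin account, not a personal one.
        me_status, me = fetch(f"https://{host}/api/v1/users/me", headers)
        if me_status == 200 and me:
            result["owner"] = me.get("profile", {}).get("login")
    return result
```

A result with `can_read_logs` set to `False` means the token was rejected or lacks read access; an `owner` other than the dedicated Read Only account means the token inherits that user's broader permissions.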
Configuring a feed in Chronicle
Complete the following steps to configure a feed in Chronicle to ingest the Okta logs:
1. From the Chronicle home page, go to Settings at the top right corner and click Feeds.
2. Click Add New.
3. In Source Type, select Third Party API.
4. In Log Type, select Okta.
5. Click Next.
6. Provide the Authentication HTTP Header token and the API Hostname.
7. Click Next and Finish.