Why is it important for Threat Hunting?
For organizations that use Okta as their SSO provider, it is usually a crucial component that controls access for all organizational users to all relevant cloud and SaaS resources.
In some cases it is even used to manage access to internal organizational resources.
As such, it is a high-value target for attackers: the platform is reachable from the internet, and through it many other organizational resources become reachable as well.
Okta logs are pulled via the API and provide several different types of logs and data, enabling detection and enrichment capabilities for this attack surface and beyond.
Supported data types
- Okta Logs: these are the activity logs, containing every event and action performed by any user in Okta. These logs are required for detecting all suspicious and malicious behaviors that are relevant to the Okta platform itself or to other products and services that use Okta as their SSO.
- Okta Users: this provides snapshot-in-time information about all users that exist in the system. It is crucial contextual information for automatic investigations throughout the entire organization (not only in Okta), because the user identifiers are used to automatically correlate activities of the same person across different platforms and products (possibly under different users and usernames).
- Okta Apps-Groups:
- Okta Apps-Users:
- Okta Events:
- Okta Groups:
- Okta Groups-Users:
Sending data to Hunters
Before you create an API token, make sure you are using a user with a READ ONLY ADMIN role, as the API Token inherits the permission level of the admin that has created it. If your role is not a Read-Only Administrator, follow this tutorial to grant read-only privileges.
Go to the Security tab and choose the API option.
Copy your Authentication Key and Okta Host and save them in a secure location.
Creating a Dataflow
After obtaining your Authentication Key according to the tutorial in the prerequisites section, log in to the Hunters Portal, go to the "Data Flows" section in the left-side bar, and click the "Add Data Flows" button.
In the Product box, choose Okta.
Insert your Authentication Key and Okta Host.
The host can be either a domain, such as www.your-org-okta.co, or the full URL.
Click the "Test Connection" button and then "Submit".
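The following is an added example, not code from the Hunters documentation or from Okta. It ties together two points from this page: how the Okta Logs and Okta Users data types are used together for detection and enrichment, and how an Okta Host given as either a bare domain or a full URL is normalized before being used against the System Log API. The log events and user records are constructed sample data; the field names (eventType, outcome.result, actor.alternateId, client.ipAddress, profile.login) follow Okta's System Log and Users API schemas, the "SSWS" authorization scheme is Okta's API-token scheme, and the token value is a placeholder. No network call is made.

```python
"""Added example: Okta host normalization, System Log request construction,
and a simple detection plus enrichment over Okta log and user data."""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of Okta System Log events (the "Okta Logs" data type).
# Three failed session starts for alice, one success, and one failure for a
# user who is absent from the users snapshot.
SAMPLE_LOGS = [
    {"published": "2024-01-10T08:00:01Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"id": "00u1", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.5"}},
    {"published": "2024-01-10T08:00:09Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"id": "00u1", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.5"}},
    {"published": "2024-01-10T08:00:15Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"id": "00u1", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.5"}},
    {"published": "2024-01-10T08:01:40Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"id": "00u1", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},
    {"published": "2024-01-10T08:02:00Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"id": "00u2", "alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.5"}},
]

# Constructed sample of the "Okta Users" snapshot used for enrichment.
SAMPLE_USERS = [
    {"id": "00u1", "status": "ACTIVE",
     "profile": {"login": "alice@example.com", "department": "Finance"}},
]


def normalize_okta_host(value):
    """Accept either a bare domain or a full URL and return 'https://<host>'."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parsed = urlparse(value)
    if not parsed.netloc:
        raise ValueError(f"not a valid Okta host: {value!r}")
    return f"https://{parsed.netloc}"


def system_log_request(host, token, since):
    """Build (but do not send) a request to Okta's System Log endpoint.

    GET /api/v1/logs?since=<ISO-8601 timestamp> with 'Authorization: SSWS <token>'.
    The token is a placeholder here; a real token inherits the creating
    admin's permissions, so it should be created by a read-only admin."""
    return {
        "url": f"{normalize_okta_host(host)}/api/v1/logs?since={since}",
        "headers": {"Authorization": f"SSWS {token}",
                    "Accept": "application/json"},
    }


def failed_logins_by_actor(events, threshold=3):
    """Return actors with at least `threshold` failed session starts.

    A simple indicator of repeated authentication failures against Okta;
    real hunting logic would also window by time and group by source IP."""
    counts = Counter()
    for ev in events:
        if (ev.get("eventType") == "user.session.start"
                and ev.get("outcome", {}).get("result") == "FAILURE"):
            counts[ev["actor"]["alternateId"]] += 1
    return {actor: n for actor, n in counts.items() if n >= threshold}


def enrich_with_users(events, users):
    """Join each event to the users snapshot by actor.id, adding department
    and account status so an analyst sees who the actor is without
    leaving the investigation."""
    by_id = {u["id"]: u for u in users}
    enriched = []
    for ev in events:
        user = by_id.get(ev["actor"]["id"])
        enriched.append({
            **ev,
            "user_department": user["profile"].get("department") if user else None,
            "user_status": user["status"] if user else None,
        })
    return enriched


if __name__ == "__main__":
    req = system_log_request("www.your-org-okta.co", "PLACEHOLDER_TOKEN",
                             "2024-01-10T00:00:00Z")
    print(req["url"])
    print(failed_logins_by_actor(SAMPLE_LOGS))
    for row in enrich_with_users(SAMPLE_LOGS, SAMPLE_USERS):
        print(row["actor"]["alternateId"], row["user_department"], row["user_status"])
```

Running the script prints the request URL, the actors exceeding the failure threshold (alice, with three failures), and each event with its department and status from the snapshot; bob's event shows None for both because he is missing from the snapshot, which is exactly the kind of gap the Okta Users type is meant to close.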