
Okta

Overview

Why is it important for Threat Hunting?

For organizations that utilize Okta as their SSO provider, it is usually a crucial component in providing regulated access for all organizational users to all relevant Cloud and SaaS resources.
In some cases it is even used to manage access to internal organizational resources.
As such, it is a high-value target for attackers: the platform is reachable from the internet, and through it so are many other organizational resources.

Okta logs are pulled via the API, and provide several different types of logs and data, enabling detection and enrichment capabilities for this attack vector and more.

Supported data types

  • Okta Logs: these are the activity logs, and contain each event and action done by any user in Okta. These logs are required for detecting all suspicious and malicious behaviors that are relevant for the Okta platform or for other products and services that use Okta as their SSO.

  • Okta Users: this provides snapshot-in-time information about all users that exist in the system. It is crucial contextual information for automatic investigations throughout the entire organization (not only in Okta), because the user identifiers are used to automatically correlate activities of the same person across different platforms and products (possibly under different users and usernames).

  • Okta Apps:

  • Okta Apps-Groups:
  • Okta Apps-Users:
  • Okta Events:
  • Okta Groups:
  • Okta Groups-Users:
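The following is an added example (not Hunters' or Okta's own code) of the kind of detection and enrichment the Okta Logs and Okta Users data types make possible: it flattens System Log records (the `/api/v1/logs` shape: `eventType`, `actor`, `outcome`, `client`), joins them with a users snapshot by the actor's user id, and flags a login that succeeded shortly after repeated failures by the same actor. The sample events, user record, threshold and window are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of Okta System Log records (abbreviated to the fields used here).
SAMPLE_LOGS_JSON = """[
 {"uuid":"e1","published":"2024-05-01T10:00:00.000Z","eventType":"user.session.start",
  "outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},
  "actor":{"id":"00u1","type":"User","alternateId":"alice@example.com"},
  "client":{"ipAddress":"203.0.113.10"}},
 {"uuid":"e2","published":"2024-05-01T10:00:40.000Z","eventType":"user.session.start",
  "outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},
  "actor":{"id":"00u1","type":"User","alternateId":"alice@example.com"},
  "client":{"ipAddress":"203.0.113.10"}},
 {"uuid":"e3","published":"2024-05-01T10:01:20.000Z","eventType":"user.session.start",
  "outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},
  "actor":{"id":"00u1","type":"User","alternateId":"alice@example.com"},
  "client":{"ipAddress":"203.0.113.10"}},
 {"uuid":"e4","published":"2024-05-01T10:02:05.000Z","eventType":"user.session.start",
  "outcome":{"result":"SUCCESS"},
  "actor":{"id":"00u1","type":"User","alternateId":"alice@example.com"},
  "client":{"ipAddress":"203.0.113.10"}},
 {"uuid":"e5","published":"2024-05-01T11:30:00.000Z","eventType":"user.session.start",
  "outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},
  "actor":{"id":"00u2","type":"User","alternateId":"bob@example.com"},
  "client":{"ipAddress":"198.51.100.7"}}
]"""

# Constructed sample of an Okta Users snapshot (/api/v1/users shape, abbreviated).
SAMPLE_USERS_JSON = """[
 {"id":"00u1","status":"ACTIVE","profile":{"login":"alice@example.com","email":"alice@example.com"}},
 {"id":"00u2","status":"SUSPENDED","profile":{"login":"bob@example.com","email":"bob@example.com"}}
]"""


def parse_event(raw):
    """Flatten the fields a detection needs out of one System Log record."""
    published = datetime.strptime(raw["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "published": published.replace(tzinfo=timezone.utc),
        "event_type": raw["eventType"],
        "result": raw.get("outcome", {}).get("result"),
        "actor_id": raw.get("actor", {}).get("id"),
        "actor_login": raw.get("actor", {}).get("alternateId"),
        "ip": raw.get("client", {}).get("ipAddress"),
    }


def index_users(users):
    """Key the users snapshot by Okta user id, which is what actor.id carries."""
    return {u["id"]: u for u in users}


def failures_before_success(events, users_by_id, threshold=3, window=timedelta(minutes=5)):
    """Flag successful logins preceded by >= threshold failures of the same actor within window."""
    logins = sorted(
        (parse_event(e) for e in events if e["eventType"] == "user.session.start"),
        key=lambda e: e["published"],
    )
    findings = []
    for i, ev in enumerate(logins):
        if ev["result"] != "SUCCESS":
            continue
        prior = [
            p for p in logins[:i]
            if p["actor_id"] == ev["actor_id"]
            and p["result"] == "FAILURE"
            and ev["published"] - p["published"] <= window
        ]
        if len(prior) >= threshold:
            user = users_by_id.get(ev["actor_id"], {})   # enrichment from the snapshot
            findings.append({
                "login": ev["actor_login"],
                "user_status": user.get("status"),
                "failures": len(prior),
                "source_ips": sorted({p["ip"] for p in prior} | {ev["ip"]}),
                "success_at": ev["published"].isoformat(),
            })
    return findings


def demo():
    """Run the detection over the constructed samples and return the findings."""
    events = json.loads(SAMPLE_LOGS_JSON)
    users = index_users(json.loads(SAMPLE_USERS_JSON))
    return failures_before_success(events, users)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Only alice's sequence is flagged: three `INVALID_CREDENTIALS` failures followed by a success from the same address within five minutes. Bob's single failure never meets the threshold, and his `SUSPENDED` status from the snapshot would be visible to an analyst only because the two data types are joined on the user id rather than on the login string.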

Sending data to Hunters

Prerequisites

  1. Before you create an API token, make sure you are using a user with a READ ONLY ADMIN role, as the API Token inherits the permission level of the admin that has created it. If your role is not a Read-Only Administrator, follow this tutorial to grant read-only privileges.

  2. Go to the Security tab, and choose the API option.

Copy your Authentication Key and Okta Host and save them in a secure location.

Creating a Dataflow

After getting your Authentication Key according to the tutorial in the prerequisites section, log in to the Hunters Portal, go to the "Data Flows" section in the left side bar, and click the "Add Data Flows" button.

  1. In the Product box, choose Okta.

  2. Insert your Authentication Key and Okta Host

    Note

    The host can be either a domain (www.your-org-okta.co) or the full URL (https://www.your-org-okta.com).

  3. Click the "Test Connection" button and then "Submit".
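As an added example (not Hunters' or Okta's code), the block below shows what a connection test built on these inputs has to get right: normalizing the host, which the note above allows as either a bare domain or a full URL, sending the token in Okta's `SSWS` authorization scheme against the documented System Log endpoint `/api/v1/logs`, and following Okta's `Link: <url>; rel="next"` pagination until the last page. The HTTP client is injected so the example runs offline against a constructed fake; the token value is a placeholder.

```python
import json
from urllib.parse import urlencode, urlsplit


def normalize_okta_host(host):
    """Accept 'www.your-org-okta.com' or 'https://www.your-org-okta.com/' and return 'https://<host>'."""
    host = host.strip()
    if "://" not in host:
        host = "https://" + host
    parts = urlsplit(host)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"Okta host must be a bare domain or an https URL, got {host!r}")
    return f"https://{parts.netloc}"


def logs_url(base_url, since, limit=100):
    """First-page URL for the System Log API, filtered by the 'since' timestamp."""
    return f"{base_url}/api/v1/logs?{urlencode({'since': since, 'limit': limit})}"


def auth_headers(token):
    """Okta API tokens are sent as 'Authorization: SSWS <token>'."""
    return {"Authorization": f"SSWS {token}", "Accept": "application/json"}


def next_link(link_header):
    """Extract the rel="next" URL from an Okta Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        url, _, rel = part.partition(";")
        if 'rel="next"' in rel.replace(" ", ""):
            return url.strip().strip("<>")
    return None


def collect_logs(host, token, since, http_get):
    """Fetch every System Log page; http_get(url, headers) -> (status, headers, body)."""
    url = logs_url(normalize_okta_host(host), since)
    headers = auth_headers(token)
    events = []
    while url:
        status, resp_headers, body = http_get(url, headers)
        if status == 401:
            raise PermissionError("token rejected: check the token and the admin role it was created with")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status} from {url}")
        events.extend(json.loads(body))
        url = next_link(resp_headers.get("Link"))
    return events


def fake_http_get(url, headers):
    """Constructed stand-in for an HTTPS client: two pages, the second with no rel="next"."""
    if not headers.get("Authorization", "").startswith("SSWS "):
        return 401, {}, "{}"
    if "after=" not in url:
        link = '<https://www.your-org-okta.com/api/v1/logs?after=c1&limit=2>; rel="next"'
        return 200, {"Link": link}, '[{"uuid":"a"},{"uuid":"b"}]'
    link = '<https://www.your-org-okta.com/api/v1/logs?since=2024-05-01T00%3A00%3A00Z&limit=2>; rel="self"'
    return 200, {"Link": link}, '[{"uuid":"c"}]'


def demo():
    """Run the collector against the fake client and return the event uuids in order."""
    events = collect_logs("www.your-org-okta.com", "EXAMPLE-TOKEN-PLACEHOLDER",
                          "2024-05-01T00:00:00Z", fake_http_get)
    return [e["uuid"] for e in events]


if __name__ == "__main__":
    print(demo())
```

Rejecting anything other than `https` in `normalize_okta_host` matters because the token is a bearer secret: a host typed with `http://` would otherwise send it in the clear. The 401 branch is where a token created by an admin without the expected role, or a revoked token, shows up, which is the same failure the "Test Connection" button surfaces.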