Okta Logs
Panther supports pulling logs directly from Okta
Overview
Panther fetches Okta events by querying the Okta System Log API once a minute. For Panther to access the API, you need to create a new API token or use an existing one.
You can also enable Okta user and device profiles.
How to onboard Okta logs to Panther
Step 1: Create a new Okta API token
Log in as Okta administrator.
In the Okta Admin Console, navigate to Security > API.
Navigate to the Tokens tab.
Click Create token.
Enter a descriptive name for your token, e.g., Panther API token.
Copy the Token value and store it in a secure location. You will need it in the next steps.
Note: Okta will not display this value again.
Step 2: Create a new Okta source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Okta,” then click its tile.
On the slide-out panel, click Start Setup.
On the Configuration page, fill in the following fields:
Name: Enter a descriptive name for the source, e.g. My Okta logs.
Okta subdomain: Enter the subdomain of your Okta organization domain. You can refer to Okta documentation to find out more about your Okta org domain.
Okta domain: Select the appropriate domain name from the Okta domain drop-down.
API Token: Enter the token value you generated in the previous step.
Click Setup.
On the Enrichment page, if you would like to enable Okta Identity Profiles, to the right of User Profiles and/or Device Profiles, click the toggle ON.
For each of the toggles set to ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
Click Setup. You will be directed to a success screen.
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Panther-managed detections
See Panther-managed rules for Okta in the panther-analysis GitHub repository. These include:
Okta Admin Role Assigned - A user has been granted administrative privileges in Okta
Okta API Key Created - A user created an API Key in Okta
Okta API Key Revoked - A user has revoked an API Key in Okta
Geographically Improbable Okta Login - A user has subsequent logins from two geographic locations that are very far apart
Okta MFA Globally Disabled - Okta system-wide MFA has been disabled by an Admin user
Okta Support Reset Credential - Okta Support reset a password or MFA for a user
Okta Support Access Granted - Okta support access was granted
Custom detections
Suspicious behavior reported example
A user has reported suspicious behavior from their account:
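The following is an added example written for this page, not a Panther-managed rule from panther-analysis: a Python rule in the Panther rule shape (rule, title, severity, dedup, alert_context) that fires on the Okta event type emitted when an end user reports suspicious activity on their own account. Panther rules normally import deep_get from panther_base_helpers; a local stand-in with the same behaviour is defined so the file runs on its own. EXPECTED_COUNTRIES and the debugData field names (suspiciousActivityEventType, suspiciousActivityEventIp, suspiciousActivityEventCountry) are assumptions for this example, and both sample events are constructed.

```python
# Added example (not a Panther-managed rule): a Panther-style Python rule that
# alerts when an Okta end user reports suspicious activity on their account.
# deep_get below is a local stand-in for Panther's panther_base_helpers.deep_get.
from typing import Any

# Okta System Log event type for an end-user "Report suspicious activity" click.
SUSPICIOUS_ACTIVITY_EVENT = "user.account.report_suspicious_activity_by_enduser"

# Assumption for this example: countries the organisation expects logins from.
EXPECTED_COUNTRIES = {"United States", "Canada"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Return obj[k1][k2]... or default if any key is missing or None
    (stand-in for Panther's deep_get helper)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return default if obj is None else obj


def rule(event: dict) -> bool:
    """Panther calls rule() once per Okta.SystemLog event; True raises an alert."""
    return event.get("eventType") == SUSPICIOUS_ACTIVITY_EVENT


def title(event: dict) -> str:
    """Alert title: who reported, and which of their own events they flagged."""
    actor = deep_get(event, "actor", "alternateId", default="<unknown user>")
    flagged = deep_get(event, "debugContext", "debugData",
                       "suspiciousActivityEventType", default="<unknown event>")
    return f"Okta: [{actor}] reported suspicious activity ({flagged})"


def severity(event: dict) -> str:
    """Raise severity when the flagged session came from an unexpected country
    (assumed debugData field name)."""
    country = deep_get(event, "debugContext", "debugData",
                       "suspiciousActivityEventCountry")
    if country and country not in EXPECTED_COUNTRIES:
        return "HIGH"
    return "MEDIUM"


def dedup(event: dict) -> str:
    """Group repeated reports by the reporting user within the dedup window."""
    return deep_get(event, "actor", "alternateId", default="unknown")


def alert_context(event: dict) -> dict:
    """Fields an analyst needs first; deep_get keeps missing keys from raising."""
    debug = deep_get(event, "debugContext", "debugData", default={})
    return {
        "reporting_user": deep_get(event, "actor", "alternateId"),
        "reporter_ip": deep_get(event, "client", "ipAddress"),
        "flagged_event_type": debug.get("suspiciousActivityEventType"),
        "flagged_event_ip": debug.get("suspiciousActivityEventIp"),
        "flagged_event_country": debug.get("suspiciousActivityEventCountry"),
    }


# Constructed sample event in Okta System Log shape (all values are made up).
SAMPLE_REPORT_EVENT = {
    "eventType": SUSPICIOUS_ACTIVITY_EVENT,
    "outcome": {"result": "SUCCESS"},
    "actor": {"alternateId": "alice@example.com", "displayName": "Alice Example",
              "type": "User"},
    "client": {"ipAddress": "198.51.100.10",
               "geographicalContext": {"country": "United States"}},
    "debugContext": {"debugData": {
        "suspiciousActivityEventType": "user.session.start",
        "suspiciousActivityEventIp": "203.0.113.7",
        "suspiciousActivityEventCountry": "Freedonia",
    }},
}

# Constructed benign event: an ordinary login must not trigger the rule.
SAMPLE_LOGIN_EVENT = {
    "eventType": "user.session.start",
    "outcome": {"result": "SUCCESS"},
    "actor": {"alternateId": "alice@example.com", "type": "User"},
}

if __name__ == "__main__":
    for evt in (SAMPLE_REPORT_EVENT, SAMPLE_LOGIN_EVENT):
        if rule(evt):
            print(severity(evt), title(evt), alert_context(evt))
```

In a real Panther deployment the file would import deep_get from panther_base_helpers instead of defining it, and the rule would be paired with a YAML spec naming Okta.SystemLog as its log type; everything else stays as shown.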
Custom detection patterns
Below are some common functions and example deep_get() uses when writing custom detections for Okta logs. Find more information on the various event types in the Okta documentation.
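As an added example, not code from Panther or the panther-analysis repository, the block below collects the deep_get() access patterns that come up most often in custom Okta rules (eventType filtering, outcome.result, actor, the target array, client geography and request.ipChain) as small accessor functions, and then combines them into one rule for a successful administrator privilege grant. deep_get is a local stand-in for the Panther helper; the event type user.account.privilege.grant and the debugData.privilegeGranted field are assumptions taken from how Okta reports role grants, and the sample events are constructed.

```python
# Added example (not Panther's own code): reusable accessors for Okta.SystemLog
# fields in the style of a Panther Python rule, plus one rule built from them.
# deep_get is a local stand-in for panther_base_helpers.deep_get.
from typing import Any, Iterable, List, Optional


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Return obj[k1][k2]... or default if any key is missing or None."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return default if obj is None else obj


def event_type_in(event: dict, types: Iterable[str]) -> bool:
    """Cheapest first filter: every Okta event carries a dotted eventType."""
    return event.get("eventType") in set(types)


def outcome_is(event: dict, result: str) -> bool:
    """outcome.result is SUCCESS, FAILURE, SKIPPED or UNKNOWN."""
    return deep_get(event, "outcome", "result") == result


def actor_login(event: dict) -> str:
    """actor.alternateId is the login (usually email) for user actors."""
    return deep_get(event, "actor", "alternateId", default="<unknown actor>")


def targets_of_type(event: dict, target_type: str) -> List[dict]:
    """Objects acted on live in the target array; filter by type (User, AppInstance, ...)."""
    return [t for t in (event.get("target") or []) if t.get("type") == target_type]


def source_country(event: dict) -> Optional[str]:
    """Okta's GeoIP result for the client that made the request."""
    return deep_get(event, "client", "geographicalContext", "country")


def source_ip_chain(event: dict) -> List[str]:
    """request.ipChain lists every hop (client first, then proxies) Okta saw."""
    hops = deep_get(event, "request", "ipChain", default=[])
    return [hop["ip"] for hop in hops if isinstance(hop, dict) and hop.get("ip")]


# Assumed Okta event type and debugData field for administrator role grants.
ADMIN_GRANT_EVENT = "user.account.privilege.grant"


def granted_privilege(event: dict) -> str:
    return deep_get(event, "debugContext", "debugData", "privilegeGranted", default="")


def rule(event: dict) -> bool:
    """Alert on a successful grant of any privilege whose name contains 'administrator'."""
    if not event_type_in(event, {ADMIN_GRANT_EVENT}):
        return False
    if not outcome_is(event, "SUCCESS"):
        return False
    return "administrator" in granted_privilege(event).lower()


def title(event: dict) -> str:
    users = targets_of_type(event, "User")
    grantee = users[0].get("alternateId", "<unknown user>") if users else "<unknown user>"
    return f"Okta: [{actor_login(event)}] granted [{granted_privilege(event)}] to [{grantee}]"


# Constructed sample events (values are made up).
SAMPLE_GRANT = {
    "eventType": ADMIN_GRANT_EVENT,
    "outcome": {"result": "SUCCESS"},
    "actor": {"alternateId": "bob@example.com", "type": "User"},
    "client": {"ipAddress": "203.0.113.9",
               "geographicalContext": {"country": "Germany"}},
    "request": {"ipChain": [{"ip": "203.0.113.9"}, {"ip": "192.0.2.1"}]},
    "target": [{"type": "User", "alternateId": "carol@example.com"}],
    "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}},
}

SAMPLE_FAILED_GRANT = dict(SAMPLE_GRANT, outcome={"result": "FAILURE"})

if __name__ == "__main__":
    for evt in (SAMPLE_GRANT, SAMPLE_FAILED_GRANT):
        print(rule(evt), title(evt), source_country(evt), source_ip_chain(evt))
```

Checking outcome.result before the more expensive debugData lookup mirrors how Panther-managed Okta rules are usually ordered: the eventType and outcome checks discard almost every event, so the string matching only runs on the handful that matter.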
Supported log types
Okta.SystemLog
The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
Reference: Okta Documentation on System Log APIs.