Okta Profiles

Fetch and store Okta user and device data to use in detections and search

Overview

You can configure your Okta log source integration in Panther to pull user profiles and device profiles into Panther-managed Lookup Tables. This means you can use profile and device data in detection logic and search queries.

You can customize user profiles in Okta by following their documentation. You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.

To view the data stored in your Okta profile tables, follow these instructions on how to view profile data in the Data Lake.

How to set up Okta user and device profiles in Panther

You can configure Okta user and device profiles while you are initially setting up your Okta log source integration in Panther, or later, by editing the source.

During either flow, you'll toggle the Okta profile pulling settings on, then set the cadence at which you'd like profile data to be refreshed.

In order to enable Okta user and/or device profiles in Panther, you must first (or concurrently) onboard Okta as a log source. It is not possible to set up an Okta device or user profiles integration without onboarding Okta as a log source in Panther.

Prerequisite for Okta device profiles

In order to pull Okta device profiles into Panther, you must have Okta Devices enabled.

Configure Okta profiles in Panther during Okta source setup

Follow these instructions on how to create a new Okta source in Panther, paying close attention to the Enable user profiles and Enable device profiles fields.

Configure Okta profiles in Panther after Okta source setup

You can set up Okta profiles after you've already created an Okta log source in Panther, either from the Enrichment Providers tab or the Log Sources tab in the Console.

Configure Okta profiles after Okta log source setup from the Enrichment Providers screen

In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.
In the upper-right corner, click Create New.
Click Okta.
From the popup modal listing your already created Okta log sources in Panther, click the one you'd like to pull profile data from.
- If you have not already set up an Okta log source, instead follow the How to onboard Okta logs to Panther instructions.
On the Enrichment page, click the toggle to the right of User Profiles and/or Device Profiles ON.
- For each of the toggles you turned ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
In the upper-right corner, click Save.

Configure Okta profiles after Okta log source setup from the Log Sources screen

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Locate the Okta log source for which you'd like to set up profiles, and click its name.
In the upper right corner of the log source page, click Configuration, then Edit.
In the upper-right corner, click Enrichment.
On the Enrichment page, click the toggle to the right of User Profiles and/or Device Profiles ON.
- For each of the toggles you turned ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
In the upper-right corner, click Save.

Supported profile types

Panther supports pulling user profiles and device profiles from Okta. Below are the schemas for how the data for each profile type is structured.

Okta.Users

schema: Okta.Users
description: Panther managed Okta user profiles
referenceURL: https://developer.okta.com/docs/reference/api/users/#list-users
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Okta internal id for this user
      type: string
      indicators:
        - actor_id
    - name: created
      description: Create time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: activated
      description: Activation time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: statusChanged
      description: Time when user status changed
      type: timestamp
      timeFormats:
        - rfc3339
    - name: lastLogin
      description: Time of last authentication
      type: timestamp
      timeFormats:
        - rfc3339
    - name: lastUpdated
      description: Time of last record update
      type: timestamp
      timeFormats:
        - rfc3339
    - name: passwordChanged
      description: Time of last password change
      type: timestamp
      timeFormats:
        - rfc3339
    - name: status
      description: Status of the user
      type: string
    - name: profile
      description: Okta user profile
      type: json

Okta.Devices

schema: Okta.Devices
description: Panther managed Okta device profile
referenceURL: https://developer.okta.com/docs/reference/api/devices/#list-devices
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Okta internal id for this device
      type: string
    - name: created
      description: Create time for device record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: lastUpdated
      description: Time of last record update
      type: timestamp
      timeFormats:
        - rfc3339
    - name: status
      description: Status of the device
      type: string
    - name: resourceType
      description: Type of the device
      type: string
    - name: resourceDisplayName
      description: Name of the device
      type: object
      fields:
        - name: value
          description: Name of the device
          type: string
        - name: sensitive
          description: True if sensitive
          type: boolean
    - name: resourceId
      description: External id of the device
      type: string
    - name: resourceAlternateId
      description: Alternate external id of the device
      type: string
    - name: profile
      description: Okta device profile
      type: json
    - name: users
      description: Associated users of this device
      type: array
      element:
        type: object
        fields:
            - name: id
              description: Okta internal id for this user
              type: string
              indicators:
                - actor_id
            - name: emails
              description: Emails associated with this user
              type: array
              element:
                type: string
                indicators:
                    - email

Example: Using Okta profile data in a detection

Once you have set up an Okta user or device profile, and it has fetched data, you can start referencing that data in detection logic.

Given this Okta user profile:

{
    "activated": "2023-02-22 20:14:57",
    "created": "2023-02-22 20:14:57",
    "id": "00u7364cqlAxlJrgX1d7",
    "lastlogin": "2023-02-22 20:28:05",
    "lastupdated": "2023-02-22 20:27:57",
    "match": [
        "00u7364cqlAxlJrgX1d7",
	"[email protected]"
    ],
    "p_any_actor_ids": [
	"00u7364cqlAxlJrgX1d7"
    ],
    "p_any_emails": [
	"[email protected]"
    ],
    "p_event_time": "2023-06-01 20:48:36.12",
    "p_log_type": "Okta.Users",
    "p_parse_time": "2023-06-01 20:48:36.12",
    "p_row_id": "623cde25b9568494cebbdfc118a310",
    "p_schema_version": 0,
    "passwordchanged": "2023-02-22 20:27:57",
    "profile": {
	"email": "[email protected]",
	"firstName": "Henry",
	"lastName": "Ford",
	"login": "[email protected]",
	"manager": "Joe Jacobs",
	"mobilePhone": null,
	"secondEmail": null
	},
    "status": "ACTIVE",
    "statuschanged": "2023-02-22 20:27:57"
}

And this incoming event:

{
    "actorEmail": "[email protected]",
    "action": "deleted_file"
}

Before going through detections, the event will be enriched with Okta profile data to become:

{
    "actorEmail": "[email protected]",
    "action": "deleted_file",
    "p_enrichment": {
    	"okta_users": {
    	    "actorEmail": {
    		"p_match": "[email protected]",
                "activated": "2023-02-22 20:14:57",
	        "created": "2023-02-22 20:14:57",
		"id": "00u7364cqlAxlJrgX1d7",
		"lastlogin": "2023-02-22 20:28:05",
		"lastupdated": "2023-02-22 20:27:57",
		"match": [
		    "00u7364cqlAxlJrgX1d7",
		    "[email protected]"
		],
		"p_any_actor_ids": [
		    "00u7364cqlAxlJrgX1d7"
		],
		"p_any_emails": [
		    "[email protected]"
		],
		"passwordchanged": "2023-02-22 20:27:57",
		"profile": {
		    "email": "[email protected]",
		    "firstName": "Henry",
		    "lastName": "Ford",
		    "login": "[email protected]",
		    "manager": "Joe Jacobs",
		    "mobilePhone": null,
		    "secondEmail": null
		},
	        "status": "ACTIVE",
		"statuschanged": "2023-02-22 20:27:57"
    	    }
    	}
    }
}

You can then write a detection that references Okta profile data, like this:

def rule(event):
  userManager = deep_get(event, 'p_enrichment', 'okta_users', 'actorEmail', 'profile', 'manager')
  
  return userManager == 'Joe Jacobs'

Detection:
  - Enrichment:
      Table: okta_users
      Selector: actorEmail
      FieldPath: profile.manager
    Condition: Equals
    Value: Joe Jacobs

PreviousIdentity Provider Profiles NextGoogle Workspace Profiles

Last updated 7 months ago