Okta Profiles

Fetch and store Okta user and device data to use in detections and search

Overview

You can configure your Okta log source integration in Panther to pull user profiles and device profiles into Panther-managed Lookup Tables. This means you can use profile and device data in detection logic and search queries.
You can customize user profiles in Okta by following their documentation. You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.
To view the data stored in your Okta profile tables, follow these instructions on how to view profile data in the Data Lake.

How to set up Okta user and device profiles in Panther

You can configure Okta user and device profiles while you are initially setting up your Okta log source integration in Panther, or later, by editing the source.
During either flow, you'll toggle the Okta profile pulling settings on, then set the cadence at which you'd like profile data to be refreshed.
To enable Okta user and/or device profiles in Panther, you must first (or concurrently) onboard Okta as a log source; a profile integration cannot exist without an Okta log source in Panther.

Prerequisite for Okta device profiles

  • In order to pull Okta device profiles into Panther, you must have Okta Devices enabled.

Configure Okta profiles in Panther during Okta source setup

Configure Okta profiles in Panther after Okta source setup

You can set up Okta profiles after you've already created an Okta log source in Panther, either from the Enrichment Providers tab or the Log Sources tab in the Console.

Configure Okta profiles after Okta log source setup from the Enrichment Providers screen

  1. In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.
  2. In the upper-right corner, click Create New.
  3. Click Okta.
  4. From the popup modal listing your already created Okta log sources in Panther, click the one you'd like to pull profile data from.
     (Screenshot: an Available Okta Sources modal lists an Okta source called "test," which is circled. Below, there is a Done button.)
  5. On the Enrichment page, click the toggle to the right of User Profiles and/or Device Profiles ON.
     • For each of the toggles you turned ON, set a Refresh period (min). This is the cadence at which Panther refreshes the profile data from what is stored in Okta.
     (Screenshot: in the Enrichment settings box, there are toggles for User Profiles and Device Profiles. Next to each is a Refresh period (min) field.)
  6. In the upper-right corner, click Save.

Configure Okta profiles after Okta log source setup from the Log Sources screen

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
  2. Locate the Okta log source for which you'd like to set up profiles, and click its name.
  3. In the upper-right corner of the log source page, click Configuration, then Edit.
     (Screenshot: the Okta Sand Box log source page has Overview, Schemas, Health, and Filters tabs. On the right side, there is a Configuration button, with an arrow pointing from it to an Edit button.)
  4. In the upper-right corner, click Enrichment.
  5. On the Enrichment page, click the toggle to the right of User Profiles and/or Device Profiles ON.
     • For each of the toggles you turned ON, set a Refresh period (min). This is the cadence at which Panther refreshes the profile data from what is stored in Okta.
     (Screenshot: in the Enrichment settings box, there are toggles for User Profiles and Device Profiles. Next to each is a Refresh period (min) field.)
  6. In the upper-right corner, click Save.

Supported profile types

Panther supports pulling user profiles and device profiles from Okta. Below are the schemas for how the data for each profile type is structured.

Okta.Users

schema: Okta.Users
description: Panther managed Okta user profiles
referenceURL: https://developer.okta.com/docs/reference/api/users/#list-users
fields:
  - name: match
    description: Keys to match for the lookup table
    type: array
    element:
      type: string
  - name: id
    description: Okta internal id for this user
    type: string
    indicators:
      - actor_id
  - name: created
    description: Create time for user record
    type: timestamp
    timeFormats:
      - rfc3339
  - name: activated
    description: Activation time for user record
    type: timestamp
    timeFormats:
      - rfc3339
  - name: statusChanged
    description: Time when user status changed
    type: timestamp
    timeFormats:
      - rfc3339
  - name: lastLogin
    description: Time of last authentication
    type: timestamp
    timeFormats:
      - rfc3339
  - name: lastUpdated
    description: Time of last record update
    type: timestamp
    timeFormats:
      - rfc3339
  - name: passwordChanged
    description: Time of last password change
    type: timestamp
    timeFormats:
      - rfc3339
  - name: status
    description: Status of the user
    type: string
  - name: profile
    description: Okta user profile
    type: json

Okta.Devices

schema: Okta.Devices
description: Panther managed Okta device profile
referenceURL: https://developer.okta.com/docs/reference/api/devices/#list-devices
fields:
  - name: match
    description: Keys to match for the lookup table
    type: array
    element:
      type: string
  - name: id
    description: Okta internal id for this device
    type: string
  - name: created
    description: Create time for device record
    type: timestamp
    timeFormats:
      - rfc3339
  - name: lastUpdated
    description: Time of last record update
    type: timestamp
    timeFormats:
      - rfc3339
  - name: status
    description: Status of the device
    type: string
  - name: resourceType
    description: Type of the device
    type: string
  - name: resourceDisplayName
    description: Name of the device
    type: object
    fields:
      - name: value
        description: Name of the device
        type: string
      - name: sensitive
        description: True if sensitive
        type: boolean
  - name: resourceId
    description: External id of the device
    type: string
  - name: resourceAlternateId
    description: Alternate external id of the device
    type: string
  - name: profile
    description: Okta device profile
    type: json
  - name: users
    description: Associated users of this device
    type: array
    element:
      type: object
      fields:
        - name: id
          description: Okta internal id for this user
          type: string
          indicators:
            - actor_id
        - name: emails
          description: Emails associated with this user
          type: array
          element:
            type: string
          indicators:
            - email

Example: Using Okta profile data in a detection

Once you have set up an Okta user or device profile, and it has fetched data, you can start referencing that data in detection logic.
Given this Okta user profile:
{
  "activated": "2023-02-22 20:14:57",
  "created": "2023-02-22 20:14:57",
  "id": "00u7364cqlAxlJrgX1d7",
  "lastlogin": "2023-02-22 20:28:05",
  "lastupdated": "2023-02-22 20:27:57",
  "match": [
    "00u7364cqlAxlJrgX1d7"
  ],
  "p_any_actor_ids": [
    "00u7364cqlAxlJrgX1d7"
  ],
  "p_any_emails": [],
  "p_event_time": "2023-06-01 20:48:36.12",
  "p_log_type": "Okta.Users",
  "p_parse_time": "2023-06-01 20:48:36.12",
  "p_row_id": "623cde25b9568494cebbdfc118a310",
  "p_schema_version": 0,
  "passwordchanged": "2023-02-22 20:27:57",
  "profile": {
    "email": "[email protected]",
    "firstName": "Henry",
    "lastName": "Ford",
    "login": "[email protected]",
    "manager": "Joe Jacobs",
    "mobilePhone": null,
    "secondEmail": null
  },
  "status": "ACTIVE",
  "statuschanged": "2023-02-22 20:27:57"
}
And this incoming event:
{
  "actorEmail": "[email protected]",
  "action": "deleted_file"
}
The event will be enriched with Okta profile data to become:
{
  "actorEmail": "[email protected]",
  "action": "deleted_file",
  "p_enrichment": {
    "okta_users": {
      "actorEmail": {
        "p_match": "[email protected]",
        "activated": "2023-02-22 20:14:57",
        "created": "2023-02-22 20:14:57",
        "id": "00u7364cqlAxlJrgX1d7",
        "lastlogin": "2023-02-22 20:28:05",
        "lastupdated": "2023-02-22 20:27:57",
        "match": [
          "00u7364cqlAxlJrgX1d7"
        ],
        "p_any_actor_ids": [
          "00u7364cqlAxlJrgX1d7"
        ],
        "p_any_emails": [],
        "passwordchanged": "2023-02-22 20:27:57",
        "profile": {
          "email": "[email protected]",
          "firstName": "Henry",
          "lastName": "Ford",
          "login": "[email protected]",
          "manager": "Joe Jacobs",
          "mobilePhone": null,
          "secondEmail": null
        },
        "status": "ACTIVE",
        "statuschanged": "2023-02-22 20:27:57"
      }
    }
  }
}
You can then write a detection that references Okta profile data, like this:
In Python:

from panther_base_helpers import deep_get


def rule(event):
    # Read the manager attribute from the enriched Okta user profile;
    # deep_get returns None if any key in the path is missing.
    userManager = deep_get(event, 'p_enrichment', 'okta_users', 'actorEmail', 'profile', 'manager')
    return userManager == 'Joe Jacobs'

Or as a YAML (no-code) detection:

Detection:
  - Enrichment:
      Table: okta_users
      Selector: actorEmail
      FieldPath: profile.manager
    Condition: Equals
    Value: Joe Jacobs
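The following is an added example, not code from the Panther docs or from Panther itself: it simulates how an Okta.Users lookup row lands under p_enrichment.okta_users.<selector> as shown above, then goes one step beyond the manager check by handling the case where the actor has no Okta profile at all or a non-ACTIVE one. The deep_get function is a local stand-in for panther_base_helpers.deep_get, the rows in OKTA_USERS are constructed, and matching rows on the match array plus profile.email and profile.login is an assumption about how the lookup keys are formed.

```python
# Added example (not Panther's code): simulate Okta.Users enrichment, then a rule over it.
from typing import Any


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Local stand-in for panther_base_helpers.deep_get: walk nested dicts."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


# Constructed Okta.Users rows, shaped like the profile shown in the doc above.
OKTA_USERS = [
    {"id": "00u7364cqlAxlJrgX1d7", "status": "ACTIVE",
     "match": ["00u7364cqlAxlJrgX1d7"],
     "profile": {"email": "hford@example.com", "login": "hford@example.com",
                 "manager": "Joe Jacobs"}},
    {"id": "00uCONSTRUCTEDSAMPLE", "status": "DEPROVISIONED",   # constructed id
     "match": ["00uCONSTRUCTEDSAMPLE"],
     "profile": {"email": "old@example.com", "login": "old@example.com",
                 "manager": "Joe Jacobs"}},
]


def lookup_keys(row: dict) -> set:
    """Assumption: a row matches on its match array plus profile email/login."""
    keys = set(row.get("match", []))
    keys.update(v for v in (deep_get(row, "profile", "email"),
                            deep_get(row, "profile", "login")) if v)
    return keys


def enrich(event: dict, table: list, selector: str) -> dict:
    """Attach the matching row under p_enrichment.okta_users.<selector>."""
    value = event.get(selector)
    for row in table:
        if value in lookup_keys(row):
            enriched = dict(event)
            enriched["p_enrichment"] = {"okta_users": {selector: {"p_match": value, **row}}}
            return enriched
    return event  # no profile found: p_enrichment stays absent


def rule(event: dict) -> bool:
    """Alert on file deletions by actors with no Okta profile or a non-ACTIVE one."""
    if event.get("action") != "deleted_file":
        return False
    status = deep_get(event, "p_enrichment", "okta_users", "actorEmail", "status")
    return status != "ACTIVE"  # None (unknown actor) also alerts
```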