You can configure your Okta log source integration in Panther to pull and into Panther-managed Lookup Tables. This means you can use profile and device data in detection logic and search queries.
You can customize user profiles in Okta by following . You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.
To view the data stored in your Okta profile tables, follow
How to set up Okta user and device profiles in Panther
You can configure Okta user and device profiles while you are initially setting up your Okta log source integration in Panther, or later, by editing the source.
During either flow, you'll toggle the Okta profile pulling settings on, then set the cadence at which you'd like profile data to be refreshed.
In order to enable Okta user and/or device profiles in Panther, you must first (or concurrently) onboard Okta as a log source. It is not possible to set up an Okta device or user profiles integration without onboarding Okta as a log source in Panther.
Prerequisite for Okta device profiles
In order to pull Okta device profiles into Panther, you must have enabled.
Configure Okta profiles in Panther during Okta source setup
Follow , paying close attention to the Enable user profiles and Enable device profiles fields.
Configure Okta profiles in Panther after Okta source setup
Configure Okta profiles after Okta log source setup from the Enrichment Providers screen
In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.
In the upper-right corner, click Create New.
Click Okta.
On the Enrichment page, click the toggle to the right of User Profiles and/or Device ProfilesON.
For each of the toggles you turned ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
In the upper-right corner, click Save.
Configure Okta profiles after Okta log source setup from the Log Sources screen
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Locate the Okta log source for which you'd like to set up profiles, and click its name.
In the upper-right corner, click Enrichment.
On the Enrichment page, click the toggle to the right of User Profiles and/or Device ProfilesON.
For each of the toggles you turned ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
In the upper-right corner, click Save.
Supported profile types
Okta.Users
schema: Okta.Users
description: Panther managed Okta user profiles
referenceURL: https://developer.okta.com/docs/reference/api/users/#list-users
fields:
- name: match
description: Keys to match for the lookup table
type: array
element:
type: string
- name: id
description: Okta internal id for this user
type: string
indicators:
- actor_id
- name: created
description: Create time for user record
type: timestamp
timeFormats:
- rfc3339
- name: activated
description: Activation time for user record
type: timestamp
timeFormats:
- rfc3339
- name: statusChanged
description: Time when user status changed
type: timestamp
timeFormats:
- rfc3339
- name: lastLogin
description: Time of last authentication
type: timestamp
timeFormats:
- rfc3339
- name: lastUpdated
description: Time of last record update
type: timestamp
timeFormats:
- rfc3339
- name: passwordChanged
description: Time of last password change
type: timestamp
timeFormats:
- rfc3339
- name: status
description: Status of the user
type: string
- name: profile
description: Okta user profile
type: json
Okta.Devices
schema: Okta.Devices
description: Panther managed Okta device profile
referenceURL: https://developer.okta.com/docs/reference/api/devices/#list-devices
fields:
- name: match
description: Keys to match for the lookup table
type: array
element:
type: string
- name: id
description: Okta internal id for this device
type: string
- name: created
description: Create time for device record
type: timestamp
timeFormats:
- rfc3339
- name: lastUpdated
description: Time of last record update
type: timestamp
timeFormats:
- rfc3339
- name: status
description: Status of the device
type: string
- name: resourceType
description: Type of the device
type: string
- name: resourceDisplayName
description: Name of the device
type: object
fields:
- name: value
description: Name of the device
type: string
- name: sensitive
description: True if sensitive
type: boolean
- name: resourceId
description: External id of the device
type: string
- name: resourceAlternateId
description: Alternate external id of the device
type: string
- name: profile
description: Okta device profile
type: json
- name: users
description: Associated users of this device
type: array
element:
type: object
fields:
- name: id
description: Okta internal id for this user
type: string
indicators:
- actor_id
- name: emails
description: Emails associated with this user
type: array
element:
type: string
indicators:
- email
Example: Using Okta profile data in a detection
Once you have set up an Okta user or device profile, and it has fetched data, you can start referencing that data in detection logic.
