Okta Profiles
Fetch and store Okta user and device data to use in detections and search
You can configure your Okta log source integration in Panther to pull user profiles and device profiles into Panther-managed Lookup Tables. This means you can use profile and device data in detection logic and search queries.
You can customize user profiles in Okta by following their documentation. You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.
To view the data stored in your Okta profile tables, follow these instructions on how to view profile data in the Data Lake.
You can configure Okta user and device profiles while you are initially setting up your Okta log source integration in Panther, or later, by editing the source.
During either flow, you'll toggle the Okta profile pulling settings on, then set the cadence at which you'd like profile data to be refreshed.
In order to enable Okta user and/or device profiles in Panther, you must first (or concurrently) onboard Okta as a log source. It is not possible to set up an Okta device or user profiles integration without onboarding Okta as a log source in Panther.
- Follow these instructions on how to create a new Okta source in Panther, paying close attention to the Enable user profiles and Enable device profiles fields.
You can set up Okta profiles after you've already created an Okta log source in Panther, either from the Enrichment Providers tab or the Log Sources tab in the Console.
Console: Enrichment Providers
Console: Log Sources
- 1.In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.
- 2.In the upper-right corner, click Create New.
- 3.Click Okta.
- 4.From the popup modal listing your already created Okta log sources in Panther, click the one you'd like to pull profile data from.
- If you have not already set up an Okta log source, instead follow the How to onboard Okta logs to Panther instructions.
- 5.On the Enrichment page, click the toggle to the right of User Profiles and/or Device Profiles
ON.- For each of the toggles you turned
ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
- 6.In the upper-right corner, click Save.
- 1.In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
- 2.Locate the Okta log source for which you'd like to set up profiles, and click its name.
- 3.In the upper right corner of the log source page, click Configuration, then Edit.
- 4.In the upper-right corner, click Enrichment.
- 5.On the Enrichment page, click the toggle to the right of User Profiles and/or Device Profiles
ON.- For each of the toggles you turned
ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
- 6.In the upper-right corner, click Save.
Panther supports pulling user profiles and device profiles from Okta. Below are the schemas for how the data for each profile type is structured.
schema: Okta.Users
description: Panther managed Okta user profiles
referenceURL: https://developer.okta.com/docs/reference/api/users/#list-users
fields:
- name: match
description: Keys to match for the lookup table
type: array
element:
type: string
- name: id
description: Okta internal id for this user
type: string
indicators:
- actor_id
- name: created
description: Create time for user record
type: timestamp
timeFormats:
- rfc3339
- name: activated
description: Activation time for user record
type: timestamp
timeFormats:
- rfc3339
- name: statusChanged
description: Time when user status changed
type: timestamp
timeFormats:
- rfc3339
- name: lastLogin
description: Time of last authentication
type: timestamp
timeFormats:
- rfc3339
- name: lastUpdated
description: Time of last record update
type: timestamp
timeFormats:
- rfc3339
- name: passwordChanged
description: Time of last password change
type: timestamp
timeFormats:
- rfc3339
- name: status
description: Status of the user
type: string
- name: profile
description: Okta user profile
type: json
schema: Okta.Devices
description: Panther managed Okta device profile
referenceURL: https://developer.okta.com/docs/reference/api/devices/#list-devices
fields:
- name: match
description: Keys to match for the lookup table
type: array
element:
type: string
- name: id
description: Okta internal id for this device
type: string
- name: created
description: Create time for device record
type: timestamp
timeFormats:
- rfc3339
- name: lastUpdated
description: Time of last record update
type: timestamp
timeFormats:
- rfc3339
- name: status
description: Status of the device
type: string
- name: resourceType
description: Type of the device
type: string
- name: resourceDisplayName
description: Name of the device
type: object
fields:
- name: value
description: Name of the device
type: string
- name: sensitive
description: True if sensitive
type: boolean
- name: resourceId
description: External id of the device
type: string
- name: resourceAlternateId
description: Alternate external id of the device
type: string
- name: profile
description: Okta device profile
type: json
- name: users
description: Associated users of this device
type: array
element:
type: object
fields:
- name: id
description: Okta internal id for this user
type: string
indicators:
- actor_id
- name: emails
description: Emails associated with this user
type: array
element:
type: string
indicators:
- email
Once you have set up an Okta user or device profile, and it has fetched data, you can start referencing that data in detection logic.
Given this Okta user profile:
{
"activated": "2023-02-22 20:14:57",
"created": "2023-02-22 20:14:57",
"id": "00u7364cqlAxlJrgX1d7",
"lastlogin": "2023-02-22 20:28:05",
"lastupdated": "2023-02-22 20:27:57",
"match": [
"00u7364cqlAxlJrgX1d7",
],
"p_any_actor_ids": [
"00u7364cqlAxlJrgX1d7"
],
"p_any_emails": [
],
"p_event_time": "2023-06-01 20:48:36.12",
"p_log_type": "Okta.Users",
"p_parse_time": "2023-06-01 20:48:36.12",
"p_row_id": "623cde25b9568494cebbdfc118a310",
"p_schema_version": 0,
"passwordchanged": "2023-02-22 20:27:57",
"profile": {
"email": "[email protected]",
"firstName": "Henry",
"lastName": "Ford",
"login": "[email protected]",
"manager": "Joe Jacobs",
"mobilePhone": null,
"secondEmail": null
},
"status": "ACTIVE",
"statuschanged": "2023-02-22 20:27:57"
}
And this incoming event:
The event will be enriched with Okta profile data to become:
{
"actorEmail": "[email protected]",
"action": "deleted_file",
"p_enrichment": {
"okta_users": {
"actorEmail": {
"p_match": "[email protected]",
"activated": "2023-02-22 20:14:57",
"created": "2023-02-22 20:14:57",
"id": "00u7364cqlAxlJrgX1d7",
"lastlogin": "2023-02-22 20:28:05",
"lastupdated": "2023-02-22 20:27:57",
"match": [
"00u7364cqlAxlJrgX1d7",
],
"p_any_actor_ids": [
"00u7364cqlAxlJrgX1d7"
],
"p_any_emails": [
],
"passwordchanged": "2023-02-22 20:27:57",
"profile": {
"email": "[email protected]",
"firstName": "Henry",
"lastName": "Ford",
"login": "[email protected]",
"manager": "Joe Jacobs",
"mobilePhone": null,
"secondEmail": null
},
"status": "ACTIVE",
"statuschanged": "2023-02-22 20:27:57"
}
}
}
}
You can then write a detection that references Okta profile data, like this:
Python
YAML
def rule(event):
userManager = deep_get(event, 'p_enrichment', 'okta_users', 'actorEmail', 'profile', 'manager')
return userManager == 'Joe Jacobs'
Detection:
- Enrichment:
Table: okta_users
Selector: actorEmail
FieldPath: profile.manager
Condition: Equals
Value: Joe Jacobs
Last modified 1mo ago