Okta Logs
Panther supports pulling logs directly from Okta
Overview
Panther fetches Okta events by querying the Okta System Log API, and it polls that API once every minute. For Panther to access the API, you need to create a new API token or use an existing one.
You can also enable Okta user and device profiles.
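To make the collection mechanism described above concrete, here is an added example (not Panther's own collector code) of how a poller pulls Okta System Log events with an API token: it sends the token in the `Authorization: SSWS` header, asks `/api/v1/logs` for events published after a `since` timestamp, and follows the `rel="next"` cursor in the `Link` header until a page comes back empty. The hostname `example.okta.com`, the token value, and the event bodies are constructed; the HTTP transport is injectable so the example runs offline.

```python
import json
import re
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode

# A transport returns (status, response headers, body bytes).
FetchFn = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport for production use; not exercised by the offline test."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers), resp.read()


def build_logs_url(okta_domain: str, since_iso: str, limit: int = 1000) -> str:
    """First-page URL: ascending order so a poller can resume from the newest event seen."""
    params = {"since": since_iso, "sortOrder": "ASCENDING", "limit": str(limit)}
    return f"https://{okta_domain}/api/v1/logs?{urlencode(params)}"


def next_link(link_header: Optional[str]) -> Optional[str]:
    """Extract the rel="next" URL from an RFC 5988 Link header, if present."""
    for part in (link_header or "").split(","):
        match = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
        if match:
            return match.group(1)
    return None


def fetch_events(okta_domain: str, api_token: str, since_iso: str,
                 fetch: FetchFn = urllib_fetch) -> Iterator[Dict[str, Any]]:
    """Yield System Log events page by page; stop at the first empty page.

    Without an `until` bound Okta keeps returning a next cursor, so an empty
    page (not a missing Link header) is the signal that we have caught up.
    """
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    url: Optional[str] = build_logs_url(okta_domain, since_iso)
    while url:
        status, resp_headers, body = fetch(url, headers)
        if status != 200:
            raise RuntimeError(f"Okta System Log API returned HTTP {status}")
        page: List[Dict[str, Any]] = json.loads(body)
        if not page:
            return
        yield from page
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        url = next_link(lowered.get("link"))


# Constructed pages standing in for two API responses followed by an empty one.
CONSTRUCTED_PAGES = [
    [{"uuid": "c0000001", "eventType": "user.session.start", "published": "2024-05-01T12:00:01.000Z"},
     {"uuid": "c0000002", "eventType": "user.mfa.factor.activate", "published": "2024-05-01T12:00:02.000Z"}],
    [{"uuid": "c0000003", "eventType": "system.api_token.create", "published": "2024-05-01T12:00:03.000Z"}],
]


def make_fake_fetch(pages: List[List[Dict[str, Any]]]):
    """Offline transport that serves `pages` in order, then empty pages, recording each call."""
    calls: List[Tuple[str, Dict[str, str]]] = []

    def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
        index = len(calls)
        calls.append((url, headers))
        body = json.dumps(pages[index] if index < len(pages) else []).encode()
        link = f'<https://example.okta.com/api/v1/logs?after=cursor{index + 1}>; rel="next"'
        return 200, {"Link": link}, body

    return fake_fetch, calls


def collect_offline() -> Tuple[List[str], List[Tuple[str, Dict[str, str]]]]:
    """Run the poller against the constructed pages; returns (event types seen, calls made)."""
    fake_fetch, calls = make_fake_fetch(CONSTRUCTED_PAGES)
    events = list(fetch_events("example.okta.com", "CONSTRUCTED_TOKEN",
                               "2024-05-01T12:00:00.000Z", fetch=fake_fetch))
    return [e["eventType"] for e in events], calls


if __name__ == "__main__":
    seen, made = collect_offline()
    print(f"{len(seen)} events over {len(made)} requests: {seen}")
```

Store the token as a secret (never in the rule or source code), and persist the last `published` value or the last `next` cursor between polls so a restart neither replays nor skips events.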
Video Walkthrough
How to Onboard Okta logs to Panther
Step 1: Create a new Okta API token
Log in as Okta administrator.
In the Okta Admin Console, navigate to Security > API.
Click Create Token.
Enter a memorable name for your token, e.g. Panther API token.
Copy the Token value and store it in a secure location. You will need it in the next steps.
Note: Okta will not display this value again.
Step 2: Create a new Okta source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Select Okta from the list of available log sources. Click Start Source Setup.
Fill in the following fields:
Name: Enter a descriptive name for the source, e.g. My Okta logs.
Okta subdomain: Enter the subdomain of your Okta organization domain. You can refer to Okta documentation to find out more about your Okta org domain.
Okta domain: Select the appropriate domain name from the Okta domain drop-down.
API Token: Enter the token value you copied in Step 1.
Log Types: Select the log types you would like to monitor.
Enable user profiles: Select to retrieve user profile information.
Refresh period (min): Set the frequency at which you'd like to retrieve profile updates.
Enable device profiles: Select to retrieve device profile information. (Note the prerequisite for enabling Okta device profiles.)
Refresh period (min): Set the frequency at which you'd like to retrieve profile updates.
Click Setup. You will be directed to a success screen:

You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-Built Detections
See the Panther-built rules and investigative queries for Okta in panther-analysis on GitHub.
Okta Admin Role Assigned - A user has been granted administrative privileges in Okta
Okta API Key Created - A user created an API Key in Okta
Okta API Key Revoked - A user has revoked an API Key in Okta
Geographically Improbable Okta Login - A user has subsequent logins from two geographic locations that are very far apart
Okta MFA Globally Disabled - Okta system-wide MFA has been disabled by an Admin user
Okta Support Reset Credential - Okta Support reset a password or MFA for a user
Okta Support Access Granted - Okta support access was granted
Have other Okta detections that can be used by other customers? Consider sharing detections back to the Panther Analysis repository or work with your Customer Success team!
Custom Detections
Suspicious Behavior Reported
Description: A user has reported suspicious behavior from their account
Below are some common functions and example deep_get() uses when writing custom detections for Okta. Explanations on different event types can be found in the Okta documentation.
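As an added example (not a rule from panther-analysis or the Panther documentation), here is a Panther-style Python rule for the "Suspicious Behavior Reported" custom detection above, showing the `rule()`, `title()`, `dedup()` and `alert_context()` functions and how `deep_get()` walks nested Okta.SystemLog fields such as `actor.alternateId` and `client.ipAddress` without raising on missing keys. The `deep_get` below is a local stand-in for Panther's `panther_base_helpers.deep_get` so the file runs offline; the Okta event type `user.account.report_suspicious_activity_by_enduser` is assumed here and should be checked against Okta's event-type catalog; the sample events are constructed.

```python
from typing import Any, Dict, Mapping, Optional


def deep_get(obj: Optional[Mapping[str, Any]], *keys: str, default: Any = None) -> Any:
    """Local stand-in for Panther's deep_get(): walk nested dict keys, returning
    `default` as soon as a level is missing or is not a mapping."""
    current: Any = obj
    for key in keys:
        if not isinstance(current, Mapping):
            return default
        current = current.get(key)
        if current is None:
            return default
    return current


# Assumed Okta event type for an end user flagging activity on their own account.
SUSPICIOUS_ACTIVITY_EVENT = "user.account.report_suspicious_activity_by_enduser"


def rule(event: Mapping[str, Any]) -> bool:
    """Fire on a successful end-user suspicious-activity report."""
    return (
        event.get("eventType") == SUSPICIOUS_ACTIVITY_EVENT
        and deep_get(event, "outcome", "result") == "SUCCESS"
    )


def title(event: Mapping[str, Any]) -> str:
    """Alert title; deep_get defaults keep the title well-formed on sparse events."""
    actor = deep_get(event, "actor", "alternateId", default="<unknown user>")
    source_ip = deep_get(event, "client", "ipAddress", default="<unknown ip>")
    return f"Okta: {actor} reported suspicious activity from {source_ip}"


def dedup(event: Mapping[str, Any]) -> str:
    """Group repeated reports from the same user into one alert."""
    return deep_get(event, "actor", "alternateId", default="<unknown user>")


def alert_context(event: Mapping[str, Any]) -> Dict[str, Any]:
    """Fields an analyst wants at triage time, pulled from the nested event."""
    return {
        "actor": deep_get(event, "actor", "alternateId"),
        "actor_display_name": deep_get(event, "actor", "displayName"),
        "event_type": event.get("eventType"),
        "outcome": deep_get(event, "outcome", "result"),
        "source_ip": deep_get(event, "client", "ipAddress"),
        "city": deep_get(event, "client", "geographicalContext", "city"),
        "user_agent": deep_get(event, "client", "userAgent", "rawUserAgent"),
        "message": event.get("displayMessage"),
        "published": event.get("published"),
    }


# Constructed Okta.SystemLog events (not real log data).
SAMPLE_REPORT_EVENT: Dict[str, Any] = {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "published": "2024-05-01T12:00:00.000Z",
    "eventType": SUSPICIOUS_ACTIVITY_EVENT,
    "displayMessage": "User report suspicious activity",
    "outcome": {"result": "SUCCESS"},
    "actor": {"alternateId": "alice@example.com", "displayName": "Alice Example", "type": "User"},
    "client": {
        "ipAddress": "203.0.113.10",
        "userAgent": {"rawUserAgent": "Mozilla/5.0 (constructed)"},
        "geographicalContext": {"city": "Lisbon"},
    },
}

SAMPLE_LOGIN_EVENT: Dict[str, Any] = {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "published": "2024-05-01T12:01:00.000Z",
    "eventType": "user.session.start",
    "displayMessage": "User login to Okta",
    "outcome": {"result": "SUCCESS"},
    "actor": {"alternateId": "bob@example.com", "type": "User"},
    "client": {"ipAddress": "198.51.100.7"},
}


if __name__ == "__main__":
    for sample in (SAMPLE_REPORT_EVENT, SAMPLE_LOGIN_EVENT):
        if rule(sample):
            print(title(sample), alert_context(sample))
```

In a real Panther deployment the rule's YAML metadata would set `LogTypes: [Okta.SystemLog]`, and the unit tests there would use the same constructed events as positive and negative cases.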
Supported log types
Okta.SystemLog
The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
Reference: Okta Documentation on System Log APIs.