Okta Profiles (Beta)

Fetch and store Okta user and device data to use in detections and search

Overview

Pulling Okta user and device profiles is in closed beta starting with Panther version 1.69.

You can configure your Okta log source integration in Panther to pull user profiles and device profiles into Panther-managed Lookup Tables. This means you can use profile and device data in detection logic and search queries.

You can customize user profiles in Okta by following Okta's documentation. Consider adding custom attributes that are useful in detection logic, such as the level of permissions expected for that user.

To view the data stored in your Okta profile tables, follow these instructions on how to view profile data in the Data Lake.

How to set up Okta user and device profiles in Panther

You can configure Okta user and device profiles while you are initially setting up your Okta log source integration in Panther, or later, by editing the source.

During either flow, you'll toggle the Okta profile pulling settings on, then set the cadence at which you'd like profile data to be refreshed.

Prerequisite for Okta device profiles

  • In order to pull Okta device profiles into Panther, you must have Okta Devices enabled.

Configure Okta profiles in Panther during Okta source setup

Configure Okta profiles in Panther after Okta source setup

To set up Okta profiles after you've already created an Okta log source in Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Locate the Okta log source for which you'd like to set up profiles, and click its name.

  3. In the upper right corner of the log source page, click Configuration, then Edit.

  4. On the Configure page for your Okta log source, click the Enable user profiles and/or Enable device profiles checkboxes.

    • For each profile you enable, set the Refresh period (min) value. This represents the cadence at which Panther will update profile data with what is stored in Okta.

  5. In the upper-right corner, click Save.

Supported profile types

Panther supports pulling user profiles and device profiles from Okta. The schemas below describe how the data for each profile type is structured.

Okta.Users

schema: Okta.Users
description: Panther managed Okta user profiles
referenceURL: https://developer.okta.com/docs/reference/api/users/#list-users
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Okta internal id for this user
      type: string
      indicators:
        - actor_id
    - name: created
      description: Create time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: activated
      description: Activation time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: statusChanged
      description: Time when user status changed
      type: timestamp
      timeFormats:
        - rfc3339
    - name: lastLogin
      description: Time of last authentication
      type: timestamp
      timeFormats:
        - rfc3339
    - name: lastUpdated
      description: Time of last record update
      type: timestamp
      timeFormats:
        - rfc3339
    - name: passwordChanged
      description: Time of last password change
      type: timestamp
      timeFormats:
        - rfc3339
    - name: status
      description: Status of the user
      type: string
    - name: profile
      description: Okta user profile
      type: json

Okta.Devices

schema: Okta.Devices
description: Panther managed Okta device profile
referenceURL: https://developer.okta.com/docs/reference/api/devices/#list-devices
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Okta internal id for this device
      type: string
    - name: created
      description: Create time for device record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: lastUpdated
      description: Time of last record update
      type: timestamp
      timeFormats:
        - rfc3339
    - name: status
      description: Status of the device
      type: string
    - name: resourceType
      description: Type of the device
      type: string
    - name: resourceDisplayName
      description: Name of the device
      type: object
      fields:
        - name: value
          description: Name of the device
          type: string
        - name: sensitive
          description: True if sensitive
          type: boolean
    - name: resourceId
      description: External id of the device
      type: string
    - name: resourceAlternateId
      description: Alternate external id of the device
      type: string
    - name: profile
      description: Okta device profile
      type: json
    - name: users
      description: Associated users of this device
      type: array
      element:
        type: object
        fields:
            - name: id
              description: Okta internal id for this user
              type: string
              indicators:
                - actor_id
            - name: emails
              description: Emails associated with this user
              type: array
              element:
                type: string
                indicators:
                    - email

Example: Using Okta profile data in a detection

Once you have set up an Okta user or device profile and Panther has fetched its data, you can reference that data in detection logic.

Given this Okta user profile:

{
    "activated": "2023-02-22 20:14:57",
    "created": "2023-02-22 20:14:57",
    "id": "00u7364cqlAxlJrgX1d7",
    "lastlogin": "2023-02-22 20:28:05",
    "lastupdated": "2023-02-22 20:27:57",
    "match": [
        "00u7364cqlAxlJrgX1d7",
        "[email protected]"
    ],
    "p_any_actor_ids": [
        "00u7364cqlAxlJrgX1d7"
    ],
    "p_any_emails": [
        "[email protected]"
    ],
    "p_event_time": "2023-06-01 20:48:36.12",
    "p_log_type": "Okta.Users",
    "p_parse_time": "2023-06-01 20:48:36.12",
    "p_row_id": "623cde25b9568494cebbdfc118a310",
    "p_schema_version": 0,
    "passwordchanged": "2023-02-22 20:27:57",
    "profile": {
        "email": "[email protected]",
        "firstName": "Henry",
        "lastName": "Ford",
        "login": "[email protected]",
        "manager": "Joe Jacobs",
        "mobilePhone": null,
        "secondEmail": null
    },
    "status": "ACTIVE",
    "statuschanged": "2023-02-22 20:27:57"
}

And this incoming event:

{
    "actorEmail": "[email protected]",
    "action": "deleted_file"
}

The event will be enriched with Okta profile data to become:

{
    "actorEmail": "[email protected]",
    "action": "deleted_file",
    "p_enrichment": {
        "okta_users": {
            "actorEmail": {
                "p_match": "[email protected]",
                "activated": "2023-02-22 20:14:57",
                "created": "2023-02-22 20:14:57",
                "id": "00u7364cqlAxlJrgX1d7",
                "lastlogin": "2023-02-22 20:28:05",
                "lastupdated": "2023-02-22 20:27:57",
                "match": [
                    "00u7364cqlAxlJrgX1d7",
                    "[email protected]"
                ],
                "p_any_actor_ids": [
                    "00u7364cqlAxlJrgX1d7"
                ],
                "p_any_emails": [
                    "[email protected]"
                ],
                "passwordchanged": "2023-02-22 20:27:57",
                "profile": {
                    "email": "[email protected]",
                    "firstName": "Henry",
                    "lastName": "Ford",
                    "login": "[email protected]",
                    "manager": "Joe Jacobs",
                    "mobilePhone": null,
                    "secondEmail": null
                },
                "status": "ACTIVE",
                "statuschanged": "2023-02-22 20:27:57"
            }
        }
    }
}

You can then write a detection that references Okta profile data, like this:

from panther_base_helpers import deep_get


def rule(event):
    # The manager comes from the enriched Okta user profile. deep_get returns
    # None when the event carries no enrichment (no matching profile, or the
    # table has not been refreshed yet), so the rule returns False instead of raising.
    user_manager = deep_get(event, 'p_enrichment', 'okta_users', 'actorEmail', 'profile', 'manager')
    return user_manager == 'Joe Jacobs'
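The following Python is an added example, not code from the page or from Panther: it models the enrichment step described above (matching the event's `actorEmail` against each profile row's `match` keys and attaching the row under `p_enrichment`), then applies the manager rule to the result and shows how the rule behaves when no profile matched. The lookup row and events are constructed, the email address is a placeholder, and `enrich` and the local `deep_get` are stand-ins for Panther's internals (a real rule imports `deep_get` from `panther_base_helpers` and never performs the join itself).

```python
# Added example (not Panther's code): a plain-Python model of lookup-table
# enrichment for Okta.Users, plus a rule and title that consume it defensively.
from typing import Any

# Constructed Okta.Users row mirroring the page's example; the email is a
# placeholder, not a real address. Only the fields the rule needs are kept.
OKTA_USER_PROFILE = {
    "id": "00u7364cqlAxlJrgX1d7",
    "match": ["00u7364cqlAxlJrgX1d7", "hford@example.com"],
    "status": "ACTIVE",
    "profile": {
        "email": "hford@example.com",
        "firstName": "Henry",
        "lastName": "Ford",
        "login": "hford@example.com",
        "manager": "Joe Jacobs",
    },
}

LOOKUP_TABLE = [OKTA_USER_PROFILE]


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts, returning `default` when any key is missing.
    Stand-in with the same call shape as panther_base_helpers.deep_get."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def enrich(event: dict, table_name: str, selector: str, rows: list) -> dict:
    """Model of the enrichment join: the value at `selector` in the event is
    compared against each row's `match` keys. The first matching row is copied
    to p_enrichment.<table_name>.<selector> with p_match set to the matched key.
    Events with no matching row are returned without a p_enrichment block."""
    key = event.get(selector)
    enriched = dict(event)
    for row in rows:
        if key in row.get("match", []):
            hit = {"p_match": key, **row}
            enriched.setdefault("p_enrichment", {}).setdefault(table_name, {})[selector] = hit
            break
    return enriched


def rule(event: dict) -> bool:
    """Fire when the actor's Okta profile lists 'Joe Jacobs' as manager.
    A missing profile (no match yet, or a table that has not refreshed)
    yields False rather than an exception."""
    manager = deep_get(event, "p_enrichment", "okta_users", "actorEmail", "profile", "manager")
    return manager == "Joe Jacobs"


def title(event: dict) -> str:
    """Alert title that degrades gracefully when enrichment is absent."""
    actor = event.get("actorEmail", "<unknown>")
    status = deep_get(event, "p_enrichment", "okta_users", "actorEmail", "status",
                      default="no profile")
    return f"{actor} ({status}) performed {event.get('action')}"


if __name__ == "__main__":
    matched = enrich({"actorEmail": "hford@example.com", "action": "deleted_file"},
                     "okta_users", "actorEmail", LOOKUP_TABLE)
    unmatched = enrich({"actorEmail": "nobody@example.com", "action": "deleted_file"},
                       "okta_users", "actorEmail", LOOKUP_TABLE)
    print(rule(matched), title(matched))      # True hford@example.com (ACTIVE) performed deleted_file
    print(rule(unmatched), title(unmatched))  # False nobody@example.com (no profile) performed deleted_file
```

The unmatched case is the one worth testing in your own rules: until the lookup table has completed its first refresh, or for actors not present in Okta, `p_enrichment` is simply absent, and a rule that indexes into it directly will raise instead of returning False.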
