Panther can fetch Okta events by querying the Okta System Log API, which it polls once a minute. To give Panther access to the API, create a new Okta API token or reuse an existing one.
For each of the toggles set to ON, set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Okta.
Click Setup. You will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
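Panther performs the polling described above for you. To make concrete what a once-a-minute pull from the System Log API with an API token involves, here is an added example poller written for this page (it is not Panther's own collector): it sends the token as `Authorization: SSWS <token>`, bounds the first request with `since`, then follows the `after` cursor that Okta returns in the `Link` header, keeping the last `next` link between polls. `OKTA_DOMAIN`, the token value, the event contents and the `make_fake_okta` HTTP stand-in are all constructed so the block runs offline.

```python
import json
import re
from typing import Callable, Optional
from urllib.parse import urlencode

OKTA_DOMAIN = "https://example.okta.com"  # assumed org URL, not a real tenant

# (request url, request headers) -> (status, response headers, body)
Fetcher = Callable[[str, dict], tuple]

NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def first_page_url(since: str, limit: int = 1000) -> str:
    """Initial query: everything published at or after `since`, oldest first."""
    query = urlencode({"since": since, "sortOrder": "ASCENDING", "limit": limit})
    return f"{OKTA_DOMAIN}/api/v1/logs?{query}"


def next_link(headers: dict) -> Optional[str]:
    """Pull the rel="next" URL out of an Okta Link header; None if absent."""
    match = NEXT_LINK.search(headers.get("Link", ""))
    return match.group(1) if match else None


class SystemLogPoller:
    """Holds the cursor between polls so each run returns only events not yet seen."""

    def __init__(self, token: str, fetch: Fetcher, since: str, limit: int = 1000):
        # Okta API tokens go in `Authorization: SSWS <token>`.
        self.headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
        self.fetch = fetch
        self.cursor = first_page_url(since, limit)

    def poll(self) -> list:
        """Drain the pages available now; stop at the first empty page and keep its next link."""
        events: list = []
        url = self.cursor
        while True:
            status, resp_headers, body = self.fetch(url, self.headers)
            if status == 401:
                raise PermissionError("Okta rejected the API token (revoked, expired or wrong org)")
            if status == 429:
                raise RuntimeError("rate limited; leave the cursor alone and retry next minute")
            if status != 200:
                raise RuntimeError(f"unexpected HTTP {status} from {url}")
            page = json.loads(body)
            events.extend(page)
            nxt = next_link(resp_headers)
            if nxt:
                self.cursor = nxt  # Okta returns a next link even for an empty page; that is the poll cursor
            if not page or not nxt:
                break
            url = nxt
        return events


def make_fake_okta(pages: dict) -> Fetcher:
    """Constructed offline stand-in for the API: maps a URL to (events, next_url)."""
    def fetch(url: str, headers: dict) -> tuple:
        if not headers.get("Authorization", "").startswith("SSWS "):
            return 401, {}, b'{"errorCode": "E0000011"}'
        page, nxt = pages[url]
        link = {"Link": f'<{url}>; rel="self", <{nxt}>; rel="next"'} if nxt else {}
        return 200, link, json.dumps(page).encode()
    return fetch


def sample_event(uuid: str, event_type: str) -> dict:
    """Minimal constructed Okta.SystemLog event carrying the schema's required fields."""
    return {"uuid": uuid, "published": "2024-01-01T00:00:05.000Z",
            "eventType": event_type, "version": "0", "severity": "INFO"}


def demo() -> tuple:
    """Two consecutive polls: the first drains three events over two pages, the second finds none."""
    start = first_page_url("2024-01-01T00:00:00Z", limit=2)
    page2 = f"{OKTA_DOMAIN}/api/v1/logs?limit=2&after=cursor-2"
    idle = f"{OKTA_DOMAIN}/api/v1/logs?limit=2&after=cursor-3"
    pages = {
        start: ([sample_event("u1", "user.session.start"),
                 sample_event("u2", "user.account.report_suspicious_activity_by_enduser")], page2),
        page2: ([sample_event("u3", "user.session.end")], idle),
        idle: ([], idle),  # nothing new: Okta keeps handing back the same next link
    }
    poller = SystemLogPoller("00constructed-token", make_fake_okta(pages),
                             since="2024-01-01T00:00:00Z", limit=2)
    first = poller.poll()
    second = poller.poll()
    return first, second, poller.cursor


if __name__ == "__main__":
    first, second, cursor = demo()
    print(len(first), len(second), cursor)
```

An Okta API token carries the permissions of the user who created it and is deactivated when that user is, so create the token as a dedicated read-only administrator used only for log collection. If that account is later deactivated or the token is revoked, every poll fails with 401, events stop flowing, and the "no events processed" alert above is what tells you.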
Have other Okta detections that can be used by other customers? Consider sharing detections back to the Panther Analysis repository or work with your Customer Success team!
Custom Detections

Suspicious Behavior Reported

Description: A user has reported suspicious behavior from their account

```python
def rule(event):
    # Event keys are case-sensitive and follow the Okta.SystemLog schema below:
    # the field is "eventType", not "eventtype".
    if event.get('eventType') == 'user.account.report_suspicious_activity_by_enduser':
        return True
    return False
```
Below are some common functions and example deep_get() uses when writing custom detections for Okta. deep_get() comes from panther_base_helpers and walks nested keys, returning None instead of raising when any level is missing. Explanations of the different event types can be found in the Okta documentation.

```python
from panther_base_helpers import deep_get

# Okta has many event types, listed at
# https://developer.okta.com/docs/reference/api/event-types/
# A detection usually starts by matching on one of them. Keys are case-sensitive
# and follow the Okta.SystemLog schema ("eventType").
event.get('eventType')

# To access the city, state, lat, lon etc.
deep_get(event, 'client', 'geographicalContext', 'city')
deep_get(event, 'client', 'geographicalContext', 'state')
deep_get(event, 'client', 'geographicalContext', 'country')
deep_get(event, 'client', 'geographicalContext', 'geolocation', 'lon')
deep_get(event, 'client', 'geographicalContext', 'geolocation', 'lat')

# Details on the source of the event
deep_get(event, 'client', 'device')  # note the comma: 'client' 'device' would concatenate into one key
deep_get(event, 'client', 'ipAddress')
deep_get(event, 'client', 'userAgent')
deep_get(event, 'actor', 'alternateId')
deep_get(event, 'actor', 'displayName')
```
Global helpers that may be useful with Okta (both live in panther_base_helpers):

```python
from ipaddress import ip_address, ip_network


# within panther_base_helpers
def okta_alert_context(event: dict):
    """Returns common context for automation of Okta alerts"""
    return {
        "ips": event.get("p_any_ip_addresses", []),
        "actor": event.get("actor", ""),
        "target": event.get("target", ""),
        "client": event.get("client", ""),
    }


# within panther_base_helpers
def is_ip_in_network(ip_addr, networks):
    """Check that a given IP is within a list of IP ranges"""
    return any(ip_address(ip_addr) in ip_network(network) for network in networks)
```
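As an added, runnable example (not from the Panther docs or the panther-analysis repository), here is a complete detection in Panther's rule layout that combines the deep_get() access patterns and the two helpers above: it fires on a successful `user.session.start` whose source IP falls outside a set of trusted networks, builds a title from the actor and geolocation, and returns the helper's alert context. `deep_get`, `okta_alert_context` and `is_ip_in_network` are re-implemented locally so the file runs without panther_base_helpers; `TRUSTED_NETWORKS` and the three sample events are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Any


def deep_get(dictionary: dict, *keys: str, default: Any = None) -> Any:
    """Local stand-in for panther_base_helpers.deep_get: follow nested keys,
    returning `default` instead of raising when any level is missing."""
    value: Any = dictionary
    for key in keys:
        if not isinstance(value, dict) or key not in value:
            return default
        value = value[key]
    return value if value is not None else default


def okta_alert_context(event: dict) -> dict:
    """Same shape as the panther_base_helpers version shown above."""
    return {
        "ips": event.get("p_any_ip_addresses", []),
        "actor": event.get("actor", ""),
        "target": event.get("target", ""),
        "client": event.get("client", ""),
    }


def is_ip_in_network(ip_addr: str, networks: list) -> bool:
    """Same as the panther_base_helpers version shown above."""
    return any(ip_address(ip_addr) in ip_network(network) for network in networks)


# Assumed corporate egress ranges (RFC 5737 documentation space); replace with your own.
TRUSTED_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24"]


def rule(event: dict) -> bool:
    """Fire on a successful sign-in whose source IP is outside TRUSTED_NETWORKS."""
    if event.get("eventType") != "user.session.start":
        return False
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    src_ip = deep_get(event, "client", "ipAddress")
    if src_ip is None:
        return False  # no address to judge; do not alert on missing data
    return not is_ip_in_network(src_ip, TRUSTED_NETWORKS)


def title(event: dict) -> str:
    actor = deep_get(event, "actor", "alternateId", default="<unknown>")
    src_ip = deep_get(event, "client", "ipAddress", default="?")
    city = deep_get(event, "client", "geographicalContext", "city", default="?")
    country = deep_get(event, "client", "geographicalContext", "country", default="?")
    return f"Okta sign-in by {actor} from untrusted IP {src_ip} ({city}, {country})"


def alert_context(event: dict) -> dict:
    return okta_alert_context(event)


def _event(actor: str, ip: str, city: str, country: str, result: str = "SUCCESS") -> dict:
    """Build a constructed Okta.SystemLog-shaped event (not real Okta data)."""
    return {
        "uuid": "00000000-0000-0000-0000-000000000000",
        "eventType": "user.session.start",
        "outcome": {"result": result},
        "actor": {"id": "00u1", "type": "User", "alternateId": actor,
                  "displayName": actor.split("@")[0]},
        "client": {
            "ipAddress": ip,
            "device": "Computer",
            "geographicalContext": {"city": city, "country": country},
        },
        "p_any_ip_addresses": [ip],
    }


SAMPLE_INSIDE = _event("alice@example.com", "203.0.113.25", "Austin", "United States")
SAMPLE_OUTSIDE = _event("bob@example.com", "192.0.2.77", "Lagos", "Nigeria")
SAMPLE_FAILED = _event("bob@example.com", "192.0.2.77", "Lagos", "Nigeria", result="FAILURE")

if __name__ == "__main__":
    for sample in (SAMPLE_INSIDE, SAMPLE_OUTSIDE, SAMPLE_FAILED):
        print(rule(sample), title(sample))
```

The rule returns False rather than alerting when `client.ipAddress` is absent; a missing field in a nested path is the common cause of noisy Okta rules, and deep_get() makes that case explicit instead of raising a KeyError mid-evaluation.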
Supported log types
Okta.SystemLog
The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
```yaml
schema: Okta.SystemLog
description: |
  The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
referenceURL: https://developer.okta.com/docs/reference/api/system-log/
fields:
  - name: uuid
    required: true
    description: Unique identifier for an individual event
    type: string
  - name: published
    required: true
    description: Timestamp when event was published
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: eventType
    required: true
    description: Type of event that was published
    type: string
  - name: version
    required: true
    description: Versioning indicator
    type: string
  - name: severity
    required: true
    description: 'Indicates how severe the event is: DEBUG, INFO, WARN, ERROR'
    type: string
  - name: legacyEventType
    description: Associated Events API Action objectType attribute value
    type: string
  - name: displayMessage
    description: The display message for an event
    type: string
  - name: actor
    description: Describes the entity that performed an action
    type: object
    fields:
      - name: id
        required: true
        description: ID of actor
        type: string
      - name: type
        required: true
        description: Type of actor
        type: string
      - name: alternateId
        description: Alternative id of the actor
        type: string
        indicators:
          - email
      - name: displayName
        description: Display name of the actor
        type: string
      - name: details
        description: Details about the actor
        type: json
      - name: detailEntry
        description: Detail entry
        type: json
  - name: client
    description: The client that requested an action
    type: object
    fields:
      - name: id
        description: For OAuth requests this is the id of the OAuth client making the request. For SSWS token requests, this is the id of the agent making the request.
        type: string
      - name: userAgent
        description: The user agent used by an actor to perform an action
        type: object
        fields:
          - name: browser
            description: If the client is a web browser, this field identifies the type of web browser (e.g. CHROME, FIREFOX)
            type: string
          - name: os
            description: The Operating System the client runs on (e.g. Windows 10)
            type: string
          - name: rawUserAgent
            description: A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
            type: string
      - name: geographicalContext
        description: The physical location where the client made its request from
        type: object
        fields:
          - name: geolocation
            description: Contains the geolocation coordinates (latitude, longitude)
            type: object
            fields:
              - name: lat
                description: Latitude
                type: float
              - name: lon
                description: Longitude
                type: float
          - name: city
            description: The city encompassing the area containing the geolocation coordinates, if available (e.g. Seattle, San Francisco)
            type: string
          - name: state
            description: Full name of the state/province encompassing the area containing the geolocation coordinates (e.g. Montana, Incheon)
            type: string
          - name: country
            description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda)
            type: string
          - name: postalCode
            description: Postal code of the area containing the geolocation coordinates
            type: string
      - name: zone
        description: The name of the Zone that the client's location is mapped to
        type: string
      - name: ipAddress
        description: Ip address that the client made its request from
        type: string
        indicators:
          - ip
      - name: device
        description: Type of device that the client operated from (e.g. Computer)
        type: string
  - name: request
    description: The request that initiated an action
    type: object
    fields:
      - name: ipChain
        description: If the incoming request passes through any proxies, the IP addresses of those proxies will be stored here in the format (clientIp, proxy1, proxy2, ...).
        type: array
        element:
          type: object
          fields:
            - name: ip
              description: IP address
              type: string
              indicators:
                - ip
            - name: geographicalContext
              description: Geographical context of the IP address
              type: object
              fields:
                - name: geolocation
                  description: Contains the geolocation coordinates (latitude, longitude)
                  type: object
                  fields:
                    - name: lat
                      description: Latitude
                      type: float
                    - name: lon
                      description: Longitude
                      type: float
                - name: city
                  description: The city encompassing the area containing the geolocation coordinates, if available (e.g. Seattle, San Francisco)
                  type: string
                - name: state
                  description: Full name of the state/province encompassing the area containing the geolocation coordinates (e.g. Montana, Incheon)
                  type: string
                - name: country
                  description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda)
                  type: string
                - name: postalCode
                  description: Postal code of the area containing the geolocation coordinates
                  type: string
            - name: version
              description: IP version
              type: string
            - name: source
              description: Details regarding the source
              type: string
  - name: outcome
    description: The outcome of an action
    type: object
    fields:
      - name: result
        description: 'Result of the action: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN'
        type: string
      - name: reason
        description: Reason for the result, for example INVALID_CREDENTIALS
        type: string
  - name: target
    description: Zero or more targets of an action
    type: array
    element:
      type: object
      fields:
        - name: id
          required: true
          description: ID of target
          type: string
        - name: type
          required: true
          description: Type of target
          type: string
        - name: alternateId
          description: Alternative id of the target
          type: string
        - name: displayName
          description: Display name of the target
          type: string
        - name: details
          description: Details about the target
          type: json
        - name: detailEntry
          description: Detail entry
          type: json
  - name: transaction
    description: The transaction details of an action
    type: object
    fields:
      - name: id
        description: Unique identifier for this transaction.
        type: string
      - name: type
        description: Describes the kind of transaction. WEB indicates a web request. JOB indicates an asynchronous task.
        type: string
      - name: detail
        description: Details for this transaction.
        type: json
  - name: debugContext
    description: The debug request data of an action
    type: object
    fields:
      - name: debugData
        description: Dynamic field containing miscellaneous information dependent on the event type.
        type: json
  - name: authenticationContext
    description: The authentication data of an action
    type: object
    fields:
      - name: authenticationProvider
        description: The system that proves the identity of an actor using the credentials provided to it
        type: string
      - name: authenticationStep
        description: The zero-based step number in the authentication pipeline. Currently unused and always set to 0.
        type: int
      - name: credentialProvider
        description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs via credentials provided by a credential provider, that credential provider will be recorded here.
        type: string
      - name: credentialType
        description: The underlying technology/scheme used in the credential
        type: string
      - name: issuer
        description: The specific software entity that created and issued the credential.
        type: object
        fields:
          - name: id
            description: Varies depending on the type of authentication. If authentication is SAML 2.0, id is the issuer in the SAML assertion. For social login, id is the issuer of the token.
            type: string
          - name: type
            description: Information regarding issuer and source of the SAML assertion or token.
            type: string
      - name: externalSessionId
        description: A proxy for the actor's session ID
        type: string
      - name: interface
        description: The third party user interface that the actor authenticates through, if any.
        type: string
      - name: authenticatorProvider
        description: 'DEPRECATED: This field is kept here for backwards compatibility.'
        type: string
  - name: securityContext
    description: The security data of an action
    type: object
    fields:
      - name: asNumber
        description: Autonomous system number associated with the autonomous system that the event request was sourced to
        type: bigint
      - name: asOrg
        description: Organization associated with the autonomous system that the event request was sourced to
        type: string
      - name: isp
        description: Internet service provider used to send the event's request
        type: string
      - name: domain
        description: The domain name associated with the IP address of the inbound event request
        type: string
        indicators:
          - domain
      - name: isProxy
        description: Specifies whether an event's request is from a known proxy
        type: boolean
```