Okta Logs
Panther supports pulling logs directly from Okta
Overview
Panther fetches Okta events by querying the Okta System Log API, polling it once every minute. For Panther to access the API, you need to create a new Okta API token or use an existing one.
You can also enable Okta user and device profiles.
Video Walkthrough
How to onboard Okta logs to Panther
Step 1: Create a new Okta API token
Log in as Okta administrator.
In the Okta Admin Console, navigate to Security > API.
Click Create Token.
Enter a memorable name for your token, e.g. Panther API token.
Copy the Token value and store it in a secure location. You will need it in the next steps.
Note: Okta will not display this value again.
Step 2: Create a new Okta source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Okta,” then click its tile.
On the slide-out panel, click Start Setup.
On the Configuration page, fill in the following fields:
Name: Enter a descriptive name for the source, e.g. My Okta logs.
Okta subdomain: Enter the subdomain of your Okta organization domain. You can refer to Okta documentation to find out more about your Okta org domain.
Okta domain: Select the appropriate domain name from the Okta domain drop-down.
API Token: Enter the token value you generated in the previous step.
Click Setup.
On the Enrichment page, if you would like to enable Okta Identity Profiles, to the right of User Profiles and/or Device Profiles, click the toggle ON.
For each of the toggles set to ON, set a Refresh period (min). This is the cadence at which Panther refreshes its copy of the profile data from Okta.

Click Setup. You will be directed to a success screen:

You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving it enabled: Panther will alert you if data stops flowing from the log source for a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-Built Detections
See the Panther-built rules and investigative queries for Okta in the panther-analysis repository on GitHub.
Okta Admin Role Assigned - A user has been granted administrative privileges in Okta
Okta API Key Created - A user created an API Key in Okta
Okta API Key Revoked - A user has revoked an API Key in Okta
Geographically Improbable Okta Login - A user has subsequent logins from two geographic locations that are very far apart
Okta MFA Globally Disabled - Okta system-wide MFA has been disabled by an Admin user
Okta Support Reset Credential - Okta Support reset a password or MFA for a user
Okta Support Access Granted - Okta support access was granted
Have other Okta detections that could be used by other customers? Consider sharing them back to the Panther Analysis repository or working with your Customer Success team!
Custom Detections
Suspicious Behavior Reported
Description: A user has reported suspicious behavior from their account
Below are some common functions and example deep_get() uses for writing custom Okta detections. Explanations of the different event types can be found in the Okta documentation.
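The following is an added illustration of the Suspicious Behavior Reported detection above written as a Panther-style Python rule; it is not code from the Panther documentation or from the panther-analysis repository. Panther rules expose rule(event) returning a bool, with optional title(event) and alert_context(event). The deep_get() helper here is a local stand-in for the one panther-analysis ships in panther_base_helpers, so the block runs offline; the event type constant is the Okta System Log eventType emitted when an end user reports suspicious activity, and the two sample events are constructed to resemble Okta System Log records, including one with the optional geographicalContext object omitted to show the missing-key fallbacks.

```python
"""Panther-style Okta detection (added example, not from Panther or panther-analysis)."""
from typing import Any

# Okta System Log eventType emitted when an end user clicks "Report Suspicious
# Activity" in a security notification email.
SUSPICIOUS_ACTIVITY_EVENT = "user.account.report_suspicious_activity_by_enduser"


def deep_get(dictionary: dict, *keys: str, default: Any = None) -> Any:
    """Return dictionary[k1][k2]... or `default` when any key is missing or an
    intermediate value is not a dict. Local stand-in for panther_base_helpers.deep_get."""
    value: Any = dictionary
    for key in keys:
        if not isinstance(value, dict):
            return default
        value = value.get(key)
        if value is None:
            return default
    return value


def rule(event: dict) -> bool:
    """Fire on Okta.SystemLog events where a user reported suspicious activity."""
    return event.get("eventType") == SUSPICIOUS_ACTIVITY_EVENT


def title(event: dict) -> str:
    """Alert title; every field is optional in Okta's schema, so each lookup has a fallback."""
    actor = deep_get(event, "actor", "alternateId", default="<unknown user>")
    ip_addr = deep_get(event, "client", "ipAddress", default="<unknown ip>")
    country = deep_get(
        event, "client", "geographicalContext", "country", default="<unknown country>"
    )
    return f"Okta user [{actor}] reported suspicious activity from {ip_addr} ({country})"


def alert_context(event: dict) -> dict:
    """Fields an analyst wants alongside the alert; None where Okta omitted them."""
    targets = event.get("target") or []
    return {
        "actor": deep_get(event, "actor", "alternateId"),
        "actor_display_name": deep_get(event, "actor", "displayName"),
        "client_ip": deep_get(event, "client", "ipAddress"),
        "user_agent": deep_get(event, "client", "userAgent", "rawUserAgent"),
        "outcome": deep_get(event, "outcome", "result"),
        "targets": [t.get("alternateId") for t in targets if isinstance(t, dict)],
    }


# Constructed sample event shaped like an Okta System Log record (not real data).
SAMPLE_REPORT = {
    "eventType": SUSPICIOUS_ACTIVITY_EVENT,
    "actor": {"alternateId": "alice@example.com", "displayName": "Alice Example", "type": "User"},
    "client": {
        "ipAddress": "203.0.113.7",
        "userAgent": {"rawUserAgent": "Mozilla/5.0 (example)"},
        "geographicalContext": {"city": "Springfield", "country": "United States"},
    },
    "outcome": {"result": "SUCCESS"},
    "target": [{"alternateId": "alice@example.com", "type": "User"}],
}

# Constructed login event with geographicalContext and userAgent omitted, as Okta
# does for some clients; exercises the deep_get fallbacks and must not alert.
SAMPLE_LOGIN = {
    "eventType": "user.session.start",
    "actor": {"alternateId": "bob@example.com"},
    "client": {"ipAddress": "198.51.100.9"},
    "outcome": {"result": "SUCCESS"},
}

if __name__ == "__main__":
    for sample in (SAMPLE_REPORT, SAMPLE_LOGIN):
        if rule(sample):
            print(title(sample))
            print(alert_context(sample))
```

In a real deployment the rule lives in its own module alongside a YAML spec that sets LogTypes to Okta.SystemLog, and deep_get is imported from panther_base_helpers rather than defined locally; the fallback defaults matter because Okta drops optional sub-objects such as geographicalContext on some events, and an unguarded event["client"]["geographicalContext"] would raise inside the rule.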
Supported log types
Okta.SystemLog
The Okta System Log records system events related to your organization, providing an audit trail that can be used to understand platform activity and to diagnose problems.
Reference: Okta Documentation on System Log APIs.