Ingest Logs and Data from Okta

Cortex XDR 3.x Documentation

Product: Cortex XDR
License: Prevent, Pro
Creation date: 2024-03-06
Last date published: 2026-02-05
Category: Administrator Guide
Abstract

Ingest authentication logs and data from Okta for use in Cortex XDR authentication stories.

To receive logs and data from Okta, you must configure the Collection Integrations settings in Cortex XDR. After you set up data collection, Cortex XDR immediately begins receiving new logs and data from the source. The information from Okta is then searchable in XQL Search using the okta_sso_raw dataset. In addition, depending on the event type, data is normalized to either the xdr_data or the saas_audit_logs dataset.

You can collect all types of events from Okta. When setting up the Okta data collector in Cortex XDR, a field called Okta Filter is available to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as filter=eventType eq "user.session.start". For Okta information to be woven into authentication stories, "user.authentication.sso" events must be collected.

Since the Okta API enforces concurrent rate limits, the Okta data collector is built with a mechanism to reduce the number of requests whenever the Okta API returns an error indicating that too many requests have already been sent. To ensure that you are notified when this happens, an alert is displayed in the Notification Area and a record is added to the Management Audit Logs.

Before you begin configuring data collection from Okta, ensure your Okta user has administrator privileges with a role that can create API tokens, such as the read-only administrator, Super administrator, or Organization administrator. For more information, see the Okta Administrators Documentation.

To configure the Okta collection in Cortex XDR:

  1. Perform the following steps in your Okta application:

    1. Identify the domain name of your Okta service.

      From the Dashboard of your Okta console, click the down arrow under your name in the top right corner, and copy your Org URL, which is listed under your email. Record it for future reference, as you'll need it when specifying your OKTA DOMAIN in Cortex XDR as explained below.

      For more information, see the Okta Documentation.

    2. Obtain your authentication token in Okta.

      1. Select Admin Console → Security → API → Tokens, and click Create token.

      2. Set the following parameters for the token:

        • What do you want your token to be named?: Specify the name for your token, which is used for tracking API calls.

        • API calls made with this token must originate from: Select Any IP.

      3. Click Create token. You may need to log in to Okta again using your MFA administrator credentials.

      4. After the token is created, copy the Token Value and record it for future reference, as you'll need it when specifying your TOKEN in Cortex XDR as explained in the following step. Once you close the dialog box by clicking Ok, got it, you won't be able to access the token again, and you will have to create a new one if you didn't record it.

  2. Configure the Okta Collection Integrations settings in Cortex XDR.

    1. Select Settings → Configurations → Data Collection → Collection Integrations.

    2. In the Okta configuration, click Add Instance.

    3. Integrate the Okta authentication service with Cortex XDR.

      1. Specify the OKTA DOMAIN (Org URL) that you identified on your Okta console as explained in the previous step.

      2. Specify the TOKEN used to authenticate with Okta, which you recorded in Okta as explained in the previous step.

      3. Specify the Okta Filter to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as filter=eventType eq "user.session.start". For Okta information to be woven into authentication stories, "user.authentication.sso" events must be collected.

      4. Test the connection settings.

      5. If successful, Enable Okta log collection.

        Once events start to come in, a green check mark appears underneath the Okta configuration with the amount of data received.

    4. After Cortex XDR begins receiving information from the service, you can Create an XQL Query to search for specific data. When including authentication events, you can also Create an Authentication Query to search for specific authentication data.
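
The following pre-check for the Okta Filter value is an added example, not code from Palo Alto Networks or Okta. It normalizes typographic quotes, reports whether the filter still collects "user.authentication.sso", and builds the Okta System Log URL for a manual test. It assumes a filter made only of eventType eq "..." clauses joined with or; example.okta.com and the function names are constructed placeholders.

```python
import re
from urllib.parse import urlencode, urlsplit

SSO_EVENT = "user.authentication.sso"  # event type required for authentication stories
CLAUSE = re.compile(r'eventType eq "([A-Za-z0-9_.]+)"')

def normalize_filter(raw):
    """Drop an optional 'filter=' prefix and turn typographic quotes into ASCII quotes."""
    expr = raw.strip()
    if expr.startswith("filter="):
        expr = expr[len("filter="):]
    return expr.replace("\u201c", '"').replace("\u201d", '"').strip()

def event_types(expr):
    """Return the event types named by 'eventType eq "..."' clauses joined with 'or'.

    Assumption of this example: any other clause form is rejected with ValueError
    rather than guessed at.
    """
    if not expr:
        return set()  # empty filter: all events are collected
    found = set()
    for part in re.split(r"\s+or\s+", expr):
        match = CLAUSE.fullmatch(part.strip())
        if not match:
            raise ValueError(f"unsupported clause: {part!r}")
        found.add(match.group(1))
    return found

def feeds_auth_stories(raw):
    """True if the filter collects everything or explicitly includes the SSO event."""
    types = event_types(normalize_filter(raw))
    return not types or SSO_EVENT in types

def logs_url(org_url, raw, limit=1):
    """Build the System Log request URL for testing the filter against the Org URL."""
    host = urlsplit(org_url if "//" in org_url else "https://" + org_url).netloc
    params = {"limit": limit}
    expr = normalize_filter(raw)
    if expr:
        params["filter"] = expr
    return f"https://{host}/api/v1/logs?{urlencode(params)}"
```

To exercise the URL by hand, send it with the token you recorded in an Authorization: SSWS <token> header.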