Ingest Logs and Data from Okta - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-05-12
Category
Administrator Guide
Abstract

Ingest authentication logs and data from Okta for use in Cortex XSIAM authentication stories.

To receive logs and data from Okta, you must configure the Data Sources settings in Cortex XSIAM. After you set up data collection, Cortex XSIAM immediately begins receiving new logs and data from the source. The information from Okta is then searchable in XQL Search using the okta_sso_raw dataset. In addition, depending on the event type, data is normalized to either xdr_data or saas_audit_logs datasets.

You can collect all types of events from Okta. When setting up the Okta data collector in Cortex XSIAM , a field called Okta Filter is available to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as filter=eventType eq “user.session.start”.\n. For Okta information to be weaved into authentication stories, “user.authentication.sso” events must be collected.

Since the Okta API enforces concurrent rate limits, the Okta data collector is built with a mechanism to reduce the amount of requests whenever an error is received from the Okta API indicating that too many requests have already been sent. In addition, to ensure you are properly notified about this, an alert is displayed in the Notification Area and a record is added to the Management Audit Logs.

Before you begin configuring data collection from Okta, ensure your Okta user has administrator privileges with a role that can create API tokens, such as the read-only administrator, Super administrator, and Organization administrator. For more information, see the Okta Administrators Documentation.

To configure the Okta collection in Cortex XSIAM:

  1. Identify the domain name of your Okta service.

    From the Dashboard of your Okta console, note your Org URL.

    For more information, see the Okta Documentation.

    okta-identify-domain.png
  2. Obtain your authentication token in Okta.

    1. Select APITokens.

    2. Create Token and record the token value.

      This is your only opportunity to record the value.

  3. Select SettingsConfigurationsData CollectionData Sources.

  4. Integrate the Okta authentication service with Cortex XSIAM .

    1. Specify the OKTA DOMAIN (Org URL) that you identified on your Okta console.

    2. Specify the TOKEN used to authenticate with Okta.

    3. Specify the Okta Filter to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as filter=eventType eq “user.session.start”.\n. For Okta information to be weaved into authentication stories, “user.authentication.sso” events must be collected.

    4. Test the connection settings.

    5. If successful, Enable Okta log collection.

      Once events start to come in, a green check mark appears underneath the Okta configuration with the amount of data received.

  5. After Cortex XSIAM begins receiving information from the service, you can Create an XQL Query to search for specific data. When including authentication events, you can also Create an Authentication Query to search for specific authentication data.