Ingest Logs and Data from Okta

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-12-09
Category
Administrator Guide
Abstract

Ingest authentication logs and data from Okta for use in Cortex XSIAM authentication stories.

To receive logs and data from Okta, you must configure the Data Sources settings in Cortex XSIAM. After you set up data collection, Cortex XSIAM immediately begins receiving new logs and data from the source. The information from Okta is then searchable in XQL Search using the okta_sso_raw dataset. In addition, depending on the event type, data is normalized to either the xdr_data or the saas_audit_logs dataset.

You can collect all types of events from Okta. When setting up the Okta data collector in Cortex XSIAM, a field called Okta Filter is available to restrict collection to events of your choosing. All events are collected by default unless you define an Okta API filter expression, such as filter=eventType eq "user.session.start". For Okta information to be woven into authentication stories, "user.authentication.sso" events must be collected, so any filter you define must not exclude them.

Because the Okta API enforces rate limits, the Okta data collector reduces its request rate whenever the Okta API returns an error indicating that too many requests have already been sent. So that you are aware when this happens, an alert is displayed in the Notification Area and a record is added to the Management Audit Logs. Okta's rate limits apply per org and per endpoint rather than per token, so other integrations that poll the Okta System Log consume the same budget; repeated alerts are a signal to review them.

Before you begin configuring data collection from Okta, ensure your Okta user has administrator privileges with a role that can create API tokens, such as Read-only Administrator, Super Administrator, or Organization Administrator. An Okta API token inherits the permissions of the user who creates it, so prefer the least-privileged role that can read the System Log (Read-only Administrator), and note that Okta API tokens expire after 30 days without use. For more information, see the Okta Administrators Documentation.

To configure the Okta collection in Cortex XSIAM:

  1. Perform the following steps in your Okta application:

    1. Identify the domain name of your Okta service.

      From the Dashboard of your Okta console, click the down arrow under your name in the top right corner and copy your Org URL, which is listed under your email address. Record it for future reference; you will need it when specifying the OKTA DOMAIN in Cortex XSIAM, as explained below.

      For more information, see the Okta Documentation.

    2. Obtain your authentication token in Okta.

      1. Select Admin Console > Security > API > Tokens, and click Create token.

      2. Set the following parameters for the token:

        • What do you want your token to be named?: Specify the name for your token, which is used for tracking API calls.

        • API calls made with this token must originate from: Select Any IP.

      3. Click Create token. You may need to log in to Okta again with your administrator credentials and complete MFA.

      4. Your token is created. Copy the Token Value and record it for future reference; you will need it when specifying the TOKEN in Cortex XSIAM, as explained in the following step. After you close the dialog box by clicking Ok, got it, you cannot view the token again and must create a new one if you did not record it.

  2. Configure the Okta Data Sources settings in Cortex XSIAM

    1. Select Settings > Data Sources.

    2. On the Data Sources page, click Add Data Source, search for and select Okta, and click Connect.

    3. Integrate the Okta authentication service with Cortex XSIAM.

      1. Specify the OKTA DOMAIN (Org URL) that you identified in your Okta console, as explained in the previous step.

      2. Specify the TOKEN used to authenticate with Okta, which you recorded in Okta as explained in the previous step.

      3. Specify the Okta Filter to restrict collection to events of your choosing. All events are collected by default unless you define an Okta API filter expression, such as filter=eventType eq "user.session.start". For Okta information to be woven into authentication stories, "user.authentication.sso" events must be collected, so any filter you define must not exclude them.

      4. Test the connection settings.

      5. If successful, Enable Okta log collection.

        Once events start to arrive, a green check mark appears underneath the Okta configuration together with the amount of data received.

    4. After Cortex XSIAM begins receiving information from the service, you can Create an XQL Query to search for specific data. When including authentication events, you can also Create an Authentication Query to search for specific authentication data.
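The Okta API behaviour the collector relies on, namely the SSWS token in the Authorization header, the Okta Filter expression, Link rel="next" pagination and slowing down when Okta answers that too many requests have been sent, as an added example that is not part of this page or of Palo Alto Networks' collector code. It can also serve as a check that the Org URL, token and filter are right before you enter them in Cortex XSIAM: call fetch_events with your real values and leave transport unset. The endpoint, the SSWS scheme, the filter grammar and the X-Rate-Limit-Reset header are Okta's documented System Log API; the function names, the offline stand-in transport and the sample events are this example's own constructed assumptions.

```python
"""Poll Okta's System Log the way the page describes the collector doing it.

Added example for this page (not Palo Alto Networks' or Okta's code). Endpoint,
'SSWS' Authorization scheme, filter grammar, Link rel="next" pagination and the
X-Rate-Limit-Reset header are Okta's documented System Log API; function names,
the offline stand-in transport and the sample events are constructed here.
"""
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request

LOGS_PATH = "/api/v1/logs"
_NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def build_logs_url(org_url, okta_filter=None, limit=100):
    """First-page URL. okta_filter is what you would put in the collector's Okta
    Filter field, e.g. 'eventType eq "user.authentication.sso"'; None collects
    every event type, which is the collector's default."""
    params = {"limit": str(limit)}
    if okta_filter:
        params["filter"] = okta_filter
    return org_url.rstrip("/") + LOGS_PATH + "?" + urllib.parse.urlencode(params)


def auth_headers(token):
    """Okta API tokens are presented as 'Authorization: SSWS <token>'."""
    return {"Authorization": f"SSWS {token}", "Accept": "application/json"}


def next_link(link_header):
    """URL of the next page from Okta's Link header, or None on the last page."""
    m = _NEXT_LINK.search(link_header or "")
    return m.group(1) if m else None


def retry_after_seconds(headers, now):
    """Back-off after a 429. Okta's X-Rate-Limit-Reset is the epoch second at
    which the window resets; header names are expected lowercased here."""
    reset = headers.get("x-rate-limit-reset")
    return 1.0 if reset is None else max(0.0, float(reset) - now) + 1.0


def _urllib_transport(url, headers):
    """Real HTTP transport: returns (status, headers, body) without raising."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def fetch_events(org_url, token, okta_filter=None, transport=None,
                 sleep=time.sleep, clock=time.time, max_pages=50):
    """Walk every page of the System Log; returns (events, number_of_429s)."""
    transport = transport or _urllib_transport
    headers = auth_headers(token)
    url = build_logs_url(org_url, okta_filter)
    events, throttled = [], 0
    for _ in range(max_pages):
        status, resp_headers, body = transport(url, headers)
        resp_headers = {k.lower(): v for k, v in resp_headers.items()}
        if status == 429:            # too many requests: wait, then retry the same page
            throttled += 1
            sleep(retry_after_seconds(resp_headers, clock()))
            continue
        if status != 200:
            raise RuntimeError(f"Okta returned HTTP {status}: {body[:200]}")
        page = json.loads(body)
        events.extend(page)
        url = next_link(resp_headers.get("link"))
        if not url or not page:      # no next link (or an empty page) means caught up
            break
    return events, throttled


def constructed_transport():
    """Offline stand-in for Okta (constructed data): a 429 first, then two
    pages of System Log events chained by a rel="next" Link header."""
    page1 = [{"eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"},
              "actor": {"alternateId": "alice@example.com"}}]
    page2 = [{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
              "actor": {"alternateId": "bob@example.com"}}]
    replies = iter([
        (429, {"X-Rate-Limit-Reset": "1700000010"}, '{"errorCode": "E0000047"}'),
        (200, {"Link": '<https://dev-00000.okta.com/api/v1/logs?after=abc>; rel="next"'},
         json.dumps(page1)),
        (200, {"Link": '<https://dev-00000.okta.com/api/v1/logs>; rel="self"'},
         json.dumps(page2)),
    ])
    seen = []

    def transport(url, headers):
        seen.append(url)
        return next(replies)
    transport.seen = seen
    return transport


def demo():
    """Run the poller against the constructed transport; returns
    (events, throttled, sleeps_requested, urls_requested)."""
    sleeps, transport = [], constructed_transport()
    events, throttled = fetch_events(
        "https://dev-00000.okta.com", "00example-token",
        'eventType eq "user.authentication.sso"',
        transport=transport, sleep=sleeps.append, clock=lambda: 1700000000.0)
    return events, throttled, sleeps, transport.seen
```

Against the constructed replies the first request is throttled, the poller sleeps until one second past the reset time and re-requests the same page, then follows the rel="next" link once and stops when the last Link header carries no next relation. With a real Org URL and token, a filter that matches nothing returns an empty page and no error, which is how a typo in the Okta Filter field presents itself; a wrong token returns HTTP 401, which the collector's Test step will also report.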