Okta Integration Guide
The following instructions are for configuring an Okta integration to facilitate log ingestion into Secureworks® Taegis™ XDR.
Note
Integrating Okta enables XDR to enhance monitoring data via Okta. It is not used for SSO into XDR.
Okta Requirements
An active Okta account with the Super Admin role is required to create a service app.
Data Provided from Integration
| | Auth | CloudAudit | DNS | HTTP | Netflow | NIDS | Process | Thirdparty |
|---|---|---|---|---|---|---|---|---|
| Okta | D | Y | | | | | | |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Create the Service App in Okta
The following is required to add the Okta integration in XDR:
- Integration name
- Org URL — Refer to the vendor's documentation to find this value
- Client ID
- Key ID of the Public Key added for the Service App
- RSA Private Key in PEM format
Procedure
- Create a service app integration in the Okta Admin console.
  Create the Service App
- Use the following settings:
  - Client Authentication — Public Key / Private Key
  - Public Key Configuration — Save keys in Okta
- Generate a JWK key pair or use an existing key pair.
  Create the Key Pair
  Add the Key Pair
- Grant allowed scopes. The `okta.logs.read` scope is required.
  Grant the Required Scope
- Assign admin role. The Report Administrator role is required.
  Grant the Required Role
Add Integration in XDR
Create the Integration
1. From the XDR left-hand navigation, select Integrations → Cloud APIs → Add API Integration.
2. Choose Set up Okta Integrations.
3. Enter the following fields:
   - Integration Name — Any unique string
   - Org URL/Issuer URL — The URL of your Okta instance

     Note
     The Org URL is found in your browser’s address bar after logging in to your Okta portal and takes the format https://xxxxxxxx.okta.com, https://xxxxxxxx.okta-emea.com, or https://xxxxxxxx.oktapreview.com.
   - Client ID — Generated when the service app was created
   - Key ID (KID) — KID that specifies the Public Key used when the service app was created
4. Upload the Private Key created in the previous section.
5. Select Done. The Manage Integrations page displays with the successfully added Okta integration listed under Cloud API Integrations.
Tip
You can use the Integration Name defined in step 3 above to identify the integration within the Cloud API Integrations table.
Events Received from Okta
The following ingest events are received from Okta integrations and normalized to the `auth` schema:
policy.lifecycle.activate
policy.lifecycle.create
policy.lifecycle.deactivate
policy.lifecycle.update
policy.rule.add
policy.rule.deactivate
policy.rule.update
user.account.privilege.grant
user.account.reset_password
user.account.update_profile
user.mfa.factor.activate
user.mfa.factor.deactivate
user.mfa.factor.reset_all
user.session.clear
user.session.end
user.session.start
system.sms.send_phone_verification_message
system.voice.send_phone_verification_call
The following ingest events are received from Okta integrations and normalized to the `cloudaudit` schema:
system.api_token.create
system.api_token.create.revoke
application.user_membership.add
application.user_membership.change_password
application.user_membership.remove
user.session.access_admin_app
user.lifecycle.activate
user.lifecycle.create
user.lifecycle.deactivate
The following ingest events are received from Okta integrations and normalized to the `generic` schema:
application.provision.user.sync
group.user_membership.add
group.user_membership.remove
policy.evaluate_sign_on
system.import.complete
system.import.start
user.account.report_suspicious_activity_by_enduser
user.account.update_password
user.authentication.authenticate
user.credential.enroll
user.lifecycle.delete.initiated
user.lifecycle.reactivate
user.lifecycle.suspend
user.lifecycle.unsuspend
user.authentication.sso
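The event types listed above can be correlated by a defender. The following is an added example, not part of the vendor documentation and not an XDR detector or Custom Alert Rule: it flags a successful sign-in or API token creation shortly after MFA was deactivated or reset for the same user. It reads raw Okta System Log JSON (`eventType`, `published`, `outcome.result`, `actor`, `target`) rather than XDR's normalized schemas; the sample records, the 30-minute window and the function names are assumptions made for the illustration.

```python
import json
from datetime import datetime, timedelta

# Event types taken from the lists on this page.
MFA_WEAKENED = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}
FOLLOW_UP = {"user.session.start", "system.api_token.create"}

# Constructed sample records (Okta System Log field names, made-up values).
SAMPLE_LOG = """
{"published":"2024-05-01T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"}}
{"published":"2024-05-01T10:05:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"}}
{"published":"2024-05-01T10:00:00.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}]}
{"published":"2024-05-01T10:10:00.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"FAILURE"},"actor":{"alternateId":"admin@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}]}
{"published":"2024-05-01T10:12:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"}}
{"published":"2024-05-01T11:00:00.000Z","eventType":"system.api_token.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"target":[{"type":"Token","alternateId":"unknown"}]}
"""

def parse_time(stamp):
    """Parse Okta's ISO-8601 UTC timestamp (trailing 'Z')."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def affected_user(event):
    """User the event concerns: its User target if any, otherwise the actor."""
    for target in event.get("target") or []:
        if target.get("type") == "User":
            return target.get("alternateId")
    return (event.get("actor") or {}).get("alternateId")

def find_mfa_then_access(log_text, window=timedelta(minutes=30)):
    """Return (user, eventType, published) for follow-up events inside the window."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["published"])  # same-format UTC stamps sort lexically
    weakened, findings = {}, []  # weakened: user -> time MFA was last removed
    for event in events:
        if (event.get("outcome") or {}).get("result") != "SUCCESS":
            continue  # a failed attempt changed nothing
        user, when = affected_user(event), parse_time(event["published"])
        if event["eventType"] in MFA_WEAKENED:
            weakened[user] = when
        elif event["eventType"] in FOLLOW_UP and user in weakened:
            if when - weakened[user] <= window:
                findings.append((user, event["eventType"], event["published"]))
    return findings

if __name__ == "__main__":
    for finding in find_mfa_then_access(SAMPLE_LOG):
        print("review:", *finding)
```

The sample is deliberately out of order and includes a failed MFA reset and a token creation outside the window, so only the sign-in five minutes after the MFA deactivation is reported by default.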