Okta is an identity provider delivered as a service (IDaaS): it manages an organization's identities and centralizes authentication across multiple applications (SSO) in a single, secure place. The Okta service itself runs as a cloud service. Okta lets organizations move faster, with elastic scalability and lower cost for their identity management and identity provider needs. At the same time, the public-cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Obtain and retain a full audit trail of the activities in the Okta account
- Retrieve the Okta account activities, such as user access, permission changes, 2FA events, Okta application changes and more
- Make these granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs
- Detect security threats and policy violations in the Okta account
What is it
SkyFormation Cloud Connector for Okta is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the Okta account, unifies the events into a common application event format, enriches them with the context needed for detection and sends them to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Okta retrieves the events from the Okta service through the service APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context, such as AD identity information
- Encode the resulting event into a standard format, such as CEF
- Send the event to the existing SIEM/SOC system over syslog
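The pipeline above, carried through end to end on one event, as an added example (not SkyFormation's or Okta's code): normalize an Okta log event into a flat unified record, embed the untouched origin event, fill in a missing field, enrich with directory context, encode as CEF and frame the line for syslog. The sample event, the AD lookup table, the CEF vendor/product strings and the severity mapping are all constructed here; the event layout follows the public Okta System Log schema (eventType, actor, client, outcome), but the values are placeholders.

```python
"""Okta event -> unified record -> AD enrichment -> CEF -> syslog framing.
Added example; every constant below is a constructed placeholder."""
import json
import socket
from datetime import datetime, timezone

# Constructed sample in the shape of an Okta System Log event (assumption).
SAMPLE_OKTA_EVENT = {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "published": "2024-05-01T12:34:56.000Z",
    "eventType": "user.session.start",
    "displayMessage": "User login to Okta",
    "severity": "INFO",
    "actor": {"id": "00u1", "type": "User",
              "alternateId": "jane.doe@example.com", "displayName": "Jane Doe"},
    "client": {"ipAddress": "203.0.113.10",
               "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "target": [],
}

# Placeholder directory context standing in for an AD lookup.
AD_DIRECTORY = {
    "jane.doe@example.com": {"samAccountName": "jdoe", "department": "Finance"},
}

# Okta severity label -> CEF 0-10 severity (mapping chosen for this example).
SEVERITY_MAP = {"DEBUG": 1, "INFO": 3, "WARN": 6, "ERROR": 8}


def unify_event(okta_event):
    """Map the Okta-specific layout onto a flat, unified record."""
    actor = okta_event.get("actor", {})
    outcome = okta_event.get("outcome", {})
    client = okta_event.get("client", {})
    unified = {
        "event_id": okta_event.get("uuid"),
        "timestamp": okta_event.get("published"),
        "action": okta_event.get("eventType"),
        "message": okta_event.get("displayMessage"),
        "user": actor.get("alternateId"),
        "user_display": actor.get("displayName"),
        "src_ip": client.get("ipAddress"),
        "user_agent": (client.get("userAgent") or {}).get("rawUserAgent"),
        "outcome": outcome.get("result"),
        "reason": outcome.get("reason"),
        "severity": SEVERITY_MAP.get(okta_event.get("severity", "INFO"), 3),
        # Embed the untouched origin event so nothing is lost downstream.
        "origin": json.dumps(okta_event, separators=(",", ":")),
    }
    # Complement missing information: fall back to the event type as message.
    if not unified["message"]:
        unified["message"] = unified["action"] or "unknown"
    return unified


def enrich_with_ad(unified, directory=AD_DIRECTORY):
    """Attach directory attributes for the acting user (placeholder lookup)."""
    entry = directory.get(unified.get("user") or "", {})
    unified["ad_account"] = entry.get("samAccountName")
    unified["ad_department"] = entry.get("department")
    return unified


def _cef_header(value):
    """CEF header fields escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    """CEF extension values escape backslash and '='; newlines are flattened."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", " ").replace("\n", " "))


def to_cef(unified, vendor="ExampleVendor", product="OktaConnector", version="1.0"):
    """Encode the unified record as a CEF:0 line."""
    header = "|".join(_cef_header(v) for v in (
        vendor, product, version, unified["action"], unified["message"], unified["severity"]))
    ext_fields = {
        "externalId": unified["event_id"], "end": unified["timestamp"],
        "suser": unified["user"], "src": unified["src_ip"],
        "requestClientApplication": unified["user_agent"],
        "outcome": unified["outcome"], "reason": unified["reason"],
        "duser": unified["ad_account"],
        "cs1Label": "department", "cs1": unified["ad_department"],
        "cs2Label": "origin", "cs2": unified["origin"],
    }
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in ext_fields.items() if v is not None)
    return f"CEF:0|{header}|{ext}"


def to_syslog(cef_line, hostname="okta-connector", facility=4, severity=6):
    """Frame the CEF line as an RFC 3164-style syslog message (PRI = facility*8 + severity)."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {cef_line}"


def send_syslog(message, host, port=514):
    """Ship one framed message over UDP syslog to the SIEM collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def process(okta_event):
    """Full pipeline for one event: unify, enrich, encode."""
    return to_cef(enrich_with_ad(unify_event(okta_event)))


if __name__ == "__main__":
    print(to_syslog(process(SAMPLE_OKTA_EVENT)))
```

The origin event travels in the `cs2` extension field so an analyst can always recover the raw Okta record from the SIEM; escaping in both header and extension matters because a display message or user agent containing `|` or `=` would otherwise corrupt the CEF parse on the receiving side.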
Okta Audit Sources & Events Supported
| Audit Source (API) | Service/Module Covered | Event Types | Events included |
|---|---|---|---|
| Events | Authentication | Application Authentication, Delegated Authentication, Rich Client Authentication, User Authentication, User MFA Authentication, User RADIUS Authentication | Represents authentication events from apps, users, systems etc. |
| Events | Application User Management | update user password, update user profile, add/remove user from app, verify app user, de/activate app user, de/activate API user in app, update app API credentials etc. | Represents events related to application user management activities |
| Events | Application Group Management | add/remove group from app, update group membership, create group mapping from rule, de/activate app group, group admin granted/revoked etc. | Represents events related to Okta application group management |
| Events | Application Management | app user added/removed, app de/activated, app config updated, app user updated, app user credentials updated, app instance config changed etc. | Represents events related to Okta application management |
| Events | Credentials Management | credentials recovered by app/individual | Represents events related to credentials management |
| Events | User Management | password updated, user de/activated, password reset, user added/removed | Represents events related to user management activities |
| Events | User Impersonation | session started, session ended, impersonation granted/revoked etc. | Represents events related to user impersonation sessions |