
Okta Integration Guide

The following instructions are for configuring an Okta integration to facilitate log ingestion into Secureworks® Taegis™ XDR.

Note

Integrating Okta lets XDR ingest Okta logs to enhance its monitoring data. It is not used for single sign-on (SSO) into XDR.

Okta Requirements

An active Okta account with the Super Admin role is required to create a service app.

Data Provided from Integration

| | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
| Okta | CloudAudit, Auth | | |

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Create the Service App in Okta

Note

XDR supports OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) tokens.

The following is required to add the Okta integration in XDR:

  • Integration name
  • Org URL — Refer to the vendor's documentation to find this value
  • Client ID
  • Key ID of the Public Key added for the Service App
  • RSA Private Key in PEM format

Procedure

  1. Create a service app integration in the Okta Admin console.

    Create the Service App

  2. Use the following settings:

    • Client Authentication — Public Key / Private Key
    • Public Key Configuration — Save keys in Okta
  3. Generate a JWK key pair or use an existing key pair.

    Add the Key Pair

    Create the Key Pair

  4. Grant allowed scopes. The okta.logs.read scope is required.

    Okta API Scopes

    Grant the okta.logs.read Scope

  5. Assign an admin role. The Report Administrator role is required.

    Grant the Required Role


Add Integration in XDR

  1. From the Taegis Menu, select Integrations → Cloud APIs.

  2. Select Add an Integration from the top of the page.

    Add an Integration

  3. From the Optimized tab, select Okta.

    Create the Okta Integration

  4. Enter the following fields:

    • Integration Name — Any unique string
    • Org URL/Issuer URL — The URL of the Okta instance for your account

    Note

    The Org URL is found in your browser’s address bar after logging in to your Okta portal and takes the format https://xxxxxxxx.okta.com, https://xxxxxxxx.okta-emea.com, or https://xxxxxxxx.oktapreview.com.

  5. Upload the Private Key created in the previous section.

  6. Select Done. The Manage Integrations page displays with the successfully added Okta integration listed under Cloud API Integrations.

    Tip

    You can use the Integration Name defined in step 3 above to identify the integration within the Cloud API Integrations table.
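
A pre-flight check of the values this page asks for (Org URL, Client ID, Key ID, RSA private key in PEM) before they are entered in XDR. This is an added example, not Secureworks or Okta code. The function names, the accepted PEM labels (PKCS#1 or unencrypted PKCS#8) and the sample values are assumptions; the Org URL suffixes are the ones listed in the note above.

```python
import base64
import re
from urllib.parse import urlsplit

OKTA_SUFFIXES = (".okta.com", ".okta-emea.com", ".oktapreview.com")  # from the note
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption; marks RSA in PKCS#8
PEM_RE = re.compile(
    r"\A\s*-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----\s*\Z", re.S)

def check_org_url(url):
    """Return a list of problems with the Org URL (empty list means OK)."""
    parts = urlsplit(url.strip())
    host, problems = parts.hostname or "", []
    if parts.scheme != "https":
        problems.append("Org URL must use https")
    if not any(host.endswith(s) and len(host) > len(s) for s in OKTA_SUFFIXES):
        problems.append("host is not one of the documented Okta domains")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("Org URL must not carry a path, query or fragment")
    return problems

def check_private_key(pem_text):
    """Return a list of problems with the PEM text (empty list means OK)."""
    m = PEM_RE.match(pem_text)
    if not m:
        return ["not a PEM block with matching BEGIN/END lines"]
    label, body = m.groups()
    # Assumption: only PKCS#1 or unencrypted PKCS#8 RSA keys are acceptable.
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY") or "Proc-Type:" in body:
        return [f"'{label}' block is not an unencrypted RSA private key"]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return ["PEM body is not valid base64"]
    is_rsa = label == "RSA PRIVATE KEY" or RSA_OID in der[:40]
    return [] if der[:1] == b"\x30" and is_rsa else ["DER payload is not an RSA key"]

def preflight(org_url, client_id, key_id, pem_text):
    """Return {field: [problems]} for each form value that fails a check."""
    report = {"org_url": check_org_url(org_url),
              "client_id": [] if client_id.strip() else ["Client ID is empty"],
              "key_id": [] if key_id.strip() else ["Key ID is empty"],
              "private_key": check_private_key(pem_text)}
    return {field: probs for field, probs in report.items() if probs}

def sample_pem(label="RSA PRIVATE KEY", der=b"\x30\x82\x04\xa4" + bytes(64)):
    """Constructed placeholder with PEM framing only; NOT a usable key."""
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

The checks are structural only: they catch a public key, certificate, encrypted key or non-RSA key pasted by mistake, but they do not prove the key matches the Key ID registered in Okta.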

Events Received from Okta

The following ingest events are received from Okta integrations and normalized to the auth schema:

  • app.oauth2.as.authorize.code
  • app.oauth2.as.token.grant.access_token
  • app.oauth2.as.token.grant.id_token
  • app.oauth2.as.token.grant.refresh_token
  • inline_hook.response.processed
  • policy.evaluate_sign_on
  • policy.lifecycle.activate
  • policy.lifecycle.create
  • policy.lifecycle.deactivate
  • policy.lifecycle.update
  • policy.rule.add
  • policy.rule.deactivate
  • policy.rule.update
  • user.account.privilege.grant
  • user.account.reset_password
  • user.account.update_password
  • user.account.update_profile
  • user.authentication.auth_via_mfa
  • user.authentication.sso
  • user.authentication.verify
  • user.mfa.factor.activate
  • user.mfa.factor.deactivate
  • user.mfa.factor.reset_all
  • user.session.clear
  • user.session.end
  • user.session.start
  • system.sms.send_phone_verification_message
  • system.voice.send_phone_verification_call

The following ingest events are received from Okta integrations and normalized to the cloudaudit schema:

  • system.api_token.create
  • system.api_token.create.revoke
  • application.user_membership.add
  • application.user_membership.change_password
  • application.user_membership.remove
  • user.session.access_admin_app
  • user.lifecycle.activate
  • user.lifecycle.create
  • user.lifecycle.deactivate

The following ingest events are received from Okta integrations and normalized to the generic schema:

  • application.provision.user.sync
  • group.user_membership.add
  • group.user_membership.remove
  • policy.evaluate_sign_on
  • system.import.complete
  • system.import.start
  • user.account.report_suspicious_activity_by_enduser
  • user.account.update_password
  • user.authentication.authenticate
  • user.credential.enroll
  • user.lifecycle.delete.initiated
  • user.lifecycle.reactivate
  • user.lifecycle.suspend
  • user.lifecycle.unsuspend
  • user.authentication.sso

For more detailed information about managing Okta integrations, see these related topics: