
Okta integration

You can integrate Okta with Sophos Central.

You can configure two kinds of integration:

  • A Data Ingest integration sends Okta authentication and authorization data to Sophos for analysis.
  • A Response Action integration lets you use Okta actions to resolve detected issues. See Response actions.

This page gives you an overview of the integration.

Okta product overview

Okta's IAM tool is a cloud-based service that simplifies and secures user access to applications, systems, and data. It works by providing a centralised platform for managing user identities, authentication, authorisation, and Single Sign-On (SSO) across various applications and systems.

Sophos documents

Integrate Okta

What we ingest

Sample alerts seen by Sophos:

  • security.authenticator.lifecycle.activate
  • security.authenticator.lifecycle.create
  • security.authenticator.lifecycle.deactivate
  • security.authenticator.lifecycle.update
  • security.device.add_request_blacklist_policy

Alerts ingested in full

We ingest alerts via the Okta System Log API where the event type is one of the following:

  • security.authenticator.lifecycle.activate
  • security.authenticator.lifecycle.create
  • security.authenticator.lifecycle.deactivate
  • security.authenticator.lifecycle.update
  • security.device.add_request_blacklist_policy
  • security.device.remove_request_blacklist_policy
  • security.device.temporarily_disable_blacklisting
  • security.internal.threat.detected
  • security.request.blocked
  • security.session.detect_client_roaming
  • security.threat.configuration.update
  • security.threat.detected
  • security.voice.add_country_blacklist
  • security.voice.remove_country_blacklist
  • security.zone.make_blacklist
  • security.zone.remove_blacklist

Filtering

We query the auth logs endpoint. See System Log API.

We filter the results only to confirm that they are in the expected format; we don't filter them by content.

Sample threat mappings

The alert type is defined by the Okta field eventType.

Sample alerts:

{"alertType": "application.user_membership.add", "threatId": "T1484.001", "threatName": "Group Policy Modification"}
{"alertType": "application.user_membership.change_password", "threatId": "T1098", "threatName": "Account Manipulation"}
{"alertType": "system.agent.ad.read_ldap", "threatId": "T1087", "threatName": "Account Discovery"}
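The following Python script is an added illustration of the two steps described above (the format-only filter on System Log API results, and the mapping of eventType to a threat), not Sophos or Okta code. The list of ingested event types and the three threat mappings are copied from this page; the set of required fields used for the format check (uuid, published, eventType) and the sample log page are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Event types that are ingested in full, copied from the list on this page.
INGESTED_EVENT_TYPES = frozenset({
    "security.authenticator.lifecycle.activate",
    "security.authenticator.lifecycle.create",
    "security.authenticator.lifecycle.deactivate",
    "security.authenticator.lifecycle.update",
    "security.device.add_request_blacklist_policy",
    "security.device.remove_request_blacklist_policy",
    "security.device.temporarily_disable_blacklisting",
    "security.internal.threat.detected",
    "security.request.blocked",
    "security.session.detect_client_roaming",
    "security.threat.configuration.update",
    "security.threat.detected",
    "security.voice.add_country_blacklist",
    "security.voice.remove_country_blacklist",
    "security.zone.make_blacklist",
    "security.zone.remove_blacklist",
})

# eventType -> (threatId, threatName), from the three sample mappings on this page.
THREAT_MAPPINGS = {
    "application.user_membership.add": ("T1484.001", "Group Policy Modification"),
    "application.user_membership.change_password": ("T1098", "Account Manipulation"),
    "system.agent.ad.read_ldap": ("T1087", "Account Discovery"),
}

# Assumed minimum shape of a System Log record. The format check only verifies
# that these fields are present; it never drops a record because of its content.
REQUIRED_FIELDS = ("uuid", "published", "eventType")


@dataclass
class Alert:
    alert_type: str
    uuid: str
    published: str
    threat_id: Optional[str]
    threat_name: Optional[str]


def is_well_formed(event: object) -> bool:
    """Format check: a JSON object with non-empty string uuid, published and eventType."""
    if not isinstance(event, dict):
        return False
    return all(isinstance(event.get(f), str) and event[f] for f in REQUIRED_FIELDS)


def to_alert(event: dict) -> Alert:
    """Key the alert on eventType and attach a threat mapping when one is known."""
    threat_id, threat_name = THREAT_MAPPINGS.get(event["eventType"], (None, None))
    return Alert(event["eventType"], event["uuid"], event["published"], threat_id, threat_name)


def process_log_page(raw_json: str) -> dict:
    """Split one System Log API response page into ingested alerts, mapped alerts and rejects."""
    ingested, mapped, rejected = [], [], 0
    for event in json.loads(raw_json):
        if not is_well_formed(event):
            rejected += 1          # malformed record: rejected by the format filter
            continue
        alert = to_alert(event)
        if alert.alert_type in INGESTED_EVENT_TYPES:
            ingested.append(alert)
        if alert.threat_id is not None:
            mapped.append(alert)
    return {"ingested": ingested, "mapped": mapped, "rejected": rejected}


# Constructed sample page in the shape of a System Log API response (not real data).
SAMPLE_PAGE = json.dumps([
    {"uuid": "00000000-0000-4000-8000-000000000001", "published": "2024-01-01T10:00:00.000Z",
     "eventType": "security.threat.detected", "outcome": {"result": "SUCCESS"}},
    {"uuid": "00000000-0000-4000-8000-000000000002", "published": "2024-01-01T10:01:00.000Z",
     "eventType": "application.user_membership.change_password"},
    {"uuid": "00000000-0000-4000-8000-000000000003", "published": "2024-01-01T10:02:00.000Z",
     "eventType": "user.session.start"},
    {"uuid": "00000000-0000-4000-8000-000000000004", "published": "2024-01-01T10:03:00.000Z"},
])

if __name__ == "__main__":
    summary = process_log_page(SAMPLE_PAGE)
    for a in summary["ingested"]:
        print("ingested:", a.alert_type)
    for a in summary["mapped"]:
        print("mapped:", a.alert_type, "->", a.threat_id, a.threat_name)
    print("rejected:", summary["rejected"])
```

Run against the constructed page, the script keeps the security.threat.detected record as an ingested alert, maps the change_password record to T1098, passes the unrelated user.session.start record through untouched, and rejects only the record that lacks an eventType.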

Response actions

You can configure an integration that lets you use Okta actions to resolve detected issues.

The available actions are as follows:

  • Suspend user
  • Unsuspend user
  • Expire user password
  • Expire user session

Vendor documentation

System Log API

Helpful information

If you're using a trial account, make sure that the URL hasn't expired.

If you're an MDR customer, your selected threat response mode, for example collaboration with our MDR analysts, overrides actions you set up in a Response Actions integration.

API tokens inherit the privilege level of the admin account used to create them. The recommended least privilege administrator roles are as follows:

  • For a Data Ingest integration: Report Admin.
  • For a Response Actions integration: Org Admin.

For more information on creating Okta API tokens, administrator roles, and permissions, see: Create an API token.