Okta integration
You can integrate Okta with Sophos Central.
You can configure two kinds of integration:
- A Data Ingest integration sends Okta authentication and authorization data to Sophos for analysis.
- A Response Action integration lets you use Okta actions to resolve detected issues. See Response actions.
This page gives you an overview of the integration.
Okta product overview
Okta's IAM tool is a cloud-based service that simplifies and secures user access to applications, systems, and data. It works by providing a centralised platform for managing user identities, authentication, authorisation, and Single Sign-On (SSO) across various applications and systems.
Sophos documents
What we ingest
Sample alerts seen by Sophos:
security.authenticator.lifecycle.activate
security.authenticator.lifecycle.create
security.authenticator.lifecycle.deactivate
security.authenticator.lifecycle.update
security.device.add_request_blacklist_policy
Alerts ingested in full
We ingest alerts via the Okta System Log API where the event type is one of the following:
security.authenticator.lifecycle.activate
security.authenticator.lifecycle.create
security.authenticator.lifecycle.deactivate
security.authenticator.lifecycle.update
security.device.add_request_blacklist_policy
security.device.remove_request_blacklist_policy
security.device.temporarily_disable_blacklisting
security.internal.threat.detected
security.request.blocked
security.session.detect_client_roaming
security.threat.configuration.update
security.threat.detected
security.voice.add_country_blacklist
security.voice.remove_country_blacklist
security.zone.make_blacklist
security.zone.remove_blacklist
Filtering
We query the auth logs endpoint. See System Log API.
We filter the results to confirm the format only.
Sample threat mappings
The alert type is defined by the Okta field eventType.
Sample alerts:
{"alertType": "application.user_membership.add", "threatId": "T1484.001", "threatName": "Group Policy Modification"}
{"alertType": "application.user_membership.change_password", "threatId": "T1098", "threatName": "Account Manipulation"}
{"alertType": "system.agent.ad.read_ldap", "threatId": "T1087", "threatName": "Account Discovery"}
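The two ingest-side steps described above (filtering System Log results to the listed event types with a format check, and mapping an alert to a threat by its eventType), written out as an added example. This is illustrative code, not Sophos or Okta code: the log lines are constructed, the filter expression syntax is assumed to match the Okta System Log API, and THREAT_MAP holds only the three sample mappings shown on this page.

```python
"""Ingest-side filtering of Okta System Log entries and the eventType-based
threat mapping. Added example, not Sophos or Okta code: the log lines are
constructed, the filter syntax is assumed to match the Okta System Log API,
and THREAT_MAP holds only the three sample mappings on this page."""
import json
from typing import Iterable, Optional

# Event types that are ingested in full (list taken from this page).
INGESTED_EVENT_TYPES = frozenset({
    "security.authenticator.lifecycle.activate",
    "security.authenticator.lifecycle.create",
    "security.authenticator.lifecycle.deactivate",
    "security.authenticator.lifecycle.update",
    "security.device.add_request_blacklist_policy",
    "security.device.remove_request_blacklist_policy",
    "security.device.temporarily_disable_blacklisting",
    "security.internal.threat.detected",
    "security.request.blocked",
    "security.session.detect_client_roaming",
    "security.threat.configuration.update",
    "security.threat.detected",
    "security.voice.add_country_blacklist",
    "security.voice.remove_country_blacklist",
    "security.zone.make_blacklist",
    "security.zone.remove_blacklist",
})

# Sample eventType -> (threatId, threatName) mappings from this page.
THREAT_MAP = {
    "application.user_membership.add": ("T1484.001", "Group Policy Modification"),
    "application.user_membership.change_password": ("T1098", "Account Manipulation"),
    "system.agent.ad.read_ldap": ("T1087", "Account Discovery"),
}

# Fields every System Log entry carries; used for the format check only.
REQUIRED_FIELDS = ("uuid", "published", "eventType", "severity", "actor", "outcome")


def build_log_filter(event_types: Iterable[str]) -> str:
    """Filter expression for GET /api/v1/logs?filter=... (assumed Okta syntax:
    'eventType eq "..."' terms joined with 'or')."""
    return " or ".join(f'eventType eq "{t}"' for t in sorted(event_types))


def has_expected_format(entry: dict) -> bool:
    """Format check: required fields present, actor and outcome are objects."""
    return (all(field in entry for field in REQUIRED_FIELDS)
            and isinstance(entry["actor"], dict)
            and isinstance(entry["outcome"], dict))


def ingest(raw_lines: Iterable[str]):
    """Parse JSON lines; keep well-formed entries whose eventType is ingested.
    Returns (accepted entries, lines rejected for format)."""
    accepted, rejected = [], []
    for line in raw_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)
            continue
        if not isinstance(entry, dict) or not has_expected_format(entry):
            rejected.append(line)
            continue
        if entry["eventType"] in INGESTED_EVENT_TYPES:
            accepted.append(entry)
    return accepted, rejected


def map_threat(entry: dict) -> Optional[dict]:
    """The alert type is the eventType; look it up in the sample threat mappings."""
    mapping = THREAT_MAP.get(entry.get("eventType"))
    if mapping is None:
        return None
    threat_id, threat_name = mapping
    return {"alertType": entry["eventType"], "threatId": threat_id, "threatName": threat_name}


# Constructed sample log lines (not real Okta output): one ingested type,
# one non-ingested type, one entry missing required fields, one non-JSON line.
SAMPLE_LOG_LINES = [
    json.dumps({"uuid": "c0ffee01-0000-4000-8000-000000000001", "published": "2024-01-01T00:00:00.000Z",
                "eventType": "security.threat.detected", "severity": "WARN",
                "actor": {"id": "00uEXAMPLE", "type": "User"}, "outcome": {"result": "SUCCESS"}}),
    json.dumps({"uuid": "c0ffee01-0000-4000-8000-000000000002", "published": "2024-01-01T00:00:01.000Z",
                "eventType": "user.session.start", "severity": "INFO",
                "actor": {"id": "00uEXAMPLE", "type": "User"}, "outcome": {"result": "SUCCESS"}}),
    '{"uuid": "c0ffee01-0000-4000-8000-000000000003", "eventType": "security.request.blocked"}',
    "not json at all",
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_LOG_LINES)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    print(build_log_filter(["security.threat.detected", "security.request.blocked"]))
    print(map_threat({"eventType": "system.agent.ad.read_ldap"}))
```

Note that the three sample mappings use event types that are not in the fully ingested list, so the two functions are independent: `ingest` decides what is kept, `map_threat` decides what threat an alert is labelled with, and both key on eventType.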
Response actions
You can configure an integration that lets you use Okta actions to resolve detected issues.
The available actions are as follows:
- Suspend user
- Unsuspend user
- Expire user password
- Expire user session
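The four response actions above, as an added dry-run example that prepares the Okta API call behind each action and orders them into a simple containment playbook. This is not Sophos or Okta code: the endpoint paths are assumptions based on the public Okta Users API and should be checked against Okta's reference, and the org URL, user id and `OKTA_API_TOKEN` variable name are placeholders.

```python
"""Dry-run builder for the four Okta response actions listed on this page.
Added example, not Sophos or Okta code: the endpoint paths are assumptions
based on the public Okta Users API; org URL, user id and env var are placeholders."""
import os
from typing import Dict, List, Tuple

ORG_URL = "https://example.okta.com"  # placeholder Okta org URL

# Response action (as named on this page) -> (HTTP method, path template).
# Paths are assumptions; verify them against Okta's Users API reference.
RESPONSE_ACTIONS: Dict[str, Tuple[str, str]] = {
    "Suspend user": ("POST", "/api/v1/users/{user_id}/lifecycle/suspend"),
    "Unsuspend user": ("POST", "/api/v1/users/{user_id}/lifecycle/unsuspend"),
    "Expire user password": ("POST", "/api/v1/users/{user_id}/lifecycle/expire_password"),
    "Expire user session": ("DELETE", "/api/v1/users/{user_id}/sessions"),
}


def is_supported_action(action: str) -> bool:
    """Only the actions the integration exposes may be issued."""
    return action in RESPONSE_ACTIONS


def build_request(action: str, user_id: str) -> Tuple[str, str]:
    """Return (method, url) for one action without sending it. Rejects unknown
    actions and user ids containing characters that could alter the path."""
    if not is_supported_action(action):
        raise ValueError(f"unsupported response action: {action!r}")
    if not user_id or any(c in user_id for c in "/?#"):
        raise ValueError("user id must be a bare Okta user id")
    method, path = RESPONSE_ACTIONS[action]
    return method, ORG_URL + path.format(user_id=user_id)


def auth_headers() -> Dict[str, str]:
    """API-token header for the Okta REST API (SSWS scheme). The token is read
    from the environment so it never lands in code or logs; OKTA_API_TOKEN is
    an assumed variable name."""
    token = os.environ.get("OKTA_API_TOKEN", "<placeholder-token>")
    return {"Authorization": f"SSWS {token}", "Accept": "application/json"}


def containment_plan(user_id: str) -> List[Tuple[str, str, str]]:
    """Playbook for a compromised-account detection: end live sessions, force a
    password change, then suspend. The order is this example's choice."""
    steps = ["Expire user session", "Expire user password", "Suspend user"]
    return [(action, *build_request(action, user_id)) for action in steps]


if __name__ == "__main__":
    for action, method, url in containment_plan("00uEXAMPLE"):
        print(f"{action:22} {method:6} {url}")
```

Because the API token inherits the privileges of the admin that created it, the token used here should belong to the least-privileged role the page recommends for a Response Actions integration, and the request builder deliberately refuses any action outside the four listed.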
Vendor documentation
Helpful information
If you're using a trial account, make sure that the URL hasn't expired.
If you're an MDR customer, your selected threat response mode, for example collaboration with our MDR analysts, overrides actions you set up in a Response Actions integration.
API tokens inherit the privilege level of the admin account used to create them. The recommended least privilege administrator roles are as follows:
- For a Data Ingest integration: Report Admin.
- For a Response Actions integration: Org Admin.
For more information on creating Okta API tokens, administrator roles, and permissions, see: Create an API token.