Okta
The JSA DSM for Okta collects events by using the Okta REST API.
The following table identifies the specifications for the Okta DSM:
Table 1: Okta DSM Specifications
Specification | Value |
---|---|
Manufacturer | Okta |
DSM name | Okta |
RPM file name | |
Protocol | Okta REST API |
Event format | JSON |
Recorded event types | All |
Automatically discovered? | No |
Includes identity? | Yes |
Includes custom properties? | No |
More information | Okta website (https://www.okta.com/) |
To integrate Okta with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
   - Protocol Common
   - Okta REST API Protocol RPM
   - Okta DSM RPM

   If multiple DSM RPMs are required, the integration sequence must reflect the DSM RPM dependency.
2. Configure the required parameters by using the following table for the Okta log source specific parameters:
Table 2: Okta DSM Log Source Parameters
Parameter | Value |
---|---|
Log Source type | Okta |
Protocol Configuration | Okta REST API |
IP or Hostname | oktaprise.okta.com |
Authentication Token | A single authentication token that is generated by the Okta console and must be used for all API transactions. |
Use Proxy | When a proxy is configured, all traffic for the log source travels through the proxy for JSA to access Okta. Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank. |
Automatically Acquire Server Certificate(s) | If you select Yes from the list, JSA downloads the certificate and begins trusting the target server. |
Recurrence | You can specify when the log source collects data. The format is M/H/D for Months/Hours/Days. The default is 1 M. |
EPS Throttle | The maximum limit for the number of events per second. |
The following table provides a sample event message for the Okta DSM:
Table 3: Okta Sample Message Supported by the Okta Device
Event name | Low level category | Sample log message |
---|---|---|
Core-User Auth-Login Success | User Login Success | {"eventId":"teveLnptWDqSfKg2Gq8oO-eVg146522980aaaa","sessionId":"101V8yTdKXcQ9a9pja1uzaaaa","requestId":"V1Wh6MUxWNbrLROUi3K0jAaaaa","published":"2016-04-06T16:16:40.000Z","action":{"message":"Sign-in successful","categories":["Sign-in Success"],"objectType":"core.user_auth.login_success","requestUri":"/api/v1/authn"},"actors":[{"id":"00uzysse4pPSPXWNaaaa","displayName":"User","login":"account@oktaprise.com","objectType":"User"},{"id":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0","displayName":"FIREFOX","ipAddress":"1.2.3.4","objectType":"Client"}],"targets":[{"id":"00uzysse4pPSPXWNaaaa","displayName":"User","login":"account@oktaprise.com","objectType":"User"}]} |
Core-User Auth-Login Failed | User Login Failure | {"eventId":"tev7UdwtYhTSkGVA_rmMJgeJQ1440004117000","sessionId":"","requestId":"VdS4FTWJxk6c4mX2wB1-@wAAA9I","published":"2015-08-19T17:08:37.000Z","action":{"message":"Sign-in Failed - Not Specified","categories":["Sign-in Failure","Suspicious Activity"],"objectType":"core.user_auth.login_failed","requestUri":"/login/do-login"},"actors":[{"id":"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko","displayName":"x x","ipAddress":"1.1.1.1","objectType":"Client"}],"targets":[{"id":"","objectType":"User"}]} |
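
The following Python code is an added example, not part of JSA or of the original page. It flattens the two Table 3 sample messages into the fields an analyst searches on, including the failed-login case where the event carries no user identity. Keying the lookup on `action.objectType` is an assumption; the page only pairs each sample with its event name and category.

```python
import json

# Event name and low-level category as listed in Table 3. Only the two rows on
# the page are mapped; choosing action.objectType as the key is an assumption.
CATEGORY_MAP = {
    "core.user_auth.login_success": ("Core-User Auth-Login Success", "User Login Success"),
    "core.user_auth.login_failed": ("Core-User Auth-Login Failed", "User Login Failure"),
}

def normalize(raw):
    """Flatten one Okta event (JSON text) into a flat record for searching."""
    event = json.loads(raw)
    action = event.get("action", {})
    object_type = action.get("objectType", "")
    name, category = CATEGORY_MAP.get(object_type, (object_type or "Unknown", "Unknown"))
    actors = event.get("actors", [])
    client = next((a for a in actors if a.get("objectType") == "Client"), {})
    # A failed login can arrive with no User actor and an empty target, so look
    # at actors first, then targets, and report None instead of an empty string.
    users = [e for e in actors + event.get("targets", []) if e.get("objectType") == "User"]
    username = next((u["login"] for u in users if u.get("login")), None)
    return {
        "event_name": name,
        "category": category,
        "time": event.get("published"),
        "username": username,
        "source_ip": client.get("ipAddress"),
        "user_agent": client.get("id"),  # the Client actor's id holds the User-Agent string
        "session_id": event.get("sessionId") or None,
        "suspicious": "Suspicious Activity" in action.get("categories", []),
    }

# The two sample messages from Table 3, with table line-wrap spaces removed.
SAMPLE_SUCCESS = '{"eventId":"teveLnptWDqSfKg2Gq8oO-eVg146522980aaaa","sessionId":"101V8yTdKXcQ9a9pja1uzaaaa","requestId":"V1Wh6MUxWNbrLROUi3K0jAaaaa","published":"2016-04-06T16:16:40.000Z","action":{"message":"Sign-in successful","categories":["Sign-in Success"],"objectType":"core.user_auth.login_success","requestUri":"/api/v1/authn"},"actors":[{"id":"00uzysse4pPSPXWNaaaa","displayName":"User","login":"account@oktaprise.com","objectType":"User"},{"id":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0","displayName":"FIREFOX","ipAddress":"1.2.3.4","objectType":"Client"}],"targets":[{"id":"00uzysse4pPSPXWNaaaa","displayName":"User","login":"account@oktaprise.com","objectType":"User"}]}'
SAMPLE_FAILED = '{"eventId":"tev7UdwtYhTSkGVA_rmMJgeJQ1440004117000","sessionId":"","requestId":"VdS4FTWJxk6c4mX2wB1-@wAAA9I","published":"2015-08-19T17:08:37.000Z","action":{"message":"Sign-in Failed - Not Specified","categories":["Sign-in Failure","Suspicious Activity"],"objectType":"core.user_auth.login_failed","requestUri":"/login/do-login"},"actors":[{"id":"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko","displayName":"x x","ipAddress":"1.1.1.1","objectType":"Client"}],"targets":[{"id":"","objectType":"User"}]}'

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_FAILED):
        print(normalize(sample))
```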