Configuring Monitoring for Okta

Configuration Guide

Overview

This document describes how to configure an Okta API token with the necessary permissions for Arctic Wolf® to monitor Okta audit logs using the Okta administration web user interface (UI).

After you complete this process, you must provide the following information to Arctic Wolf on the Arctic Wolf Portal:

Before you begin

To complete the steps below, sign in to Okta as a user with administrator privileges. An Okta API token has the same permissions as the user who creates it, and if the user permissions change, the API token permissions also change. The user creating the API token must have the following Okta permissions so that the token is capable of retrieving the required Okta audit log information:

The Read Only Admin, Super Admin, and Org Admin roles have these permissions. However, Arctic Wolf recommends creating the API token as a user with the Read Only Admin role, as this provides the API token with the minimum set of permissions required for the task.

You may create a dedicated Read Only Admin user for generating the API token if there is not already a user with this role available.

Note: This user must remain active for as long as the API token is in use.

See Security Administrators in the Okta documentation for more information about the various administrator roles available in Okta and instructions on how to create a new admin user.

Note: You need an Okta account to view Okta documentation.

Creating the Okta API token

To create the Okta API token:

  1. Sign in to Okta as a user with the appropriate permissions.

  2. From the API menu, select Security.

  3. Select Tokens, and then select Create Token.

  4. Enter a name for the token, such as Arctic Wolf - Log Monitoring, and then select Create Token.

  5. Copy the Token value contents to submit to Arctic Wolf later.

    Note: You cannot retrieve the token value after dismissing this form.

  6. Select OK, got it. The newly created token appears in the list of active API tokens.

    Tip: Click on the trash can to revoke a token.

  7. Proceed to Providing credentials to Arctic Wolf.

    Note: Since unused API tokens automatically expire after 30 days, you must provide the token credentials to Arctic Wolf promptly. Once Arctic Wolf provisions the token, the API token is consistently in use and does not expire.
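Before submitting the token, you can confirm that it reads the audit log and that you have the right organization URL. The script below is an added example, not part of the original guide and not Arctic Wolf or Okta code. It assumes Okta's System Log endpoint (/api/v1/logs) and the SSWS authorization scheme for API tokens; the function names are hypothetical and the -admin hostname check is a heuristic.

```python
"""Pre-submission check of an Okta API token (added example)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def normalize_org_url(url):
    """Return the bare https://<org host> base URL, rejecting values that would fail or expose the token."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        raise ValueError("Okta URL must start with https://")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("Okta URL must not carry credentials or a custom port")
    # Heuristic: the admin console lives on <org>-admin; API calls go to the org URL.
    if host.split(".")[0].endswith("-admin"):
        raise ValueError("use the organization URL, not the -admin console URL")
    return "https://" + host


def build_log_request(org_url, token):
    """Build a GET for a single System Log event, authenticated with the API token."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace (copy/paste error?)")
    req = urllib.request.Request(normalize_org_url(org_url) + "/api/v1/logs?limit=1")
    req.add_header("Authorization", "SSWS " + token)
    req.add_header("Accept", "application/json")
    return req


def explain_status(status):
    """Map the HTTP status of the log request to what it says about the token."""
    return {
        200: "token is valid and can read the System Log",
        401: "token is invalid, revoked, or expired",
        403: "token is valid but its user lacks permission to read logs",
        429: "rate limited; retry later",
    }.get(status, "unexpected status %d" % status)


if __name__ == "__main__":
    # Usage: python check_token.py "https://<company name>.okta.com"
    # The token is read from stdin so it stays out of shell history and process listings.
    request = build_log_request(sys.argv[1], sys.stdin.readline().strip())
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    print(explain_status(status))
```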

Providing credentials to Arctic Wolf

To provide the API token and the Okta URL of your organization to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Okta from the list of cloud services, and fill in the form:

    1. Enter a descriptive name for the credentials.

    2. Copy the Okta URL for your organization, such as https://<company name>.okta.com, into the URL text box.

    3. Copy the API token obtained earlier into the API Token text box.

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your Okta application, the status of your Okta credentials changes to Connected.