Help Documentation

Cloud Detection and Response

Okta Monitoring

Updated Sep 27, 2023

Configure Okta monitoring

This document describes how to configure an Okta API token with the necessary permissions for Arctic Wolf® to monitor Okta® audit logs using the Okta administration web user interface (UI).

After you complete this process, you must provide this information to Arctic Wolf on the Arctic Wolf Portal:

Before you begin

To complete the steps below, sign in to Okta as a user with administrator privileges. An Okta API token has the same permissions as the user who creates it, and if the user permissions change, the API token permissions also change. The user creating the API token must have the following Okta permissions so that token is capable of retrieving the required Okta audit sign information:

The Read Only Admin, Super Admin, and Org Admin roles have these permissions. However, Arctic Wolf recommends creating the API token as a user with the Read Only Admin role, as this provides the API token with the minimum set of permissions required for the task.

You may create a dedicated Read Only Admin user for generating the API token if there is not already a user with this role available.

Note: This user must remain active for as long as the API token is in use.

See Security Administrators in the Okta documentation for more information about the various administrator roles available in Okta and instructions on how to create a new admin user.

Note: You need an Okta account to view Okta documentation.

Create the Okta API token

  1. Sign in to Okta as a user with the appropriate permissions.

  2. From the API menu, select Security.

  3. Click Tokens, and then select Create Token.

  4. Enter a name for the token, such as Arctic Wolf - Log Monitoring, and then click Create Token.

  5. Copy the Token value contents to submit to Arctic Wolf later.

    Note: You cannot retrieve the token value after dismissing this form.

  6. Click OK, got it. The newly created token appears in the list of active API tokens.

    Tip: Click on the trash can to revoke a token.

  7. Proceed to Provide credentials to Arctic Wolf.

    Note: Since unused API tokens automatically expire after 30 days, you must provide the token credentials to Arctic Wolf promptly. Once Arctic Wolf provisions the token, the API token is consistently in use and does not expire.

Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Okta.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. In the URL field, enter the Okta URL for your organization, such as https://<company name>.okta.com.
    3. In the API Token field, enter the API token obtained earlier.
    4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.