Okta Monitoring

Updated Oct 30, 2023

Configure Okta for Arctic Wolf monitoring

You can configure Okta® to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

Before you begin

See Security Administrators for more information.

Steps

  1. Create an Okta API token.
  2. Configure Okta ThreatInsight to exclude trusted IP addresses.
  3. Enable Security Notification emails.
  4. (Optional) Enable phishing-resistant authentication.
  5. Provide your Okta credentials to Arctic Wolf.

Step 1: Create an Okta API token

  1. Sign in to Okta with administrator permissions.

  2. In the API menu, click Security.

  3. Click Tokens, and then click Create Token.

  4. Enter a name for the token. For example, Arctic Wolf - Log Monitoring.

  5. Click Create Token.

  6. Copy the Token value, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

    Note: You cannot retrieve the token value after dismissing this form.

  7. Click OK, got it.

    The new token appears in the list of active API tokens.

    Tip: Click the trash can to revoke a token.

Step 2: Configure Okta ThreatInsight to exclude trusted IP addresses

  1. In the Admin Console, click Security > General.

  2. Click Okta ThreatInsight settings.

  3. Click Edit.

  4. Select Log authentication attempts from malicious IPs.

    Okta ThreatInsight is permitted to log information about potentially malicious sign-in attempts.

    Tip: You can alternatively select Log and enforce security based on threat level if you have configured trusted IP addresses, including network gateways or Okta agents.

  5. In the Exempt Zones field, enter and select the names of the network zones that contain the IP addresses you trust and want Okta ThreatInsight to allow.

    See Network zones for more information.

  6. Click Save.

Step 3: Enable Security Notification emails

  1. In the Admin Console, click Security > General.
  2. In the Security notification emails section, click Edit.
  3. In the Report suspicious activity via email list, click Enabled.
  4. Click Save.

Step 4: Enable phishing-resistant authentication

This step is optional.

  1. Configure WebAuthn and Okta Verify.

    See Configure the FIDO2 (WebAuthn) authenticator and Configure the Okta Verify authenticator for more information.

  2. Configure Okta FastPass.

    See Configure Okta FastPass for more information.

  3. Configure authenticator enrollment policies for Okta FastPass and WebAuthn.

    See Create an authenticator enrollment policy for more information.

  4. Configure authentication policies that require either WebAuthn or Okta FastPass as a phishing-resistant possession factor.

    See Add an authentication policy rule for more information.

Step 5: Provide your Okta credentials to Arctic Wolf

Note: Unused API tokens automatically expire after 30 days. You must provide the token credentials to Arctic Wolf before the expiry date. After Arctic Wolf provisions the API token, it is consistently in use and does not expire.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Cloud Services list, select Okta.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • URL — Enter the Okta URL for your organization. For example, https://<company name>.okta.com.

    • API Token — Enter the API token obtained in Create an Okta API token.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
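
A pre-flight check for the values entered in Step 5, added here as an example and not taken from Arctic Wolf or Okta documentation: it validates the organization URL and sends one read-only System Log request with the token, using Okta's `SSWS` authorization scheme and `/api/v1/logs` endpoint (neither is named on this page). The environment variable names `OKTA_ORG_URL` and `OKTA_API_TOKEN` are assumptions.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Meaning of the HTTP status Okta returns for the System Log request.
VERDICTS = {
    200: "ok: token can read the System Log",
    401: "rejected: token is invalid, revoked or expired",
    403: "forbidden: the token's admin cannot read the System Log",
    429: "rate limited: retry later",
}


def build_logs_request(org_url, token):
    """Build a GET for one System Log event, authenticated with the API token."""
    parts = urlsplit(org_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("URL must look like https://<company name>.okta.com")
    if parts.path not in ("", "/") or parts.query or "@" in parts.netloc:
        raise ValueError("enter the organization URL only, no path or credentials")
    if not token or token != token.strip():
        raise ValueError("token is empty or has stray whitespace from copy/paste")
    return urllib.request.Request(
        f"https://{parts.netloc}/api/v1/logs?limit=1",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )


def check_token(org_url, token, opener=urllib.request.urlopen):
    """Return a verdict string; `opener` is injectable so this can be tested offline."""
    request = build_logs_request(org_url, token)
    try:
        with opener(request, timeout=15) as response:
            status = response.status
    except urllib.error.HTTPError as err:
        status = err.code  # Okta reports authentication failures as HTTP errors
    return VERDICTS.get(status, f"unexpected HTTP status {status}")


if __name__ == "__main__":
    # Hypothetical variable names; the token is read from the environment so it
    # never appears in shell history or the process list.
    print(check_token(os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"]))
```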
