Configure Okta for Arctic Wolf monitoring

You can configure Okta® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • (Optional) An Okta account to view Okta documentation.

These actions are required:

  • Sign in to Okta as a user with administrator permissions. The Read Only Admin, Super Admin, and Org Admin roles have these permissions.
  • Arctic Wolf recommends that you use a dedicated Read Only Admin role to create the Okta API token.
    Note:
    • Before the API token can retrieve the required Okta audit sign-in information, the user creating the API token must have these Okta permissions:
      • View users
      • View groups
      • View System Log

      API token permissions match the permissions of the user that creates the token. If the user permissions change, the API token permissions also change.

    • This user must remain active for as long as the API token is in use.

For more information, see Security Administrators.

Create an Okta API token

  1. Sign in to Okta with administrator permissions.
  2. In the Security menu, click API.
  3. Click the Tokens tab, and then click Create token.
  4. Enter a name for the token. For example, Arctic Wolf - Log Monitoring.
  5. In the API calls made with this token must originate from list, select Any IP.
  6. Click Create token.
  7. Copy the Token value, and then save it in a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:

    You cannot retrieve the token value after dismissing this form.

  8. Click OK, got it.

    The new token appears in the list of active API tokens.

    Tip:

    Click the trash can to revoke a token.
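
Before you provide the token to Arctic Wolf, you can confirm that it can read users, groups, and the System Log. The following check is an added example, not Arctic Wolf or Okta code. The environment variable names OKTA_ORG_URL and OKTA_API_TOKEN are assumptions, as is treating an HTTP 200 from each list endpoint as proof of the matching permission.

```python
import os
import sys
import urllib.error
import urllib.request

# One read-only list call per permission named in the note above.
# Assumption: an HTTP 200 from the endpoint is treated as proof of the permission.
CHECKS = {
    "View users": "/api/v1/users?limit=1",
    "View groups": "/api/v1/groups?limit=1",
    "View System Log": "/api/v1/logs?limit=1",
}


def http_status(url, token):
    """GET url with Okta's SSWS API-token header and return the HTTP status."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"SSWS {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 = token invalid or revoked, 403 = permission missing


def check_token(org_url, token, fetch=http_status):
    """Return {permission: bool} for the three permissions the token needs."""
    base = org_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("Okta org URL must start with https://")
    return {name: fetch(base + path, token) == 200 for name, path in CHECKS.items()}


def missing_permissions(results):
    """List the permissions whose check did not return HTTP 200."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    # Read the token from the environment so it never lands in shell history.
    results = check_token(os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"])
    for name, ok in results.items():
        print(f"{'OK     ' if ok else 'MISSING'}  {name}")
    sys.exit(1 if missing_permissions(results) else 0)
```

A non-zero exit status means at least one permission check failed, so review the role of the user who created the token before submitting it.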

Configure Okta ThreatInsight to exclude trusted IP addresses

  1. In the Admin Console, click Security > General.
  2. Click Okta ThreatInsight settings.
  3. Click Edit.
  4. Select Log authentication attempts from malicious IPs.

    Okta ThreatInsight is permitted to log information about potentially malicious sign-in attempts.

    Tip:

    You can alternatively select Log and enforce security based on threat level if you have configured trusted IP addresses, including network gateways or Okta agents.

  5. In the Exempt Zones field, enter and select the names of the network zones that contain the IP addresses you trust and want Okta ThreatInsight to allow.

    See Network zones for more information.

  6. Click Save.

Enable Security Notification emails

  1. In the Admin Console, click Security > General.
  2. In the Security notification emails section, click Edit.
  3. In the Report suspicious activity via email list, click Enabled.
  4. Click Save.

Enable phishing-resistant authentication

This step is optional.

  1. Configure WebAuthn and Okta Verify.
  2. Configure Okta FastPass.

    See Configure Okta FastPass for more information.

  3. Configure authenticator enrollment policies for Okta FastPass and WebAuthn.

    See Create an authenticator enrollment policy for more information.

  4. Configure authentication policies that require either WebAuthn or Okta FastPass as a phishing-resistant possession factor.

    See Add an authentication policy rule for more information.

Provide Okta credentials to Arctic Wolf

Note:

Unused API tokens automatically expire after 30 days. You must provide the token credentials to Arctic Wolf before the expiry date. After Arctic Wolf provisions the API token, it is consistently in use and does not expire.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Okta.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • URL — Enter the Okta URL for your organization. For example, https://<company name>.okta.com.
    • API Token — Enter the API token obtained in Create an Okta API token.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.