Configure Okta for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform identity-based response actions in your network using Okta.

Okta supports these response actions:
  • Disable/Enable a user
    Note: Arctic Wolf cannot take identity-based actions on Okta user accounts with super administrator permissions.
  • Close user connections
  • Add/Remove a user from a security group
  • Force a password reset

For more information, see Response action descriptions.

Note: Configure this integration with your primary identity provider in a cloud-based environment. Arctic Wolf does not support hybrid or on-premises environments for identity-based response actions.

These resources are required:

  • A user account with Super Administrator permissions
    Note: This user must remain active for as long as the API token is in use.

  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Create a custom Okta user for Active Response

You must create a custom user to generate the API token and a resource set for all of the users that you want to be accessible for response actions.
  1. Sign in to the Okta Admin Console.
  2. Create a resource set:
    1. Navigate to Security > Administrators.
    2. Click the Resources tab.
    3. Click Create new resource set.
    4. On the Create new resource set page, configure these settings:
      • Name — Enter a unique and descriptive name.
      • Description — Enter a meaningful description.
    5. Click Add resource.
    6. In the Add Resource dialog, click inside the search field, and then select Users.
    7. Click All users.
    8. Click Save selection.
  3. Create a role:
    1. Navigate to Security > Administrators.
    2. Click the Roles tab.
    3. Click Create new role.
    4. On the Create new role page, configure these settings:
      • Name — Enter a name for the role.
      • Description — Enter a description for the role.
    5. In the Select permissions settings section, select these settings:
      • User > Manage users > Edit users' lifecycle states > Clear users' sessions
      • User > Manage Users > Edit users' lifecycle states > Suspend users
      • User > Manage Users > Edit users' lifecycle states > Unsuspend users
      • User > Manage Users > Edit users' authenticator operations > Set users' temporary password
      • User > Manage Users > Edit users' group membership
      • User > Manage Users > View users and their details
      • Group > Manage groups > Manage group membership
    6. Click Save role.
  4. Create the custom user:
    1. Navigate to Directory > People.
    2. Click Add person.
    3. On the Add Person page, complete these steps:
      • User type — Select User.
      • First name — Enter the first name of the user.
      • Last name — Enter the last name of the user.
      • Username — Enter a user name.
      • Primary email — Enter a valid email that you have access to.
    4. In the Activation section, select the I will set password checkbox.
    5. Enter a password, and then save the password securely using a password manager.
    6. Click Save.
  5. Assign the role to the custom user:
    1. Navigate to Security > Administrators.
    2. Click the Admins List tab.
    3. Click Add administrator.
    4. Click in the Select admin field, and then type in the email for the custom user that you created.
    5. Click the custom user.
    6. In the Role list, select the role that you created.
    7. In the Resource set list, click the resource set that you created.
    8. Click Add assignment.
    9. In the Role list, select Read-only Administrator.
      This setting ensures that the role is able to generate an API token.
    10. Click Save changes.
  6. Sign out of the Okta Admin Console.

Create an Okta API token for Active Response

  1. Sign in to the Okta Admin Console using the credentials that you created in Create a custom Okta user for Active Response.
    Note: This procedure must be performed from the restricted user account.
  2. Navigate to Security > API.
  3. Click the Tokens tab.
  4. Click Create token.
  5. In the What do you want your token to be named? field, enter a unique and descriptive name. For example, Arctic Wolf Active Response.
  6. Select the origin for the API calls using one of these methods:
    • Do not specify an IP address range — In the API calls from this token must originate from list, select Any IP.
    • Specify an IP address range — To select an IP address range:
      1. In the API calls from this token must originate from list, select In any network zone defined in Okta.
      2. Sign in to the Arctic Wolf Unified Portal.
      3. Click > Allowlist Requirements.
      4. In the Cloud Sensors section, record the values in the IP Addresses Range column.
      5. Complete Edit the network zones that API call can come from.
  7. In the Okta Admin Console, in the Create token dialog, click Create token.
  8. Copy the token and save it in a safe, encrypted location.
    You will provide this value to Arctic Wolf later.
  9. Sign out of the Okta Admin Console.

Revoke privileges for the custom Okta user

After generating the API token, the custom user no longer requires Read-only Administrator privileges.
  1. Sign in to the Okta Admin Console using the Super Administrator credentials.
  2. Navigate to Security > Administrators.
  3. Click the Admins List tab.
  4. Locate the custom user that you created in Create a custom Okta user for Active Response, and then click Edit > Edit assignments.
  5. Click Delete for the Read-only Administrator role assignment.
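
To confirm the end state of this procedure, the following added example (not Arctic Wolf or Okta code) audits the custom user's admin role assignments. It assumes the JSON list returned by Okta's GET /api/v1/users/{userId}/roles, with the type, label, status and resource-set fields as assumptions to check against your tenant; the sample records are constructed.

```python
# Added example: audit the Active Response custom user's role assignments.
# Input: parsed JSON list from GET /api/v1/users/{userId}/roles, fetched by a
# Super Administrator. Field names are assumptions; sample data is constructed.

def audit_role_assignments(assignments):
    """Return findings; an empty list means the user holds exactly one
    active custom role that is bound to a resource set and nothing else."""
    findings = []
    custom = []
    for a in assignments:
        rtype = a.get("type", "UNKNOWN")
        label = a.get("label", "<no label>")
        if rtype == "CUSTOM":
            custom.append(a)
            if not a.get("resource-set"):
                findings.append(f"custom role '{label}' has no resource set")
            if a.get("status") != "ACTIVE":
                findings.append(f"custom role '{label}' is not ACTIVE")
        elif rtype == "READ_ONLY_ADMIN":
            # Only needed while the API token is being created.
            findings.append("Read-only Administrator still assigned; "
                            "delete the assignment now that the token exists")
        else:
            # Any other standard role exceeds what the procedure grants.
            findings.append(f"unexpected standard role {rtype} ('{label}')")
    if not custom:
        findings.append("no custom role assigned")
    elif len(custom) > 1:
        findings.append(f"{len(custom)} custom roles assigned; expected 1")
    return findings

# Constructed sample records (placeholder ids, hypothetical role label).
CUSTOM_ROLE = {"id": "<assignment-id>", "type": "CUSTOM", "status": "ACTIVE",
               "label": "AW Active Response", "resource-set": "<resource-set-id>"}
READ_ONLY = {"id": "<assignment-id-2>", "type": "READ_ONLY_ADMIN",
             "status": "ACTIVE", "label": "Read-only Administrator"}

BEFORE_REVOKE = [CUSTOM_ROLE, READ_ONLY]   # state while the token is created
AFTER_REVOKE = [CUSTOM_ROLE]               # state after step 5 above

if __name__ == "__main__":
    for name, state in (("before", BEFORE_REVOKE), ("after", AFTER_REVOKE)):
        print(name, audit_role_assignments(state) or "OK")
```

Run the same audit on a schedule against the live response to catch a role being re-added to the service user.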

Provide Okta Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Okta.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> Okta Active Response Integration.

    • API Base URL — Enter the base URL of your Okta domain. For example, https://dev-47990634-admin.okta.com.

    • API Token — Enter the API token that you generated in Create an Okta API token for Active Response.

  6. Click Save Integration.