Add and configure an Okta connector

You can add an Okta connection to your Endpoint Defense console to view Okta alerts in the Alerts view. The Alerts view allows administrators to view Okta authorization and access alerts from one unified interface. The Okta connector uses the Okta events API to display event telemetry in the Alerts view. The Okta user anomaly events that are aggregated in the Alerts view include suspicious user login attempts and blocked security request events. By aggregating Okta events into these categories, you will have greater visibility into login attempts by third parties, erroneous logins by users, and login attempts from suspicious source IP addresses.

The Alerts view aggregates requests from banned IP addresses across your company's user base to provide insight into possible patterns or campaigns. The surfaced data can also contain information on the source device of the access attempt, allowing you to determine if the request was made by a human or machine.
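The cross-account aggregation described above, as an added example (not Arctic Wolf's or Okta's code, and not a description of how the connector is implemented): it groups constructed events in the Okta System Log event shape by source IP and flags sources that touch several accounts. The choice of `security.request.blocked` and failed `user.session.start` events, the attempted account being in `actor.alternateId`, and the `SCRIPT_HINTS` list are assumptions of this example.

```python
from collections import defaultdict

def _ev(event_type, result, ip, user, agent):
    """Build one constructed event using Okta System Log field names."""
    return {"eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": agent}}}

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Constructed sample data (documentation IP ranges, example.com accounts).
SAMPLE_EVENTS = [
    _ev("security.request.blocked", "FAILURE", "203.0.113.7", "alice@example.com", "python-requests/2.31.0"),
    _ev("security.request.blocked", "FAILURE", "203.0.113.7", "bob@example.com", "python-requests/2.31.0"),
    _ev("user.session.start", "FAILURE", "203.0.113.7", "carol@example.com", "python-requests/2.31.0"),
    _ev("user.session.start", "FAILURE", "198.51.100.20", "dave@example.com", BROWSER),
    _ev("user.session.start", "SUCCESS", "198.51.100.20", "dave@example.com", BROWSER),
]
# Assumption: substrings that suggest a scripted client; tune for your environment.
SCRIPT_HINTS = ("python-requests", "curl/", "go-http-client", "okhttp")

def is_alertable(ev):
    """Blocked requests always count; sign-ins count only when they failed."""
    if ev.get("eventType") == "security.request.blocked":
        return True
    return (ev.get("eventType") == "user.session.start"
            and (ev.get("outcome") or {}).get("result") == "FAILURE")

def summarize_sources(events, min_accounts=2):
    """Group alertable events by source IP; report IPs touching >= min_accounts accounts."""
    by_ip = defaultdict(lambda: {"events": 0, "accounts": set(), "agents": set()})
    for ev in filter(is_alertable, events):
        client = ev.get("client") or {}
        ip = client.get("ipAddress")
        if not ip:
            continue  # no source address to aggregate on
        row = by_ip[ip]
        row["events"] += 1
        row["accounts"].add((ev.get("actor") or {}).get("alternateId") or "unknown")
        row["agents"].add(((client.get("userAgent") or {}).get("rawUserAgent") or "").lower())
    findings = []
    for ip, row in by_ip.items():
        if len(row["accounts"]) < min_accounts:
            continue  # one account from one IP is more likely a mistyped password
        scripted = any(a == "" or any(h in a for h in SCRIPT_HINTS) for a in row["agents"])
        findings.append({"ip": ip, "events": row["events"],
                         "accounts": sorted(row["accounts"]), "likely_automated": scripted})
    return sorted(findings, key=lambda f: (-f["events"], f["ip"]))

if __name__ == "__main__":
    for finding in summarize_sources(SAMPLE_EVENTS):
        print(finding)
```
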

For more information about configuring Okta to generate alerts that can be viewed in the Alerts view, see:

For more information about the Alerts view, see Managing alerts across Aurora Endpoint Security services in the Administration content.

  1. Prepare your Okta account:
    1. Document the Okta base URL.

      You must document the Okta base URL for your environment to use it during configuration of the Okta connector. The Okta base URL will be the production URL of your Okta server.

      For more information on locating your Okta base URL, see Find your Okta Domain in the Okta documentation.

    2. Create an Okta administrator.

      You must create an Okta administrator to use the Okta API. Arctic Wolf recommends creating a dedicated user that is linked to the API token in step 3. A dedicated user aids in auditing workflows and, as a best practice, makes sure that other Okta users do not have tokens that are created and used for security operation workflows.

      For more information about creating an Okta administrator, see Create an admin role assignment using an admin in the Okta documentation.

    3. Create an Okta API token.

      You must create an Okta API token to authenticate requests to the Okta API.

      For more information on creating an Okta API token, see API token management in the Okta documentation.

  2. In the Endpoint Defense console, on the menu bar, click Settings > Connectors.
  3. Click Add Connector > Okta.
  4. In the General Information section, type a name for the connector.
  5. In the Okta Configuration section, specify the Okta service API URL, the Okta API token, and the polling frequency.
    Note: Arctic Wolf recommends leaving the polling frequency at its default value unless you have a specific rate limit requirement for your organization.
  6. Click Test Connection.
  7. Click Save.
View and manage alerts in the Alerts view. See Managing alerts across Endpoint Defense services in the Administration content.