Integrating Okta Logs With Blumira

Okta provides secure identity management with single sign-on, multi-factor authentication, lifecycle management and more.

Once the integration is configured, Blumira’s SIEM platform ingests and parses Okta log data to provide threat detection and automated, actionable response.

Okta Log Collection Configuration

The Okta System Log API [1] provides a stream of Okta event data which can be consumed by Blumira. To configure Blumira to ingest your Okta logs, follow these steps.

Preparing Okta

You will need an API token from Okta to give Blumira access to your Okta event data. Follow the instructions here [2] to create a token. Note that an Okta API token is tied to the admin account that creates it and inherits that account’s permissions, and it stops working if that account is deactivated, so create it from a dedicated service account rather than a personal one, and give that account the least privilege that can read the System Log (Okta’s Read-only Administrator role is sufficient). Okta also expires API tokens after 30 days of inactivity; a running collector keeps the token alive, but if the module is disabled for longer than that you will need a new token.

Configuring Blumira

Next, enable a Blumira sensor to connect to Okta using the API token you obtained. This connection is managed through the Okta Module, which you install on one of your Blumira sensors. You can add the module to any existing sensor, or create an additional sensor dedicated to external API modules such as this one; if you take that route, run it on a host that is not already running a sensor.

Here’s how to add the Okta module to a Blumira sensor:

  1. Once you have chosen or installed the sensor that will collect Okta logs, open that sensor’s detail page in the sensor UI (Infrastructure > Sensors > {click on a sensor}).
  2. In the Modules section for that sensor, click the Add Module button.
  3. In the Module drop-down, select the Okta API Module and choose the latest available version.
  4. Fill in the “Module Configuration” form. The fields are:
    • Okta account name: the subdomain you use to log in to Okta. For example, if you log in at “mycompany.okta.com”, enter “mycompany”.
    • Okta SSWS Token: the API token you created in the “Preparing Okta” section (SSWS is the authorization scheme Okta uses for API tokens).
    • Log Source Name: optional. Leave it empty, or set it to a short alphanumeric string without spaces that identifies this instance of the Okta integration in case you later add more (e.g. “main” or “primary”).
  5. Press Install and wait a few seconds for the system to process your request.

Within minutes of completing these steps, the module will be operational and will backfill Okta logs from the last 90 days (Okta’s System Log retention period) into the Blumira platform. The module then continuously polls Okta for the latest available events. If you later rotate or revoke the API token, update the module configuration with the new token; otherwise collection stops.
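To make the collection model concrete, the following is an added example (not Blumira’s module or Okta’s code) that polls the Okta System Log API [1] the way a collector does: one backfill query with a `since` timestamp, following the `rel="next"` Link header page by page, then keeping the last `next` URL as a cursor for continual polling. The token is sent with the `SSWS` authorization scheme, which is the scheme Okta API tokens use. The sample events and the `fake_fetch` transport are constructed so the script runs offline; swap in `http_fetch` against a real tenant to verify that a freshly created token can actually read the System Log before you hand it to the module.

```python
"""Poll the Okta System Log API: backfill from `since`, then re-use the
rel="next" Link header as a polling cursor. Added example, not Blumira's or
Okta's code; sample events and the fake transport below are constructed."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([a-z]+)"')


def parse_link_header(link_header):
    """Map rel -> URL. Okta returns rel="self" and, while more pages exist or
    for polling, rel="next"; several Link headers may be comma-joined."""
    return {rel: url for url, rel in LINK_RE.findall(link_header or "")}


def logs_url(account, since_iso, limit=1000):
    """Initial query. `account` is the Okta subdomain ("mycompany" for
    mycompany.okta.com). Okta keeps System Log events for 90 days, so a
    `since` older than that still only returns the retention window."""
    query = urllib.parse.urlencode(
        {"since": since_iso, "limit": limit, "sortOrder": "ASCENDING"})
    return f"https://{account}.okta.com/api/v1/logs?{query}"


def authorized_request(url, token):
    """Okta API tokens are presented with the SSWS authorization scheme."""
    return urllib.request.Request(
        url, headers={"Authorization": f"SSWS {token}", "Accept": "application/json"})


def http_fetch(url, token):
    """Live transport: (status, comma-joined Link header, body)."""
    try:
        with urllib.request.urlopen(authorized_request(url, token), timeout=30) as resp:
            return resp.status, ", ".join(resp.headers.get_all("Link") or []), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, "", err.read()


def collect(account, token, since_iso, fetch=http_fetch, max_pages=100):
    """Follow rel="next" until a page is empty. Returns (events, cursor); the
    cursor is the last `next` URL, which Okta issues even on an empty page so
    a collector can keep polling it for new events."""
    url = logs_url(account, since_iso)
    events = []
    for _ in range(max_pages):
        status, link, body = fetch(url, token)
        if status == 401:
            raise PermissionError("SSWS token rejected: expired, revoked, or owner deactivated")
        if status == 429:
            raise RuntimeError("rate limited; back off until X-Rate-Limit-Reset before retrying")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status}")
        page = json.loads(body)
        events.extend(page)
        url = parse_link_header(link).get("next", url)
        if not page:
            break
    return events, url


def summarize(event):
    """Pull the fields a SIEM keys detections on."""
    return {
        "time": event.get("published"),
        "type": event.get("eventType"),
        "result": (event.get("outcome") or {}).get("result"),
        "actor": (event.get("actor") or {}).get("alternateId"),
        "ip": (event.get("client") or {}).get("ipAddress"),
    }


# Constructed sample data (not real Okta output) standing in for API responses.
_BASE = "https://mycompany.okta.com/api/v1/logs"
SAMPLE_PAGE = [
    {"published": "2024-01-10T12:00:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "alice@mycompany.com"}, "client": {"ipAddress": "203.0.113.5"}},
    {"published": "2024-01-10T12:00:07.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@mycompany.com"}, "client": {"ipAddress": "203.0.113.5"}},
]


def fake_fetch(url, token):
    """Offline transport: an empty token is rejected; the first page carries
    events and a next link; the second page is empty but, as Okta does, still
    carries a next link to use as the polling cursor."""
    if not token:
        return 401, "", b'{"errorCode": "E0000011"}'
    if "after=" not in url:
        link = f'<{url}>; rel="self", <{_BASE}?limit=1000&after=cursor1>; rel="next"'
        return 200, link, json.dumps(SAMPLE_PAGE).encode()
    return 200, f'<{url}>; rel="self", <{_BASE}?limit=1000&after=cursor2>; rel="next"', b"[]"


if __name__ == "__main__":
    evts, cursor = collect("mycompany", "00exampleToken", "2024-01-01T00:00:00.000Z", fetch=fake_fetch)
    for e in evts:
        print(summarize(e))
    print("poll next with:", cursor)
```

The 401 branch is the failure mode to watch for in production: a token whose owner was deactivated, or one unused for 30 days, fails exactly this way and the collector falls silent until a new token is installed in the module.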

[1] https://developer.okta.com/docs/reference/api/system-log/

[2] https://developer.okta.com/docs/guides/create-an-api-token/overview