Okta Integration

Use Sysdig’s Okta integration to pull logs from your enterprise’s Okta installation into Sysdig Secure for threat detection and processing.

Okta, which manages internal and external access to systems through a single login, is the leading platform in Identity-as-a-Service. As such, it has been the target of malicious attacks that can expose users’ most critical assets and services. Enterprises can monitor this part of their infrastructure using Sysdig’s Okta log analysis integration.

The Okta integration is in Technical Preview status.

Prerequisites

  • Sysdig Secure SaaS and admin permissions
  • An Okta organization
  • Super administrator Okta account permissions

Add Integration

Setting up the integration involves switching between the Sysdig Secure UI and the Okta UI. You can start from either side.

Starting from Sysdig Secure

  1. Log in to Sysdig Secure as admin and select Integrations > Data Sources|Events and Logs.

  2. Select Add Integration.

  3. Enter your Okta organization name or the URL for your Okta organization and click Launch Okta.

  4. You are redirected to the Okta Admin Dashboard to install the Sysdig API Service Integration.

  5. Click “Install & Authorize”. Okta displays a Client Secret; this secret is rotated periodically as an additional layer of security.

    Copy it, return to Sysdig, and paste it into the installation wizard.

  6. Now return to Okta and do the same with the Client ID.

  7. Click Validate Connection in the Sysdig wizard.

  8. When the connection is established, click Complete as prompted.

    Logs from your Okta organization are now streamed live to Sysdig. Sysdig evaluates them against the configured policies, and detections are reported as Runtime Events.

Starting from Okta

When you install the API Service Integration app for Sysdig from Okta’s Admin Dashboard, the installation prompts you to copy your Client Secret and Client ID. Save both values to use on the Sysdig side.

Now:

  1. Log in to Sysdig Secure SaaS as admin.

  2. Go to Integrations > Events and Logs > Okta and choose the option If you’ve already installed the Sysdig API Integration.

  3. Enter the Client Secret, Okta Domain, and Client ID you saved from Okta (toggling back to the Okta interface if needed).

  4. Click Validate Connection, then Complete.

Troubleshoot the Installation

If the installation fails, try the following:

  • Ensure that among the API Service integrations listed on Okta, the one you chose is called “Sysdig”.
  • Repeat the flow starting from Okta if you previously started from Sysdig, or vice-versa.
  • Re-install the Sysdig API Service integration on Okta and copy all the values to Sysdig.
  • Check that your Okta organization hasn’t already reached the maximum number of allowed Event Hooks.

Validate

Review Okta Policies and Rules

You can review the suite of Okta-related managed policies delivered out of the box, and create custom policies of type Okta if needed.

To see the standard managed policies:

  1. In Sysdig Secure, select Policies > Threat Detection | Runtime Policies.

  2. Filter by Managed Type: Managed Policies and Policy Type: Okta.

    The list of default managed policies is displayed. Select one to review the rules that comprise it.

    If desired, you can create custom Okta policies in the usual way.

Check Event Feed for Okta Entries

  1. In Sysdig Secure, select Events > Event Feed.

  2. Enter Okta in the free-text search. Select any resulting entry in the list to drill into the event details.

Events should arrive immediately after successful integration. If nothing appears within five minutes, check the status of Sysdig SaaS on https://sysdig.com/company/sysdig-status/.

Delete an Integration

If you delete a configured integration:

  • The listing is removed from the Events and Logs page
  • Sysdig stops receiving logs from Okta
  • Any created runtime events remain in the Events feed

Appendix: Okta Setup

Sysdig relies on an API Service Integration to connect with your Okta organization. The integration provisions an Event Hook configured to send Sysdig the following event types:

  • application.user_membership.add
  • group.user_membership.add
  • system.api_token.create
  • system.org.rate_limit.violation
  • user.account.lock
  • user.account.privilege.grant
  • user.account.reset_password
  • user.account.update_password
  • user.authentication.auth_via_mfa
  • user.authentication.sso
  • user.lifecycle.activate
  • user.lifecycle.create
  • user.lifecycle.deactivate
  • user.lifecycle.suspend
  • user.lifecycle.unsuspend
  • user.mfa.factor.deactivate
  • user.mfa.factor.reset_all
  • user.session.start
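As an added example (not Sysdig’s or Okta’s code), the following Python filters one Okta Event Hook delivery down to the event types listed above; the envelope layout follows Okta’s documented Event Hook format, and the sample delivery is constructed for illustration.

```python
import json

# Event types the Sysdig-provisioned Event Hook subscribes to (the list above).
SUBSCRIBED_EVENT_TYPES = frozenset({
    "application.user_membership.add", "group.user_membership.add",
    "system.api_token.create", "system.org.rate_limit.violation",
    "user.account.lock", "user.account.privilege.grant",
    "user.account.reset_password", "user.account.update_password",
    "user.authentication.auth_via_mfa", "user.authentication.sso",
    "user.lifecycle.activate", "user.lifecycle.create",
    "user.lifecycle.deactivate", "user.lifecycle.suspend",
    "user.lifecycle.unsuspend", "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all", "user.session.start",
})


def parse_event_hook(body: str) -> list:
    """Return the subscribed events found in one Okta Event Hook delivery.

    Envelope layout (top-level eventType "com.okta.event_hook", events under
    data.events with eventType/actor/outcome/published) is Okta's documented format.
    """
    payload = json.loads(body)
    if payload.get("eventType") != "com.okta.event_hook":
        raise ValueError("not an Okta Event Hook delivery")
    selected = []
    for ev in payload.get("data", {}).get("events", []):
        if ev.get("eventType") not in SUBSCRIBED_EVENT_TYPES:
            continue  # delivered type outside the subscribed set: drop it
        selected.append({
            "type": ev["eventType"],
            "actor": ev.get("actor", {}).get("alternateId"),
            "outcome": ev.get("outcome", {}).get("result"),
            "published": ev.get("published"),
        })
    return selected


# Constructed sample delivery (not real Okta output): two subscribed events
# and one (user.session.end) that the Sysdig hook does not subscribe to.
SAMPLE_DELIVERY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "user.mfa.factor.reset_all", "published": "2024-01-01T10:00:00.000Z",
         "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"}},
        {"eventType": "user.session.end", "published": "2024-01-01T10:00:05.000Z",
         "actor": {"alternateId": "jane@example.com"}, "outcome": {"result": "SUCCESS"}},
        {"eventType": "user.session.start", "published": "2024-01-01T10:00:09.000Z",
         "actor": {"alternateId": "jane@example.com"}, "outcome": {"result": "FAILURE"}},
    ]},
})
```

Running `parse_event_hook(SAMPLE_DELIVERY)` keeps the MFA reset and the failed session start, and drops the session end because it is not among the subscribed types.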