In this blog post, I’ll showcase how you can integrate Okta with Microsoft Azure Sentinel to achieve security orchestration, automation and response (SOAR) capabilities using the identity events and signals captured by Okta.
What is Microsoft Azure Sentinel?
“Microsoft Sentinel is a scalable, cloud-native solution that provides:
- Security information and event management (SIEM)
- Security orchestration, automation, and response (SOAR)
Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response.
Microsoft Sentinel is your bird’s-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.” Source: https://learn.microsoft.com/en-us/azure/sentinel/overview
Why integrate Okta and Azure Sentinel?
By integrating Okta with Azure Sentinel, you can correlate and pinpoint system-related attacks that may have been initiated via account takeovers, suspicious behaviour, MFA push bombing and other identity-related attacks.
This also allows you to proactively quarantine, prevent and contain any further or collateral damage that could occur if a risky event is not handled appropriately and promptly.
How to integrate Okta and Azure Sentinel? (The walkthrough)
Step 1: Enable Azure Sentinel within your Azure tenant.
Step 2: Create a new workspace
Step 3: Under Configuration, click Data Connectors.
Step 4: Search for Okta within the Data Connectors page. Click the Okta Single Sign-On (Preview) Connector.
Step 5: Log in as an Administrator to your Okta service, navigate to Security -> API Tokens, and create/obtain an API token. Note down your newly generated Okta API token, as you will use it later as part of the integration with Azure Sentinel.
Step 6: Click Open Connector Page. Take note of the Workspace ID and Primary Key. Click Deploy to Azure. A new tab will open as part of the process.
Step 7: Enter the Workspace ID, Primary Key and Okta API token you noted earlier. Click Review and create, then click Create and wait for the deployment to finish.
Step 8: Once the deployment is finished, navigate to the resource group you’ve used to create the Sentinel and Okta data connector resources. You should see additional resources deployed within the resource group.
Step 9: Let’s manually test the Okta connector by running the Function App that queries and pulls the System Logs from Okta.
Navigate to Functions -> Functions and click the function.
Under Developer, click Code + Test, then click Test/Run.
Step 10: Let’s query the recently pulled Okta data in Azure Sentinel. Navigate back to your Azure Sentinel page and go to Logs. You should see a section called Custom Logs. Expand it, and you should see a table called Okta_CL. In the query editor, enter Okta_CL and click Run.
Step 11: Congratulations! You’ve successfully integrated Okta System Logs with Azure Sentinel.
(Optional) You may want to deploy Workbooks within Azure Sentinel using the Okta System Logs you’ve just ingested to achieve a SOAR strategy. I recommend this blog by Cryptsus. It fully articulates several workbook plays, such as more than 10 failed Okta login attempts, MFA bombing attempts, an Okta user changing their MFA method/password from a different country, etc. I thoroughly recommend you read their blog to detect, prevent and defend your organisation from risky events captured by your Okta System Logs.
Example: Workbook that checks for any Administrator logging in outside business hours
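As an added example (not a query from the original post or from Cryptsus), here is a KQL query you could place behind such a workbook. It assumes the flattened Okta_CL column names produced by the Okta connector (eventType_s, actor_alternateId_s, outcome_result_s, published_t, client_ipAddress_s, client_geographicalContext_country_s, displayMessage_s) and a business window of 08:00 to 18:00 local time; adjust the column names, hours and UTC offset to your environment.

```kql
// Added example: successful Okta Admin Console sign-ins outside business hours.
// Assumptions: Okta_CL column names as produced by the Sentinel Okta connector,
// business hours 08:00-18:00 Monday-Friday, and a fixed UTC offset for local time.
let BusinessStart = 8;     // first business hour (local)
let BusinessEnd   = 18;    // first non-business hour (local)
let LocalOffset   = 10h;   // e.g. UTC+10; change to your region's offset
Okta_CL
| where TimeGenerated > ago(7d)
// user.session.access_admin_app is raised when a user opens the Okta Admin Console
| where eventType_s == "user.session.access_admin_app"
| where outcome_result_s == "SUCCESS"
| extend LocalTime = published_t + LocalOffset
| extend LocalHour = hourofday(LocalTime)
| extend LocalDay  = dayofweek(LocalTime)      // 0d = Sunday ... 6d = Saturday
| where LocalHour < BusinessStart or LocalHour >= BusinessEnd
      or LocalDay == 0d or LocalDay == 6d
| project LocalTime,
          Admin       = actor_alternateId_s,
          SourceIP    = client_ipAddress_s,
          Country     = client_geographicalContext_country_s,
          Description = displayMessage_s
| order by LocalTime desc
```

The same query can be turned into a scheduled analytics rule so that each out-of-hours admin sign-in raises an incident for triage rather than only appearing in the workbook.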
If you decide to implement workbooks, you can also create automation rules using the workbooks you’ve designed.
Here is a video showcasing the end-to-end integration and SOAR action between Azure Sentinel and Okta.