Okta Single Sign-On (using Azure Functions) connector for Microsoft Sentinel

The Okta Single Sign-On (SSO) connector ingests audit and event logs from the Okta API into Microsoft Sentinel. With these log types available in Microsoft Sentinel, you can view dashboards, create custom alerts, and improve monitoring and investigation capabilities.

Connector attributes

Connector attribute | Description
Log Analytics table(s) | Okta_CL
Data collection rules support | Not currently supported
Supported by | Microsoft Corporation

Query samples

Top 10 Active Applications

Okta_CL
| mv-expand todynamic(target_s)
| where target_s.type == "AppInstance"
| summarize count() by tostring(target_s.alternateId)
| top 10 by count_

Top 10 Client IP Addresses

Okta_CL
| summarize count() by client_ipAddress_s
| top 10 by count_
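
The following query is an added example, not one of the connector's own samples. It extends the client IP sample above into a check for a single client IP that fails sign-ins against many distinct accounts. The columns eventType_s, outcome_result_s and actor_alternateId_s are assumptions based on how client_ipAddress_s flattens the Okta event fields; confirm them against the Okta_CL schema in your workspace.

```kql
// Added example: client IPs with failed Okta sign-ins across many distinct accounts.
// Assumed columns (not shown on this page): eventType_s, outcome_result_s, actor_alternateId_s.
let lookback = 1d;
let minAccounts = 10;   // constructed threshold; tune to your tenant's baseline
Okta_CL
| where TimeGenerated > ago(lookback)
// Okta sign-in attempts that did not succeed
| where eventType_s == "user.session.start" and outcome_result_s == "FAILURE"
| summarize FailedAttempts = count(),
            DistinctAccounts = dcount(actor_alternateId_s),
            SampleAccounts = make_set(actor_alternateId_s, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by client_ipAddress_s
// Many accounts failing from one IP is worth triage; a shared egress IP
// (office NAT, VPN concentrator) can also match and should be allow-listed.
| where DistinctAccounts >= minAccounts
| order by DistinctAccounts desc, FailedAttempts desc
```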

Prerequisites

To integrate with Okta Single Sign-On (using Azure Functions) make sure you have:

Vendor installation instructions

Note

This connector uses Azure Functions to connect to Okta SSO to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

Note

This connector has been updated. If you previously deployed an earlier version and want to update, delete the existing Okta Azure Function before redeploying this version.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

STEP 1 - Configuration steps for the Okta SSO API

Follow these instructions to create an API Token.

Note - For more information on the rate limit restrictions enforced by Okta, please refer to the documentation.

STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

IMPORTANT: Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.

Next steps

For more information, go to the related solution in the Azure Marketplace.