Integrate Okta Workforce Identity with Red Canary
    • 09 Oct 2024

    To integrate Okta Workforce Identity with Red Canary, follow the procedure below from beginning to end.

    Note: This functionality is only available to Red Canary users who have an MDR Identities subscription. 

    Create your Okta Workforce Identity integration with Red Canary

    1. From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.

    2. In the search bar, type and then select Okta Workforce Identity.

    3. Click Configure.

    4. Enter a name for your Okta Domain.

    5. Enter your Okta API Token. Learn more about creating an Okta API Token.

    6. Click Save.

    Ingest Details

    The integration between Red Canary’s Managed Detection and Response (MDR) service and Okta’s Workforce Identity platform helps organizations detect and respond to credential compromise before it results in a data breach.

    Stolen credentials are a common path for attackers to gain initial access, and while multi-factor authentication (MFA) can help mitigate this risk, adversaries have found ways to circumvent it. Red Canary’s integration with Okta Workforce Identity allows users to correlate Okta alerts with data from other security tools to quickly identify potential credential compromise incidents. Additionally, Red Canary has developed custom detections to identify threats, such as MFA fatigue attacks, that Okta’s out-of-the-box alerts may miss.

    Red Canary collects events from the Okta Workforce Identity System Log API.

    Additionally, Red Canary polls the List Users API once per day to retrieve the total number of users for licensing purposes.

    Red Canary ingests System Log activities from Okta as telemetry and analyzes this data for suspicious activity. The data collected and analyzed is listed below.

    What data is Red Canary collecting from Okta? 

    • Application Activity:

      • app.generic.unauth_app_access_attempt

      • application.lifecycle.create

      • application.policy.lifecycle.create

      • application.user_membership.add

    • Device Activity:

      • device.enrollment.create

      • device.user.add

    • Group Activity:

      • group.user_membership.add

    • Policy Activity:

      • policy.lifecycle.create

      • policy.evaluate_sign_on

    • System Activity:

      • system.api_token.create

      • system.email.new_device_notification.sent_message

      • system.idp.lifecycle.create

      • system.mfa.factor.deactivate

      • system.sms.send_*_message

      • system.voice.send_*_call

      • user.account.lock

      • user.account.privilege.grant

      • user.account.reset_password

      • user.account.update_password

    • User Authentication Activity:

      • user.authentication.auth_via_AD_agent

      • user.authentication.auth_via_IDP

      • user.authentication.auth_via_inbound_delauth

      • user.authentication.auth_via_inbound_SAML

      • user.authentication.auth_via_iwa

      • user.authentication.auth_via_LDAP_agent

      • user.authentication.auth_via_radius

      • user.authentication.auth_via_richclient

      • user.authentication.auth_via_social

      • user.authentication.authenticate

    • User Lifecycle Activity:

      • user.lifecycle.activate

      • user.lifecycle.deactivate

      • user.lifecycle.suspend

    • User Multi-Factor Authentication (MFA) Activity:

      • user.mfa.factor.activate

      • user.mfa.factor.deactivate

      • user.mfa.factor.reset_all

      • user.mfa.factor.update

    • User Session Activity:

      • user.session.access_admin_app

      • user.session.end

      • user.session.start

    • Zone Activity:

      • zone.create

      • zone.update

    The following Okta Event Types are treated as alerts in the Red Canary platform:

    • security.threat.detected

    • user.account.report_suspicious_activity_by_enduser

    • user.mfa.attempt_bypass
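As an added example (not Red Canary's or Okta's code), the ingestion rules above expressed as a small classifier over Okta System Log events: the collected event types become telemetry, the three alert event types become alerts, and anything else is dropped. The field names `eventType`, `actor.alternateId` and `client.ipAddress` follow the System Log JSON shape; the sample events are constructed.

```python
from collections import Counter
from fnmatch import fnmatchcase
# Event types the article lists as ingested telemetry; the "*" patterns are kept as written.
TELEMETRY_EVENT_TYPES = [
    "app.generic.unauth_app_access_attempt", "application.lifecycle.create",
    "application.policy.lifecycle.create", "application.user_membership.add",
    "device.enrollment.create", "device.user.add", "group.user_membership.add",
    "policy.lifecycle.create", "policy.evaluate_sign_on", "system.api_token.create",
    "system.email.new_device_notification.sent_message", "system.idp.lifecycle.create",
    "system.mfa.factor.deactivate", "system.sms.send_*_message", "system.voice.send_*_call",
    "user.account.lock", "user.account.privilege.grant", "user.account.reset_password",
    "user.account.update_password", "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_IDP", "user.authentication.auth_via_inbound_delauth",
    "user.authentication.auth_via_inbound_SAML", "user.authentication.auth_via_iwa",
    "user.authentication.auth_via_LDAP_agent", "user.authentication.auth_via_radius",
    "user.authentication.auth_via_richclient", "user.authentication.auth_via_social",
    "user.authentication.authenticate", "user.lifecycle.activate", "user.lifecycle.deactivate",
    "user.lifecycle.suspend", "user.mfa.factor.activate", "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all", "user.mfa.factor.update", "user.session.access_admin_app",
    "user.session.end", "user.session.start", "zone.create", "zone.update",
]
# Event types the article says the platform treats as alerts rather than plain telemetry.
ALERT_EVENT_TYPES = {"security.threat.detected", "user.mfa.attempt_bypass",
                     "user.account.report_suspicious_activity_by_enduser"}

def classify(event_type: str) -> str:
    """Map one Okta eventType to "alert", "telemetry" or "ignored"."""
    if event_type in ALERT_EVENT_TYPES:
        return "alert"
    if any(fnmatchcase(event_type, pattern) for pattern in TELEMETRY_EVENT_TYPES):
        return "telemetry"
    return "ignored"

def triage(events):
    """Bucket a batch of System Log events; return counts and the alerts by actor and IP."""
    counts = Counter(classify(e.get("eventType", "")) for e in events)
    alerts = [(e["actor"]["alternateId"], e["client"]["ipAddress"], e["eventType"])
              for e in events if classify(e.get("eventType", "")) == "alert"]
    return dict(counts), alerts

# Constructed sample events in the System Log JSON shape (not real Okta data).
def _ev(event_type, login, ip):
    return {"eventType": event_type, "actor": {"alternateId": login}, "client": {"ipAddress": ip}}
SAMPLE_EVENTS = [
    _ev("user.session.start", "alice@example.com", "203.0.113.10"),
    _ev("system.sms.send_factor_verify_message", "alice@example.com", "203.0.113.10"),  # "*" match
    _ev("user.mfa.attempt_bypass", "bob@example.com", "198.51.100.7"),
    _ev("user.session.refresh", "bob@example.com", "198.51.100.7"),  # not listed: ignored
]
```

Running `triage(SAMPLE_EVENTS)` yields two telemetry events, one alert and one ignored event, with the alert attributed to bob@example.com from 198.51.100.7.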
