Okta Single Sign-On (using Azure Functions) connector for Microsoft Sentinel

The Okta Single Sign-On (SSO) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) Okta_CL
Data collection rules support Not currently supported
Supported by Microsoft Corporation

Query samples

Top 10 Active Applications

Okta_CL 

| mv-expand todynamic(target_s)  

| where target_s.type == "AppInstance"  

| summarize count() by tostring(target_s.alternateId)  

| top 10 by count_

Top 10 Client IP Addresses

Okta_CL 

| summarize count() by client_ipAddress_s 

| top 10 by count_

Prerequisites

To integrate with Okta Single Sign-On (using Azure Functions) make sure you have:

Vendor installation instructions

Note

This connector uses Azure Functions to connect to Okta SSO to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

Note

This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Okta Azure Function before redeploying this version.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

STEP 1 - Configuration steps for the Okta SSO API

Follow these instructions to create an API Token.

Note - For more information on the rate limit restrictions enforced by Okta, please refer to the documentation.

STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

IMPORTANT: Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.

Next steps

For more information, go to the related solution in the Azure Marketplace.