We are using Okta Workforce Identity. We would like to configure Okta to send alerts to Red Canary. How is this done?
Red Canary and Okta Workforce Identity
First you will need to configure the Alert Source in Red Canary for Okta Workforce Identity:
- Login to your Red Canary and select the "Alert Sources" tab on the left menu bar
- Next, while in the Alert Sources page, you will need to type the name of the Alert Source you want to configure. In this case, type "Okta..." and the search bar will populate with the available Alert Collectors we have available. Okta Workforce Identity should show in the list.
- Select Okta Workforce Identity. It may take a second, but you should see the new Alert Source box populate below the search bar.
- Next, you will need to click on the name of the Alert Source in order to enter the Alert Source configuration page.
- Once you are in the Alert Source configuration page, you will need to click on the link that says "Activate it to begin processing alerts." This will activate the Alert Source and allow you to start the configuration.
- Next, you will need to click on the blue "Configure" button to enter the Alert Source configuration window.
- While in the configuration window, select the "Ingest Format/Method" drop-down box. Select the "Okta Workforce Identity via HTTP" (Webhook method).
- click "Save." Give the system a couple minutes to build the new Alert Source.
- Once again, click on the blue "Configure" button. This will open up the same configuration window, but this time you will see a new HTTP web-hook URL and port has been generated. This is the URL and port that you will need to enter in your Okta alert configuration, on the Okta side.
Now you will need to subscribe to Events in your Okta "Add Event Hook Endpoint" configuration in order to start sending Event data to Red Canary.
NOTE: This part will be broken into two phases. First, we will need to configure the Okta alerts that you want to send to Red Canary. Second, you will need to configure Okta to send those alerts to Red Canary.
PHASE I - Configure the alerts in Okta
- Login to your Okta Workforce Identity dashboard.
- Select Workflow > Event Hooks from the left menu bar
- Select the "Create Event Hook" button. This will open the "Add Event Hook Endpoint" window.
- Enter a descriptive Name for the Event Hook. See screenshot.
- Enter the URL that was generated in the Red Canary Alert Source in the URL bar
- Enter "Authorization" in the Authentication Field
- Create a password for the Authentication secret field. Be sure to save this password some place safe, like a password manager.
PHASE 2 - Configure your Okta alerts (Subscribe to Events).
- Now you will need to "subscribe" to the Okta Event Types you want to see. This is the Event data that will be sent over to Red Canary. We will then parse this data and present it in the form of alerts. In the "Add Event Hook Endpoint" window, go to the "Requests" section. Then click in the "Subscribe to Events" field and a list of Event types will start to populate.
- Select the Events you want, and then click "Save & Continue." Please see the screenshot for some examples of Events that can be added. NOTE: You will need to determine what types of Events you want to see based on your environment.
- The next window that will come up is the "Verify Endpoint Ownership" window. You will want to click the "Verify" button in order to activate the Event Hook.
That's it! The configuration may take a few minutes to start sending Event data to the Red Canary Alert Source collector. You should start to see alerts populating in your Okta Alert Source. If you do not see any alerts coming through, please be sure to let us know by opening a support case with us.