Integrate Okta Workforce Identity Alerts with Red Canary.
Prerequisites
To connect Okta Workforce Identity to Red Canary, we highly recommend configuring the following Okta settings to ensure Red Canary receives the correct alert activity from Okta.
- From your Okta administration dashboard, click the Security dropdown, and then click General.
- Under Security Notification Emails, enable the following:
- New sign-on notification email
- Authenticator enrolled notification email
- Authenticator reset notification email
- Report Suspicious activity via email
- Under Okta Threat Insight Settings, select either of the following:
- Action: Log authentication attempts from malicious IPs
- Action: Log and enforce security based on threat level
Alert types
Okta offers the following alert types to Red Canary:
Integrate Red Canary with Okta Workforce Identity
To send Okta Workforce Identity alerts to Red Canary, you’ll need to…
- Have an Okta account with a Read-Only Administrator role.
- Obtain an Okta API key.
- Connect the API key to Red Canary.
Step 1: Okta–Create a user account
Note: If you already have an Okta account with a Read-Only Administrator role, see Get an Okta API key later on in this article.
- From your Okta administration dashboard, click the Directory dropdown, and then click People.
- Click Add person to create a new user account.
- Fill in the relevant information and click Save.
- Once the user account is created, click the Security dropdown (1), click Administrators (2), and then click the Admins tab (3).
- Click +Add administrator.
- Under the Admin dropdown, type and select the name of the user account you just created.
- Under the Role dropdown, select Read-Only Administrator.
- Click Save Changes.
Step 2: Okta–Get an Okta API key
Generate an Okta API key in Okta to connect to Red Canary. Once you've connected Okta to Red Canary, alert data flows from Okta to Red Canary. An Okta API token carries the permissions of the account that creates it, so create it while signed in as the Read-Only Administrator account: Red Canary then gets read access to the activity it needs and nothing more, and the token stops working if that account is later deactivated.
- Once you've created your user account, log in to Okta with the Read-Only Administrator account to get the Okta API key.
- Click the Security (1) dropdown, click API (2), and then click Create Token (3).
- Name your token, and then click Create Token.
- Copy the API key so you can connect Okta to Red Canary. Okta shows the token value only once, so keep it somewhere secure until you have pasted it into Red Canary.
- Click OK, got it to continue.
- With your API key copied, log in to Red Canary.
Step 3: Red Canary–Connect the API Key
Connect your Okta API key to Red Canary in order to start receiving the Okta alerts.
- From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources.
- In the search bar, type and select Okta Workforce Identity.
- To configure your new alert source, scroll down and click Okta Workforce Identity.
- Click Edit Configuration.
- Enter a Name for your external alert source.
- Select a display category.
- Under the Ingest Format/Method dropdown, select Okta Workforce Identity via API Poll (Required for Red Canary Threat Investigation Service).
Note: We recommend selecting Okta Workforce Identity via API Poll (Required for Red Canary Threat Investigation Service) as the ingest method because the API option provides more data than the other available options.
- Enter your Okta Domain.
Note: Enter your Okta Domain as the bare org name, for example exampledomain. Do not enter the full hostname exampledomain.okta.com.
- Paste the Okta API Token you copied from Okta.
- Click Save.
Confirm that the integration was successful
To confirm that the Okta integration was successful, generate a test alert by removing or enrolling an authenticator (security method) on your own account. Okta sends a notification email for that change; reporting it as suspicious from the email creates the activity Red Canary ingests, which confirms the integration is active.
- From your My Apps dashboard, click on the profile dropdown, and then click Settings.
- Under Security Methods, click Remove or Set up another on any factor. This will trigger an alert and notify you by email.
- In your email, look for the Red Canary Okta Notice and click Report Suspicious Activity.
- From your Red Canary dashboard, click Alert Sources.
- Scroll down and click on Okta Workforce Identity.
- After a few minutes, you will see the activity you just reported at the top of the Recent Alerts list.
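The following script is an added example for the Step 3 domain format and the confirmation step above; it is not Red Canary's or Okta's own code. It assumes Okta's documented System Log endpoint (GET https://<org>.okta.com/api/v1/logs, authenticated with an Authorization: SSWS <token> header), that the org lives under okta.com, and the Okta event type names used below (the suspicious-activity one is what the Report Suspicious Activity email link produces). The sample events are constructed for this example, not captured from a real org. It rejects a domain entered as exampledomain.okta.com, builds the authenticated request a read-only token should be able to make, and picks out the authenticator change and suspicious-activity report the confirmation step generates.

```python
"""Pre-flight checks for the Okta Workforce Identity -> Red Canary hookup.

Added example, not Red Canary's or Okta's own code. Assumptions:
  * Okta System Log endpoint GET https://<org>.okta.com/api/v1/logs with an
    "Authorization: SSWS <token>" header (Okta's API-token scheme);
  * the org is under okta.com (preview/EMEA cells use other suffixes);
  * the event type names below are the ones Okta emits for these actions;
  * SAMPLE_EVENTS is constructed, not real data.
"""
import json
import re
import urllib.request

SUSPICIOUS_REPORT = "user.account.report_suspicious_activity_by_enduser"
# Authenticator enrollment/removal: the actions the confirmation step performs.
FACTOR_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.deactivate"}

_ORG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def okta_domain_problem(value: str):
    """Return None if value is a bare org name, otherwise why it is not."""
    org = value.strip().lower()
    if "://" in org or "/" in org or "." in org:
        return "use the bare org name (exampledomain), not a hostname or URL"
    if not _ORG_RE.match(org):
        return "not a valid Okta org name"
    return None


def normalize_okta_domain(value: str) -> str:
    """Return the bare org name Red Canary expects, e.g. 'exampledomain'."""
    problem = okta_domain_problem(value)
    if problem:
        raise ValueError(f"{value!r}: {problem}")
    return value.strip().lower()


def system_log_request(domain: str, token: str, limit: int = 100):
    """Build the authenticated System Log request for a read-only API token."""
    org = normalize_okta_domain(domain)
    url = f"https://{org}.okta.com/api/v1/logs?limit={int(limit)}"
    return urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}",  # Okta API-token auth scheme
        "Accept": "application/json",
    })


def integration_events(events):
    """Keep only the events the confirmation step is expected to produce."""
    wanted = FACTOR_CHANGE_EVENTS | {SUSPICIOUS_REPORT}
    return [e for e in events if e.get("eventType") in wanted]


def suspicious_reporters(events):
    """Users who clicked Report Suspicious Activity, oldest report first."""
    reports = [e for e in events if e.get("eventType") == SUSPICIOUS_REPORT]
    reports.sort(key=lambda e: e.get("published", ""))
    return [e.get("actor", {}).get("alternateId", "?") for e in reports]


def verify_token(domain: str, token: str):
    """Live check (needs network): the token must be able to read the System Log.

    urlopen raises HTTPError on 401 (bad or revoked token, e.g. the creating
    account was deactivated) or 403 (account lacks read access).
    """
    with urllib.request.urlopen(system_log_request(domain, token)) as resp:
        events = json.load(resp)
    return suspicious_reporters(events)


# Constructed sample in the shape of Okta System Log entries (newest first).
SAMPLE_EVENTS = [
    {"eventType": SUSPICIOUS_REPORT, "published": "2024-05-01T10:05:00.000Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.deactivate", "published": "2024-05-01T10:03:00.000Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2024-05-01T10:00:00.000Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; call verify_token(domain, token)
    # with a real org name and token for the live check.
    for e in integration_events(SAMPLE_EVENTS):
        print(e["published"], e["eventType"], e["actor"]["alternateId"])
    print("reported by:", suspicious_reporters(SAMPLE_EVENTS))
```

Run it as-is to exercise the domain check and event filtering offline; call verify_token with the Read-Only Administrator's token before pasting it into Red Canary to catch a mistyped domain or a token that lacks read access.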