To integrate Okta Advanced Threat Detection with Red Canary, follow the procedure below from beginning to end.
Note: This functionality is available only to Red Canary users who have a Red Canary Threat Investigation subscription.
Step 1: Update/Create your Okta Workforce Identity integration with Red Canary
If you are a Red Canary Threat Investigation customer, you must update your Okta Workforce Identity integration to start sending your Okta alerts and telemetry to Red Canary. Once the integration is added, no other configuration is needed, and you can leave the ingest format field blank.
- From your Red Canary homepage, click the Integrations dropdown.
- Click Okta Workforce Identity.
- Click Configure a new service.
- Enter a name for your Okta Domain.
- Enter your Okta API Token. Learn more about creating an Okta API Token.
- Click Save.
Step 2: Deactivate your Okta Workforce Identity Alert Source integration
To prevent duplicate alerts, deactivate your old Okta Alert Source integration once you set up the new integration.
Note: You will continue to see Okta alerts ingested into Red Canary and triaged by Red Canary’s Detection Engineers. You can review all alerts and any associated threats in your Alerts page by filtering for “Okta Workforce Identity” as the provider source.
- From your Red Canary homepage, click the Integrations dropdown.
- Click Alert Sources.
- Click your old Okta Alert Source.
- Click Edit Configuration.
- Click Deactivate.
- Click Save Configuration.
FAQ
I don’t see Okta Workforce Identity in the navigation bar; how do I get started?
To take advantage of Advanced Threat Detection for Okta, you need to be a Red Canary Threat Investigation customer. Reach out to your Customer Success Manager to learn more.
What kind of data is Red Canary collecting from Okta with this update?
For legacy integrations, Red Canary used to collect only alert data from Okta Workforce Identity. Red Canary now collects alert data and raw telemetry that is used to develop our own analytics. This raw telemetry includes system activities such as MFA events, user actions, and timestamp information for authentication attempts.