Panther has the ability to fetch Okta events by querying the Okta System Log API. Panther will query the System Log API every 1' minute.
In order for Panther to access the API you need to create a new API token or use an existing one.
Create a new Okta API token
To create an API token with permissions to query Okta System Logs, you will need to be logged in as an administrator that has the rights to perform your API call's actions. Please refer to Okta documentation for information on managing Admin roles and their rights.
Log in as Okta administrator
In the Okta Admin Console, navigate to Security > API
Click Create Token
Enter a name for your token, e.g. Panther API token
Keep a note of Token value in the pop-up screen.
Important: Be sure to document and store the API token value carefully, as it cannot be retrieved later and can present a security risk if used in an unauthorized fashion.
Create a new Okta source in Panther
Login to your Panther account.
Go to Integrations > Log Sources from the sidebar menu.
Click Add Source.
Select Okta from the list of available types.
In the following form, fill in the following fields:
Name: A friendly name for the source e.g. My Okta logs
Okta: The name of your Okta domain. Should be in the form https://my-org.okta.com
API Token: The token value you noted before
Click on Next and then Save Source. The API Token will be stored, encrypted, in Panther backend.
You are done! You can now start writing detections and exploring your Okta data.