Panther has the ability to fetch Okta events by querying the Okta System Log API. Panther will query the System Log API every 1' minute.
In order for Panther to access the API you need to create a new API token or use an existing one.
Log in as Okta administrator
In the Okta Admin Console, navigate to Security > API
Click Create Token
Enter a name for your token, e.g.
Panther API token
Keep a note of Token value in the pop-up screen.
Important: Be sure to document and store the API token value carefully, as it cannot be retrieved later and can present a security risk if used in an unauthorized fashion.
Login to your Panther account
Go to Log analysis > Sources from the sidebar menu
Click Add Source
Select Okta from the list of available types
In the following form, fill in the following fields:
Name: A friendly name for the source e.g.
My Okta logs
Okta: The name of your Okta domain. Should be in the form
API Token: The token value you noted before
Click on Next and then Save Source. The API Token will be stored, encrypted, in Panther backend.
You are done! You can now start writing detections and exploring your Okta data.