As an Okta customer, your Okta instance captures valuable information regarding user activities, and application access over time – including details about devices, location, browser information, etc. This app collects data through the Okta platform APIs with the primary focus on system log events. The app can also present the “latest snapshot” on users, groups and apps.
Out-of-the-box dashboards are provided to give immediate insights on your Okta data based on events.
Here is a high-level architectural diagram of the integration.
Before setting up Splunk App for Okta, the following is needed from an Okta administrator:
An Okta administrator must create an appropriate Okta API key which will be used by the Splunk App to import data from Okta. The API key should ideally belong to a system user as opposed to an actual “human” user. A recommended approach is the following:
a. Create a new Okta user as a dedicated Splunk App account.
b. Assign the appropriate admin role to give this account the right level of privileges. If Splunk app is used in a read-only mode without the callbacks to Okta, the account should be given read-only access. If callbacks are planned, then a higher privileged admin role should be granted.
c. Remember that an API key should be carefully protected as it can be used in a malicious manner especially when it has access to Okta beyond read-only.
d. To create an API key
i. Log in as the Okta user you intend to associate the API key with.
ii. Go to Security->API and create a Token
You can test the API key using the following cURL command:
curl -H "Authorization:SSWS <token>" -H “Accept:application/json” -H “Content-type:application/json” https://<your_okta_org>.okta.com/api/v1/events?startDate=2015-01-01T00%3A00%3A00.000Z&limit=1
The “startDate” and “limit” parameters are optional – but should be considered if your Okta org has been LIVE for some time and contains a large amount of log data.
a. Install the Splunk Add-on for Okta
b. Install the Splunk App for Okta
Q: Can I use a read-only API key for this integration
A: Yes. A read-only API key will suffice for all the out-of-the-box dashboards in Splunk. However, to leverage the Okta Commands which will modify user status/group membership within Okta, the API key will need to be associated with a user with "super admin" privileges.
Q: Can I associate multiple Okta orgs with a single Splunk App for Okta instance?
A: Yes. As part of the Splunk Add-on for Okta, each modular input entry can be pointed to a new Okta instance. Just Add as many modular input entries as needed.
Q: Is there a dashboard capturing LDAP (non-AD) agent activities?
A: The out-of-the-box dashboard only supports AD agents. We will enhance the out-of-the-box dashboard in the future to include generic LDAP agent activities. However, the data is imported under "index=okta". You can build custom queries/dashboards on top of that.
Q: As an Okta customer, is SAML supported between Splunk Cloud and Okta (as part of the Okta Application Network)?
A: This currently being worked on. Stay tuned.
Q: It has been more than 24 hours and the data is still coming in. Is that normal?
A: The "24 hours" window is an estimate. The time for the initial import really depends on the amount of data that is coming in. Again, the best gauge is to look at "index=okta" and see if the latest event has caught up with the current time.
Splunk Add-on for Okta is required to be installed and configured prior to using the Splunk App for Okta:
https://splunkbase.splunk.com/app/2806
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.