Okta Advanced Server Access Add-on for Splunk
Overview
Details
Okta Advanced Server Access Add-on
This addon will collect audit events from the Okta Advanced Server Access (ASA) API and index them into Splunk. This makes tracking events like permission changes, server logins, credential approvals through ASA simple.
Getting Started
Prerequisites
This add-on will require an API key and secret to access the audit data from ASA. We recommend creating a dedicated service account for this purpose and assigning the minimum privleges. Perform the following steps in the ASA webapp.
- Create a new service user in the ASA webapp
- Create an API key for this new service user
- Take note of the
API Key IDandAPI Key Secret - Add your service user to a group, and be sure this group has at least the
Reportingpermission
Install
We can now install the Add-on in our Splunk environment. This add-on is primarily a tool for collecting logs and is only required to be installed a heavy forwarder. It does contain saved searches and other knowledge objects so installation on search heads is helpful. Only configure an input on one Splunk server.
- Install via the Splunk webapp (recommended) or manually copy and expand the app into $SPLUNK_HOME/etc/apps/ location
- Restart the Splunk server
Configure Settings (optional)
Using the Splunk webapp, login and launch the newly installed Okta Advanced Server Access Add-on.
The default settings are appropriate in most cases. Be aware of the advanced Add-on Settings and Logging available in the Configuration menu.
Define Account
Using the Splunk webapp, login and launch the newly installed Okta Advanced Server Access Add-on.
Before we can define an input we must provide account credentials. Using the API Key ID and API Key Secret from our Prerequisites section perform the following.
- Navigate to Configuration -> Account
- Click
Add - Provide a unique and appropriate
Account Namefor the account (arbitrary value) - Enter the
API Key ID - Enter the
API Key Secret - Click
Add
Define Input
With our Account defined we can now define and Input
- Navigate to Input
- Click
Create New Input - Provide a unique and appropriate
Account Namefor the input (arbitrary value) - Provide the desired interval (60 seconds is recommended)
- Choose the appropriate
Index - Enter the
Team Nameyou wish to collect audit events for (This is your ASA Team Name and must be correct) - Select the appropriate
ASA Accountdefined in the previous step - Click
Add
Search for data
This add-on will produce data with a source of source="Okta:ASA"
{
"id": "UhSXLZ2N51GGpjYAnY3nUQ==",
"timestamp": "2020-07-09T15:12:08.314955Z",
"details": {
"actor": {
"id": "a6a33a38-f871-417a-9bf6-d3d05ce20aef",
"name": "mbegan",
"status": "ACTIVE",
"details": {
"first_name": "Matthew",
"last_name": "Egan",
"full_name": "Matthew Egan",
"email": "mbega.n@gmail.com"
},
"user_type": "human",
"oauth_client_application_id": null,
"role_grants": null,
"deleted_at": null
},
"target_user": {
"id": "d54bc50c-7afc-46b0-bdd9-ae0356ed451f",
"name": "SplunkTest",
"status": "ACTIVE",
"details": null,
"user_type": "service",
"oauth_client_application_id": null,
"role_grants": null,
"deleted_at": null
},
"team_id": "a9dcf8ed-a32e-411b-be70-f89932ef4998",
"team_name": "oktabd-dev",
"trace_id": "1-5f0733c8-f1b67bc0b80fa79cdb92630c",
"type": "apikey.rotate",
"user_name": "SplunkTest"
}
}
Troubleshooting and FAQ
Troubleshooting
Look at the logs (index=_interal sourcetype="ta:okta:advanced:server:access:add:on:for:splunk:log" or the tail -f ta_okta_advanced_server_access_add_on_for_splunk_advanced_server_access.log file
FAQ
Will update as they come in
Enjoy!
Release Notes
Version 2.1.3
Removed errantly included input