SentinelOne and Okta Integration: Elevating Zero Trust Security in Okta
Endpoint detections are far easier to triage when the identity behind them is visible, and the SentinelOne and Okta integration is built around that. The SentinelOne XDR Response for Okta app, available in the Singularity Marketplace, adds automatic response actions against the Okta user tied to an endpoint detection, enriches the detection with that identity's recent sign-in activity, and ingests Okta log data for further investigation and monitoring.
The Okta app enriches a threat with the identity behind it. It provides a summary of the endpoint's last logged-in user, including the last known IP address and the time of the last password reset, together with summaries of recent failed logins and of successful logins from anonymous IP addresses or machines. Together these give an analyst the identity context around a potential security incident:
Failed Login Summary: An overview of recent failed login attempts.
IP Summary: Identifies successful logins from anonymous IP addresses.
Endpoint Summary: Pinpoints successful logins from anonymous machines.
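To make concrete what these summaries are computed from, here is an added example (not SentinelOne's or Okta's code) that derives the user summary, the failed-login summary and the anonymous-IP summary from Okta System Log events. It assumes the documented field names of System Log entries (`eventType`, `published`, `outcome.result`, `actor.alternateId`, `target[].alternateId`, `client.ipAddress`, `securityContext.isProxy`); the events themselves are hand-constructed for the example, not real tenant data.

```python
"""Enrichment summaries over Okta System Log events.

Added example; not SentinelOne's or Okta's code. It assumes the documented
field names of Okta System Log entries and derives the three summaries the
article lists for one Okta login. The events below are constructed samples.
"""
from collections import Counter

# Constructed sample of System Log events; in production they are pulled by
# polling GET /api/v1/logs on the Okta tenant.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2024-01-10T08:01:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "securityContext": {"isProxy": False}},
    {"eventType": "user.account.reset_password", "published": "2024-01-10T08:30:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "admin@example.com"},
     "target": [{"alternateId": "jdoe@example.com"}],
     "client": {"ipAddress": "203.0.113.10"}, "securityContext": {"isProxy": False}},
    {"eventType": "user.session.start", "published": "2024-01-10T09:15:00.000Z",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "securityContext": {"isProxy": False}},
    {"eventType": "user.session.start", "published": "2024-01-10T09:16:00.000Z",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "securityContext": {"isProxy": False}},
    {"eventType": "user.session.start", "published": "2024-01-10T09:20:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "securityContext": {"isProxy": True}},
    {"eventType": "user.session.start", "published": "2024-01-10T09:30:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "asmith@example.com"},
     "client": {"ipAddress": "192.0.2.44"}, "securityContext": {"isProxy": True}},
]


def _involves(event, login):
    """True if the login is the event's actor or one of its targets."""
    if event.get("actor", {}).get("alternateId") == login:
        return True
    return any(t.get("alternateId") == login for t in event.get("target") or [])


def _session_starts(events, login, result=None):
    """Session-start events for the login, oldest first, optionally by outcome."""
    return sorted(
        (e for e in events
         if e["eventType"] == "user.session.start"
         and e["actor"]["alternateId"] == login
         and (result is None or e["outcome"]["result"] == result)),
        key=lambda e: e["published"],  # ISO-8601 UTC strings sort chronologically
    )


def user_summary(events, login):
    """Last known IP (latest session start, success or failure) and last reset."""
    sessions = _session_starts(events, login)
    resets = sorted((e for e in events
                     if e["eventType"] == "user.account.reset_password"
                     and _involves(e, login)),
                    key=lambda e: e["published"])
    return {
        "login": login,
        "last_known_ip": sessions[-1]["client"]["ipAddress"] if sessions else None,
        "last_password_reset": resets[-1]["published"] if resets else None,
    }


def failed_login_summary(events, login):
    """Count of failed session starts, broken down by source IP and reason."""
    failures = _session_starts(events, login, "FAILURE")
    return {
        "count": len(failures),
        "by_ip": dict(Counter(e["client"]["ipAddress"] for e in failures)),
        "reasons": sorted({e["outcome"].get("reason", "UNKNOWN") for e in failures}),
    }


def anonymous_ip_summary(events, login):
    """Successful session starts from IPs Okta flagged as proxy/anonymizer."""
    return [{"published": e["published"], "ip": e["client"]["ipAddress"]}
            for e in _session_starts(events, login, "SUCCESS")
            if e.get("securityContext", {}).get("isProxy")]


if __name__ == "__main__":
    for login in ("jdoe@example.com", "asmith@example.com"):
        print(user_summary(SAMPLE_EVENTS, login))
        print(failed_login_summary(SAMPLE_EVENTS, login))
        print(anonymous_ip_summary(SAMPLE_EVENTS, login))
```

Note that the password-reset event is matched on `target`, not `actor`: in Okta's log the actor of an admin-initiated reset is the administrator, and keying only on `actor.alternateId` would miss it. The anonymous-IP check relies on Okta's own `securityContext.isProxy` flag rather than a local IP reputation list.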
The response actions are automated, but they depend on an identity match: the endpoint's last logged-in username, combined with the configured email domain, must equal the user's login in the Okta directory. If that mapping does not resolve to an Okta user, no action can be taken, so verify that the configured email domains match how usernames appear in your Okta directory.
Expire Sessions: Terminates active sessions to curb unauthorized access.
Reset Password: Forces a password reset to ensure account integrity.
Suspend User: Temporarily suspends user access as a precautionary measure.
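The identity match described above is the part most likely to fail silently, so here is an added example (not SentinelOne's or Okta's code) of the mapping from an agent-reported username to an Okta login, plus the Okta Users API requests for the three response actions. The tenant domain, email domains and token are placeholders; the mapping rule (strip a `DOMAIN\` prefix, append the configured email domain, refuse local built-in accounts) is an assumption about how such a match could be implemented, and the list of refused local accounts is illustrative. The API paths (`DELETE /api/v1/users/{id}/sessions`, `POST .../lifecycle/reset_password`, `POST .../lifecycle/suspend`) and the `SSWS` authorization scheme are Okta's public API.

```python
"""Map an endpoint's last logged-in user to an Okta login and build the
Okta Users API requests for the three response actions.

Added example; not SentinelOne's or Okta's code. Tenant domain, email
domains, token and the refused local-account names are placeholders.
"""
from urllib.parse import quote

OKTA_DOMAIN = "example.okta.com"                       # assumed tenant domain
EMAIL_DOMAINS = ["example.com", "corp.example.com"]    # assumed configured domains
API_TOKEN = "00REPLACE_WITH_SSWS_TOKEN"                # placeholder; load from a secret store

# Built-in local accounts that must never be mapped to a directory user (assumed list).
LOCAL_ACCOUNTS = {"system", "administrator", "root", "guest"}

# Okta Users API: method and path per response action. {uid} accepts the login.
ACTIONS = {
    "expire_sessions": ("DELETE", "/api/v1/users/{uid}/sessions"),
    "reset_password":  ("POST",   "/api/v1/users/{uid}/lifecycle/reset_password?sendEmail=true"),
    "suspend_user":    ("POST",   "/api/v1/users/{uid}/lifecycle/suspend"),
}


def endpoint_user_to_okta_login(endpoint_user, email_domains):
    """Normalise an agent-reported username and attach the configured domain.

    Accepts 'CORP\\JDoe', 'jdoe' and 'jdoe@example.com'. Returns None when the
    name cannot be mapped safely, so the caller fails closed instead of acting
    on the wrong Okta user.
    """
    if not endpoint_user:
        return None
    user = endpoint_user.rsplit("\\", 1)[-1].strip().lower()
    if "@" in user:
        local, _, dom = user.partition("@")
        # An already-qualified login is only accepted for a configured domain.
        return user if local and dom in email_domains else None
    if not user or user in LOCAL_ACCOUNTS:
        return None
    return f"{user}@{email_domains[0]}"   # first configured domain is the default


def build_response_request(action, okta_login, okta_domain=OKTA_DOMAIN, token=API_TOKEN):
    """Return (method, url, headers) for one response action."""
    method, path = ACTIONS[action]           # KeyError on an unknown action
    url = f"https://{okta_domain}{path.format(uid=quote(okta_login, safe=''))}"
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    return method, url, headers


def plan_response(endpoint_user, actions, email_domains=EMAIL_DOMAINS):
    """Requests to send for a detection, or an empty list if identity mapping fails."""
    login = endpoint_user_to_okta_login(endpoint_user, email_domains)
    if login is None:
        return []                            # fail closed: no identity, no action
    return [(action, *build_response_request(action, login)) for action in actions]


if __name__ == "__main__":
    for step in plan_response("CORP\\JDoe", ["expire_sessions", "reset_password", "suspend_user"]):
        print(step[0], step[1], step[2])
    print(plan_response("WORKGROUP\\Administrator", ["suspend_user"]))   # []
```

The order of actions matters in practice: expiring sessions before resetting the password ensures an attacker holding a live session is signed out rather than left with a valid session on an account whose password just changed.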
Log ingestion works by polling the Okta APIs to collect detection logs. Once ingested, Power Query can be used to query and sort the data in these logs, and with Skylight enabled, searching and visualizing Okta data is straightforward.
Enable Ingest Logs Option: A simple toggle to start the log ingestion process.
Included Parsers: Parsers come included to aid in data processing.
Before installing the app from Singularity™ Marketplace, you need an Okta administrator account and an Okta API token. An Okta API token inherits the permissions of the administrator who creates it, so create it from a dedicated service account that holds only the permissions the app needs rather than from a super administrator's personal account.
Create the API token in your Okta tenant:
In the Okta Admin Console, navigate to Security > API > Tokens > Create Token.
Give the token a descriptive name and copy the value into your secrets store immediately; Okta displays the token value only once, at creation.
Install the App:
Log in to your SentinelOne Management Console.
Navigate to Singularity Marketplace.
Find and configure the SentinelOne XDR Response for Okta app.
Fill in the required fields: Tenant OKTA Domain, Okta API Token, and Email domain names (the domains used to map endpoint usernames to Okta logins).
Customize the settings under Enrichment, Response Actions, and Ingestion to match your organization's requirements.
Finally, install the app and choose the access level at which it applies: Global, Account, or Site.
The Okta parser normalizes Okta data to OCSF version 1.0.0 - RC 3. It supports Okta Version 2023.06.1 C and a range of event types, from user session starts to system organization rate-limit warnings.
This integration between SentinelOne and Okta accelerates threat triage by putting identity context next to endpoint detections, and it lets analysts respond to identity-linked threats swiftly from the same console. Organizations that adopt it gain a stronger security posture and a more streamlined threat management process.