Fortinet Document Library

External Systems Configuration Guide

Okta

FortiSIEM can integrate with Okta as a single sign-on service for FortiSIEM users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta as a single sign-on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, FortiSIEM will begin to monitor Okta events.

What is Discovered and Monitored

Protocol    Information Discovered    Metrics Collected    Used For
Okta API

Event Types

In ADMIN > Device Support > Event, search for "okta" in the Device Type column to see the event types associated with this device. 

Configuration

  • In Okta Administration -> Security -> API, create a token. Note that tokens generated by this mechanism have the permissions of the user who generated them.
  • Tokens are valid for 30 days and automatically refresh with each API call. Tokens that are not used for 30 days will expire. The token lifetime is currently fixed and cannot be changed.

Access Credentials in FortiSIEM

Setting          Value
Name             <name>
Device Type      OKTA.com OKTA
Access Protocol  OKTA API
Pull Interval    5
Domain           The name of your OKTA domain
Security Token   The token that has been created in Okta
Organization     Select an organization from the drop-down list.

Sample Okta Event

Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 [actors/0/ipAddress]=211.144.207.10 [actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 [eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z [requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=a_name [targets/0/id]=00uvdkhrxcPNGYWISAGK [targets/0/login]=a_name@doamin.com [targets/0/objectType]=User
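
The following Python parser is an added example, not part of the Fortinet documentation. It splits an event in the format shown above into its [key]=value attributes and normalizes the login fields for review. The function names and output field names are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Abridged copy of the sample event above (user agent shortened, some fields dropped).
SAMPLE = (
    "Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful "
    "[action/objectType]=core.user_auth.login_success "
    "[actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.125 "
    "[actors/0/ipAddress]=211.144.207.10 [actors/0/login]=YaXin.Hu@accelops.com "
    "[eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z "
    "[targets/0/login]=a_name@doamin.com [targets/0/objectType]=User"
)

# A key is a bracketed slash-separated path followed by '='. Values may contain
# spaces, ';' and parentheses, so a value runs until the next key or end of line.
KEY = re.compile(r"\[([A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*)\]=")

def parse_okta_event(line):
    """Return (header, fields): the text before the first key and a flat dict."""
    marks = list(KEY.finditer(line))
    if not marks:
        raise ValueError("no [key]=value attributes found")
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return line[:marks[0].start()].strip(), fields

def normalize(fields):
    """Pick the fields a login review usually needs; output names are hypothetical."""
    ip = fields.get("actors/0/ipAddress")
    ts = fields.get("published")
    return {
        "event": fields.get("eventName"),
        "src_ip": ipaddress.ip_address(ip) if ip else None,  # raises on a malformed address
        "actor": (fields.get("actors/0/login") or "").lower() or None,
        "target": (fields.get("targets/0/login") or "").lower() or None,
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
                        .replace(tzinfo=timezone.utc) if ts else None,
    }

if __name__ == "__main__":
    header, fields = parse_okta_event(SAMPLE)
    print(header, normalize(fields), sep="\n")
```

A value that itself contains text shaped like [path]= would be split at that point, so treat user-controlled fields such as the user agent as untrusted when reading the parsed output.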
