External Systems Configuration Guide

Okta

FortiSIEM can integrate with Okta as a single sign-on service for FortiSIEM users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta as a single sign-on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, FortiSIEM will begin to monitor Okta events.

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Okta API | | |

Event Types

In ADMIN > Device Support > Event Types, search for "okta" to see the event types associated with this device.

Configuration

  • In Okta Administration -> Security -> API, create a token. Note that tokens generated by this mechanism have the permissions of the user who generated them.
  • Tokens are valid for 30 days and automatically refresh with each API call. Tokens that are not used for 30 days will expire. The token lifetime is currently fixed and cannot be changed.

Access Credentials in FortiSIEM

Setting | Value
Name | <name>
Device Type | OKTA.com OKTA
Access Protocol | OKTA API
Pull Interval | 5
Domain | The name of your OKTA domain
Security Token | The token that has been created in Okta
Organization | Select an organization from the drop-down list.

Sample Okta Event

Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 [actors/0/ipAddress]=211.144.207.10 [actors/0/login]=firstname.lastname@example.com [actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 [eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z [requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=a_name [targets/0/id]=00uvdkhrxcPNGYWISAGK [targets/0/login]=a_name@doamin.com [targets/0/objectType]=User
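
A parser for the event format shown above, as an added example that is not FortiSIEM's own code. The function names are hypothetical, and SAMPLE is the page's event abbreviated to a subset of its fields.

```python
import re
from datetime import datetime, timezone

# The page's sample event, abbreviated to a subset of its fields.
SAMPLE = (
    "Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful "
    "[actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 "
    "[actors/0/ipAddress]=211.144.207.10 [actors/0/login]=firstname.lastname@example.com "
    "[eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z "
    "[targets/0/login]=a_name@doamin.com [targets/0/objectType]=User"
)

# A field is "[path]=value". The value runs lazily to the next " [path]=" or end of
# line, so the spaces and parentheses of a User-Agent stay inside one value.
PATH = r"[A-Za-z]\w*(?:/\w+)*"
FIELD = re.compile(rf"\[({PATH})\]=(.*?)(?= \[{PATH}\]=|$)")

def parse_event(line):
    """Return (collector_time, source, fields) for one FortiSIEM-Okta line."""
    header, sep, rest = line.strip().partition(" [")
    if not sep:
        raise ValueError("no [key]=value fields found")
    stamp, _, source = header.rpartition(" ")
    collected = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    fields = {}
    for m in FIELD.finditer("[" + rest):
        if m.group(1) in fields:
            # The format shows no escaping, so a repeated key makes the line ambiguous.
            raise ValueError(f"duplicate field {m.group(1)!r}")
        fields[m.group(1)] = m.group(2)
    return collected, source, fields

def group(fields, prefix):
    """Collect 'actors/0/login'-style keys into a list of dicts, ordered by index."""
    items = {}
    for key, value in fields.items():
        head, _, tail = key.partition("/")
        index, _, name = tail.partition("/")
        if head == prefix and index.isdigit() and name:
            items.setdefault(int(index), {})[name] = value
    return [items[i] for i in sorted(items)]

def summarize(line):
    """Pull out the fields an analyst triages a sign-in on."""
    _, _, fields = parse_event(line)
    actor = (group(fields, "actors") or [{}])[0]
    when = datetime.strptime(fields["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"event": fields.get("eventName"), "login": actor.get("login"),
            "ip": actor.get("ipAddress"), "user_agent": actor.get("id"),
            "published_utc": when.replace(tzinfo=timezone.utc)}
```

The header timestamp carries no time zone, so correlate on the `published` field, which is in UTC.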
