Use Okta with Splunk for better Security

28 Oct 2015 11:30 AM By Nick Edwards

Things, as in the Internet of Things, are looking up for organisations that use Okta to manage their users, whether employees, contractors, customers or partners.
Okta captures a lot of useful information on user activity, including user lifecycle events, application access, and directory agent activity.

Combine that information with Splunk's analytics and your organisation immediately gains valuable insight into security, business and infrastructure questions.

For example, by knowing the distinct number of users logging into specific applications you can better manage subscription licenses for those applications (Figure 1 - Distinct Count Access by App), enabling the business to optimise the ROI by making informed decisions based on how these applications are being utilised.

Figure 1 - Distinct Count by App

The technological magic touch behind all that is the Splunk Add-on for Okta. 

This little application makes it all seamlessly possible by letting a Splunk administrator pull event data from Okta through the Okta Event API.

The Okta events include user and provisioning lifecycle events, authentication, Single Sign-On (SSO) information, and Multi Factor Authentication (MFA) events.  

All that data is readily available for consumption through the pre-built Splunk dashboard panels included with the add-on.

Furthermore, organisations that use Active Directory (AD) as their on-premises corporate identity store (Figure 2 – High Level Architecture) can correlate unsuccessful login attempts with Okta AD agent activity to promptly pinpoint where the problem is (for example, the server hosting AD is down, so every user login attempt fails).

Figure 2 - High Level Architecture

If AD appears to be operational, the same information is used to examine the failed login attempts themselves, which may be down to incorrect or expired passwords.

Excessive login attempts, assessed together with their geolocation, are captured as "suspicious activity" events and also shown visually on the dashboard, alerting the security team to possible hacking attempts.

Figure 3 - Geo Map

For example, if the same user credentials are used within a couple of seconds from two locations thousands of miles apart, you may be looking at what is referred to as a "Superman case", because such consecutive logins are humanly impossible.

The Splunk Add-on for Okta identifies and classifies these attempts as “suspicious activity” and displays them on the Okta dashboard in the panel titled, “Impossible Consecutive Logins”.

That is a very smart thing!
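The "Impossible Consecutive Logins" check described above, as an added illustration in Python rather than code from the add-on or from Okta: it sorts constructed Okta-style login events per user, computes the great-circle distance between each consecutive pair, and flags any pair whose implied travel speed no human could achieve. The sample events, the 1000 km/h threshold and the 50 km minimum distance (to ignore geo-IP jitter) are assumptions for the example.

```python
from datetime import datetime
from math import asin, cos, inf, radians, sin, sqrt

# Constructed sample logins modelled on Okta authentication events (user,
# timestamp, client geolocation); not real data.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "time": "2015-10-28T09:00:00Z", "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "alice@example.com", "time": "2015-10-28T09:00:04Z", "lat": 40.7128, "lon": -74.0060},  # New York, 4 s later
    {"user": "bob@example.com",   "time": "2015-10-28T09:10:00Z", "lat": 48.8566, "lon": 2.3522},    # Paris
    {"user": "bob@example.com",   "time": "2015-10-28T13:10:00Z", "lat": 51.5074, "lon": -0.1278},   # London, 4 h later
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed: roughly airliner speed; faster is "humanly impossible"
MIN_DISTANCE_KM = 50.0      # assumed: smaller jumps are usually geo-IP noise, not travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_consecutive_logins(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """One alert per pair of consecutive logins by the same user whose implied
    travel speed exceeds max_kmh (the "Superman case")."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l["time"]):  # fixed-width UTC stamps sort lexically
        by_user.setdefault(login["user"], []).append(login)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            secs = (_parse(cur["time"]) - _parse(prev["time"])).total_seconds()
            kmh = km / (secs / 3600) if secs > 0 else inf  # identical timestamps: impossible
            if kmh > max_kmh:
                alerts.append({"user": user, "km": round(km), "seconds": secs, "kmh": round(kmh, 1)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_consecutive_logins(SAMPLE_LOGINS):
        print(alert)
```

Alice's London-to-New York pair (about 5570 km in 4 seconds) is flagged; Bob's Paris-to-London trip over four hours is not, as it is well within ordinary travel speed.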