Okta CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Okta CDF for ThreatQ enables analysts to automatically pull back a list of users (and their identity information) from Okta, into ThreatQ.

The integration ingests identities and identity attributes into the ThreatQ platform.  

Prerequisites

The Okta CDF requires an Okta API Token.  See the section below for steps on generating an Okta API Token.

Generating an Okta API Token

Use the following steps to generate an Okta API Token to use for this integration.

  1. Log into your Okta Portal.
  2. Click on Security > API in the left navigation.
  3. Select the Tokens tab.
  4. Click on the Create Token button.
  5. Name the token. ThreatQuotient recommends the following name: ThreatQ.
  6. Click on the Create button.
  7. Copy and save the token to a secure location.  This token will be used when configuring the CDF.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    | Parameter | Description |
    |---|---|
    | Okta Host | Enter your Okta hostname. Do not include the http scheme or any trailing slashes. |
    | API Token | Enter your Okta API Token generated at Security > API > Tokens in your Okta portal. See the Prerequisites chapter for more details. |
    | Ingest Users Based on Last Run Timeframe | Enable this option if you don't want the entire user list ingested every time the feed runs. You can use the manual run button to pull historically if this option is enabled. |
    | Custom Search Query (Optional) | Optional. Enter a custom search query to apply to the API requests. See the following Okta reference for more details: https://developer.okta.com/docs/reference/api/users/#list-users-with-search. |
    | Include User Information | Select the pieces of user information that you'd like to be brought into ThreatQ. |
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.
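
The Okta Host rule and the search settings above, as an added Python example (not ThreatQuotient's code): it rejects host values that carry a scheme, path or trailing slash before the API token is attached, then builds the users request. The function names and the way the last-run filter is combined with the custom query are assumptions; the SSWS authorization scheme and the search parameter are Okta's.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

# Hostname only: dot-separated labels of letters, digits and hyphens.
_HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def validate_okta_host(host: str) -> str:
    """Accept a bare hostname; reject schemes, paths and trailing slashes."""
    host = host.strip()
    if "://" in host:
        raise ValueError("remove the URL scheme from the Okta Host value")
    if "/" in host:
        raise ValueError("remove slashes and paths from the Okta Host value")
    if not _HOST_RE.match(host):
        raise ValueError("Okta Host is not a valid hostname")
    return host.lower()


def build_users_request(host, api_token, custom_search=None, last_run=None):
    """Return (url, headers) for GET /api/v1/users.

    Assumption: the last-run filter is an Okta search clause on lastUpdated,
    ANDed with the custom query. The CDF's own logic is not documented here.
    """
    clauses = []
    if custom_search:
        clauses.append(f"({custom_search})")
    if last_run is not None:
        utc = last_run.astimezone(timezone.utc)
        clauses.append(f'lastUpdated gt "{utc.strftime("%Y-%m-%dT%H:%M:%S.000Z")}"')
    # The scheme is fixed to https so the token is never sent in clear text.
    url = f"https://{validate_okta_host(host)}/api/v1/users"
    if clauses:
        url += "?" + urlencode({"search": " and ".join(clauses)})
    # Okta API tokens are sent with the SSWS authorization scheme.
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    return url, headers
```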

ThreatQ Mapping

The feed automatically pulls back a list of Okta users (as Identity objects) into ThreatQ.

GET https://{okta_host}/api/v1/users

Sample Response:

[
    {
        "id": "00u1t42alzDtDDRNY5d7",
        "status": "RECOVERY",
        "created": "2021-09-14T18:52:11.000Z",
        "activated": null,
        "statusChanged": "2021-09-14T19:31:35.000Z",
        "lastLogin": "2021-09-17T13:03:41.000Z",
        "lastUpdated": "2021-09-17T13:44:52.000Z",
        "passwordChanged": "2021-09-14T19:31:37.000Z",
        "type": {
            "id": "oty1t42agnkjSIFX55d7"
        },
        "profile": {
            "lastName": "Doe",
            "zipCode": "22066",
            "preferredLanguage": "English",
            "city": "Cupertino",
            "displayName": "John Doe",
            "timezone": "EST",
            "title": "Solutions Architect",
            "locale": "",
            "login": "john.doe@threatq.com",
            "employeeNumber": "1",
            "division": "Sales Engineering",
            "countryCode": "US",
            "state": "California",
            "department": "Sales",
            "email": "john.doe@threatq.com",
            "manager": "Jack Black",
            "nickName": "John",
            "secondEmail": "john.doe@gmail.com",
            "firstName": "John",
            "primaryPhone": "7031231234",
            "postalAddress": "22066",
            "mobilePhone": "7031231234",
            "streetAddress": "1 Cupertino Road",
            "organization": "ThreatQuotient",
            "middleName": "L",
            "userType": "Employee"
        },
        "credentials": {
            "password": {},
            "emails": [
                {
                    "value": "john.doe@threatq.com",
                    "status": "VERIFIED",
                    "type": "PRIMARY"
                },
                {
                    "value": "john.doe@gmail.com",
                    "status": "VERIFIED",
                    "type": "SECONDARY"
                }
            ],
            "provider": {
                "type": "OKTA",
                "name": "OKTA"
            }
        },
        "_links": {
            "self": {
                "href": "https://dev-15613756.okta.com/api/v1/users/00u1t42alzDtDDRNY5d7"
            }
        }
    }
]

ThreatQuotient provides the following default mapping for this feed:

| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | | Published Date | Examples | Notes |
|---|---|---|---|---|---|---|
| data.profile.[firstName/lastName] | Object Value | Identity | First and last name concatenated | data.created | N/A | N/A |
| data.profile.firstName | Attribute | First Name | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.lastName | Attribute | Last Name | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.zipCode | Attribute | Zip Code | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.preferredLanguage | Attribute | Preferred Language | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.city | Attribute | City | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.displayName | Attribute | Display Name | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.timezone | Attribute | Timezone | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.title | Attribute | Title | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.locale | Attribute | Locale | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.login | Attribute | Login | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.employeeNumber | Attribute | Employee Number | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.division | Attribute | Division | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.countryCode | Attribute | Country Code | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.state | Attribute | State | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.department | Attribute | Department | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.email | Attribute | Email | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.manager | Attribute | Manager | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.nickName | Attribute | Nickname | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.secondEmail | Attribute | Secondary Email | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.primaryPhone | Attribute | Primary Phone | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.postalAddress | Attribute | Postal Address | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.mobilePhone | Attribute | Mobile Phone | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.streetAddress | Attribute | Street Address | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.organization | Attribute | Organization | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.middleName | Attribute | Middle Name | N/A | data.created | N/A | Conditionally set, if enabled |
| data.profile.userType | Attribute | User Type | N/A | data.created | N/A | Conditionally set, if enabled |
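
The default mapping applied to a user record, as an added Python example (not the CDF's own code). The output dictionary shape, the enabled_fields parameter, joining the names with a single space and skipping empty values are assumptions.

```python
# Profile field -> attribute name, copied from the default mapping table.
PROFILE_ATTRIBUTES = {
    "firstName": "First Name", "lastName": "Last Name", "zipCode": "Zip Code",
    "preferredLanguage": "Preferred Language", "city": "City",
    "displayName": "Display Name", "timezone": "Timezone", "title": "Title",
    "locale": "Locale", "login": "Login", "employeeNumber": "Employee Number",
    "division": "Division", "countryCode": "Country Code", "state": "State",
    "department": "Department", "email": "Email", "manager": "Manager",
    "nickName": "Nickname", "secondEmail": "Secondary Email",
    "primaryPhone": "Primary Phone", "postalAddress": "Postal Address",
    "mobilePhone": "Mobile Phone", "streetAddress": "Street Address",
    "organization": "Organization", "middleName": "Middle Name",
    "userType": "User Type",
}


def map_okta_user(user, enabled_fields=None):
    """Map one Okta user record to an identity dict (hypothetical output shape).

    enabled_fields models the "Include User Information" selection; None means
    every field in the table is enabled.
    """
    profile = user.get("profile") or {}
    # Assumption: "concatenated" means first and last name joined by one space.
    parts = [profile.get("firstName"), profile.get("lastName")]
    value = " ".join(p.strip() for p in parts if isinstance(p, str) and p.strip())
    if not value:
        return None  # no usable name, so no Identity value can be built
    enabled = set(PROFILE_ATTRIBUTES) if enabled_fields is None else set(enabled_fields)
    attributes = [
        {"name": label, "value": str(profile[field])}
        for field, label in PROFILE_ATTRIBUTES.items()
        # Assumption: empty values such as "locale": "" produce no attribute.
        if field in enabled and profile.get(field) not in (None, "")
    ]
    return {"type": "Identity", "value": value,
            "published_at": user.get("created"), "attributes": attributes}


# Constructed record, trimmed from the sample response above.
SAMPLE_USER = {
    "created": "2021-09-14T18:52:11.000Z",
    "profile": {"firstName": "John", "lastName": "Doe", "locale": "",
                "login": "john.doe@threatq.com", "department": "Sales"},
}
```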

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

| Metric | Result |
|---|---|
| Run Time | 1 minute |
| Identities | 2 |
| Identity Attributes | 23 |

Known Issues / Limitations

  • If the Ingest Users Based on Last Run Timeframe option is enabled, only users that were last updated within the feed run timeframe are pulled back. Disable this option to always pull back the full list of users, or keep it enabled and use the manual Run Integration button to pull the list of users historically.

Change Log

  • Version 1.0.1
    • CDF optimization by ThreatQuotient Engineering.
    • Updated Support tier from Not Supported to ThreatQ Supported.  
  • Version 1.0.0
    • Initial Release

PDF Guides

| Document | ThreatQ Version |
|---|---|
| Okta CDF Guide v1.0.1 | 4.35.0 or Greater |
| Okta CDF Guide v1.0.0 | 4.35.0 or Greater |