Okta integration with Sentinel


Has anyone had any experience with getting Okta events ingesting into Sentinel? 

5 Replies
@Dev_Choudhary Have you had a chance to look at the Okta integration information here?

https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3rd-party/ba-p/803891

Hey @rodtrent 

 

Thanks for sharing this. Initially I was looking for some connector, but now I have configured Logstash and am able to ingest the Okta events.


@Dev_Choudhary can you please share insights on how to configure this integration? We are stuck on getting the "gem" plugins to install in Logstash. Thank you so much, John (@ howdy @rodtrent !)

 


Hi @John_Joyner 

 

Please refer to the link below for the Okta plugin.

https://rubygems.org/gems/logstash-input-okta_system_log 

 

Install this Okta input plugin for Logstash, and also install the output plugin below for Sentinel.

https://github.com/yokawasa/logstash-output-azure_loganalytics
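To show how the two plugins named above fit together, here is an added example Logstash pipeline (not from this thread or from either plugin's repository). The hostname, table name and environment variable names are placeholders I chose; the option names follow each plugin's README as I recall it, so confirm them against the plugin version you install.

```logstash
# Added example pipeline: Okta System Log -> Log Analytics (Sentinel).
# Install the two plugins first, from the Logstash install directory:
#   bin/logstash-plugin install logstash-input-okta_system_log
#   bin/logstash-plugin install logstash-output-azure_loganalytics
# Then run:  bin/logstash -f okta_to_sentinel.conf
# Option names are taken from each plugin's README as remembered; check them
# with  bin/logstash-plugin list --verbose  and the plugin docs (assumption).

input {
  okta_system_log {
    # Okta org hostname, without scheme (placeholder value)
    hostname       => "dev-123456.oktapreview.com"
    # Read the API token from an environment variable rather than
    # hard-coding it in a config file that ends up in version control.
    auth_token_env => "OKTA_API_TOKEN"
    # Poll every 30 seconds, at most 1000 events per request
    schedule       => { every => "30s" }
    limit          => 1000
  }
}

filter {
  # Tag the source so Sentinel analytics rules can key on it
  mutate { add_field => { "source_system" => "okta" } }
}

output {
  azure_loganalytics {
    # Workspace ID and primary key come from the environment via
    # Logstash ${VAR} substitution; never paste the key into this file.
    customer_id => "${LA_WORKSPACE_ID}"
    shared_key  => "${LA_SHARED_KEY}"
    # Records land in the custom table OktaSystemLog_CL in Sentinel
    log_type    => "OktaSystemLog"
  }
}
```

Once events flow, confirm ingestion with a KQL query against OktaSystemLog_CL in the workspace before building analytics rules on it.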


So appreciate your reply @Dev_Choudhary. We know about those two URLs, but are unsuccessful at installing the plugins. The good news is that a recent Playbook was made available which works perfectly and is so simple to get working compared to the Logstash method:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/OktaRawLog

#GoServerless!
John