Introduction
Recorded Future Collective Insights is a mechanism for clients to share threat detections from their on-prem and cloud-based infrastructure back into Recorded Future. This enhances overall security and threat awareness through analytics such as those found on the SecOps Intelligence dashboard.
Okta is a widely used identity and access management (IAM) platform, and Okta clients rely on it to protect against unauthorized system access. This article walks through how to set up Collective Insights for Okta using the Recorded Future Collective Insights API.
Set Up Collective Insights with Okta
Attached to this article is a script ("okta_collective_insights_keyless[public].py") that maps Okta detections to Recorded Future's collective insights data model. You will need the following to run this script:
- A valid Recorded Future collective insights API Key (email support@recordedfuture.com to request this)
- An Okta API Key
- An Okta Endpoint URL
- Update the script to set the Okta API URL and API key
- Add your Recorded Future API Token to the script
- Update the "previous_date" field to match the frequency at which you intend to run the script. For example, if you plan to run the script once a day, previous_date should be set to 1 day back. If a more frequent update is desired (e.g., hourly), change "days=1" to "hours=1".
- Test-run the script. In the default configuration the script makes a live API call to your Okta instance, gathers and formats the data for submission to Recorded Future, and then validates the API package sent to the Collective Insights API. However, it will NOT initially write to the Collective Insights database; to start sending data to the Collective Insights database, the "debug" flag for the Collective Insights API must be set to false. Here is where the change in the code must be made:
- Schedule the script to run automatically. To submit Okta detections to the Recorded Future Collective Insights database on an ongoing basis, clients must set up this script to run on a schedule, ideally via a cron job (or similar), with the schedule matched to the query parameters set up in step 3.
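The following is an added sketch of the three pieces the steps above describe (the lookback window, the Okta-to-detection mapping, and the debug flag); it is not the attached script and not Recorded Future's code. It assumes the real Okta System Log fields (uuid, published, eventType, outcome, client, actor) and uses placeholder names for the detection record and the submission envelope, since the Collective Insights data model is not reproduced in this article.

```python
"""Hypothetical sketch: Okta System Log events -> Collective Insights submission."""
from datetime import datetime, timedelta, timezone

# Assumption for this sketch: only failed sign-in attempts are forwarded as detections.
FORWARDED_EVENT_TYPES = {"user.session.start"}


def previous_date(now, **window):
    """Start of the lookback window as an Okta-compatible ISO 8601 timestamp.
    Pass days=1 for a daily cron run or hours=1 for an hourly one (see the step above)."""
    return (now - timedelta(**window)).strftime("%Y-%m-%dT%H:%M:%SZ")


def okta_log_params(now, **window):
    """Query parameters for Okta's GET /api/v1/logs, which accepts a 'since' timestamp."""
    return {"since": previous_date(now, **window), "limit": "1000"}


def map_okta_events(events):
    """Map Okta System Log entries to detection records.
    The record keys below are placeholders, not the real Collective Insights schema."""
    detections = []
    for ev in events:
        if ev["eventType"] not in FORWARDED_EVENT_TYPES:
            continue
        if ev["outcome"]["result"] != "FAILURE":
            continue  # successful sign-ins are not detections
        detections.append({
            "id": ev["uuid"],
            "timestamp": ev["published"],
            "type": ev["eventType"],
            "source_ip": ev["client"]["ipAddress"],
            "actor": ev["actor"]["alternateId"],
            "reason": ev["outcome"].get("reason"),
        })
    return detections


def build_submission(detections, debug=True):
    """debug=True validates only (the article's default); set debug=False to actually write.
    The 'options'/'data' envelope is a placeholder for the real API package."""
    return {"options": {"debug": debug}, "data": detections}


# Constructed sample Okta System Log entries (not real data).
SAMPLE_EVENTS = [
    {"uuid": "evt-1", "published": "2024-01-01T12:00:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "client": {"ipAddress": "203.0.113.10"}, "actor": {"alternateId": "alice@example.com"}},
    {"uuid": "evt-2", "published": "2024-01-01T12:01:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.7"},
     "actor": {"alternateId": "bob@example.com"}},
]
```

Run the mapping over SAMPLE_EVENTS to see that only the failed sign-in survives, and keep debug=True until the validation pass looks right.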
Results
Once the script has run at least once (with the debug flag set to false!), collective insights results can be viewed in the Recorded Future UI in the SecOps Dashboard. The SecOps Dashboard panels in the UI will be populated displaying Detection Trends and Detection Activity (MITRE ATT&CK Heatmap).
Click into the Detection Trends and Detection Activity panels to see which detections are driving each analytic and to gain insight into attributes common to all detections coming from Okta.