Recorded Future Collective Insights for Okta

Introduction

Recorded Future's Collective Insights is a new type of Recorded Future analytics, providing clients with a complete view of what threats matter to an organization. Collective Insights enables Recorded Future’s clients to analyze detected incidents to create an intelligence resource for use in two ways:

  • Collective Insights provides clients with a comprehensive view of detections across their infrastructure and controls.
  • Anonymized data can be used to create visualizations and analytics that compare your enterprise's threat vectors and overall threat landscape, anonymously, against specific industries and geographies.

For more information on Recorded Future’s Collective Insights, please see the Getting Started with Collective Insights page.

The fields collected from each Okta detection by Recorded Future include the following:
  • Indicator Type
  • Indicator Value
  • UUID - Unique ID of the incident
  • Name - Name of the incident
  • Type - Type of incident
  • Reason - Reason for the outcome

Getting Started

To enable the Recorded Future integration for Okta, navigate to the Integration Center in the left-hand menu.

Click the Okta tile.

You will see additional details and resources for the integration. Click the blue Set up button.

Note: You must be an administrator to see the Set up button.

Enter the requested information in the setup modal that displays.

  • Connector Name: Collective Insights Connector For Okta
  • Okta Authentication
    • URL: Server URL to access your Okta instance
    • API Token: Your Okta API Token with Read Only Admin privilege
  • Detection Parameters
    • Connector Update Frequency: The Update Frequency is the length of time Recorded Future pauses between updates. It can be set in hours, minutes, or days. Recorded Future polls at this interval and, on each poll, retrieves all new events since the last query. The default (suggested) frequency is every 30 minutes.
  • Initial Import
    • Detections Created Last: The span of historical data that Recorded Future pulls during initial setup. The default range is 1 day; ranges longer than the previous 24 hours may cause delays in the setup process.

Click Activate.

Steps to deploy Scripted Solution (Advanced)

Attached to this article is a script ("okta_collective_insights_keyless[public].py") that maps Okta detections to Recorded Future's Collective Insights data model. You will need the following to run this script:

  • A valid Recorded Future Collective Insights API key (email support@recordedfuture.com to request this)
  • An Okta API key
  • An Okta endpoint URL
    • Note: the hosted version of the Recorded Future for Okta integration only needs the base URL for configuration
  1. Update the script to set the Okta API URL and API key.
  2. Add your Recorded Future API token to the script.
  3. Update the "previous_date" field to match the frequency at which you intend to run the script. For example, if you plan to run the script once a day, previous_date should be set to 1 day back. If a more frequent update is desired (e.g., hourly), change "days=1" to "hours=1".
  4. Test run the script. In the default configuration the script makes a live API call to your Okta instance, gathers and formats the data for submission to Recorded Future, and then validates the API package sent to the Collective Insights API. However, it does NOT initially write to the Collective Insights database; to start sending data to the Collective Insights database, the "debug" flag must be set to false for the Collective Insights API. Here is where the change in the code must be made:
  5. Schedule the script to run automatically. To automatically submit Okta detections to the Recorded Future Collective Insights database, clients must run this script on a schedule, ideally via a cron job (or similar), with the schedule matched to the query parameters set up in step 3.

FAQ

1. How do I generate an API token in Okta for Collective Insights?

Once logged into Okta as an administrator, go to the Admin Console and navigate to Security -> API -> Tokens. From there, you can view your existing tokens. Click "Create Token", give it an appropriate name, and click "Create Token" again. The token is now generated; copy it for use during the deployment process.

2. Why don't I see any events, or why does the number of events differ between Okta and the Detection Trends dashboard?

Not all Okta events are sent to Collective Insights. Both of the following criteria must be met for an Okta event to be sent to Collective Insights:

a. The event type should be "security.threat.detected".

b. The event must contain actor information, and the actor's display name must not be null.

3. Why don't I see any MITRE codes related to my Okta events in the Detection Activity dashboard?

The following criterion must be met for the MITRE codes related to Okta events to appear in the Detection Activity dashboard:

a. The event must contain outcome information, and the reason under the outcome must not be null.
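As an added illustration (not the attached script, and not Recorded Future's or Okta's own code), the following Python applies the FAQ 2 and FAQ 3 criteria to constructed Okta System Log events, maps the survivors to the fields listed under "Fields collected", and builds the query window that step 3 of the scripted solution sets via previous_date. The Okta "since" and "filter" query parameters are Okta's documented System Log parameters; the choice of client IP as the indicator, the submission payload shape and the "debug" key are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Only this Okta System Log event type is forwarded to Collective Insights (FAQ 2).
THREAT_EVENT_TYPE = "security.threat.detected"

def okta_log_query(now, days=0, hours=0):
    """Query parameters for one scheduled run (step 3): days=1 for a daily cron
    job, hours=1 for an hourly one. 'since' and 'filter' are documented
    parameters of Okta's /api/v1/logs endpoint."""
    previous_date = now - timedelta(days=days, hours=hours)
    return {
        "since": previous_date.isoformat(timespec="seconds").replace("+00:00", "Z"),
        "filter": f'eventType eq "{THREAT_EVENT_TYPE}"',
    }

def map_detection(event):
    """Map one event to the 'Fields collected' list, or return None when it
    fails the FAQ criteria (wrong type, missing actor display name). A missing
    outcome reason keeps the detection but yields no MITRE code (FAQ 3)."""
    if event.get("eventType") != THREAT_EVENT_TYPE:
        return None
    if not (event.get("actor") or {}).get("displayName"):
        return None
    return {
        "indicator_type": "ip",  # assumption: the client IP is the indicator
        "indicator_value": (event.get("client") or {}).get("ipAddress"),
        "uuid": event.get("uuid"),
        "name": event.get("displayMessage"),
        "type": event["eventType"],
        "reason": (event.get("outcome") or {}).get("reason"),  # None -> no MITRE code
    }

def build_submission(events, debug=True):
    """Filter and map a batch of events. debug=True mirrors the script's
    validate-only default (step 4); the payload shape here is an assumption."""
    return {"debug": debug, "data": [d for d in map(map_detection, events) if d]}

# Constructed sample run time and Okta System Log events (not real log data).
RUN_TIME = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"uuid": "e1", "eventType": THREAT_EVENT_TYPE, "displayMessage": "Request from suspicious IP",
     "actor": {"displayName": "Jane Doe"}, "client": {"ipAddress": "203.0.113.7"},
     "outcome": {"result": "DENY", "reason": "Password Spray"}},          # forwarded, with reason
    {"uuid": "e2", "eventType": "user.session.start", "actor": {"displayName": "Jane Doe"}},  # wrong type
    {"uuid": "e3", "eventType": THREAT_EVENT_TYPE, "actor": {"displayName": None}},  # no actor name
    {"uuid": "e4", "eventType": THREAT_EVENT_TYPE, "displayMessage": "Request from suspicious IP",
     "actor": {"displayName": "svc-build"}, "client": {"ipAddress": "198.51.100.9"},
     "outcome": {"result": "DENY", "reason": None}},                       # forwarded, no MITRE code
]
```

Running build_submission(SAMPLE_EVENTS) keeps e1 and e4 only; e4 reaches Collective Insights but, with a null reason, shows no MITRE code in the Detection Activity dashboard.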

4. Which IP addresses need to be whitelisted to allow communication from the hosted service to Okta?

Traffic from the following AWS IP addresses, which are dedicated to Recorded Future, must be whitelisted to allow communication from the hosted service:

  • 52.204.27.85
  • 54.198.55.229
  • 54.156.251.192
  • 34.235.48.77

5. How do I set up a connector under a sub-org in a multi-org environment?

To set up a connector under a specific sub-org, switch as Enterprise admin to that sub-org and create a connector following the same process described here.

Happy Hunting!

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.