-
Notifications
You must be signed in to change notification settings - Fork 429
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Integration Update] Add Sessions, Policy, Factors and Devices data to Okta Entity Analytics #10426
Comments
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
cc. @joedatlive |
Thanks Mika! I agree this would be great data to add and we can use it to enrich our Privileged User Monitoring capability in 8.17. For example, we can show disabled and denied MFA for Privileged Users. Here is a sub-task we created for integrations. https://github.com/elastic/security-team/issues/10420 @cpascale43 let's discuss in our sync tomorrow and see if we can get this on the 8.17 list. |
Update 09-19-2024@sodhikirti07 reached out asking for insight into Okta system logs related to https://github.com/elastic/security-team/issues/10420 linked by @joedatlive in a previous comment. From my understanding, the goal is to leverage ML to identify scenario's (priv esc) similar to the following: Scenario
To accomplish this, an algorithm would need access to both "activity-based" and "context-based" data for Okta. For example, what did Bob do and tell me about Bob's user profile. This seems to be accomplishable, but will require some updates to the Entity Analytics integration with the minimum being done.
I believe Session data would be beneficial as well but not entirely necessary for this or priv esc scenarios based on the sample data given by Okta. It would however, allow us to start leaning into session-hijacking anomalies and detection. I have given Kirti access to TRADE's Okta dev environment and a stack with data from both integrations actively ingesting. Happy to share access as need be and helping with threat emulation. cc @tinnytintin10 @Mikaayenson @tinnytintin10 - It may be very beneficial for you and @joedatlive to sync on this, if not already. When we discussed node visualization for CDR, the contextual information reported by these APIs would be extremely helpful with each node or edge if user's wanted to understand more about that entity. |
Hi, in relation to [Epic] Using ML to detect abusing the Privileged access of an admin account elastic/security-team#10421: Can we confirm if this ticket will update the Okta fields that we need for developing anomaly detections:
More info: |
I have a PR that adds role and factor collection to the internal client. Session data is not viable since it requires a cookie and only deals with a single, logged in (or with this state fabricated via cookie) user. I am concerned about the impact of adding all these additional calls. Already we make O(paginations+users) calls to the API since all users have their group membership queried by the client. With the addition of roles, we will have O(paginations+3×users) (abusing O-notation). In the current set-up we are already in a position where a large organisation will be rate-limited to the extent that a full sync may take on the order of 24 hours. Really, Okta should have used graphQL for this set of APIs, but we live in the universe that we do. |
@susan-shu-c The roles API endpoints include those fields. If they are needed as fields under
|
@efd6 those fields look great, let's add them, thank you! |
I share the concerns about rate-limiting. I think we should document a formula to estimate the length of time a full sync will take given the number of accounts in your org. Do we also want to consider making some of the enrichment optional (e.g. making it possible to opt-out of "factors") in the integration config? Originally I was thinking that if we used the SCIM we might be able to mitigate rate-limits because the API works a little different, but it doesn't expose things like sessions or factors so this isn't an option. |
Summary
The Okta Entity Analytics integration is great for contextual IdP data on users. Often this data can be helpful when writing threat detection rules alongside Okta system logs.
However, according to the documentation, the integration only pulls data from the Users API, which is a great start but does not contain enough contextual information to write high fidelity threat detection rules on. Adding data from the Sessions, Policy, Factors and Devices APIs will add much more enrichment. Below are examples:
Additionally, this contextual and relational data may prove beneficial for ML and LLM initiatives.
cc @tinnytintin10 @jmcarlock
The text was updated successfully, but these errors were encountered: