
Splunk Phantom
Overview
The Okta + Splunk Phantom integration orchestrates response for credential-based threats, using identity as the security control point to enable adaptive, automated response actions like step-up authentication. When suspicious account activity is detected, like a log-in from a new device or location, security teams can mitigate the threat automatically by clearing active sessions or forcing multi-factor authentication (MFA) with Okta. If a legitimate user's credentials have been compromised, security teams can take additional remediation actions against the bad actor by suspending the compromised account and conducting a password reset.
The Challenge
- The rise of credential-based threats means that identity is the new security control point
- Alert fatigue: Security teams are bombarded by alerts, some of which may be false positives, or may be overlooked due to high volumes
- Disparate security tools create complex environments that can be difficult for security teams to protect
The Solution
- The Okta + Splunk Phantom integration orchestrates threat response for credential-based threats
- Identity serves as the security control point, enabling adaptive, automated actions like step-up authentication
- Gain total visibility on user activity and identity context with the Okta Identity Cloud Add-on for Splunk
Orchestrate and automate your security response
In order to protect the enterprise, security teams must quickly resolve alerts as they arise and proactively identify threats before they cause damage. Many of these threats involve weak or stolen credentials, which shows that attackers are increasingly targeting user identities. To better protect against these threat vectors and deliver identity-driven security, Okta integrates with Splunk Phantom to enable identity-centric response actions. When suspicious account activity is detected, such as a login from a new device or location, security teams can contain the threat automatically by clearing the user's active Okta sessions or forcing multi-factor authentication (MFA) with Okta. If further investigation confirms that the account is compromised, security teams can take additional remediation actions by suspending the account and resetting its password. Together, Okta + Splunk Phantom orchestrate security using identity as the control point.
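The response flow described above, as an added example written in the style of a Splunk Phantom playbook (Phantom playbooks are Python). This is not Okta's or Splunk's code. It assumes an Okta org URL, an API token, a per-user baseline of known countries and devices, and a sample System Log event, all of which are placeholders constructed for the example; the Okta endpoints used are the documented Users API calls for clearing sessions, suspending a user and resetting a password. Step-up is implemented here by ending the user's sessions so that the next sign-in is evaluated by the org's sign-on policy, which the example assumes requires MFA; the HTTP transport is injectable so the example runs offline.

```python
"""Identity-driven response playbook logic (added example; not Okta's or Splunk's code).
Org URL, API token, baseline data and the sample event are constructed placeholders."""
import json
from dataclasses import dataclass, field

# Constructed Okta System Log event; the shape follows the published System Log schema.
SAMPLE_EVENT = json.loads("""{
  "eventType": "user.session.start",
  "outcome": {"result": "SUCCESS"},
  "actor": {"id": "00u1abcdEXAMPLE", "alternateId": "alice@example.com", "type": "User"},
  "client": {
    "ipAddress": "203.0.113.7",
    "device": "Computer",
    "userAgent": {"os": "Linux", "browser": "FIREFOX"},
    "geographicalContext": {"city": "Paris", "country": "France"}
  }
}""")

# Constructed per-user baseline; a real playbook would derive it from Splunk history.
BASELINE = {
    "alice@example.com": {
        "countries": {"United States"},
        "devices": {("Mac OS X", "CHROME")},
    }
}

@dataclass
class ResponsePlan:
    user_id: str
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def triage(event, baseline, confirmed_compromise=False):
    """Decide response actions for a successful sign-in.

    Containment (clear sessions) is automatic on a new device or country;
    eradication (suspend + reset password) only once an analyst confirms
    compromise. Returns None when the event needs no response."""
    if event["eventType"] != "user.session.start" or event["outcome"]["result"] != "SUCCESS":
        return None
    user = event["actor"]["alternateId"]
    known = baseline.get(user, {"countries": set(), "devices": set()})
    client = event["client"]
    plan = ResponsePlan(user_id=event["actor"]["id"])
    country = client.get("geographicalContext", {}).get("country")
    if country not in known["countries"]:
        plan.reasons.append(f"new country: {country}")
    ua = client.get("userAgent", {})
    if (ua.get("os"), ua.get("browser")) not in known["devices"]:
        plan.reasons.append(f"new device: {ua.get('os')}/{ua.get('browser')}")
    if not plan.reasons:
        return None
    # Ending sessions forces re-authentication; the org sign-on policy (assumed to
    # require MFA) then acts as the step-up control.
    plan.actions.append("clear_sessions")
    if confirmed_compromise:
        plan.actions += ["suspend", "reset_password"]
    return plan

# Documented Okta Users API endpoints, keyed by playbook action name.
OKTA_ACTIONS = {
    "clear_sessions": ("DELETE", "/api/v1/users/{uid}/sessions?oauthTokens=true"),
    "suspend": ("POST", "/api/v1/users/{uid}/lifecycle/suspend"),
    "reset_password": ("POST", "/api/v1/users/{uid}/lifecycle/reset_password?sendEmail=true"),
}

class OktaResponder:
    """Executes plan actions against Okta through an injected transport.

    transport(method, url, headers) -> HTTP status. Inject urllib/requests in
    production; the recording transport below keeps this example offline."""
    def __init__(self, org_url, api_token, transport):
        self.org_url = org_url.rstrip("/")
        self.headers = {"Authorization": f"SSWS {api_token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def execute(self, plan):
        results = []
        for action in plan.actions:
            method, path = OKTA_ACTIONS[action]
            url = self.org_url + path.format(uid=plan.user_id)
            results.append((action, self.transport(method, url, self.headers)))
        return results

def recording_transport(log):
    """Fake transport: records (method, url) and reports success."""
    def send(method, url, headers):
        log.append((method, url))
        return 204 if method == "DELETE" else 200
    return send

def run_playbook(event=SAMPLE_EVENT, confirmed_compromise=False):
    """Wire triage and response together; returns (plan, API calls made)."""
    calls = []
    responder = OktaResponder("https://example.okta.com", "REDACTED-API-TOKEN",
                              recording_transport(calls))
    plan = triage(event, BASELINE, confirmed_compromise)
    if plan is not None:
        responder.execute(plan)
    return plan, calls

if __name__ == "__main__":
    plan, calls = run_playbook(confirmed_compromise=True)
    print(plan.reasons, calls)
```

The split between automatic containment and analyst-gated eradication mirrors the text: clearing sessions is cheap and reversible for a legitimate user, while suspension and a password reset lock a real user out and should wait for confirmation.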
Enable enrichment for more complete visibility
The Okta Identity Cloud add-on for Splunk expands the joint solution to give complete visibility into user activity and identity. Splunk aggregates millions of data sources across firewalls, routers and endpoints, as well as critical information on user identity and access from Okta. When alerts arise, Okta provides rich identity context on users, groups and applications to enrich suspicious activity. This helps answer questions like 'which sensitive applications is this user assigned?' and 'which groups does this user belong to?' so security teams can better judge the nature of the threat and prioritize response actions accordingly. Okta user activity logs also support threat hunting, for example to identify failed logins or new factor enrollments, so security teams can mitigate threats before they turn into full-fledged attacks. By integrating with the entire Splunk Security Operations Suite (Splunk Enterprise, Splunk Cloud, Splunk User Behavior Analytics and Splunk Phantom), Okta completes the security loop from visibility to response with identity as the key control point.
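The hunting and prioritization described above, as an added example that is not part of the original page and not Okta's or Splunk's code. It runs two hunts over Okta System Log events of the kind the add-on brings into Splunk: a burst of failed logins on one account, and a new factor enrollment shortly after such a burst (an attacker who has guessed a password and enrolls their own factor for persistence). Findings are then ranked with identity context of the sort the page describes (group membership and app assignments). The newline-delimited events, the sensitive group and app names, and the context cache are constructed for the example; the event types and field names follow the published System Log schema.

```python
"""Threat hunting over Okta System Log events with identity-context prioritization.
Added example; not Okta's or Splunk's code. Events, thresholds and context are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed newline-delimited System Log events, as Splunk would index them.
SAMPLE_LOG = """\
{"published":"2024-05-01T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"00u1","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}
{"published":"2024-05-01T09:00:20.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"00u1","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}
{"published":"2024-05-01T09:00:45.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"00u1","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}
{"published":"2024-05-01T09:01:10.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"00u1","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}
{"published":"2024-05-01T09:01:30.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"00u1","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}
{"published":"2024-05-01T09:02:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"id":"00u1","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}
{"published":"2024-05-01T09:05:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"id":"00u1","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}
{"published":"2024-05-01T10:00:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"00u2","alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.5"}}
{"published":"2024-05-01T11:30:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"id":"00u2","alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.5"}}
"""

# Constructed identity context, of the kind a playbook would cache from
# GET /api/v1/users/{id}/groups and GET /api/v1/users/{id}/appLinks.
USER_CONTEXT = {
    "bob@example.com": {"groups": ["Everyone", "Finance", "Okta Admins"], "apps": ["Workday", "AWS Console"]},
    "carol@example.com": {"groups": ["Everyone"], "apps": ["Slack"]},
}
SENSITIVE_GROUPS = {"Okta Admins", "Finance"}   # constructed for the example
SENSITIVE_APPS = {"AWS Console", "Workday"}     # constructed for the example

def parse_events(text):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: time the burst was detected} for accounts with at least
    `threshold` failed sign-ins inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE":
            failures[e["actor"]["alternateId"]].append(e["ts"])
    bursts = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = times[end]
                break
    return bursts

def suspicious_enrollments(events, bursts, horizon=timedelta(hours=1)):
    """Factor enrollments within `horizon` after a failed-login burst on the same account."""
    hits = []
    for e in events:
        if e["eventType"] != "user.mfa.factor.activate":
            continue
        user = e["actor"]["alternateId"]
        if user in bursts and timedelta(0) <= e["ts"] - bursts[user] <= horizon:
            hits.append((user, e["ts"].isoformat()))
    return hits

def priority(user, context=USER_CONTEXT):
    """Score a finding by the blast radius of the identity: sensitive groups
    weigh more than sensitive app assignments; unknown users score 1."""
    ctx = context.get(user, {"groups": [], "apps": []})
    return 1 + 2 * len(SENSITIVE_GROUPS & set(ctx["groups"])) + len(SENSITIVE_APPS & set(ctx["apps"]))

def hunt(text=SAMPLE_LOG):
    """Run both hunts and return findings ranked by priority, then time."""
    events = parse_events(text)
    bursts = failed_login_bursts(events)
    findings = [{"user": u, "finding": "failed-login burst", "at": t.isoformat()} for u, t in bursts.items()]
    findings += [{"user": u, "finding": "factor enrolled after burst", "at": t}
                 for u, t in suspicious_enrollments(events, bursts)]
    for f in findings:
        f["priority"] = priority(f["user"])
    return sorted(findings, key=lambda f: (-f["priority"], f["at"]))

if __name__ == "__main__":
    for f in hunt():
        print(f)
```

In the constructed log, bob's five failures inside ninety seconds trip the burst rule and his factor enrollment three minutes later is flagged as well; carol's single failure and unrelated enrollment are not, and bob's findings rank first because of his admin and finance group memberships.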
Identity-driven orchestration and response
With Okta and Splunk Phantom integrated, enterprises get identity-centric security together with orchestration and automation of their existing security infrastructure. The combination enables decisive, quick and automated security actions that keep assets and users safe from credential compromise.
- Add identity context to security alerts, making alerts more meaningful and actionable
- Understand and prioritize threats across the enterprise, so teams can respond to the most serious incidents first
- Automate security responses to make security teams more effective and efficient in fighting credential-based attacks
Capabilities
Access
- OIDC: OpenID Connect is an identity layer on top of the OAuth 2.0 standard for exchanging authentication data between an identity provider (IdP) and a service provider (SP); the user's credentials are never passed from the identity provider to the application.
- WS-Federation
- SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP); the user's credentials are never passed to the service provider.
- SWA: Secure Web Authentication is a Single Sign-On (SSO) method developed by Okta to provide SSO for apps that do not support federated sign-on standards such as SAML or OIDC.
Provisioning
- Create: Creates or links a user in the application when the app is assigned to a user in Okta.
- Update: Okta updates a user's attributes in the app when the app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in the app.
- Deactivate: Deactivates a user's account in the app when it is unassigned in Okta or the user's Okta account is deactivated. Accounts can be reactivated if the app is reassigned to the user in Okta.
- Sync Password: Push either the user's Okta password or a randomly generated password to the app. This is not required for all federated applications, since authentication takes place in Okta, but some apps still require a password.
- Group Push: Push existing Okta groups and their memberships to the application. Groups can then be managed in Okta and changes are reflected in the application.
- Group Linking: Link Okta groups to existing groups in the application. Simplifies onboarding an app for Okta provisioning where the app already has groups configured.
- Schema Discovery: Import the user attribute schema from the application and reflect it in the Okta app user profile. Allows Okta to use custom attributes you have configured in the application that were not included in the basic app schema.
- Attribute Sourcing: The application can be defined as the source of truth for a full user profile or as the source of truth for specific attributes on a user profile.
- Attribute Writeback: When the application is used as a profile master, it is possible to define specific attributes to be sourced from another location and written back to the app. For example, the user profile may come from Active Directory with the phone number sourced from another app and written back to Active Directory.