Play Now with BOTS Partner Experiences: Okta

Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.

A little less than a year ago, a small team of us at Splunk released the first of our Boss of the SOC (BOTS) Partner Experiences, covering integration between Splunk and one of our network/wire data partners, Corelight. The idea that anyone in the world could access BOTS experiences at any time of day which showcase data from Splunk’s many partners proved a popular one. Since inception, more than 500 individuals have played at least one of these partner experiences. We followed up the Corelight scenario with one from OT Cybersecurity partner Dragos in July.

Well, good things come in threes, right? Splunk is proud to announce the debut of our third BOTS Partner Experience, this time with Identity and Access Management partner Okta. With identity-based attacks on the rise and high-profile breaches making headlines, identity and access management logs are a critical component of any Blue Team’s toolset. Anyone with a splunk.com account can access this experience, linked from the main BOTS portal page at https://bots.splunk.com. The whole point of these no-cost, no-obligation experiences is to expose you, our readers, to more data sets — especially ones similar to what you might find in your real-world environments. And as such, Okta should be a popular choice - there are thousands of organizations that are customers of both Splunk and Okta. As you’ll experience, Okta’s Identity Engine and Advanced Server Access solutions provide detailed data to Splunk Enterprise that is significant for cybersecurity monitoring, detection, and threat hunting as well as general identity management operations and reporting.

Okta provides the world's leading, enterprise-grade, cloud-native Identity as a Service solution to more than 14,000 customers worldwide. These customers use Okta for both workforce-facing identity requirements as well as customer-facing ones. Through the Okta Identity Cloud, organizations can securely manage any employee or customer’s access to any application, from any device. Okta provides significant capabilities surrounding Single Sign On, Multi-Factor Authentication, Identity Lifecycle Provisioning, Privileged Access Management, and many others, and integrates with over 7,000 applications through the Okta Integration Network.

The BOTS Okta Partner Experience plunges you into a day managing the SOC at Coffeecase, a Bay-area startup that markets curated coffee subscription boxes to under-caffeinated consumers worldwide. Similar to our past Frothly scenarios in BOTS, Coffeecase has a “bad day” on July 28th, 2022, on which it comes under attack by several interesting adversaries, all of them leveraging modern identity-based attacks. You’ll investigate failed logins, MFA factors, automatic identity lifecycle provisioning functions, Okta sign-on policies at the global and application level, session cookie re-use attacks, and many other realistic pieces of data.
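To show the kind of question the scenario asks you to answer from Okta System Log data, here is an added example (not code from the BOTS experience, from Splunk, or from Okta) that parses a handful of constructed System Log events and applies two simple checks: a burst of failed logins for one user, and a session id observed from more than one client IP address, which is how a replayed session cookie typically surfaces. The field names (`eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `authenticationContext.externalSessionId`) follow Okta's System Log schema; the users, IP addresses, session ids and the threshold of three failures are invented for the example.

```python
"""Added example: two detection checks over constructed Okta System Log events."""
import json
from collections import Counter, defaultdict


def make_event(event_type, result, user, ip, session_id=None,
               published="2022-07-28T09:00:00.000Z"):
    """Serialise a subset of an Okta System Log event as one JSON line.

    Only the fields the checks below need are included; a real event carries
    many more. Everything here is constructed sample data.
    """
    return json.dumps({
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip},
        "authenticationContext": {"externalSessionId": session_id},
    })


# Constructed sample log lines (hypothetical users, documentation-range IPs,
# invented session ids). One deliberately malformed line is included to show
# that the parser skips it instead of aborting.
SAMPLE_LOG_LINES = [
    make_event("user.session.start", "FAILURE", "alice@coffeecase.example",
               "203.0.113.10", published="2022-07-28T09:00:01.000Z"),
    make_event("user.session.start", "FAILURE", "alice@coffeecase.example",
               "203.0.113.10", published="2022-07-28T09:00:07.000Z"),
    make_event("user.session.start", "FAILURE", "alice@coffeecase.example",
               "203.0.113.10", published="2022-07-28T09:00:12.000Z"),
    make_event("user.session.start", "SUCCESS", "alice@coffeecase.example",
               "203.0.113.10", session_id="sess-A",
               published="2022-07-28T09:00:30.000Z"),
    make_event("user.session.start", "SUCCESS", "bob@coffeecase.example",
               "198.51.100.5", session_id="sess-B",
               published="2022-07-28T09:05:00.000Z"),
    # Same session id as alice's login, but from a different client IP.
    make_event("user.authentication.sso", "SUCCESS", "alice@coffeecase.example",
               "198.51.100.77", session_id="sess-A",
               published="2022-07-28T11:42:00.000Z"),
    make_event("user.session.start", "FAILURE", "bob@coffeecase.example",
               "198.51.100.5", published="2022-07-28T12:00:00.000Z"),
    "this line is not valid JSON",
]


def parse_events(lines):
    """Parse JSON lines into event dicts, skipping lines that do not parse."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def failed_login_bursts(events, threshold=3):
    """Return {user: failure_count} for users with at least `threshold`
    failed user.session.start events (threshold is an assumed value)."""
    failures = Counter()
    for ev in events:
        if (ev.get("eventType") == "user.session.start"
                and ev.get("outcome", {}).get("result") == "FAILURE"):
            failures[ev["actor"]["alternateId"]] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


def session_reuse(events):
    """Return {session_id: sorted IPs} for sessions seen from more than one
    client IP address. Failed logins carry no session id and are ignored."""
    ips_by_session = defaultdict(set)
    for ev in events:
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        ip = ev.get("client", {}).get("ipAddress")
        if sid and ip:
            ips_by_session[sid].add(ip)
    return {sid: sorted(ips) for sid, ips in ips_by_session.items()
            if len(ips) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("session ids seen from multiple IPs:", session_reuse(evs))
```

On the sample data, alice trips the failed-login check with three failures and bob does not, and `sess-A` is reported because it appears from both `203.0.113.10` and `198.51.100.77`. In Splunk the same two checks are a `stats count by actor.alternateId` over failure events and a `stats dc(client.ipAddress) by authenticationContext.externalSessionId`, which is the shape of the hunting queries the scenario walks you toward.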

Not familiar with Okta data or identity and access management? Don’t worry! There are plenty of hints available as you go through the 20 questions. We’ve allocated two hours, but you can always come back later and play again.

We’re excited for you to check out the Okta Partner Experience on bots.splunk.com. And we’d be remiss not to mention: the scenario, questions, and dataset were masterminded by a team of summer interns at Okta, led by Cornell University CS student Michelle Prior. The experience and related questions will give you a very complete picture of how Okta data can augment detection and hunting in Splunk Enterprise (and could be used in the same way in Splunk Cloud Platform!). This data can be augmented and refreshed to represent additional scenarios in the future.

And by the way, if you’re looking for some out-of-the-box detection content for Okta data that you can use in Splunk Enterprise Security, please check out the October 4, 2022 release of Enterprise Security Content Update, brought to you by the Splunk Threat Research Team. They’ve added eight new and three updated Okta detections, all of which will work against the very same data from Okta’s system log that you will experience in the Partner Experience!
