Last updated: Aug 23, 2019

Integration detail

Splunk Phantom

Securely enable access for your users from anywhere with Splunk Phantom

Overview

The Okta + Splunk Phantom integration orchestrates response for credential-based threats, using identity as the security control point to enable adaptive, automated response actions like step-up authentication. When suspicious account activity is detected, like a log-in from a new device or location, security teams can mitigate the threat automatically by clearing active sessions or forcing multi-factor authentication (MFA) with Okta. If a legitimate user's credentials have been compromised, security teams can take additional remediation actions against the bad actor by suspending the compromised account and conducting a password reset.

The Challenge

  • The rise of credential-based threats means that identity is the new security control point
  • Alert fatigue: Security teams are bombarded by alerts, some of which may be false positives, or may be overlooked due to high volumes
  • Disparate security tools create complex environments that can be difficult for security teams to protect

The Solution

  • The Okta + Splunk Phantom integration orchestrates threat response for credential-based threats
  • Identity serves as the security control point, enabling adaptive, automated actions like step-up authentication
  • Gain full visibility into user activity and identity context with the Okta Identity Cloud Add-on for Splunk

Orchestrate and automate your security response

To protect the enterprise, security teams must quickly resolve alerts as they arise and proactively identify threats before they cause damage. Many of these threats involve weak or stolen credentials, showing that attackers increasingly target user identities. To defend against these threat vectors and deliver identity-driven security, Okta integrates with Splunk Phantom to enable identity-centric response actions. When suspicious account activity is detected, such as a login from a new device or location, security teams can contain the threat automatically by clearing the user's active sessions or requiring multi-factor authentication (MFA) through Okta. If further investigation confirms that the account is compromised, security teams can take additional remediation actions by suspending the account and resetting its password. Together, Okta + Splunk Phantom orchestrate security using identity as the control point.

(Diagram: Phantom visibility and response flow)

Enable enrichment for more complete visibility

The Okta Identity Cloud Add-on for Splunk expands the joint solution with complete visibility into user activity and identity. Splunk aggregates data from millions of sources, including firewalls, routers, and endpoints, as well as critical user identity and access information from Okta. When alerts arise, Okta provides rich identity context on users, groups, and applications to enrich suspicious activity. This answers questions like "which sensitive applications is this user assigned" and "which groups does this user belong to", so security teams can better judge the nature of the threat and prioritize response actions accordingly. Okta also supports threat hunting over user activity logs, helping to surface failed logins or new factor enrollments before they turn into full-fledged attacks. By integrating with the entire Splunk Security Operations Suite (Splunk Enterprise, Splunk Cloud, Splunk User Behavior Analytics, and Splunk Phantom), Okta closes the loop from visibility to response with identity as the key control point.
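The two passages above describe a tiered workflow: enrich the alert with the user's groups and application assignments, contain by revoking sessions, and remediate (suspend, reset password) once an analyst confirms compromise. The following is an added example written for this page, not Okta's or Splunk's own app code, showing how a playbook would drive that workflow against Okta's documented Users API (GET /api/v1/users/{id}/groups and /appLinks, DELETE /api/v1/users/{id}/sessions, POST /api/v1/users/{id}/lifecycle/suspend and /lifecycle/reset_password). The group and application names used for prioritization, the user IDs, and the in-memory FakeOkta tenant are constructed assumptions so the code runs offline. Note that Okta has no single "force MFA" call: revoking sessions forces a fresh sign-in, and the step-up actually enforced is whatever the tenant's sign-on policy requires.

```python
"""Identity-centric response playbook against the Okta Users API (added example)."""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

# Assumptions: names a tenant might use for privileged groups and sensitive apps.
PRIVILEGED_GROUPS = {"Okta Administrators", "Domain Admins"}
SENSITIVE_APPS = {"AWS", "GitHub", "Salesforce"}


def okta_http(org_url: str, api_token: str):
    """Real transport: (method, path, body) -> (status, parsed JSON). Uses an SSWS API token."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            org_url + path, data=data, method=method,
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return call


class FakeOkta:
    """Constructed in-memory tenant so the playbook runs offline; mirrors the real endpoints' shapes."""
    def __init__(self):
        self.users = {
            "00u1abc": {"status": "ACTIVE", "sessions": 3,
                        "groups": ["Everyone", "Okta Administrators"], "apps": ["AWS", "Slack"]},
            "00u2def": {"status": "ACTIVE", "sessions": 1,
                        "groups": ["Everyone"], "apps": ["Slack"]},
        }
        self.calls = []  # audit trail of (method, path)

    def __call__(self, method, path, body=None):
        self.calls.append((method, path))
        path = path.split("?")[0]            # drop query string, e.g. ?sendEmail=false
        uid = path.split("/")[4]             # /api/v1/users/{uid}/...
        u = self.users[uid]
        if (method, path) == ("GET", f"/api/v1/users/{uid}/groups"):
            return 200, [{"profile": {"name": g}} for g in u["groups"]]
        if (method, path) == ("GET", f"/api/v1/users/{uid}/appLinks"):
            return 200, [{"label": a} for a in u["apps"]]
        if (method, path) == ("DELETE", f"/api/v1/users/{uid}/sessions"):
            u["sessions"] = 0
            return 204, None
        if (method, path) == ("POST", f"/api/v1/users/{uid}/lifecycle/suspend"):
            u["status"] = "SUSPENDED"
            return 200, {}
        if (method, path) == ("POST", f"/api/v1/users/{uid}/lifecycle/reset_password"):
            return 200, {"resetPasswordUrl": f"https://example.okta.com/reset/{uid}"}
        return 404, {"errorSummary": "not found"}


@dataclass
class Outcome:
    priority: str
    actions: List[str] = field(default_factory=list)
    reset_url: Optional[str] = None


def respond_to_suspicious_login(call, user_id: str, confirmed_compromise: bool) -> Outcome:
    """Enrich -> contain -> (if confirmed) remediate, returning what was done for the case record."""
    # 1. Enrich: who is this user, and what could the attacker reach with their session?
    _, groups = call("GET", f"/api/v1/users/{user_id}/groups")
    _, apps = call("GET", f"/api/v1/users/{user_id}/appLinks")
    group_names = {g["profile"]["name"] for g in groups}
    app_labels = {a["label"] for a in apps}
    high = bool(group_names & PRIVILEGED_GROUPS) or bool(app_labels & SENSITIVE_APPS)
    out = Outcome(priority="high" if high else "medium")

    # 2. Contain: revoke every session so the next access must re-authenticate under policy.
    status, _ = call("DELETE", f"/api/v1/users/{user_id}/sessions")
    if status != 204:
        raise RuntimeError(f"session revocation failed for {user_id}: HTTP {status}")
    out.actions.append("clear_sessions")

    # 3. Remediate only after an analyst has confirmed the account is compromised.
    if confirmed_compromise:
        call("POST", f"/api/v1/users/{user_id}/lifecycle/suspend")
        out.actions.append("suspend")
        # sendEmail=false returns the reset link to the playbook instead of mailing the user,
        # so it can be handed over through a verified channel rather than a possibly hijacked inbox.
        _, body = call("POST", f"/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail=false")
        out.reset_url = body["resetPasswordUrl"]
        out.actions.append("reset_password")
    return out


if __name__ == "__main__":
    tenant = FakeOkta()
    print(respond_to_suspicious_login(tenant, "00u1abc", confirmed_compromise=False))
    print(respond_to_suspicious_login(tenant, "00u1abc", confirmed_compromise=True))
```

The containment step runs unconditionally because revoking sessions is low-risk and reversible (the user simply signs in again), whereas suspend and reset are gated on analyst confirmation, which is the split the text describes. Swapping FakeOkta for okta_http(org_url, api_token) targets a real tenant with the same playbook logic.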

(Image: Phantom supported API commands)

Identity-driven orchestration and response

With Okta and Splunk Phantom integrated, enterprises gain identity-centric security along with orchestration and automation of their existing security infrastructure. The combination enables decisive, fast, automated security actions that keep assets and users safe from credential compromise.

  • Add identity context to security alerts, making alerts more meaningful and actionable
  • Understand and prioritize threats across the enterprise, so teams can respond to the most serious incidents first
  • Automate security responses to make security teams more effective and efficient in fighting credential-based attacks

Documentation

Documentation, integration, and implementation resources:

  • Configuration Guide: Splunk Phantom

Okta Verified
The integration was either created by Okta or by Okta community users and then tested and verified by Okta.

Languages Supported

English