Okta Webhook Plugin for Ticket Orchestrator

The Okta Webhook integration with Netskope Cloud Exchange enables real-time communication between Okta and Netskope, allowing for automated synchronization of user data and events. This integration can help detect special security events and can trigger special actions on the user’s end with Okta Workflows.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • An Okta Instance with Super Admin access.
  • A Netskope Cloud Exchange tenant with the Ticket Orchestrator module already configured.
  • A Webhook URL.
  • Connectivity to the following hosts:
    • A Netskope Tenant.
    • An Okta Webhook URL.

Webhook Plugin Support

Supported alert types for notifications: Anomaly, Compromised Credentials, policy, Legal Hold, malsite, Malware, DLP, Security Assessment, watchlist, quarantine, Remediation, uba, ctep

Workflow

  • Create an Okta Workflow API endpoint to get a Webhook URL.
  • Configure the Webhook Plugin.
  • Create a Ticket Orchestrator Business Rule.
  • Create a Ticket Orchestrator Queue.
  • Validate in Netskope.
  • Validate in Okta Workflow.

Get a Webhook URL

  1. To create a Webhook URL, log in to your Okta instance and go to Admin > Workflows Console.

  2. Click Flows.

  3. Click New Flow.

  4. Click Add event.

  5. Click API Endpoint.

  6. Check API endpoint settings.

  7. Enter a flow name and click Save.

  8. Copy the Invoke URL.

  9. Also make sure the Flow is ON.

Configure the Webhook Plugin

  1. Go to Settings > Plugins. Search for and select the Webhook plugin box. Make sure the CTO module is enabled; if it is not, go to Settings > General and enable the Ticket Orchestrator module.
  2. Enter a Configuration Name.
  3. Adjust the Sync Interval to an appropriate value; 5+ minutes is suggested.

  4. Click Next.

  5. Enter your Webhook URL. It will be in the following format: "https://netskope-tech.workflows.okta.com/api/flo/*****/invoke".
  6. Click Save.

Create a Ticket Orchestrator Business Rule for Okta with Webhook

Create a business rule based on the filters you need to generate tickets in the Webhook plugin.

  1. Under the Ticket Orchestrator module, select Business Rules from the left panel.

  2. Click Create new rule.
  3. Enter an appropriate Rule Name in the text box and build the appropriate filter query condition on the field(s) for the business rule. You can also type the query manually by pressing the Filter Query button.

  4. Click Save.
  5. To test the newly created business rule, click on the icon and enter the Time period (in days), and click Fetch. This will show the number of alerts that are eligible for incident/ticket creation.

Create a Ticket Orchestrator Queue for Okta with Webhook

  1. In Ticket Orchestrator, select Queues.

  2. Click Add Queue Configuration.

  3. Select the previously created Business Rule from the dropdown.
  4. Select the plugin from the dropdown for which the queue is being configured.
  5. Select a queue from the Queues dropdown, which will contain Notification. The notification will be created in the selected Webhook.
  6. Add or map appropriate values between alerts and incidents under the Map Field section. An alert’s attributes can be accessed via "$" in the custom message field.

    Note

    You must provide the value of the field in JSON format: {"text":"$user"}

  7. Click Save.

  8. Based on the business rule(s), Webhook notifications for incoming alerts will be created automatically. To create Webhook notifications for historical alerts, click on the icon on the configured queue, enter the Time period (in days), and then click Fetch. This will show the number of alerts that are eligible for ticket creation. Click Sync to create Webhook data for those alerts.

Validate the Okta Webhook Plugin

In Cloud Exchange

In order to validate the workflow, you must have Netskope Alerts.

  1. To view the list of tickets created on Webhook, go to Tickets in Ticket Orchestrator.

  2. If tickets are not being created on Webhook, check the audit logs in Cloud Exchange > Logging. Apply the filter: Type any in Error.

In Okta Workflows

  1. In your Okta instance, go to Admin > Workflows Console > Flows > Execution history.

Creating Flows to Terminate the Okta Session

Create an Okta Workflow to terminate the Okta session based on the Alerts in Cloud Exchange.

  1. In your Okta instance, go to Admin > Workflows Console > Flows.

  2. Click Add function and select JSON, and then select Parse.

  3. Drag and drop the Body from the On Demand API Endpoint in the JSON Parse String Column.

  4. Click Add function and select Object, and then select GET.

  5. Drag and drop the Output from JSON Parse output to the object Column, and set the path according to your data.

  6. To verify the output, click Run.

  7. Before sending the data with the next flow, you need to make a connection with your Okta application. In the Workflow console, go to Connection.

  8. Click New Connection, select Okta, and then click Create.

  9. For the Domain, Client ID, and Client Secret, you need to create a new application, or use an existing one, in the Okta Admin console. Click Application > Create App Integration.

  10. Select OIDC and Web Application, and then click Next.

  11. Provide the application name and Sign-in redirect URIs: https://oauth.workflows.okta.com/oauth/okta/cb. Click Save.

  12. Assign the user you are creating the workflow with to the application.

  13. Assign the Okta API Scopes for the application. Add access to:
    • okta.sessions.manage
    • okta.users.read
    • okta.users.manage

  14. Copy the Client ID and Secret. Paste these values in the Okta Connection tab. Also, make sure you have Super Admin access to establish the connection with Okta.

  15. Go back to the same flow again. Click Add app action and select Okta, and then select Find Users.

  16. Select the Result Set: First Matching Record, and click Save. For Inputs, select Query, and for Outputs, select ID (only ID to terminate the user session). Click Save.

  17. Map the Output of Object Get with Input of Okta Find Users.

  18. Click Add app action and select Okta, and then select Clear User Sessions. Map the Output of Okta Find Users to the Input of Okta Clear User Sessions. Set Revoke oauthTokens to True.

  19. Now run and verify the workflow.

This is how you can automate user session termination on the basis of alerts in Cloud Exchange.

Troubleshooting

Unable to create notification using plugin

If you are not able to share any notifications from the plugin, it might be due to the following reason:

  • If you are not able to send data to the Webhook URL, check whether new alerts are being fetched.

What to do: If you encounter the above issue, it might be due to the point mentioned above. To resolve it, follow these steps in order:

  • If you are not able to send data to the Webhook URL:
    1. Go to Netskope CE.
    2. Click on Ticket Orchestrator.
    3. Click on Alerts.
    4. Check whether new alerts are present or not.

Access Issue in Okta

Check if the correct access has been provided in the Okta API scopes of the application.

For connection issues related to the Okta application, make sure the connection is healthy so that the workflow can execute.

Limitation

One notable constraint arises when converting data to JSON. If the description field contains double quotes, the conversion results in an error: dynamic fields with double quotes in them render the JSON object invalid.
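
The failure described above, reproduced as an added example (not Netskope's plugin code): it assumes a mapping value is filled by plain `$field` substitution, uses a constructed alert, and shows that JSON-escaping each value before substitution keeps the payload valid and stops an alert value from changing the payload's structure. The `detail` key, the alert field values and the helper function names are hypothetical.

```python
import json
from string import Template

# Constructed sample alert; field values are illustrative only.
SAMPLE_ALERT = {
    "user": "alice@example.com",
    "description": 'File "payroll.xlsx" matched profile "PII"',
}

# Mapping value in the page's format, with a hypothetical second key.
MAPPING = '{"text":"$user","detail":"$description"}'


def render_naive(mapping, alert):
    """Assumed failure mode: values are pasted into the JSON text unchanged."""
    return Template(mapping).safe_substitute(alert)


def render_escaped(mapping, alert):
    """JSON-escape each value, then substitute.

    json.dumps() returns a quoted JSON string; dropping the outer quotes leaves
    the escaped body, which fits between the quotes already in the mapping.
    """
    escaped = {k: json.dumps(str(v), ensure_ascii=False)[1:-1]
               for k, v in alert.items()}
    return Template(mapping).safe_substitute(escaped)


def is_valid_json(payload):
    try:
        json.loads(payload)
        return True
    except json.JSONDecodeError:
        return False


def risky_fields(alert):
    """Names of fields whose values contain quotes, backslashes or control
    characters and would therefore break raw substitution."""
    return sorted(k for k, v in alert.items()
                  if json.dumps(str(v), ensure_ascii=False)[1:-1] != str(v))


if __name__ == "__main__":
    print("naive valid:  ", is_valid_json(render_naive(MAPPING, SAMPLE_ALERT)))
    print("escaped valid:", is_valid_json(render_escaped(MAPPING, SAMPLE_ALERT)))
    print("fields to check:", risky_fields(SAMPLE_ALERT))
```

Running `risky_fields` over a sample of alerts before mapping a field shows which attributes need escaping or should be left out of the custom message.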
