Prerequisites
Before you begin, ensure that the following prerequisites are met:

| Prerequisite | Description |
|---|---|
| Create an API service application | Provides the necessary authentication for OktaHound to access your Okta environment |
| Configure and run the collector | Collects data from your Okta environment and generates JSON files for upload to BloodHound |
Register the Extension (BloodHound Enterprise Only)
The BloodHound extension feature is currently available in preview exclusively for BloodHound Enterprise customers. To get started, contact your Technical Account Manager to obtain the latest Enterprise release of OktaHound.

The OktaHound extension includes a schema that tells BloodHound how to model and analyze data from your Okta organization. You must register the extension before you upload data generated by the OktaHound collector. Choose the registration approach that best fits your environment:

- Simple (recommended): Upload all required and optional schemas up front.
- Specific: Upload the required schemas first, then upload only the optional supporting schemas for the collectors you actively use.
Hybrid edge data references node kinds defined by other collectors. If the supporting schemas are not registered first, BloodHound cannot resolve those node kinds and reports missing node kind errors when you upload or explore hybrid data (okta-graph-hybrid.json).

Required Schemas
The OktaHound extension bundle includes the required OktaHound schema as well as a required SCIM schema.

Optional Schemas
OktaHound also includes optional supporting schemas for related data sources. These schemas enable additional node and edge types in BloodHound that are relevant to Okta environments. If you use Okta with any of the supported data sources in your environment, upload the corresponding schema to ensure that the data is properly modeled in BloodHound.

| Data source | Optional schema file |
|---|---|
| GitHub | bhe-github-extension.json |
| Jamf | bhe-jamfhound-extension.json |
| 1Password | bhce-1passhound-extension.json |
| Snowflake | bhce-snowflake-extension.json |
Register Custom Node Icons (Community Edition Only)
Skip this step if you already uploaded an extension schema, because the schema registers the node icons automatically. If you have not registered an extension schema, register the Okta and SCIM custom node types by uploading the bh-okta-custom-nodes.json and bh-scim-custom-nodes.json files using the BloodHound API.

Upload Data to BloodHound
After you complete the prerequisites and register the extension or node icons, upload the data collected by OktaHound to BloodHound. The OktaHound collector generates multiple JSON files. Each file contains a different subset of data about your Okta environment, such as general configuration data, Active Directory (AD) integration data, and hybrid attack path data.

AD integration data is generated only when you run collection with the --export-ad-nodes option. Use this option only when you want AD context without running LDAP enumeration with SharpHound, or when you do not have direct AD access but do have the required rights in Okta.

- okta-graph-ad.json (optional): Upload Okta/AD integration data (generated only when you run collection with the --export-ad-nodes option).

Import Cypher Queries
OktaHound provides custom Cypher queries to help you identify attack paths and misconfigurations in your Okta environment. These queries are included in the queries directory of the OktaHound extension.
To use these queries, you must first import the queries/*.json files into BloodHound. You can then run the queries on the Explore page.
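The three API steps above (register the custom node kinds, upload the collector's JSON files, import the Cypher queries) can be scripted against the BloodHound API. The following is an added example, not code from OktaHound or BloodHound. It assumes the HMAC-SHA256 request-signing chain shown in the public BloodHound API client examples, that /api/v2/custom-nodes, /api/v2/file-upload/start, /api/v2/file-upload/<id>, /api/v2/file-upload/<id>/end and /api/v2/saved-queries are the BloodHound CE routes for these operations, and that each entry in a queries/*.json file carries "name" and "query" keys; confirm all of these against your instance's /api/v2/swagger before use. Enterprise extension-schema registration is not shown. The dry_run function exercises the whole sequence against an in-memory fake server with constructed placeholder payloads, so it runs offline.

```python
"""Added example, not OktaHound's or BloodHound's own code: sign BloodHound API
requests and push OktaHound output in the order this page requires (node kinds
first, then collector JSON files, then Cypher queries). Assumptions, labelled as
such: the HMAC-SHA256 signature chain follows the public BloodHound API client
examples; /api/v2/custom-nodes, /api/v2/file-upload/{start,<id>,<id>/end} and
/api/v2/saved-queries are the BloodHound CE routes; each queries/*.json entry has
"name" and "query" keys. Verify against your instance's /api/v2/swagger before
use. Enterprise extension-schema registration is not shown."""
import base64
import datetime as dt
import hashlib
import hmac
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Send = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def sign_request(token_id: str, token_key: str, method: str, uri: str,
                 body: Optional[bytes], now: Optional[dt.datetime] = None) -> Dict[str, str]:
    """Headers for the 'bhesignature' scheme. HMAC(method+uri) -> HMAC(hour) -> HMAC(body)
    binds a signature to route, hour and payload, so a captured request cannot be replayed
    on another route, outside the window, or with a swapped body. `now` must be tz-aware."""
    when = (now or dt.datetime.now().astimezone()).isoformat("T")
    d = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256)
    d = hmac.new(d.digest(), when[:13].encode(), hashlib.sha256)  # "YYYY-MM-DDTHH"
    d = hmac.new(d.digest(), body or b"", hashlib.sha256)
    return {"Authorization": f"bhesignature {token_id}", "RequestDate": when,
            "Signature": base64.b64encode(d.digest()).decode(),
            "Content-Type": "application/json"}


def http_send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport, stdlib only; urlopen raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class BloodHoundClient:
    def __init__(self, base_url: str, token_id: str, token_key: str, send: Send = http_send):
        self.base_url, self.token_id, self.token_key, self.send = base_url.rstrip("/"), token_id, token_key, send

    def call(self, method: str, uri: str, body: Optional[bytes] = None) -> dict:
        headers = sign_request(self.token_id, self.token_key, method, uri, body)
        status, raw = self.send(method, self.base_url + uri, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {uri} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}


def register_custom_nodes(client: BloodHoundClient, custom_nodes_json: bytes) -> None:
    """CE only: register Okta/SCIM node kinds and icons (bh-okta-custom-nodes.json,
    bh-scim-custom-nodes.json) before any ingest, as the page requires."""
    client.call("POST", "/api/v2/custom-nodes", custom_nodes_json)


def upload_collector_output(client: BloodHoundClient, files: Dict[str, bytes]) -> int:
    """One ingest job for all collector files: start, POST each file, end. Each file is
    parsed locally first so a truncated okta-graph-*.json fails here, not mid-job."""
    job_id = client.call("POST", "/api/v2/file-upload/start")["data"]["id"]
    for content in files.values():
        json.loads(content)  # ValueError on malformed collector output
        client.call("POST", f"/api/v2/file-upload/{job_id}", content)
    client.call("POST", f"/api/v2/file-upload/{job_id}/end")
    return job_id


def import_queries(client: BloodHoundClient, queries_json: bytes) -> int:
    """One saved query per entry of a queries/*.json file (assumed format); returns the count."""
    entries = json.loads(queries_json)
    for q in entries:
        client.call("POST", "/api/v2/saved-queries",
                    json.dumps({"name": q["name"], "query": q["query"]}).encode())
    return len(entries)


def dry_run() -> List[Tuple[str, str]]:
    """Run the whole sequence against an in-memory fake server (no network) and return
    the (method, uri) calls it saw, in order. Payloads are constructed placeholders."""
    base, seen = "https://bh.example", []

    def fake_send(method, url, headers, body):
        assert headers["Authorization"].startswith("bhesignature ") and headers["Signature"]
        seen.append((method, url[len(base):]))
        return (201, b'{"data": {"id": 7}}') if url.endswith("/file-upload/start") else (200, b"")

    client = BloodHoundClient(base, "token-id", "token-key", send=fake_send)
    register_custom_nodes(client, b'{"constructed": "stand-in for bh-okta-custom-nodes.json"}')
    upload_collector_output(client, {
        "okta-graph-ad.json": b'{"constructed": "present only with --export-ad-nodes"}',
        "okta-graph-hybrid.json": b'{"constructed": "needs the supporting schemas registered first"}',
    })
    import_queries(client, b'[{"name": "constructed query", "query": "MATCH (n) RETURN n LIMIT 1"}]')
    return seen
```

Against a real instance, construct BloodHoundClient with your base URL and the API token ID and key from the API service application created in the prerequisites, and pass the real file contents instead of the placeholders. Keep the call order as in dry_run: node kinds (or, on Enterprise, the extension schema) must be registered before the first file-upload job, and okta-graph-hybrid.json should only be in a job once the supporting schemas are in place.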
Next Steps
- Explore the Okta node types and edge types in the schema reference
- Try the Okta Cypher queries on the Explore page
- Learn about Okta attack paths and what to look for
- Use OktaHound’s specialized queries to create or update Cypher-based Privilege Zone rules
- Join the #okta channel on the BloodHound Community Slack for questions and discussion