>
    Strata Copilot
    Send Cortex XDR Risk Signals to Okta
    Focus
    Download PDF
    Focus
    1. Home
    2. Identity
    3. Identify Users and Devices with Cloud Identity Engine
    4. Send Cortex XDR Risk Signals to Okta
    Download PDF
    Identity

    Send Cortex XDR Risk Signals to Okta

    Table of Contents

    Send Cortex XDR Risk Signals to Okta

    Share Cortex XDR user risk intelligence with Okta for coordinated and rapid responses to security events.
    Where Can I Use This?What Do I Need?
    • Cloud Identity Engine
    • A Cortex XDR directory associated with the CIE
    • Okta Identity Threat Protection (ITP), an Okta tenant address, and an Okta account with administrative privileges
    You can send user risk signals from Cortex XDR to Okta through the Shared Signals Framework (SSF) Transmitter in Cloud Identity Engine (CIE). The SSF Transmitter enables the exchange of the risks signals. The CIE functions as the signal "transmitter" while Okta is the "receiver." All Cortex XDR risk signals sync with the CIE and flow through the SSF stream to Okta. These signals indicate whether a user's risk is low, medium, or high. Okta uses these signals along with its own insights to enforce risk entity policy rules that you define. For example, you can create a rule that logs users out of all active sessions and supported applications when Okta detects high-risk user activity during an active Okta session. By sharing risk intelligence between platforms, your security infrastructure can respond to threats in a coordinated, rapid manner.
    How The SSF Transmitter Works
    1. Cortex XDR detects high-risk user activity during an active Okta session. For example, a user risk level is now high.
    2. Cortex XDR syncs user risk and device risk data with the Cloud Identity Engine.
    3. The CIE receives this data and sends it to Okta as security events through the SSF Transmitter.
    4. Okta processes the signals as risk detection events and enforces risk-based policy rules.
    1. Sign in to the Cloud Identity Engine.
    2. Configure Cortex XDR as a risk source.
      This step enables Cortex XDR to sync user risk and device risk signals with the CIE.
      The Cortex XDR directory must be associated with the CIE already.
      1. Select Security RiskRisk Connections.
      2. Add a risk source.
      3. Connect Cortex, and then select an existing Cortex Directory.
      4. Click Continue.
        The Cortex directory you selected is added to the Risk Collection for Cortex.
    3. Configure the Shared Signals Framework Transmitter.
      1. Select Security RiskRisk Connections.
      2. Under Risk Sharing, Add the Shared Signals Framework Okta.
        The SSF Transmitter configuration window opens.
      3. For Risk Source, select XDR.
      4. For Directory, select the target Okta directory for Cortex XDR risk signals.
      5. Verify SSF stream details.
        The Create SSF Stream to Okta fields are pre-filled based on risk source, SSF transmitter, and SSF receiver details.
        1. Leave the Audience field as is.
        2. Copy the Well Known Configuration Endpoint value. You'll need this URL to set up Okta as a shared signal receiver.
        3. Verify that the Transmitter Endpoint value is your organization's Okta tenant address appended with /security/api/v1/security-events: your-org.okta.com/security/api/v1/security-events.
        4. Submit the configuration.
          SSF stream details are available for viewing under Risk Sharing. Find the stream of interest, and then click Actions View.
    4. Configure your Okta tenant to receive shared signals.
      Paste the Well Known Configuration Endpoint value from the SSF transmitter configuration into the Well-known URL field in the Okta configuration.

    © 2026 Palo Alto Networks, Inc. All rights reserved.