Okta Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Okta is a cloud-based identity management service that provides access to a wide range of applications like Amazon, Google, Box, Office 365, and others. This technology pack will process Okta logs, providing normalization and enrichment of common events of interest.

Requirements

  • A configured Okta Developer, Preview, or Custom Domain Organization

  • A user account in the Okta Organization with 'Report Administrator' and 'Organization Administrator' or higher permissions

  • An Okta API token for data collection (see Okta documentation for token creation)

Supported Versions

  • Okta API version 2021.04.1 and later

Log Collection and Delivery

Okta logs are collected via the Okta System Log API. An API token must be created in the Okta Admin console and configured in a Graylog Okta input. Okta API tokens have the same permissions as the user who creates them. Consider creating a dedicated service account to limit access.

Create Okta API Token

To create the API token:

  1. Log in to the Okta Admin console with 'Report Administrator' and 'Organization Administrator' permissions.

  2. Navigate to Security > API > Tokens (Classic UI) or API > Tokens (Developer Console).

  3. Click 'Create Token', name it, and record the token value immediately.

  4. Optional: Remove 'Organization Administrator' role from the service account to limit to read-only access.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Okta Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Okta System Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided

  • Parsing rules to extract Okta logs into Graylog schema compatible fields

  • GIM event type categorization and enforcement fields for supported Okta events

Log Format Example

{"actor":{"id":"00uznmiqsr1UIPqr90h9","type":"User","alternateId":"test.user@graylog.com","displayName":"Test User","detailEntry":null},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","os":"Windows 10","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"10.10.84.54","geographicalContext":{"city":"Dallas","state":"Mississippi","country":"United States","postalCode":"90210","geolocation":{"lat":40.969,"lon":-106.6034}}},"device":null,"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"00uznmiqsr1UIPqr90h9"},"displayMessage":"User login to Okta","eventType":"user.session.start","outcome":{"result":"SUCCESS","reason":null},"published":"2021-10-18T20:49:24.126Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","debugContext":{"debugData":{"requestId":"YW3d0-2p3-1iwOeHylXaAVXRCcE","origin":"https://test.graylog.net","requestUri":"/api/v0/authx","threatSuspected":"false","url":"/api/v0/authx?"}},"legacyEventType":"core.user_auth.login_success","transaction":{"type":"WEB","id":"YW3d0-2p3-1iwOeHylXaAVXRCcE","detail":{}},"uuid":"e05d81bb-3054-837b-11ec-9bf29b682db0","version":"0","request":{"ipChain":[{"ip":"10.10.84.54","geographicalContext":{"city":"Lakeside","state":"Omaha","country":"United States","postalCode":"90210","geolocation":{"lat":33.696,"lon":-104.0346}},"version":"V4","source":null}]},"target":null}

GIM Categorization

GIM categorization is provided for the following event types:

Event Type gim_event_type_code gim_event_category gim_event_subcategory gim_event_type
user.session.start 100000 authentication authentication.logon logon
user.authentication.sso 100500 authentication authentication.credential validation credential validation
user.session.end, user.session.clear, user.session.expire, user.authentication.universal_logout 102500 authentication authentication.logoff logoff
user.authentication.auth_via_mfa 100502 authentication authentication.credential validation mfa
policy.evaluate_sign_on 109999 authentication authentication.default authentication message
app.oauth2.*.token.revoke, system.api_token.revoke 109999 authentication authentication.default authentication message
user.lifecycle.create 110000 iam iam.object create account created
group.lifecycle.create 110002 iam iam.object create group created
user.lifecycle.delete.* 110500 iam iam.object delete account deleted
group.lifecycle.delete 110501 iam iam.object delete group deleted
user.account.update_profile 111000 iam iam.object modify account modified
user.account.privilege.grant 111001 iam iam.object modify privileges assigned
user.account.privilege.revoke 111002 iam iam.object modify privileges removed
group.user_membership.add 111007 iam iam.object modify group member added
group.user_membership.remove 111008 iam iam.object modify group member removed
user.lifecycle.deactivate, user.lifecycle.suspend 111501 iam iam.object disable account disabled
user.lifecycle.activate, user.lifecycle.unsuspend 112001 iam iam.object enable account enabled
security.request.blocked, security.session.detect_client_roaming 300000 detection detection.network_detection ids_detection
security.threat.detected 300001 detection detection.network_detection network_detection
user.account.report_suspicious_activity_by_enduser 309999 detection detection.default detection_message

Fields Extracted by This Pack

Parsed Fields

These are the fields extracted and mapped by the Okta content pack.

Original Field Name Field Name Example Value Field Type Description
eventType vendor_event_type user.session.start string Okta event type identifier
displayMessage vendor_event_description User login to Okta string Human-readable event description
outcome.result vendor_event_outcome SUCCESS string Native event outcome
severity vendor_event_severity INFO string Okta event severity level
actor.alternateId user_name test01@domain.local string Actor alternate ID (email/username)
actor.id user_id 00uzcqv2e9y72f4600h7 string Okta actor user ID
actor.type vendor_user_type User string Actor type
client.ipAddress source_ip 194.99.104.172 string Client source IP address
client.userAgent.rawUserAgent http_user_agent Mozilla/5.0... string Raw HTTP user agent string
client.userAgent.browser http_user_agent_name FIREFOX string Browser name
client.userAgent.os http_user_agent_os Mac OS X string Client operating system
client.geographicalContext.city source_geo_city_name Madrid string Client geographic city
client.geographicalContext.state source_geo_state_name Madrid string Client geographic state
client.geographicalContext.country source_geo_country_name Spain string Client geographic country
authenticationContext.externalSessionId session_id 102W2LzHmyHS_K77LFSW4hppw string External session identifier
transaction.type vendor_transaction_type WEB string Transaction type
debugContext.debugData.threatSuspected vendor_threat_suspected false string Whether threat was suspected
uuid event_uid d0cbaed7-1b91-11ec-aab3-174e5f3ff29f string Okta event unique identifier
Mapped event_outcome success string Normalized event outcome
Mapped event_source seshat_simulator string Event source identifier
Mapped vendor_event_category session|user string Okta event categories
Mapped vendor_subtype session.start string Derived vendor subtype
Mapped gim_event_type_code 100000 string GIM event type code
Mapped alert_signature Security request blocked string Alert signature for detection events
Mapped alert_category threat string Alert category for detection events
Mapped alert_severity medium string Alert severity for detection events
Mapped alert_severity_level 3 long Alert severity level for detection events