Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining Graylog Illuminate.

Okta is a cloud-based identity management service that provides access to a wide range of applications like Amazon, Google, box, Office 365, and others. This technology pack will process Okta logs, providing normalization and enrichment of common events of interest.

Supported Version(s)

• This version of the Okta Spotlight was tested with Okta API version 2021.04.1

Stream Configuration

This technology pack includes one stream:

• “Illuminate:Okta Messages”

If this stream name is already defined, then nothing will be changed. If this stream name does not exist, then it will be created.

Index Set Configuration

This technology pack includes one index set definition:

• “Okta System Logs”

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

{"actor":{"id":"00uznmiqsr1UIPqr90h9","type":"User","alternateId":"test.user@graylog.com","displayName":"Test User","detailEntry":null},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","os":"Windows 10","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"10.10.84.54","geographicalContext":{"city":"Dallas","state":"Mississippi","country":"United States","postalCode":"90210","geolocation":{"lat":40.969,"lon":-106.6034}}},"device":null,"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"00uznmiqsr1UIPqr90h9"},"displayMessage":"User login to Okta","eventType":"user.session.start","outcome":{"result":"SUCCESS","reason":null},"published":"2021-10-18T20:49:24.126Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","debugContext":{"debugData":{"requestId":"YW3d0-2p3-1iwOeHylXaAVXRCcE","origin":"https://test.graylog.net","requestUri":"/api/v0/authx","threatSuspected":"false","url":"/api/v0/authx?"}},"legacyEventType":"core.user_auth.login_success","transaction":{"type":"WEB","id":"YW3d0-2p3-1iwOeHylXaAVXRCcE","detail":{}},"uuid":"e05d81bb-3054-837b-11ec-9bf29b682db0","version":"0","request":{"ipChain":[{"ip":"10.10.84.54","geographicalContext":{"city":"Lakeside","state":"Omaha","country":"United States","postalCode":"90210","geolocation":{"lat":33.696,"lon":-104.0346}},"version":"V4","source":null}]},"target":null}

Requirements

• A configured Okta Developer, Preview, or Custom Domain Organization

• A user account in the Okta Organization with “Report Administrator” and “Organization Administrator” or higher permissions

• (See “Create Okta API Token” and “Configuring an Okta Input” below.)

What Is Provided?

• Parsing rules to extract Okta logs into Graylog schema compatible fields.

• Data lookup tables to assist in normalizing Okta log messages into the Graylog schema

• Dashboards

Create Okta Token

Okta API tokens have the same permissions as the user who creates them. If the user permissions change, the API token permissions also change. Consider creating a dedicated service account when creating an API token to limit the access level associated with the token.

To Create the API Token

1. Log in to the Okta website using an Okta account that has been granted “Report Administrator” and “Organization Administrator” permissions (or higher) for the target Okta Organization.

   1. The Report Administrator role grants read-only access to reports and the Okta System Log.

   2. The Organization Administrator role is required to create the API key. This permission should be removed from the Okta account once setup is complete.

2. Navigate to the Okta Admin page.

3. Access the API page:

   1. If using the Developer Console, select Tokens from the API menu.

   2. If using the Administrator Console (Classic UI), select API from the Security menu, and then select Tokens.

4. Click Create Token.

5. Name the token and click Create Token.

   1. IMPORTANT: Record the token value and store it in a secure location. This is the only opportunity to see it and record it.

   2. OPTIONAL: It is recommended to remove any Okta Administrator roles other than “Report Administrator” from the account to be used for API access to system logs. This step limits use of the API key to read-only access to reduce the potential for misuse.

References

• Creating an Okta API token

• Okta Report Administrator role