This post shows how Coralogix can provide analytics and insights for your Okta logs, covering both performance and security.
Okta is one of the leading identity provider platforms, offering a range of cloud services including a Single Sign-On solution that manages and secures your users' authentication to third-party applications.
Okta generates system log events for your organization's authentication and administrative activity. This data is an audit trail that helps you understand what happened on the platform: each log event object describes a single logged action (an "event") performed by a particular actor on a particular target.
You can leverage this event data with Coralogix alerts and dashboards to diagnose problems instantly, spot potential security threats, and get real-time notifications for any event you want to watch. The result is a better monitoring experience and more value from your data with minimal effort.
Here are a few example dashboards we built from Okta log data, using fields such as displayMessage, eventType, legacyEventType, client.geographicalContext.geolocation, client.geographicalContext.country and actor.displayName.
We were able to create dashboards for:
The options are practically limitless: you can create any visualization you can think of, as long as your logs contain the data you want to visualize. For more information on using Kibana, please see our tutorial.
Coralogix user-defined alerts let you create any alert you have in mind, using complex queries and a variety of condition heuristics, so you can be proactive with your Okta logs rather than discovering problems in a manual log investigation after the fact. Below are some examples of alerts we created on Okta log data.
Each alert condition can be customized to fit your needs.
Alert: Okta – Policy update
Description: An access policy or a policy rule was updated.
Query: (legacyEventType:"policy.updated" OR legacyEventType:"policy.rule.updated") NOT ("test Infinipoint IdP – with mobile" OR "test Infinipoint IdP – without mobile" OR "MFA-webauthn-Oktaverify-POC")
Note: mixing OR and NOT without parentheses is ambiguous in Lucene query syntax, so the two event types and the exclusions are grouped explicitly. The excluded phrases are the names of test policies in the authoring org; replace them with your own known-noisy policies or drop them.

Alert: OKTA – Policy Deactivated
Description: An access policy was deactivated.

Alert: OKTA – Policy Rule Deactivated
Description: A rule in a policy was deactivated.

Alert: OKTA – Revoke user privilege
Description: A privilege to do something or access something was revoked from a user.

Alert: OKTA – Policy Deleted
Description: A policy was deleted in the Okta app.

Alert: OKTA – Admin Privilege Granted
Description: A user was promoted to an admin role.
Query: debugContext.debugData.privilegeGranted:"admin" OR debugContext.debugData.privilegeGranted:"administrator"

Alert: Okta – login failure
Description: A user cannot log in to Okta.
Query: legacyEventType:"login failed" NOT request.ipChain.geographicalContext.city:"ashburn"
Condition: More than usual
Note: the Ashburn exclusion filters a known noisy source in the authoring org; adjust it to your own environment.

Alert: Okta – access admin app event from unknown actor
Description: The Okta admin app was accessed by an account that is not one of the known admin accounts.
Query: eventType:"access admin app" AND NOT actor.alternateId:(root OR admin OR support)

Alert: Okta – unauthorized admin request
Description: A known admin account (support, root or admin) authenticating from a browser other than the one the org standardizes on (Chrome here).
Query: actor.alternateId:(support OR root OR admin) AND NOT client.userAgent.browser:chrome

Alert: Okta – non-browser tool used to enter an app
Description: Access using curl, wget or another utility that is not a web browser.

Alert: Administrative access to Okta (failures)
Description: Monitor failed admin-app access attempts.
Query: eventType:"user.session.access_admin_app" AND legacyEventType:failure

Alert: Okta – Admin app access
Description: Monitor all access to the Okta admin app.
Query: eventType:"access admin app"
Condition: More than usual

Alert: Okta – login from an unfamiliar country
Description: Login to Okta from a country in which you have no users.
Condition: Key to track: Body.countryCode; notify on a new value in the last 48h

Alert: Abnormal amount of unique User Agents in Okta
Description: Access attempts from too many user agents that have not been seen before.
Condition: Unique count; key: client.userAgent.rawUserAgent

Note that the admin-app queries above match the event in two different forms, the display wording ("access admin app") and the Okta System Log eventType (user.session.access_admin_app). Check which form your ingested logs carry before copying a query, and verify each query against recent data (see below) so that an exact-match term does not silently match nothing.
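To make the alert logic concrete, the following is an added example (not Coralogix or Okta code) that runs the detections from the table above over a handful of constructed Okta-shaped events, using the event layout described earlier (actor, client, outcome, debugContext). Field paths follow the Okta System Log schema the page's queries use; the eventType values `user.session.start` and `user.account.privilege.grant`, the non-browser user-agent prefixes and the sample events themselves are assumptions made for the example.

```python
"""Alert logic from the table above, run over constructed Okta System Log
events. Added example; not Coralogix or Okta code. Field paths follow the
Okta System Log schema used in the page's queries; values marked ASSUMED
are this example's assumptions, not taken from the page."""
from datetime import datetime, timedelta, timezone

ADMIN_ALIASES = {"root", "admin", "support"}        # from the page's queries
STANDARD_BROWSER = "CHROME"                          # client.userAgent.browser, from the page's query
ADMIN_APP_EVENT = "user.session.access_admin_app"    # eventType from the page's query
LOGIN_EVENT = "user.session.start"                   # ASSUMED eventType for a login attempt
GRANT_EVENT = "user.account.privilege.grant"         # ASSUMED eventType for an admin grant
NON_BROWSER_PREFIXES = ("curl/", "wget/", "python-requests/")  # ASSUMED heuristic


def evt(event_type, actor, country, browser, ts, result="SUCCESS", raw_ua=None, privilege=None):
    """Build a minimal Okta-shaped event (constructed test data)."""
    return {
        "eventType": event_type,
        "published": ts.isoformat(),
        "actor": {"alternateId": actor, "displayName": actor},
        "client": {
            "userAgent": {"browser": browser, "rawUserAgent": raw_ua or f"{browser}/1.0"},
            "geographicalContext": {"country": country},
        },
        "outcome": {"result": result},
        "debugContext": {"debugData": {"privilegeGranted": privilege} if privilege else {}},
    }


def _ts(e):
    return datetime.fromisoformat(e["published"])


def admin_privilege_granted(events):
    """debugContext.debugData.privilegeGranted mentions admin/administrator."""
    return [e for e in events
            if "admin" in e["debugContext"]["debugData"].get("privilegeGranted", "").lower()]


def admin_app_access_unknown_actor(events):
    """Admin app opened by an account outside the known admin aliases."""
    return [e for e in events if e["eventType"] == ADMIN_APP_EVENT
            and e["actor"]["alternateId"] not in ADMIN_ALIASES]


def admin_nonstandard_browser(events):
    """Known admin alias acting from a browser other than the standard one."""
    return [e for e in events if e["actor"]["alternateId"] in ADMIN_ALIASES
            and e["client"]["userAgent"]["browser"] != STANDARD_BROWSER]


def non_browser_tool(events):
    """Raw user agent looks like a command-line tool rather than a browser."""
    return [e for e in events
            if e["client"]["userAgent"]["rawUserAgent"].lower().startswith(NON_BROWSER_PREFIXES)]


def login_failures_more_than_usual(events, baseline, factor=3.0):
    """'More than usual': failed logins in the window exceed factor x baseline.
    Returns the failure count when the alert fires, otherwise None."""
    count = sum(1 for e in events
                if e["eventType"] == LOGIN_EVENT and e["outcome"]["result"] == "FAILURE")
    return count if count > factor * baseline else None


def new_countries(events, window=timedelta(hours=48)):
    """Country not seen in the previous window while other countries were.
    Seed with historical events first, or the warm-up period is noisy."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=_ts):
        ts, country = _ts(e), e["client"]["geographicalContext"]["country"]
        recent = {c for c, t in last_seen.items() if ts - t <= window}
        if recent and country not in recent:
            alerts.append(e)
        last_seen[country] = ts
    return alerts


def too_many_user_agents(events, threshold):
    """Unique count of client.userAgent.rawUserAgent above a threshold."""
    uas = {e["client"]["userAgent"]["rawUserAgent"] for e in events}
    return uas if len(uas) > threshold else set()


# Constructed sample: one quiet user, a burst of failures, an admin grant,
# admin-app access by a stranger and by an admin on Firefox, a login from a
# new country, and a curl client.
T0 = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
SAMPLE = [
    evt(LOGIN_EVENT, "alice@example.com", "Israel", "CHROME", T0),
    *[evt(LOGIN_EVENT, "bob@example.com", "Israel", "CHROME", T0 + timedelta(minutes=m), result="FAILURE")
      for m in range(1, 5)],
    evt(GRANT_EVENT, "admin", "Israel", "CHROME", T0 + timedelta(minutes=10), privilege="Super administrator"),
    evt(ADMIN_APP_EVENT, "mallory@example.com", "Israel", "CHROME", T0 + timedelta(minutes=15)),
    evt(ADMIN_APP_EVENT, "admin", "Israel", "FIREFOX", T0 + timedelta(minutes=20)),
    evt(LOGIN_EVENT, "carol@example.com", "Nigeria", "CHROME", T0 + timedelta(hours=2)),
    evt(LOGIN_EVENT, "dave@example.com", "Israel", "UNKNOWN", T0 + timedelta(hours=3), raw_ua="curl/8.4.0"),
]

if __name__ == "__main__":
    print("admin grants:", len(admin_privilege_granted(SAMPLE)))
    print("unknown admin-app actors:", [e["actor"]["alternateId"] for e in admin_app_access_unknown_actor(SAMPLE)])
    print("failed logins vs baseline 1/window:", login_failures_more_than_usual(SAMPLE, baseline=1))
    print("new countries:", [e["client"]["geographicalContext"]["country"] for e in new_countries(SAMPLE)])
```

Each function returns the matching events (or the count or set that triggered) rather than printing, so the same logic can feed a notifier or a test. The "more than usual" and unique-count conditions take their thresholds as parameters because the right baseline is specific to each org; the country detector deliberately stays silent until it has seen at least one country inside its window, which is the warm-up behaviour you want when first enabling a new-value alert.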
To avoid noisy alerts, Coralogix provides a utility that simulates how an alert would behave before you enable it: at the end of the alert definition, click Verify Alert.
Need more help with Okta or any other log data? Click the chat icon in the bottom right corner for quick advice from our logging experts.