This tutorial demonstrates how to integrate [Okta](https://www.okta.com/) with Coralogix using either a pulling integration or AWS EventBridge to send your contextual data logs for analysis.

## Overview

Okta generates various logs that capture user authentication and authorization events, such as login attempts, user provisioning, and access management. These logs contain valuable information about user activities, security events, and system behavior within your Okta environment.

Coralogix offers two methods to collect and analyze your Okta logs:

1. **Pull Integration**: Coralogix can ingest your Okta contextual data logs at specified intervals using our pulling integration.
1. **AWS EventBridge Integration**: Alternatively, you can use AWS EventBridge to stream Okta System Log events in real-time to Coralogix.

Both methods allow you to gain insights into system behavior within our platform and troubleshoot problems that arise, with the key difference being pull vs. push-based architecture.

Benefits include:

- **Security Monitoring.** Coralogix enables you to monitor user authentication and access events, detect suspicious activities, and identify potential security threats. Identify patterns, anomalies, and indicators of compromise so that you can respond swiftly to security incidents.
- **Compliance and Auditing.** By collecting and analyzing the context data logs, Coralogix helps you meet regulatory compliance requirements. It provides the ability to track and audit user activities, generate compliance reports, and ensure adherence to industry standards.
- **Operational Insights.** Our monitoring platform allows you to identify usage patterns, troubleshoot issues, track performance metrics, and optimize your Okta environment for improved efficiency.

## Using pull integration

### Permissions

You must have Okta Admin permissions for:

- Creating users (**Users** > **Manage users** > **Create users**).
- Viewing roles, resources, and admin assignments (**Identity and Access Management** > **View roles, resources, and admin assignments**).

#### Create Okta API token

1. Log into your Okta portal with admin credentials and navigate to **Directory** > **People**.
2. Select **Add person** and create a user to be used for this integration.
3. Navigate to **Security** > **Administrators** and select **Add administrator**.
4. In **Select admin**, select the user you created and assign it the **Read-only Administrator** role. Then save your changes.
5. Log into Okta as the new user you created in the previous steps.
6. Navigate to **Security** > **API** > **Tokens** tab.
7. Select **Create token**, and copy the token value.

#### Pull-integration configuration

1. In your Coralogix dashboard, navigate to **Data Flow** > **Contextual Data**.
2. In the **Contextual Data** section, locate Okta and click **ADD**.
3. Enter the integration details:
   - Integration Name
   - Account Name (This will appear in your Coralogix UI as your [subsystem name](https://coralogix.com/docs/user-guides/account-management/account-settings/application-and-subsystem-names/index.md).)
   - [Okta Domain](https://developer.okta.com/docs/guides/find-your-domain/main/)
   - [Okta API key](https://developer.okta.com/docs/guides/create-an-api-token/main/). Enter the previously copied token value (see step 7 of **Create Okta API token**).
4. Click **Connect** to trigger the integration. Your pulled Okta logs should appear in your Coralogix dashboard.
5. **[Optional]** To minimize the Okta admin permission level, limiting it to viewing logs, follow these steps:
   - Log into your Okta portal again with admin credentials.
   - Navigate to **Security** > **Administrators** > **Admins** tab.
   - Edit the new admin that you created, and change the role to **Report Administrator**. Then, save the changes.
6. **[Recommended]** To enhance your monitoring capabilities, select the corresponding extension and deploy it.

   Learn more about our **Extension Packages** [here](https://coralogix.com/docs/user-guides/getting-started/packages-and-extensions/extension-packages/index.md).

**Note:** You may encounter rate-limiting issues depending on data volume and your organization's rate limit configuration. For guidance on how to adjust these limits, please refer to the official [documentation](https://developer.okta.com/docs/reference/rate-limits/) provided by Okta.

## Using AWS EventBridge

As an alternative to the pull integration described above, you can use AWS EventBridge to stream Okta System Log events to your AWS environment and then forward them to Coralogix. This push-based approach provides real-time log delivery without the need for API polling.

You'll need to set up an **API Destination to Coralogix** under AWS EventBridge. Follow our [AWS EventBridge integration guide](https://coralogix.com/docs/integrations/aws/aws-eventbridge/index.md) to create and configure the API Destination before proceeding with the Okta log streaming setup.

### Prerequisites

- Super admin access to your Okta account
- AWS account with appropriate permissions to configure EventBridge
- Your AWS account ID and preferred region
- An EventBridge API destination to Coralogix already configured following [this guide](https://coralogix.com/docs/integrations/aws/aws-eventbridge/index.md)

#### Configure Okta log streaming

1. In the Okta Admin Console, navigate to **Reports** > **Log Streaming**.
2. Click **Add Log Stream** to start the wizard.
3. Select **AWS EventBridge** from the catalog and click **Next**.
4. Fill in the configuration details:
   - **Name**: Provide a unique name for this log stream in Okta.
   - **AWS Event Source Name**: Create a unique name without special characters or spaces.
   - **AWS account ID**: Enter your 12-digit AWS account identifier.
   - **AWS region**: Select the AWS region closest to your EventBridge target.
5. Click **Save**. The log stream should appear on the Log Streaming page with "Active" status.

#### Create an event bus

1. In the AWS console, go to Amazon EventBridge.
2. Select **Partner event sources** from the Integration section of the navigation panel.
3. Find your partner event source with the format: `aws.partner/okta.com/yourOktaSubdomain/yourAWSEventSourceName`.
4. Select the log stream and click **Associate with an event bus**.
5. Configure required permissions and click **Associate**.

The partner event source is now associated with an event bus of the same name.

### Create a rule

Create an EventBridge **Rule** to route events to an API destination configured for Coralogix.

1. The API Destination to Coralogix should appear under **EventBridge** > **Integration** > **API destinations**.

   If you have not already created an EventBridge API destination to Coralogix, follow our [AWS EventBridge Integration Guide](https://coralogix.com/docs/integrations/aws/aws-eventbridge/index.md).
2. Under **Buses** > **Rules**, select the newly created event bus and click **Create rule**.
3. Set the **Name** and the **Event bus** as your partner event source.

   Set the **Rule type** as **Rule with an event pattern**.
4. Select the **AWS events or EventBridge partner events** option.

   Configure the **Event pattern**:
   - Select **Use pattern form** as the **Creation method**.
   - Select **EventBridge partners** as the **Event source**.
   - Select **Okta** as the **Partner**.
   - Select **All Events** as the **Event type** or any specific event type.

   Click **Next**.
5. Create a target for this rule and configure the API destination to Coralogix:
   - Select **EventBridge API destination** as the **Target type**.
   - Select **Use an existing API destination** and select the Coralogix API destination created.
   - Create or assign an IAM role for execution.

   Review and create the EventBridge rule.
6. Check your Coralogix dashboard to see the incoming Okta logs.

The logs will have a structure similar to the following example:

```json
{
    "version": "0",
    "id": "4ab6d852-09e9-1036-fc04-2e22004b3c3f",
    "detail-type": "SystemLog",
    "source": "aws.partner/okta.com/coralogix/okta-events",
    "account": "999999999999",
    "time": "2023-05-30T14:17:58Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "actor": {
            "id": "00uttidj04jqI21bA1d6",
            "type": "User",
            "alternateId": "user@customer.biz",
            "displayName": "A User",
            "detailEntry": null
        },
        "client": {
            "userAgent": {
                "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
                "os": "Mac OS X",
                "browser": "CHROME"
            },
            "zone": "null",
            "device": "Computer",
            "id": null,
            "ipAddress": "127.0.0.1",
            "geographicalContext": {
                "city": "Fictionville",
                "state": "Pennsylvania",
                "country": "United States",
                "postalCode": "19513",
                "geolocation": {
                    "lat": 41.1286,
                    "lon": -73.4835
                }
            }
        },
        "device": null,
        "authenticationContext": {
            "authenticationProvider": null,
            "credentialProvider": null,
            "credentialType": null,
            "issuer": null,
            "interface": null,
            "authenticationStep": 0,
            "externalSessionId": "102BoThue9qT2uRBdaO_Z9msg"
        },
        "displayMessage": "User accessing Okta admin app",
        "eventType": "user.session.access_admin_app",
        "outcome": {
            "result": "SUCCESS",
            "reason": null
        },
        "published": "2023-05-30T14:17:58.126Z",
        "securityContext": {
            "asNumber": 6167,
            "asOrg": "verizon",
            "isp": "verizon",
            "domain": "myvzw.com",
            "isProxy": false
        },
        "severity": "INFO",
        "debugContext": {
            "debugData": {
                "requestId": "ZHYFlX6QY0rHqq1oihP7CwAACSI",
                "dtHash": "e463841eed07369aeb7ace43a41fcef75ccefa573ced0420039c16b0e3d7cc99",
                "requestUri": "/admin/sso/callback",
                "url": "/admin/sso/callback?code=******&state=vdC6CnQXeZqyxBJKBVmtej9wMnF4nM1r"
            }
        },
        "legacyEventType": "app.admin.sso.login.success",
        "transaction": {
            "type": "WEB",
            "id": "ZHYFlX6QY0rHqq1oihP7CwAACSI",
            "detail": {}
        },
        "uuid": "c6ed294a-fef4-11ed-a5b1-bbb7c1de1a4b",
        "version": "0",
        "request": {
            "ipChain": [
                {
                    "ip": "127.0.0.1",
                    "geographicalContext": {
                        "city": "Fictionville",
                        "state": "Pennsylvania",
                        "country": "United States",
                        "postalCode": "19513",
                        "geolocation": {
                            "lat": 41.1286,
                            "lon": -73.4835
                        }
                    },
                    "version": "V4",
                    "source": null
                }
            ]
        },
        "target": [
            {
                "id": "00uttidj04jqI21bA1d6",
                "type": "AppUser",
                "alternateId": "user@evership.biz",
                "displayName": "A User",
                "detailEntry": null
            }
        ]
    }
}
```
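
To check a delivered event against the structure above before it reaches dashboards or alerts, the following added example (not Coralogix or Okta code) validates the partner source name, flattens the security-relevant fields, and flags events past the 24-hour limit described under Limitations. The function name `summarize`, the output keys, and the use of `detail.published` as the original event time are assumptions made for this illustration.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)            # age limit from the Limitations section
SOURCE_PREFIX = "aws.partner/okta.com/"  # partner event source format shown above

# Constructed sample: a trimmed copy of the example event on this page.
SAMPLE_EVENT = json.dumps({
    "detail-type": "SystemLog",
    "source": "aws.partner/okta.com/coralogix/okta-events",
    "detail": {
        "actor": {"alternateId": "user@customer.biz"},
        "client": {"ipAddress": "127.0.0.1"},
        "eventType": "user.session.access_admin_app",
        "outcome": {"result": "SUCCESS", "reason": None},
        "published": "2023-05-30T14:17:58.126Z",
        "securityContext": {"isProxy": False},
    },
})

def summarize(raw, now):
    """Validate an EventBridge-wrapped Okta event and flatten its key fields.

    `now` is a timezone-aware datetime; raises ValueError on a foreign event.
    """
    event = json.loads(raw)
    source = event.get("source") or ""
    names = source[len(SOURCE_PREFIX):].split("/")
    if (not source.startswith(SOURCE_PREFIX) or len(names) != 2
            or not all(names) or event.get("detail-type") != "SystemLog"):
        raise ValueError(f"not an Okta System Log event: {source!r}")
    detail = event.get("detail") or {}
    # Okta publishes UTC timestamps with a trailing "Z".
    published = datetime.fromisoformat(detail["published"].replace("Z", "+00:00"))
    return {
        "okta_subdomain": names[0],
        "event_source_name": names[1],
        "event_type": detail.get("eventType"),
        "actor": (detail.get("actor") or {}).get("alternateId"),
        "ip": (detail.get("client") or {}).get("ipAddress"),
        "result": (detail.get("outcome") or {}).get("result"),
        "via_proxy": (detail.get("securityContext") or {}).get("isProxy"),
        "too_old": now - published > MAX_AGE,  # would be dropped, not processed
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT, datetime.now(timezone.utc)))
```
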

## Additional resources

|               |                                                                                   |
| ------------- | --------------------------------------------------------------------------------- |
| Documentation | Okta Audit Logs                                                                   |
| Blog          | [Okta Log Insights with Coralogix](https://coralogix.com/blog/okta-log-insights/) |

## Limitations

Logs older than 24 hours from their original event time are dropped and not processed.

## Support

**Need help?**

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us **via our in-app chat** or by sending us an email at [support@coralogix.com](mailto:support@coralogix.com).
