Okta Log Insights


This post shows how Coralogix can provide analytics and insights, for both performance and security, from your Okta logs.

Okta is one of the leading identity provider platforms, offering a range of cloud services including a single sign-on solution for managing and securing your users' authentication to third-party applications.

Okta Logs

Okta records system events for your organization's authentication activity. The data provides an audit trail that helps you understand platform activity. Each log event object describes a single logged action, or "event", performed by a set of actors against a set of targets.

You can use this event data with Coralogix alerts and dashboards to diagnose problems quickly, spot potential security threats, and get real-time notification of any event you want to watch. The result is a better monitoring experience and more value from your data with minimal effort.


Okta Dashboards

Here are a few example dashboards we built from Okta log data, using fields such as displayMessage, eventType, legacyEventType, client.geographicalContext.geolocation, client.geographicalContext.country and actor.displayName.

We were able to create dashboards for:

  • User Overview
  • Event Actions
  • Failed logins view
  • Successful logins view

The options are practically limitless: you can build any visualization you can think of, as long as your logs contain the data you want to visualize. For more information on using Kibana, please see our tutorial.

(Dashboard screenshots: User Overview, Event Actions, Failed Logins, Successful Logins.)

Okta Alerts

Coralogix user-defined alerts let you create any alert you have in mind, using complex queries and a range of condition heuristics, so you can act on your Okta logs proactively with insight that a traditional manual log investigation would not surface. Here are some example alerts we created from Okta log data.

1. More Than Usual Login Failures

A sustained burst of failed logins is the classic signature of a password-spraying or credential-stuffing attempt; the minimum-occurrence floor keeps a single user mistyping a password from firing the alert.

Alert Filter: legacyEventType:"login failed"

Alert Condition: 'More than usual times, within 5 min, with a minimum of 10 occurrences'.

 

2. More Than Usual Access to Admin App

This example alerts when there are 'more than usual' events of access to applications that only account administrators are allowed to use.

Alert Filter: eventType:"access admin app"

Alert Condition: 'More than usual times in 5 min, with a minimum of 15 occurrences'.

 

3. Unknown Actor Accessed an Admin App

Admin app access by an actor outside the allowlist of known admin accounts is notified immediately. actor.alternateId is normally the user's login (usually their e-mail address), so the listed tokens must match the way your admin accounts are actually named, and the allowlist has to be kept in sync with your real admin roster.

Alert Filter: eventType:"access admin app" AND NOT actor.alternateId:(root OR admin OR support)

Alert Condition: 'Notify immediately'

4. Unauthorized Admin Request

In this organization, known and valid admins are expected to use Chrome for any action in Okta, so admin activity from any other browser is worth a look. Bear in mind that the user agent is chosen by the client and is trivially spoofed, so treat a hit as a lead to investigate rather than proof of compromise, and a clean result as no evidence either way.

Alert Filter: actor.alternateId:(support OR root OR admin) AND NOT client.userAgent.browser:chrome

Alert Condition: 'Notify immediately'

5. Login From an Unfamiliar Country

The country is derived from the geolocation of the client IP address, so travelling users and VPN exits produce false positives, and an attacker proxying through a host in one of the listed countries will not trigger it.

Alert Filter: legacyEventType:"login success" AND NOT client.geographicalContext.country:(ireland OR "united states" OR israel)

Alert Condition: 'Notify immediately'

6. Non-browser-like Tool Used to Enter an App

A Lucene regexp query has to match the whole field value, so this expression, run against the keyword (unanalyzed) copy of the raw user agent, matches values of at most 19 characters. Real browsers send user-agent strings far longer than that, whereas scripts and command-line clients often identify themselves with just a tool name and version such as curl/8.4.0. Two caveats: the user agent is set by the client, so a tool can trivially send a browser-like string, and an event with no user agent at all will not match a regexp query.

Alert Filter: client.userAgent.rawUserAgent.keyword:/.{0,19}/

Alert Condition: 'Notify immediately'
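The six rules above, re-implemented as plain detection logic over constructed Okta-shaped events so you can see exactly which event each filter catches. This is an added example and not code from this post, Coralogix or Okta: the event shape and sample timeline are constructed, the admin allowlist is matched on the local part of the login e-mail, the "more than usual" condition is approximated with a simple fixed-window baseline (Coralogix learns its own), and the literal field values ("login failed", "access admin app") are copied from the post's filters rather than from Okta's documented event names, so confirm them against your own logs.

```python
"""Offline re-implementation of the six alert rules above over constructed
Okta System Log events. Added example; not Coralogix or Okta code."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Allowlists and thresholds copied from the post's alert filters.
ADMIN_ACCOUNTS = {"root", "admin", "support"}
HOME_COUNTRIES = {"ireland", "united states", "israel"}
# A Lucene regexp query must match the whole keyword value, so /.{0,19}/ means
# "raw user agent of at most 19 characters"; fullmatch() below mirrors that.
SHORT_UA = re.compile(r".{0,19}")


def make_event(published, event_type, legacy_type, actor, browser, raw_ua, country):
    """Minimal event in the shape of Okta's System Log (constructed sample data)."""
    return {
        "published": published,
        "eventType": event_type,
        "legacyEventType": legacy_type,
        "actor": {"alternateId": actor, "displayName": actor.split("@")[0]},
        "client": {
            "userAgent": {"browser": browser, "rawUserAgent": raw_ua},
            "geographicalContext": {"country": country},
        },
    }


def field(event, path, default=""):
    """Read a dotted path such as 'client.userAgent.browser' from a nested event."""
    for key in path.split("."):
        if not isinstance(event, dict) or key not in event:
            return default
        event = event[key]
    return event


def is_admin(event):
    """Assumption: actor.alternateId:(root OR admin OR support) matches the local
    part of the login e-mail, so 'admin@example.com' counts as 'admin'."""
    return field(event, "actor.alternateId").split("@")[0].lower() in ADMIN_ACCOUNTS


def more_than_usual(events, predicate, window_minutes=5, minimum=10, factor=2.0):
    """Simplified stand-in for the 'more than usual' condition. Counts matching
    events per fixed window; the latest window fires when it holds at least
    `minimum` events and more than `factor` times the mean of the earlier windows.
    Returns (fired, latest_count, baseline_mean)."""
    stamps = [datetime.fromisoformat(e["published"]) for e in events if predicate(e)]
    if not stamps:
        return False, 0, 0.0
    start = min(stamps)
    buckets = Counter(int((t - start) / timedelta(minutes=window_minutes)) for t in stamps)
    latest = max(buckets)
    earlier = [buckets.get(i, 0) for i in range(latest)]
    baseline = sum(earlier) / len(earlier) if earlier else 0.0
    fired = buckets[latest] >= minimum and buckets[latest] > factor * baseline
    return fired, buckets[latest], baseline


def run_rules(events):
    """Evaluate rules 1-6: burst rules return (fired, count, baseline); the
    'notify immediately' rules return the actor ids of the matching events."""
    failed = lambda e: field(e, "legacyEventType") == "login failed"
    success = lambda e: field(e, "legacyEventType") == "login success"
    admin_app = lambda e: field(e, "eventType") == "access admin app"
    actor = lambda e: field(e, "actor.alternateId")
    return {
        "login_failure_burst": more_than_usual(events, failed, minimum=10),
        "admin_app_burst": more_than_usual(events, admin_app, minimum=15),
        "unknown_admin_actor": [actor(e) for e in events if admin_app(e) and not is_admin(e)],
        "admin_non_chrome": [actor(e) for e in events if is_admin(e)
                             and field(e, "client.userAgent.browser").lower() != "chrome"],
        "unfamiliar_country": [actor(e) for e in events if success(e)
                               and field(e, "client.geographicalContext.country").lower() not in HOME_COUNTRIES],
        # An event with no rawUserAgent never matches a regexp query, so it is skipped.
        "short_user_agent": [actor(e) for e in events
                             if (ua := field(e, "client.userAgent.rawUserAgent", None)) is not None
                             and SHORT_UA.fullmatch(ua)],
    }


T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes):
    return (T0 + timedelta(minutes=minutes)).isoformat()


CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"

# Constructed timeline: three quiet 5-minute windows with one failed login each, then
# twelve failures in the fourth window (rule 1), plus one event per immediate rule.
SAMPLE_EVENTS = (
    [make_event(at(m), "user.session.start", "login failed", "alice@example.com", "CHROME", CHROME_UA, "Ireland")
     for m in (0, 5, 10)]
    + [make_event(at(15 + i / 4), "user.session.start", "login failed", "alice@example.com", "CHROME", CHROME_UA, "Ireland")
       for i in range(12)]
    + [
        make_event(at(16), "access admin app", "", "admin@example.com", "CHROME", CHROME_UA, "Ireland"),    # allowed
        make_event(at(16), "access admin app", "", "mallory@example.com", "CHROME", CHROME_UA, "Ireland"),  # rule 3
        make_event(at(17), "user.session.start", "login success", "support@example.com", "FIREFOX", FIREFOX_UA, "Israel"),  # rule 4
        make_event(at(17), "user.session.start", "login success", "bob@example.com", "CHROME", CHROME_UA, "Brazil"),  # rule 5
        make_event(at(18), "user.session.start", "login success", "carol@example.com", "UNKNOWN", "curl/8.4.0", "United States"),  # rule 6
    ]
)

if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Running it shows rule 1 firing on the twelve-failure window against a baseline of one per window, rule 2 staying quiet because two admin-app events are below its floor of 15, and one actor per immediate rule. The baseline here is deliberately naive; the point is that every filter in the post reduces to a field comparison you can unit-test against events you construct, which is how to check an alert before trusting it in production.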
