Okta Logs
Panther supports pulling logs directly from Okta

Overview

Panther can fetch Okta events by querying the Okta System Log API; it polls the System Log API every minute.
For Panther to access the API, you need to create a new API token or use an existing one.
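The polling loop described above, as an added example written for this page rather than Panther's own collector code. The /api/v1/logs endpoint, the since and limit parameters, the SSWS authorization scheme and the Link header with rel="next" are documented Okta API behaviour; the injectable transport callback, the fake tenant and the cursor-handling convention are assumptions made here so the loop can be run offline.

```python
"""Poll the Okta System Log API the way a collector such as Panther does.

Added example; this is not Panther's collector code. The /api/v1/logs
endpoint, the `since` and `limit` parameters, the `SSWS <token>` authorization
scheme and the `Link: <url>; rel="next"` pagination header are documented
Okta API behaviour; the injectable `transport` callback and the fake tenant
below are constructed so the poller can run offline.
"""
import json
import re
import urllib.request
from typing import Callable, Optional, Tuple

# A transport returns (status, headers, body) for a URL; injected so the
# poller can be exercised against a fake Okta in tests.
Transport = Callable[[str, dict], Tuple[int, dict, bytes]]

_LINK_NEXT = re.compile(r'<([^>]+)>\s*;\s*rel="next"')


def next_link(link_header: str) -> Optional[str]:
    """Extract the rel="next" URL from an Okta Link header, if present."""
    match = _LINK_NEXT.search(link_header or "")
    return match.group(1) if match else None


def urllib_transport(url: str, headers: dict) -> Tuple[int, dict, bytes]:
    """Real HTTP transport using only the standard library."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers.items()), resp.read()


def poll_system_log(org_url: str, api_token: str, since: str,
                    transport: Transport = urllib_transport,
                    limit: int = 1000) -> Tuple[list, str]:
    """Return (events, cursor): every event published at or after `since`
    (RFC 3339), and the rel="next" URL Okta returned on the final, empty page.
    A collector persists that cursor and starts its next poll from it instead
    of re-reading from `since`."""
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    url = f"{org_url.rstrip('/')}/api/v1/logs?since={since}&limit={limit}"
    events: list = []
    while True:
        status, resp_headers, body = transport(url, headers)
        if status == 429:
            raise RuntimeError("rate limited: wait for X-Rate-Limit-Reset before retrying")
        if status != 200:
            raise RuntimeError(f"Okta returned HTTP {status} for {url}")
        page = json.loads(body)
        lower = {k.lower(): v for k, v in resp_headers.items()}
        nxt = next_link(lower.get("link", ""))
        if not page:
            # Polling mode: Okta keeps returning a next link even when caught up.
            return events, nxt or url
        events.extend(page)
        if not nxt:
            return events, url
        url = nxt


FAKE_TOKEN = "constructed-token"


def fake_okta(url: str, headers: dict) -> Tuple[int, dict, bytes]:
    """Constructed two-page fake tenant: ev-1, then ev-2, then an empty page."""
    if headers.get("Authorization") != f"SSWS {FAKE_TOKEN}":
        return 401, {}, b'{"errorSummary": "constructed: invalid token"}'
    base = url.split("?")[0]
    if "after=" not in url:
        body = [{"uuid": "ev-1", "eventType": "user.session.start",
                 "published": "2021-01-01T10:00:00.000Z"}]
        link = f'<{url}>; rel="self", <{base}?since=2021-01-01T10:00:00Z&after=cursor-1>; rel="next"'
    elif "after=cursor-1" in url:
        body = [{"uuid": "ev-2", "eventType": "system.api_token.create",
                 "published": "2021-01-01T10:00:30.000Z"}]
        link = f'<{url}>; rel="self", <{base}?since=2021-01-01T10:00:00Z&after=cursor-2>; rel="next"'
    else:
        body = []  # caught up; the next link repeats so the caller can resume later
        link = f'<{url}>; rel="self", <{url}>; rel="next"'
    return 200, {"Link": link}, json.dumps(body).encode()


if __name__ == "__main__":
    evts, cursor = poll_system_log("https://my-org.okta.com", FAKE_TOKEN,
                                   "2021-01-01T10:00:00Z", transport=fake_okta)
    print(len(evts), "events; resume from", cursor)
```

The token only ever appears in the Authorization header; keep it out of URLs and logs, and treat the persisted cursor as the collector's checkpoint so a one-minute poll never re-reads or skips events.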

How to Onboard Okta logs to Panther

Create a new Okta API token

To create an API token with permissions to query Okta System Logs, you need to be logged in as an administrator who has the rights to perform your API call's actions. Refer to the Okta documentation for information on managing Admin roles and their rights.
  1. Log in as an Okta administrator.
  2. In the Okta Admin Console, navigate to Security > API.
  3. Click Create Token.
  4. Enter a memorable name for your token, e.g. Panther API token.
  5. Copy the Token value and store it in a secure location. You will need it in the next steps.
     • Note: Okta will not display this value again.

Create a new Okta source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Integrations > Log Sources.
  3. Click Create New.
  4. Select Okta from the list of available log sources. Click Start Source Setup.
  5. Select okta.com from the Okta domain drop-down.
  6. Fill in the following fields:
     • Name: A memorable name for the source, e.g. My Okta logs.
     • Okta subdomain: The name of your Okta domain. It should be in the form https://my-org.okta.com.
     • API Token: The token value you copied in the previous section.
     • Log Types: Select the log types you would like to monitor.
  7. Click Continue Setup.
  8. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
     • This feature sends an error message if logs aren't received within a specified time interval.
  9. Click Finish Setup.

Panther-Built Detections

The following detections are available for use immediately:
  • Admin Role Assigned
  • API Key Created
  • API Key Revoked
  • Brute Force Logins
  • Geo Improbable Access
Review the files in the okta_rules repository to see how these are built.
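To show the shape of rules like the ones listed above, here is an added example written for this page; it is not the code in the okta_rules repository and does not reproduce Panther's thresholds. Each rule is a function that takes one parsed Okta.SystemLog event and returns True to fire, with a title or dedup companion where useful. The eventType strings (user.account.privilege.grant, system.api_token.create, system.api_token.revoke, user.session.start) and the outcome.result values are documented Okta System Log values; deep_get, the sliding-window threshold stand-in for Panther's dedup/threshold mechanism, and the sample events are constructed here. Geo Improbable Access is omitted because it needs per-user location state across polls.

```python
"""Panther-style detection rules for Okta.SystemLog events.

Added example; this is not the code in the okta_rules repository. Each rule
takes one parsed event (a dict) and returns True to fire. The eventType
strings and outcome.result values are documented Okta System Log values;
`deep_get`, the threshold logic and the sample events are constructed here.
"""
from collections import defaultdict
from datetime import datetime

# Okta System Log eventType values used by these rules.
ADMIN_PRIVILEGE_GRANT = "user.account.privilege.grant"
API_TOKEN_CREATE = "system.api_token.create"
API_TOKEN_REVOKE = "system.api_token.revoke"
SESSION_START = "user.session.start"


def deep_get(event: dict, *keys, default=None):
    """Safe nested lookup, e.g. deep_get(event, "outcome", "result")."""
    node = event
    for key in keys:
        if not isinstance(node, dict) or node.get(key) is None:
            return default
        node = node[key]
    return node


def admin_role_assigned(event: dict) -> bool:
    return (event.get("eventType") == ADMIN_PRIVILEGE_GRANT
            and deep_get(event, "outcome", "result") == "SUCCESS")


def admin_role_assigned_title(event: dict) -> str:
    actor = deep_get(event, "actor", "displayName", default="<unknown>")
    targets = [t.get("alternateId", "<unknown>") for t in event.get("target", [])]
    return f"{actor} granted an admin role to {', '.join(targets) or '<unknown>'}"


def api_key_created(event: dict) -> bool:
    return event.get("eventType") == API_TOKEN_CREATE


def api_key_revoked(event: dict) -> bool:
    return event.get("eventType") == API_TOKEN_REVOKE


def failed_login(event: dict) -> bool:
    """Per-event rule behind Brute Force Logins; a count threshold is applied per dedup key."""
    return (event.get("eventType") == SESSION_START
            and deep_get(event, "outcome", "result") == "FAILURE")


def failed_login_dedup(event: dict) -> str:
    return deep_get(event, "actor", "alternateId", default="<unknown>")


def _published_ts(event: dict) -> float:
    # Okta publishes RFC 3339 with a trailing Z; fromisoformat needs +00:00 before 3.11
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00")).timestamp()


def brute_force_actors(events, threshold: int = 5, window_seconds: int = 3600) -> set:
    """Offline stand-in for a threshold over a dedup window: return the dedup
    keys that accumulated at least `threshold` failed logins within any
    `window_seconds`-long span."""
    by_actor = defaultdict(list)
    for ev in events:
        if failed_login(ev):
            by_actor[failed_login_dedup(ev)].append(_published_ts(ev))
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return flagged


# Constructed sample events (not real Okta output).
def _login(actor: str, result: str, minute: int) -> dict:
    return {
        "eventType": SESSION_START,
        "published": f"2021-01-01T10:{minute:02d}:00.000Z",
        "actor": {"type": "User", "alternateId": actor, "displayName": actor},
        "outcome": {"result": result,
                    "reason": "INVALID_CREDENTIALS" if result == "FAILURE" else None},
    }


ADMIN_GRANT_EVENT = {
    "eventType": ADMIN_PRIVILEGE_GRANT,
    "published": "2021-01-01T11:00:00.000Z",
    "actor": {"type": "User", "alternateId": "admin@example.com", "displayName": "Ada Admin"},
    "target": [{"type": "User", "alternateId": "carol@example.com", "displayName": "Carol"}],
    "outcome": {"result": "SUCCESS"},
}
API_TOKEN_EVENT = {"eventType": API_TOKEN_CREATE, "published": "2021-01-01T11:05:00.000Z",
                   "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"}}
SAMPLE_EVENTS = (
    [_login("alice@example.com", "FAILURE", m) for m in range(0, 12, 2)]  # 6 failures in 10 min
    + [_login("bob@example.com", "FAILURE", 5), _login("bob@example.com", "SUCCESS", 6)]
    + [ADMIN_GRANT_EVENT, API_TOKEN_EVENT]
)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if admin_role_assigned(ev):
            print("ALERT:", admin_role_assigned_title(ev))
    print("brute force:", brute_force_actors(SAMPLE_EVENTS))
```

Keying the failed-login count on actor.alternateId (the login identifier) rather than on the source IP catches password spraying from many addresses against one account; a second rule keyed on client.ipAddress covers the opposite case.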

Supported log types

Okta.SystemLog

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
```yaml
schema: Okta.SystemLog
description: |
  The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
referenceURL: https://developer.okta.com/docs/reference/api/system-log/
version: 0
fields:
  - name: uuid
    required: true
    description: Unique identifier for an individual event
    type: string
  - name: published
    required: true
    description: Timestamp when event was published
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: eventType
    required: true
    description: Type of event that was published
    type: string
  - name: version
    required: true
    description: Versioning indicator
    type: string
  - name: severity
    required: true
    description: 'Indicates how severe the event is: DEBUG, INFO, WARN, ERROR'
    type: string
  - name: legacyEventType
    description: Associated Events API Action objectType attribute value
    type: string
  - name: displayMessage
    description: The display message for an event
    type: string
  - name: actor
    description: Describes the entity that performed an action
    type: object
    fields:
      - name: id
        required: true
        description: ID of actor
        type: string
      - name: type
        required: true
        description: Type of actor
        type: string
      - name: alternateId
        description: Alternative id of the actor
        type: string
        indicators:
          - email
      - name: displayName
        description: Display name of the actor
        type: string
      - name: details
        description: Details about the actor
        type: json
      - name: detailEntry
        description: Detail entry
        type: json
  - name: client
    description: The client that requested an action
    type: object
    fields:
      - name: id
        description: For OAuth requests this is the id of the OAuth client making the request. For SSWS token requests, this is the id of the agent making the request.
        type: string
      - name: userAgent
        description: The user agent used by an actor to perform an action
        type: object
        fields:
          - name: browser
            description: If the client is a web browser, this field identifies the type of web browser (e.g. CHROME, FIREFOX)
            type: string
          - name: os
            description: The Operating System the client runs on (e.g. Windows 10)
            type: string
          - name: rawUserAgent
            description: A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
            type: string
      - name: geographicalContext
        description: The physical location where the client made its request from
        type: object
        fields:
          - name: geolocation
            description: Contains the geolocation coordinates (latitude, longitude)
            type: object
            fields:
              - name: lat
                description: Latitude
                type: float
              - name: lon
                description: Longitude
                type: float
          - name: city
            description: The city encompassing the area containing the geolocation coordinates, if available (e.g. Seattle, San Francisco)
            type: string
          - name: state
            description: Full name of the state/province encompassing the area containing the geolocation coordinates (e.g. Montana, Incheon)
            type: string
          - name: country
            description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda)
            type: string
          - name: postalCode
            description: Postal code of the area containing the geolocation coordinates
            type: string
      - name: zone
        description: The name of the Zone that the client's location is mapped to
        type: string
      - name: ipAddress
        description: IP address that the client made its request from
        type: string
        indicators:
          - ip
      - name: device
        description: Type of device that the client operated from (e.g. Computer)
        type: string
  - name: request
    description: The request that initiated an action
    type: object
    fields:
      - name: ipChain
        description: If the incoming request passes through any proxies, the IP addresses of those proxies will be stored here in the format (clientIp, proxy1, proxy2, ...).
        type: array
        element:
          type: object
          fields:
            - name: ip
              description: IP address
              type: string
              indicators:
                - ip
            - name: geographicalContext
              description: Geographical context of the IP address
              type: object
              fields:
                - name: geolocation
                  description: Contains the geolocation coordinates (latitude, longitude)
                  type: object
                  fields:
                    - name: lat
                      description: Latitude
                      type: float
                    - name: lon
                      description: Longitude
                      type: float
                - name: city
                  description: The city encompassing the area containing the geolocation coordinates, if available (e.g. Seattle, San Francisco)
                  type: string
                - name: state
                  description: Full name of the state/province encompassing the area containing the geolocation coordinates (e.g. Montana, Incheon)
                  type: string
                - name: country
                  description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda)
                  type: string
                - name: postalCode
                  description: Postal code of the area containing the geolocation coordinates
                  type: string
            - name: version
              description: IP version
              type: string
            - name: source
              description: Details regarding the source
              type: string
  - name: outcome
    description: The outcome of an action
    type: object
    fields:
      - name: result
        description: 'Result of the action: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN'
        type: string
      - name: reason
        description: Reason for the result, for example INVALID_CREDENTIALS
        type: string
  - name: target
    description: Zero or more targets of an action
    type: array
    element:
      type: object
      fields:
        - name: id
          required: true
          description: ID of target
          type: string
        - name: type
          required: true
          description: Type of target
          type: string
        - name: alternateId
          description: Alternative id of the target
          type: string
        - name: displayName
          description: Display name of the target
          type: string
        - name: details
          description: Details about the target
          type: json
        - name: detailEntry
          description: Detail entry
          type: json
  - name: transaction
    description: The transaction details of an action
    type: object
    fields:
      - name: id
        description: Unique identifier for this transaction.
        type: string
      - name: type
        description: Describes the kind of transaction. WEB indicates a web request. JOB indicates an asynchronous task.
        type: string
      - name: detail
        description: Details for this transaction.
        type: json
  - name: debugContext
    description: The debug request data of an action
    type: object
    fields:
      - name: debugData
        description: Dynamic field containing miscellaneous information dependent on the event type.
        type: json
  - name: authenticationContext
    description: The authentication data of an action
    type: object
    fields:
      - name: authenticationProvider
        description: The system that proves the identity of an actor using the credentials provided to it
        type: string
      - name: authenticationStep
        description: The zero-based step number in the authentication pipeline. Currently unused and always set to 0.
        type: int
      - name: credentialProvider
        description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs via credentials provided by a credential provider, that credential provider will be recorded here.
        type: string
      - name: credentialType
        description: The underlying technology/scheme used in the credential
        type: string
      - name: issuer
        description: The specific software entity that created and issued the credential.
        type: object
        fields:
          - name: id
            description: Varies depending on the type of authentication. If authentication is SAML 2.0, id is the issuer in the SAML assertion. For social login, id is the issuer of the token.
            type: string
          - name: type
            description: Information regarding issuer and source of the SAML assertion or token.
            type: string
      - name: externalSessionId
        description: A proxy for the actor's session ID
        type: string
      - name: interface
        description: The third party user interface that the actor authenticates through, if any.
        type: string
      - name: authenticatorProvider
        description: 'DEPRECATED: This field is kept here for backwards compatibility.'
        type: string
  - name: securityContext
    description: The security data of an action
    type: object
    fields:
      - name: asNumber
        description: Autonomous system number associated with the autonomous system that the event request was sourced to
        type: bigint
      - name: asOrg
        description: Organization associated with the autonomous system that the event request was sourced to
        type: string
      - name: isp
        description: Internet service provider used to send the event's request
        type: string
      - name: domain
        description: The domain name associated with the IP address of the inbound event request
        type: string
        indicators:
          - domain
      - name: isProxy
        description: Specifies whether an event's request is from a known proxy
        type: boolean
```
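To make the required: and indicators: entries in the schema concrete, here is an added example, written for this page and not Panther's parser, that applies a hand-copied subset of the Okta.SystemLog schema to one event: it reports missing required fields and collects every value tagged with an indicator, across nested objects and array elements such as request.ipChain. The p_any_ip_addresses, p_any_emails and p_any_domain_names column names are Panther's standard indicator columns and are not on this page; the sample event and the SCHEMA_FIELDS subset are constructed here.

```python
"""Apply a Panther-style schema subset to an Okta System Log event.

Added example, not Panther's parser. SCHEMA_FIELDS is a hand-copied subset of
the Okta.SystemLog schema (constructed here); the p_any_* column names are
Panther's standard indicator columns; the sample event is constructed.
"""
from typing import Any, Dict, List, Tuple

SCHEMA_FIELDS = [
    {"name": "uuid", "required": True, "type": "string"},
    {"name": "published", "required": True, "type": "timestamp"},
    {"name": "eventType", "required": True, "type": "string"},
    {"name": "actor", "type": "object", "fields": [
        {"name": "id", "required": True, "type": "string"},
        {"name": "alternateId", "type": "string", "indicators": ["email"]},
    ]},
    {"name": "client", "type": "object", "fields": [
        {"name": "ipAddress", "type": "string", "indicators": ["ip"]},
    ]},
    {"name": "request", "type": "object", "fields": [
        {"name": "ipChain", "type": "array", "element": {"type": "object", "fields": [
            {"name": "ip", "type": "string", "indicators": ["ip"]},
        ]}},
    ]},
    {"name": "securityContext", "type": "object", "fields": [
        {"name": "domain", "type": "string", "indicators": ["domain"]},
    ]},
]

# Indicator kind -> the Panther column its values are collected into.
INDICATOR_COLUMN = {"ip": "p_any_ip_addresses", "email": "p_any_emails",
                    "domain": "p_any_domain_names"}


def _walk_object(fields: List[dict], node: Any, path: str,
                 errors: List[str], found: Dict[str, set]) -> None:
    """Check required fields of an object and descend into each present field."""
    if not isinstance(node, dict):
        errors.append(f"{path or '<root>'}: expected object")
        return
    for spec in fields:
        name = spec["name"]
        fpath = f"{path}.{name}" if path else name
        if node.get(name) is None:
            if spec.get("required"):
                errors.append(f"{fpath}: required field missing")
            continue
        _walk_value(spec, node[name], fpath, errors, found)


def _walk_value(spec: dict, value: Any, fpath: str,
                errors: List[str], found: Dict[str, set]) -> None:
    """Dispatch on the schema type; scalars contribute their indicators."""
    ftype = spec.get("type")
    if ftype == "object":
        _walk_object(spec.get("fields", []), value, fpath, errors, found)
    elif ftype == "array":
        if not isinstance(value, list):
            errors.append(f"{fpath}: expected array")
            return
        for i, item in enumerate(value):
            _walk_value(spec["element"], item, f"{fpath}[{i}]", errors, found)
    else:
        for kind in spec.get("indicators", []):
            found.setdefault(INDICATOR_COLUMN[kind], set()).add(str(value))


def apply_schema(event: dict) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (errors, indicator_columns) for one event."""
    errors: List[str] = []
    found: Dict[str, set] = {}
    _walk_object(SCHEMA_FIELDS, event, "", errors, found)
    return errors, {col: sorted(vals) for col, vals in found.items()}


# Constructed sample event using documentation IP ranges (not real Okta output).
SAMPLE_EVENT = {
    "uuid": "00000000-0000-0000-0000-000000000001",
    "published": "2021-01-01T12:00:00.000Z",
    "eventType": "user.session.start",
    "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com"},
    "client": {"ipAddress": "203.0.113.10"},
    "request": {"ipChain": [{"ip": "203.0.113.10", "version": "V4"},
                            {"ip": "198.51.100.7", "version": "V4"}]},
    "securityContext": {"domain": "example.net"},
}

if __name__ == "__main__":
    print(apply_schema(SAMPLE_EVENT))
```

Because indicator values are collected into one column regardless of where they sit in the event, a search for an IP finds it whether it was the direct client address or only appeared in a proxy chain, which is the practical reason the schema tags both client.ipAddress and request.ipChain[].ip.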