# Okta log queries

Below are a few queries you can use as a starting point for investigating and learning about Okta events. These queries are intended for investigating existing log data. If you are interested in detecting events in newly ingested data, consider enabling the [Panther-managed Okta detections](/ko/data-onboarding/supported-logs/okta.md#panther-built-detections).

The following queries are written in Snowflake SQL syntax unless otherwise noted.

#### Top logins by user in the last 7 days

```sql
-- Top logins by user in the last 7 days
SELECT actor:alternateId as actor, COUNT(*) as total
FROM panther_logs.public.okta_systemlog
WHERE eventtype = 'user.authentication.sso'
  and outcome:result = 'SUCCESS'
  and p_occurs_since(7d)
GROUP BY actor
ORDER BY total desc
```

#### Logins per hour in the last day

```sql
-- Logins per hour in the last day
SELECT
  time_slice(p_event_time, 1, 'HOUR', 'START') as "start",
  time_slice(p_event_time, 1, 'HOUR', 'END') as "end",
  count(*) as "logins",
  count(distinct(actor:alternateId)) as "users"
FROM panther_logs.public.okta_systemlog
WHERE eventtype = 'user.authentication.sso'
  and outcome:result = 'SUCCESS'
  and p_occurs_since(1d)
GROUP BY "start", "end"
ORDER BY "start" desc
```

#### Top applications in the last 7 days

```sql
-- Top applications in the last 7 days
-- The first element of the target array is the application that was accessed
SELECT GET(target, 0):displayName as application, count(*) as total
FROM panther_logs.public.okta_systemlog
WHERE eventtype = 'user.authentication.sso'
  and p_occurs_since(7d)
GROUP BY application
ORDER BY total desc
```

#### Top failed users in the last 7 days

```sql
-- Top failed users in the last 7 days
SELECT actor:alternateId as actor, COUNT(*) as total
FROM panther_logs.public.okta_systemlog
WHERE eventtype = 'user.session.start'
  and outcome:result = 'FAILURE'
  and outcome:reason = 'INVALID_CREDENTIALS'
  and p_occurs_since(7d)
GROUP BY actor
ORDER BY total desc
```

#### Login failures by reason in the last 7 days

```sql
-- Login failures by reason
SELECT outcome:reason as reason, COUNT(*) as total
FROM panther_logs.public.okta_systemlog
WHERE eventtype = 'user.session.start'
  and outcome:result = 'FAILURE'
  and p_occurs_since(7d)
GROUP BY reason
ORDER BY total desc
```

#### Fake account login attempts in the last 7 days

```sql
-- Fake account login attempts (VERIFICATION_ERROR: the username does not exist)
SELECT actor:alternateId as actor, COUNT(*) as total
FROM panther_logs.public.okta_systemlog
WHERE eventtype = 'user.session.start'
  and outcome:result = 'FAILURE'
  and outcome:reason = 'VERIFICATION_ERROR'
  and p_occurs_since(7d)
GROUP BY actor
ORDER BY total desc
```
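Building on the failed-user and fake-account queries above, the following query (an added example, not part of the original Panther documentation) groups failures by source IP instead of by actor, so that one address spreading a few guesses across many accounts stands out, and joins in any accounts that successfully started a session from that same address in the window. It assumes the same `panther_logs.public.okta_systemlog` table and `p_occurs_since` macro used above; the threshold of 10 distinct users is an assumption to tune per organization.

```sql
-- Added example: failed logins grouped by source IP over the last 7 days,
-- with the accounts that later succeeded from the same IP.
-- Many distinct users with few failures each from one IP is the shape of a
-- password spray; many failures against one user is a brute-force attempt.
WITH failed AS (
  SELECT
    client:ipAddress as src_ip,
    client:geographicalContext:country as country,
    COUNT(*) as failures,
    COUNT(DISTINCT actor:alternateId) as distinct_users,
    MIN(p_event_time) as first_seen,
    MAX(p_event_time) as last_seen
  FROM panther_logs.public.okta_systemlog
  WHERE eventType = 'user.session.start'
    AND outcome:result = 'FAILURE'
    -- wrong password for a real account, or a username that does not exist
    AND outcome:reason IN ('INVALID_CREDENTIALS', 'VERIFICATION_ERROR')
    AND p_occurs_since(7d)
  GROUP BY src_ip, country
),
succeeded AS (
  SELECT
    client:ipAddress as src_ip,
    ARRAY_AGG(DISTINCT actor:alternateId) as users_logged_in
  FROM panther_logs.public.okta_systemlog
  WHERE eventType = 'user.session.start'
    AND outcome:result = 'SUCCESS'
    AND p_occurs_since(7d)
  GROUP BY src_ip
)
SELECT
  f.src_ip,
  f.country,
  f.failures,
  f.distinct_users,
  f.first_seen,
  f.last_seen,
  s.users_logged_in   -- NULL when nothing succeeded from this IP
FROM failed f
LEFT JOIN succeeded s ON f.src_ip = s.src_ip
WHERE f.distinct_users >= 10   -- assumed threshold; tune to your org's size
ORDER BY f.distinct_users DESC, f.failures DESC
```

Rows where `users_logged_in` is not NULL deserve first attention, since a success from an address that was also failing against many accounts is the case worth confirming with the user.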

#### Identifying Okta Support access to your Okta org

```sql
-- Okta Support access (impersonation) to the org
-- Replace the two 'YYYY-MM-DD' placeholders with the start and end of the window to review;
-- the parentheses keep the time filter applied to both event types
SELECT
  p_event_time as event_time,
  actor:alternateId as actor_email,
  actor:displayName as actor_name,
  client:ipAddress as src_ip,
  client:geographicalContext:city as city,
  client:geographicalContext:country as country,
  client:userAgent:rawUserAgent as user_agent,
  displayMessage,
  eventType
FROM
  panther_logs.public.okta_systemlog
WHERE
  (
    eventType = 'user.session.impersonation.grant'
    OR
    eventType = 'user.session.impersonation.initiate'
  )
  AND
  p_occurs_between('YYYY-MM-DD','YYYY-MM-DD')
ORDER BY
  event_time desc
```

#### Identifying all users granted admin privileges in Okta

```sql
-- Admin privilege grants to users or groups
-- Replace the two 'YYYY-MM-DD' placeholders with the start and end of the window to review;
-- the parentheses keep the privilege and time filters applied to both event types
SELECT
  p_event_time as event_time,
  actor:alternateId as actor_email,
  actor:displayName as actor_name,
  displayMessage,
  eventType,
  debugContext:debugData:privilegeGranted as priv_granted,
  target as target_user,
  client:ipAddress as src_ip,
  client:geographicalContext:city as city,
  client:geographicalContext:country as country,
  client:userAgent:rawUserAgent as user_agent
FROM
  panther_logs.public.okta_systemlog
WHERE
  (
    eventType = 'user.account.privilege.grant'
    OR
    eventType = 'group.privilege.grant'
  )
  AND
    debugContext:debugData:privilegeGranted like '%Admin%'
  AND
    p_occurs_between('YYYY-MM-DD','YYYY-MM-DD')
ORDER BY
  event_time desc
```
