# Okta Log Queries

Below are some queries to help you investigate and learn from Okta events. These queries are for investigating existing log data. If you are interested in detecting on newly ingested data, consider enabling the [Panther-managed Okta detections](/ko/data-onboarding/supported-logs/okta.md#panther-built-detections).

The following queries are written in Snowflake SQL syntax unless otherwise noted.

#### Top logins by user over the last 7 days

```sql
-- Top logins by user over the last 7 days
SELECT actor:alternateId as actor, COUNT(*) as total
FROM panther_logs.public.okta_systemlog 
WHERE eventtype = 'user.authentication.sso' 
  and outcome:result = 'SUCCESS' 
  and p_occurs_since(7d)
GROUP BY actor
ORDER BY total desc
```

#### Logins by hour over the last 1 day

```sql
-- Logins by hour over the last 1 day
SELECT  
  time_slice(p_event_time, 1, 'HOUR', 'START') as "start",
  time_slice(p_event_time, 1, 'HOUR', 'END') as "end",
  count(*) as "logins",
  count(distinct(actor:alternateId)) as "users"
FROM panther_logs.public.okta_systemlog 
WHERE eventtype = 'user.authentication.sso' 
  and outcome:result = 'SUCCESS' 
  and p_occurs_since(1d)
GROUP BY "start", "end"
ORDER BY "start" desc
```

#### Top applications over the last 7 days

```sql
-- Top applications over the last 7 days
SELECT GET(target, 0):displayName as application, count(*) as total
FROM panther_logs.public.okta_systemlog 
WHERE eventtype = 'user.authentication.sso' 
  and p_occurs_since(7d)
GROUP BY Application
ORDER BY total desc
```

#### Top users by failed logins over the last 7 days

```sql
-- Top users by failed logins over the last 7 days
SELECT actor:alternateId as actor, COUNT(*) as total
FROM panther_logs.public.okta_systemlog 
WHERE eventtype = 'user.session.start' 
  and outcome:result = 'FAILURE' 
  and outcome:reason = 'INVALID_CREDENTIALS'
  and p_occurs_since(7d)
GROUP BY actor
ORDER BY total desc
```

#### Failed logins by reason over the last 7 days

```sql
-- Failed logins by reason
SELECT outcome:reason as reason, COUNT(*) as total
FROM panther_logs.public.okta_systemlog 
WHERE eventtype = 'user.session.start' 
  and outcome:result = 'FAILURE'
  and p_occurs_since(7d)
GROUP BY reason
ORDER BY total desc
```

#### Fake account login attempts over the last 7 days

```sql
-- Fake account login attempts over the last 7 days
SELECT actor:alternateId as actor, COUNT(*) as total
FROM panther_logs.public.okta_systemlog 
WHERE eventtype = 'user.session.start' 
  and outcome:result = 'FAILURE' 
  and outcome:reason = 'VERIFICATION_ERROR'
  and p_occurs_since(7d)
GROUP BY actor
ORDER BY total desc
```

**Identify Okta Support access to your Okta organization**

```sql
SELECT 
  p_event_time as event_time,
  actor:alternateId as actor_email,
  actor:displayName as actor_name,
  client:ipAddress as src_ip,
  client:geographicalContext:city as city,
  client:geographicalContext:country as country,
  client:userAgent:rawUserAgent as user_agent,
  displayMessage,
  eventType
FROM 
  panther_logs.public.okta_systemlog
WHERE 
  -- Parenthesize the OR so the time filter applies to both event types
  (
    eventType = 'user.session.impersonation.grant' 
    OR 
    eventType = 'user.session.impersonation.initiate'
  )
  AND  
  p_occurs_between('YYYY-MM-DD','YYYY-MM-DD')
ORDER BY
  event_time desc
```

**Identify all users granted Admin privileges in Okta**

```sql
SELECT 
  p_event_time as event_time,
  actor:alternateId as actor_email,
  actor:displayName as actor_name,
  displayMessage,
  eventType,
  debugContext:debugData:privilegeGranted as priv_granted,
  target as target_user,
  client:ipAddress as src_ip,
  client:geographicalContext:city as city,
  client:geographicalContext:country as country,
  client:userAgent:rawUserAgent as user_agent
FROM 
  panther_logs.public.okta_systemlog
WHERE 
  -- Parenthesize the OR so the Admin filter applies to both event types
  (
    eventType = 'user.account.privilege.grant' 
    OR 
    eventType = 'group.privilege.grant'
  )
  AND
    debugContext:debugData:privilegeGranted like '%Admin%'
  AND  
    p_occurs_between('YYYY-MM-DD','YYYY-MM-DD')
ORDER BY
  event_time desc
```

