Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Okta Logs | ✅ | ✅ | ✅ | ✅ | okta_logs | NDJSON | API |
| Okta Users | | ✅ | ✅ | ✅ | okta_users | NDJSON | API |
| Okta Apps | | | | ✅ | okta_apps | NDJSON | API |
| Okta Groups | | | | | okta_groups | NDJSON | API |
Overview
For organizations that use Okta as their SSO provider, it is usually a crucial component in providing regulated access for all organizational users to the relevant cloud and SaaS resources; in some cases it also manages access to internal organizational resources. As such, it is a high-value target for attackers: the platform is reachable from the internet, and through it so are many other organizational resources.
Okta logs are pulled via the API and provide several types of logs and data, enabling detection and enrichment for this attack vector and more.
Supported data types
Okta Logs
Table name: okta_logs
These are the activity logs; they contain every event and action performed by any user in Okta. They are required for detecting suspicious and malicious behavior in the Okta platform itself and in other products and services that use Okta as their SSO.
Okta Users
Table name: okta_users
This provides a point-in-time snapshot of all users that exist in the system. It is crucial contextual information for automatic investigations across the entire organization (not only in Okta), because the user identifiers are used to correlate activities of the same person across platforms and products, where that person may appear under different users and usernames.
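The two tables above are most useful together: okta_logs carries the login in actor.alternateId, and okta_users carries that same login next to the account's status and credential provider. The Python script below is an added example, not code from Hunters or Okta. It loads constructed NDJSON rows in the shapes shown under Expected format, enriches each log event with the user's snapshot status, and runs two detections a practitioner would typically want on this data: a password-spray rule (several failed user.session.start events from one IP against several accounts inside a time window, noting any later success from that IP) and a rule for any activity by an account the snapshot says is DEPROVISIONED. The sample records, the thresholds and the rule names are assumptions for illustration.

```python
"""Added example (not Hunters' or Okta's code): enrich okta_logs events with the
okta_users snapshot and run two detections over them. All records below are
constructed for illustration; field names follow the Okta shapes on this page."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed okta_logs rows (NDJSON: one event per line). Not real data.
OKTA_LOGS_NDJSON = """\
{"uuid":"e1","eventType":"user.session.start","published":"2025-02-07T10:00:01.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"u1","type":"User","alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"uuid":"e2","eventType":"user.session.start","published":"2025-02-07T10:00:09.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"u2","type":"User","alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"uuid":"e3","eventType":"user.session.start","published":"2025-02-07T10:00:15.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"u3","type":"User","alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"uuid":"e4","eventType":"user.session.start","published":"2025-02-07T10:00:40.000Z","outcome":{"result":"SUCCESS"},"actor":{"id":"u3","type":"User","alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"uuid":"e5","eventType":"user.session.start","published":"2025-02-07T11:30:00.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"id":"u1","type":"User","alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.2"}}
{"uuid":"e6","eventType":"user.authentication.auth_via_AD_agent","published":"2025-02-07T11:31:00.000Z","outcome":{"result":"SUCCESS"},"actor":{"id":"u1","type":"User","alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.2"}}
"""

# Constructed okta_users snapshot rows. Not real data.
OKTA_USERS_NDJSON = """\
{"id":"u1","status":"ACTIVE","profile":{"login":"alice@example.com"},"credentials":{"provider":{"type":"ACTIVE_DIRECTORY","name":"corp.example.com"}}}
{"id":"u2","status":"DEPROVISIONED","profile":{"login":"bob@example.com"},"credentials":{"provider":{"type":"OKTA","name":"OKTA"}}}
{"id":"u3","status":"ACTIVE","profile":{"login":"carol@example.com"},"credentials":{"provider":{"type":"OKTA","name":"OKTA"}}}
"""


def load_ndjson(text):
    """One JSON object per line, the format Hunters stores for the okta_* tables."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_published(ts):
    """Okta 'published' timestamps are UTC with millisecond precision."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def index_users(users):
    """okta_users keyed by login, which is what okta_logs carries in actor.alternateId."""
    return {u["profile"]["login"].lower(): u for u in users}


def enrich(event, by_login):
    """Attach the snapshot status and credential provider of the acting user."""
    login = (event.get("actor") or {}).get("alternateId", "").lower()
    user = by_login.get(login)
    out = dict(event)
    out["okta_user_status"] = user["status"] if user else "UNKNOWN"
    out["okta_user_provider"] = user["credentials"]["provider"]["type"] if user else "UNKNOWN"
    return out


def detect_password_spray(events, window_s=600, min_failures=3, min_accounts=2):
    """Per source IP: >= min_failures failed logins against >= min_accounts distinct
    accounts within window_s seconds; also lists accounts that later succeeded from that IP."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["published"]):
        if e.get("eventType") != "user.session.start":
            continue
        row = (parse_published(e["published"]), e["actor"]["alternateId"].lower())
        bucket = failures if e["outcome"]["result"] == "FAILURE" else successes
        bucket[e["client"]["ipAddress"]].append(row)
    findings = []
    for ip, rows in failures.items():
        for i, (t0, _) in enumerate(rows):
            window = [r for r in rows[i:] if (r[0] - t0).total_seconds() <= window_s]
            accounts = {login for _, login in window}
            if len(window) >= min_failures and len(accounts) >= min_accounts:
                later = sorted({login for t, login in successes[ip] if t >= t0})
                findings.append({"rule": "password_spray", "ip": ip,
                                 "accounts": sorted(accounts), "followed_by_success": later})
                break  # one finding per IP is enough; the analyst sees the full list
    return findings


def detect_deprovisioned_activity(enriched):
    """Any event whose actor the snapshot marks DEPROVISIONED is worth a look."""
    return [{"rule": "deprovisioned_account_activity", "uuid": e["uuid"],
             "login": e["actor"]["alternateId"].lower(), "eventType": e["eventType"]}
            for e in enriched if e["okta_user_status"] == "DEPROVISIONED"]


def run(logs_ndjson, users_ndjson):
    """Enrich, then run both rules; returns the list of findings."""
    by_login = index_users(load_ndjson(users_ndjson))
    enriched = [enrich(e, by_login) for e in load_ndjson(logs_ndjson)]
    return detect_password_spray(enriched) + detect_deprovisioned_activity(enriched)


if __name__ == "__main__":
    for finding in run(OKTA_LOGS_NDJSON, OKTA_USERS_NDJSON):
        print(json.dumps(finding))
```

On the constructed input the spray rule fires for 203.0.113.7 (three accounts failed within 14 seconds, then carol@example.com succeeded from the same IP), while the single failure from 198.51.100.2 stays below threshold; the enrichment rule fires once, for the failed login of the deprovisioned bob@example.com. In production the same join is what lets a failed login be weighed by the account's status and by whether its credentials live in Okta or in Active Directory.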
Okta Apps
Table name: okta_apps
Information gathered about the apps connected to Okta and the users/groups assigned to them.
Okta Groups
Table name: okta_groups
Information about the Okta groups and their user members.
Send data to Hunters
Hunters supports collecting logs from Okta using the Okta API.
Create an Okta API token
Log into Okta using a READ ONLY ADMIN role.
📘Why?
To complete the connection, the API token needs read-only permissions only. An API token inherits the permission level of the admin user that created it, so creating it as a Read-only Administrator keeps the token limited to reads even if it is later exposed.
Follow this guide to create an API Token, then copy the token value and your Okta Host and store them in a secure location; Okta shows the token value only once, at creation.
Create a data source on Hunters
Follow this procedure to connect Okta as a data source.
Insert your Okta Host into the Okta Domain field. The host must start with https:// and may or may not include www. Valid examples: https://your-org-okta.com or https://www.your-org-okta.com.
Enter the API Token into the corresponding field.
Select the log types you want to connect. We recommend connecting all types.
📘Why?
Connecting all log types will allow Hunters to provide you with all of the available features for this data source.
Complete the process as described in this procedure.
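Because the token inherits the permissions of the admin who created it, the sensible check before saving it in Hunters is to ask Okta which roles that admin actually holds. The script below is an added example, not code from Hunters or Okta. It uses two documented Okta endpoints, GET /api/v1/users/me (which resolves to the user who created the token) and GET /api/v1/users/{id}/roles, with the SSWS Authorization scheme that Okta API tokens use; the environment variable names OKTA_HOST and OKTA_API_TOKEN, the function names and the sample role lists are assumptions.

```python
"""Added example (not Hunters' or Okta's code): confirm that an Okta API token
was created by an admin holding only READ_ONLY_ADMIN before handing it to a
third party. Endpoint paths and the SSWS scheme are Okta's; environment
variable names and function names are assumptions."""
import json
import os
import urllib.request

READ_ONLY_ROLE = "READ_ONLY_ADMIN"  # Okta's role type for the Read-only Administrator


def normalize_host(host):
    """Okta Domain in the form the Hunters field expects: https scheme, no trailing slash."""
    host = host.strip().rstrip("/")
    if not host.startswith("https://"):
        raise ValueError("Okta host must start with https://")
    return host


def okta_get(host, token, path):
    """Authenticated GET against the Okta API (SSWS is Okta's API-token auth scheme)."""
    req = urllib.request.Request(
        normalize_host(host) + path,
        headers={"Authorization": "SSWS " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def evaluate_roles(roles):
    """Pure check on the role list returned by /api/v1/users/{id}/roles.

    read_only is True only when READ_ONLY_ADMIN is present and nothing else is.
    Custom roles (type CUSTOM) count as excess: their scope cannot be judged
    from the type alone, so the conservative answer is 'not read-only'."""
    types = sorted({r.get("type", "UNKNOWN") for r in roles})
    excess = [t for t in types if t != READ_ONLY_ROLE]
    return {"roles": types, "excess": excess,
            "read_only": READ_ONLY_ROLE in types and not excess}


def check_token(host, token):
    """Resolve the token's owner, then evaluate the roles that owner holds."""
    me = okta_get(host, token, "/api/v1/users/me")
    roles = okta_get(host, token, "/api/v1/users/%s/roles" % me["id"])
    verdict = evaluate_roles(roles)
    verdict["login"] = me["profile"]["login"]
    return verdict


if __name__ == "__main__":
    # Assumed environment variable names; the token itself is never printed.
    verdict = check_token(os.environ["OKTA_HOST"], os.environ["OKTA_API_TOKEN"])
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["read_only"] else 1)
```

Run it with the host and token exported in the environment; exit status 0 means the token's owner holds READ_ONLY_ADMIN and nothing else, so the token cannot be used to change Okta configuration. If the owner also holds SUPER_ADMIN or any other role, create the token from a dedicated read-only admin account instead of reusing this one.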
Expected format
Okta Logs
{
"actor": {
"id": "anonymous_id_1",
"type": "AD_AGENT",
"alternateId": "anonymous_id_2",
"displayName": "Anonymous AD Agent",
"detailEntry": "No additional details"
},
"client": {
"userAgent": {
"rawUserAgent": "Okta AD Agent/3.19.0 (Microsoft Windows NT; .NET CLR; 64-bit OS; 64-bit Process; sslpinning=disabled)",
"os": "Windows",
"browser": "UNKNOWN"
},
"zone": "Default Zone",
"device": "Laptop",
"id": "anonymous_device_1",
"ipAddress": "0.0.0.0",
"geographicalContext": {
"city": "Anytown",
"state": "Anystate",
"country": "Anycountry",
"postalCode": "00000",
"geolocation": {
"lat": 0.0000,
"lon": 0.0000
}
}
},
"device": "Generic Device",
"authenticationContext": {
"authenticationProvider": "Internal",
"credentialProvider": "Password",
"credentialType": "Basic",
"issuer": "Anonymous Issuer",
"interface": "Web Login",
"authenticationStep": 1,
"rootSessionId": "anonymous_session_1",
"externalSessionId": "anonymous_session_2"
},
"displayMessage": "Authenticate user with AD agent",
"eventType": "user.authentication.auth_via_AD_agent",
"outcome": {
"result": "SUCCESS",
"reason": "User authenticated successfully"
},
"published": "2025-02-07T00:54:01.863Z",
"securityContext": {
"asNumber": 12345,
"asOrg": "Anonymous Org",
"isp": "Anonymous ISP",
"domain": "anonymous.net",
"isProxy": false
},
"severity": "INFO",
"debugContext": {
"debugData": {
"requestId": "anonymous_request_1",
"requestUri": "/api/1/internal/app/activedirectory/anonymous/actionResult",
"url": "/api/1/internal/app/activedirectory/anonymous/actionResult?responseId=anonymous_response_1"
}
},
"legacyEventType": "app.ad.agent.user_auth",
"transaction": {
"type": "WEB",
"id": "anonymous_transaction_1",
"detail": {
"rootApiTokenId": "anonymous_token_1",
"requestApiTokenId": "anonymous_token_2",
"requestApiTokenClientId": "anonymous_client_id"
}
},
"uuid": "anonymous_uuid_1",
"version": "1.0",
"request": {
"ipChain": [
{
"ip": "0.0.0.0",
"geographicalContext": {
"city": "Anytown",
"state": "Anystate",
"country": "Anycountry",
"postalCode": "00000",
"geolocation": {
"lat": 0.0000,
"lon": 0.0000
}
},
"version": "V4",
"source": "Internal Network"
}
]
},
"target": [
{
"id": "anonymous_target_1",
"type": "AppInstance",
"alternateId": "anonymous_app",
"displayName": "Anonymous Directory",
"detailEntry": "No additional details"
}
],
"sample_time": "2025-02-07T01:10:56.981Z"
}
Okta Users
{
"id": "7kwo5837fj85j29",
"status": "STAGED",
"created": "2022-04-20T17:36:37.000Z",
"activated": null,
"statusChanged": null,
"lastLogin": null,
"lastUpdated": "2024-06-20T13:01:10.000Z",
"passwordChanged": null,
"type": {
"id": "oty13647ohReoiG4i4x7"
},
"profile": {
"firstName": "Service",
"lastName": "Service",
"mobilePhone": null,
"displayName": "Service Service",
"secondEmail": null,
"login": "service.service@example.com",
"email": "Service.Sentry@example.com"
},
"credentials": {
"provider": {
"type": "ACTIVE_DIRECTORY",
"name": "corp.example.com"
}
},
"_links": {
"self": {
"href": "https://example.okta.com/api/v1/users/7kwo5837fj85j29"
}
},
"sample_time": "2025-02-07T23:40:45.412Z"
}
Okta Apps
{
"id": "3hdj4kuh4398fh2i3",
"orn": "orn:okta:idp:00o13647nwKgshBqp4x7:apps:active_directory:3hdj4kuh4398fh2i3",
"name": "active_directory",
"label": "corp.example.com",
"status": "ACTIVE",
"lastUpdated": "2025-02-07T21:28:31.000Z",
"created": "2020-10-29T14:56:54.000Z",
"accessibility": {
"selfService": false,
"errorRedirectUrl": null,
"loginRedirectUrl": null
},
"visibility": {
"autoSubmitToolbar": false,
"hide": {
"iOS": false,
"web": false
},
"appLinks": {}
},
"features": [
"IMPORT_PROFILE_UPDATES",
"SUPPRESS_ACTIVATION_EMAIL",
"PROFILE_MASTERING",
"OUTBOUND_DEL_AUTH",
"FEDERATED_PROFILE",
"IMPORT_USER_SCHEMA",
"IMPORT_NEW_USERS"
],
"signOnMode": null,
"credentials": {
"userNameTemplate": {
"template": "substringBefore(user.login, \"@\") + \"@\" + target_app.namingContext",
"type": "CUSTOM",
"pushStatus": "NOT_CONFIGURED"
},
"signing": {}
},
"settings": {
"app": {
"jitGroupsAcrossDomains": false,
"password": null,
"scanRate": null,
"searchOrgUnit": null,
"filterGroupsByOU": false,
"namingContext": "corp.example.com",
"login": null,
"activationEmail": null
},
"notifications": {
"vpn": {
"network": {
"connection": "DISABLED"
},
"message": null,
"helpUrl": null
}
},
"manualProvisioning": false,
"implicitAssignment": false
},
"_links": {
"uploadLogo": {
"href": "https://example.okta.com/api/v1/apps/3hdj4kuh4398fh2i3/logo",
"hints": {
"allow": ["POST"]
}
},
"appLinks": [],
"profileEnrollment": {
"href": "https://example.okta.com/api/v1/policies/rstbhlfk6yQF9YUEh4x7"
},
"policies": {
"href": "https://example.okta.com/api/v1/apps/3hdj4kuh4398fh2i3/policies",
"hints": {
"allow": ["PUT"]
}
},
"groups": {
"href": "https://example.okta.com/api/v1/apps/3hdj4kuh4398fh2i3/groups"
},
"logo": [
{
"name": "medium",
"href": "https://ok11static.oktacdn.com/assets/img/logos/active-directory.9d71e6886192896cd905f4987688d95f.png",
"type": "image/png"
}
],
"accessPolicy": {
"href": "https://example.okta.com/api/v1/policies/rstbhlfk5pTlc2s8I4x7"
},
"users": {
"href": "https://example.okta.com/api/v1/apps/3hdj4kuh4398fh2i3/users"
},
"deactivate": {
"href": "https://example.okta.com/api/v1/apps/3hdj4kuh4398fh2i3/lifecycle/deactivate"
}
},
"sample_time": "2025-02-07T23:39:24.391Z"
}
Okta Groups
{
"id": "anonymous_group_1",
"created": "2021-04-12T18:19:39.000Z",
"lastUpdated": "2021-04-12T18:19:39.000Z",
"lastMembershipUpdated": "2021-04-12T18:19:39.000Z",
"objectClass": ["okta:user_group"],
"type": "APP_GROUP",
"profile": {
"name": "Anonymous Group",
"description": "No description available"
},
"source": {
"id": "anonymous_source_1"
},
"_links": {
"logo": [
{
"name": "medium",
"href": "https://example.com/assets/img/logos/groups/medium.png",
"type": "image/png"
},
{
"name": "large",
"href": "https://example.com/assets/img/logos/groups/large.png",
"type": "image/png"
}
],
"source": {
"href": "https://anonymous.okta.com/api/v1/apps/anonymous_source_1"
},
"users": {
"href": "https://anonymous.okta.com/api/v1/groups/anonymous_group_1/users"
},
"apps": {
"href": "https://anonymous.okta.com/api/v1/groups/anonymous_group_1/apps"
}
},
"sample_time": "2025-02-08T23:40:22.062Z"
}