For organizations that use Okta as their SSO provider, it is usually a crucial component in providing regulated access for all organizational users to all relevant Cloud and SaaS resources. In some cases it is even used to manage access to internal organizational resources. As such, it is a high-value target for attackers: the platform can be accessed from the internet, and through it an attacker can reach many other organizational resources.

Okta logs are pulled via the API and provide several different types of logs and data, enabling detection and enrichment capabilities for this attack vector and more.

Supported data types

  • Okta Logs: these are the activity logs, and contain each event and action performed by any user in Okta. These logs are required for detecting all suspicious and malicious behaviors that are relevant for the Okta platform or for other products and services that use Okta as their SSO.

  • Okta Users: this provides snapshot-in-time information about all users that exist in the system. It is crucial contextual information for automatic investigations throughout the entire organization (not only in Okta), because the user identifiers are used to automatically correlate activities by the same person across different platforms and products (with possibly different users and usernames).

  • Okta Apps: information about the apps connected through Okta and the users/groups associated with them.

  • Okta Groups: information about the Okta groups and their user members.

Sending data to Hunters


  1. Before you create an API token, make sure you are using a user with a READ ONLY ADMIN role, as the API Token inherits the permission level of the admin who created it. If your role is not a Read-Only Administrator, follow this tutorial to grant read-only privileges.

  2. Follow this guide to create an API Token. When done, copy your Authentication Key and Okta Host and save them in a secure location.

Creating a Data Flow

After getting your Authentication Key according to the tutorial in the prerequisites section, log in to the Hunters Portal, go to the "Data Sources" section in the left sidebar, and click the "Add Data Sources" button.

  1. Find and choose Okta

  2. Insert your Okta Domain and API Token. The host can be either a domain www.your-org-okta.co or the full URL https://www.your-org-okta.com

  3. Click the "Test Connection" button at the bottom and, when the test is successful, click Apply at the top right corner.
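
The following added example is not part of the original guide and is not Hunters' or Okta's own code. It normalizes the two host forms accepted in step 2 and checks the read-only requirement from the API token steps. It assumes Okta's `SSWS` authorization header, the `/api/v1/...` paths, and a role listing shaped like the constructed sample; the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Assumed Okta REST paths for the four data types listed on this page.
ENDPOINTS = {"logs": "/api/v1/logs", "users": "/api/v1/users",
             "apps": "/api/v1/apps", "groups": "/api/v1/groups"}

# Constructed sample, shaped like a role listing for the admin who created the token.
SAMPLE_ROLES = json.dumps([
    {"type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
    {"type": "SUPER_ADMIN", "status": "ACTIVE"},
])


def normalize_okta_host(value):
    """Accept a bare domain or a full URL and return 'https://<host>'."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "https://" + value)
    if parts.scheme != "https":
        raise ValueError("Okta host must use https so the token is never sent in clear text")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the host")
    if not parts.hostname or parts.port not in (None, 443):
        raise ValueError("expected an Okta domain on the default HTTPS port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("expected a domain or base URL without path or query")
    return "https://" + parts.hostname


def build_requests(host, token):
    """Return {data type: (url, headers)} for the read-only pulls."""
    base = normalize_okta_host(host)
    headers = {"Authorization": "SSWS " + token, "Accept": "application/json"}
    return {name: (base + path, headers) for name, path in ENDPOINTS.items()}


def excess_roles(roles_json):
    """List active admin role types beyond READ_ONLY_ADMIN (should be empty)."""
    roles = json.loads(roles_json)
    return sorted({r["type"] for r in roles
                   if r.get("status") == "ACTIVE" and r["type"] != "READ_ONLY_ADMIN"})


if __name__ == "__main__":
    for name, (url, _) in build_requests("www.your-org-okta.co", "<API_TOKEN>").items():
        print(name, url)
    print("roles to remove before creating the token:", excess_roles(SAMPLE_ROLES))
```

A non-empty result from `excess_roles` means a token created by that admin would inherit more than read-only access.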