Ingest Logs and Data from Okta

Ingest authentication logs and data from Okta for use in Cortex XDR authentication stories.
Ingesting external logs and data requires a Cortex XDR Pro per TB license.
To receive logs and data from Okta, you must configure the Collection Integrations settings in Cortex XDR. After you set up data collection, Cortex XDR immediately begins receiving new logs and data from the source. The information from Okta is then searchable in XQL Search using the okta_sso_raw dataset.
You can collect all types of events from Okta. When setting up the Okta data collector in Cortex XDR, a field called Okta Filter is available to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as filter=eventType eq "user.session.start". For Okta information to be weaved into authentication stories, "user.authentication.sso" events must be collected.
  1. Identify the domain name of your Okta service.
     From the Dashboard of your Okta console, note your Org URL. For more information, see the Okta Documentation.
  2. Obtain your authentication token in Okta.
    1. Select API > Tokens.
    2. Create Token and record the token value. This is your only opportunity to record the value.
  3. Select Settings > Configurations > Data Collection > Collection Integrations.
  4. Integrate the Okta authentication service with Cortex XDR.
    1. Specify the OKTA DOMAIN (Org URL) that you identified on your Okta console.
    2. Specify the TOKEN used to authenticate with Okta.
    3. Specify the Okta Filter to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as filter=eventType eq "user.session.start". For Okta information to be weaved into authentication stories, "user.authentication.sso" events must be collected.
    4. Test the connection settings.
    5. If successful, Enable Okta log collection. Once events start to come in, a green check mark appears underneath the Okta configuration with the amount of data received.
  5. After Cortex XDR begins receiving information from the service, you can Create an XQL Query to search for specific data. When including authentication events, you can also Create an Authentication Query to search for specific authentication data.
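The Okta Filter expression described above and in step 4 is the one setting that can silently starve authentication stories: a filter narrowed to a single event type drops user.authentication.sso without any error. The following Python helper is an added example, not code from the Cortex XDR documentation or from Okta; it builds an Okta API filter from a list of event types and checks whether a given expression still collects the SSO events. It assumes the simple eq/or subset of Okta's filter syntax with straight double quotes, and treats anything else (curly quotes from copy-paste, other operators) as unsupported.

```python
import re

# Okta event type that Cortex XDR needs in order to weave Okta data into authentication stories.
SSO_EVENT = "user.authentication.sso"

# Subset of Okta System Log filter syntax handled here (an assumption of this example):
#   eventType eq "some.event.type"   joined by "or"
# Anything else (and, ne, curly quotes) is rejected rather than guessed at.
_CLAUSE = r'eventType\s+eq\s+"([A-Za-z0-9_.]+)"'
_OR_CHAIN = re.compile(rf'^\s*{_CLAUSE}(?:\s+or\s+{_CLAUSE})*\s*$')


def build_filter(event_types):
    """Build a filter expression collecting exactly the given event types.

    An empty list yields an empty expression, i.e. collect all events.
    """
    clauses = [f'eventType eq "{e}"' for e in event_types]
    return "filter=" + " or ".join(clauses) if clauses else ""


def collected_event_types(filter_expr):
    """Return the set of event types the filter collects, or None when it collects all."""
    expr = filter_expr.strip()
    if expr.startswith("filter="):
        expr = expr[len("filter="):]
    if not expr:
        return None
    if not _OR_CHAIN.match(expr):
        raise ValueError(f"unsupported or malformed Okta filter: {expr!r}")
    return set(re.findall(_CLAUSE, expr))


def is_supported_filter(filter_expr):
    """True when the expression parses under the grammar above (straight quotes, eq/or only)."""
    try:
        collected_event_types(filter_expr)
        return True
    except ValueError:
        return False


def sso_events_collected(filter_expr):
    """True when user.authentication.sso events still reach the okta_sso_raw dataset."""
    types = collected_event_types(filter_expr)
    return types is None or SSO_EVENT in types


if __name__ == "__main__":
    narrow = build_filter(["user.session.start"])
    wide = build_filter(["user.session.start", SSO_EVENT])
    print(narrow, "->", sso_events_collected(narrow))  # False: stories would miss Okta data
    print(wide, "->", sso_events_collected(wide))      # True
```

Run the check against the exact string you intend to paste into the Okta Filter field before enabling collection; a False result means authentication stories will not include Okta data.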
