Collect Okta logs

This document describes how you can collect Okta logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OKTA ingestion label.

Configure Okta SSO

To configure Okta SSO, complete the following tasks:

Create read-only administrator user

  1. Sign in to the Okta SSO Administrator Console as an administrator.
  2. Create a Standard User. If you already have an existing standard user who you want to make a read-only administrator, proceed to the next step.
  3. Select Security > Administrators.
  4. Click Add Administrator.
  5. In the Grant administrator role to field, enter the username.
  6. In the Administrator roles section, select the Read-Only Administrator checkbox.
  7. Sign out from the administrator account.

Get API key

  1. Sign in to the Okta SSO Administrator Console with the read-only administrator created earlier.
  2. Select Security > API.
  3. Click Create Token.
  4. Enter the token name and click Create Token. The token value appears.
  5. Copy the API key, which is required when you configure the Google Security Operations feed.

    After you close the window, the API key cannot be recovered, because Okta stores it only in encrypted form. If the user who created the token is changed or that user's privileges change, the token becomes invalid. If the token is revoked or expires, log collection stops until a new token is configured.

  6. Click OK, got it.

Configure Okta ASA

To fetch Okta Advanced Server Access (ASA) audit events through the Okta system log API, integrate Okta ASA audit events with the Okta system log. To enable this integration, contact Okta support. For more information, see the Okta help center.

Configure a feed in Google Security Operations to ingest Okta logs

  1. From the Google Security Operations menu, select Settings.
  2. Click Feeds.
  3. Click Add New.
  4. Select Third party API as the Source Type.
  5. Select Okta as the Log Type to create a feed for Okta.
  6. Click Next.
  7. Configure the following input parameters:
    • Authentication HTTP Header: specify the HTTP header value that authenticates requests to the Okta API (the API key you copied earlier), which grants the feed access to the protected log resource.
    • API Hostname: specify the domain name or IP address of the host that serves the API.
  8. Click Next and then click Submit.
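Before saving the feed, it is useful to confirm that the read-only token actually returns System Log events. The following script is an added example (not part of this document or Google's feed implementation); it assumes the Okta System Log endpoint GET /api/v1/logs and the SSWS Authorization scheme, uses placeholder domain and key values, and summarizes a constructed sample response.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholders: substitute your Okta org domain and the read-only API key.
OKTA_DOMAIN = "example.okta.com"
API_KEY = "<API_KEY_PLACEHOLDER>"


def auth_header(api_key: str) -> dict:
    """Okta API tokens travel as 'Authorization: SSWS <token>' (assumed scheme);
    this is the value the feed's Authentication HTTP Header parameter carries."""
    return {"Authorization": f"SSWS {api_key}", "Accept": "application/json"}


def system_log_url(okta_domain: str, since_iso: str, limit: int = 100) -> str:
    """Build the System Log query: GET /api/v1/logs?since=<ISO-8601>&limit=N."""
    query = urllib.parse.urlencode({"since": since_iso, "limit": limit})
    return f"https://{okta_domain}/api/v1/logs?{query}"


def fetch_events(okta_domain: str, api_key: str, since_iso: str) -> list:
    """Call the System Log API once and return the decoded list of events."""
    req = urllib.request.Request(
        system_log_url(okta_domain, since_iso), headers=auth_header(api_key)
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_events(events: list) -> dict:
    """Count events per eventType and list actors behind FAILURE outcomes,
    so a dry run shows the token returns readable audit data."""
    counts, failures = {}, []
    for ev in events:
        counts[ev["eventType"]] = counts.get(ev["eventType"], 0) + 1
        if ev.get("outcome", {}).get("result") == "FAILURE":
            failures.append(ev.get("actor", {}).get("alternateId", "unknown"))
    return {"total": len(events), "by_type": counts, "failed_actors": failures}


# Constructed sample in the System Log event shape (not real tenant data).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2024-01-01T00:00:00Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2024-01-01T00:01:00Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "FAILURE"}},
    {"eventType": "system.api_token.create", "published": "2024-01-01T00:02:00Z",
     "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"}},
]

if __name__ == "__main__":
    since = (datetime.now(timezone.utc) - timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(system_log_url(OKTA_DOMAIN, since))
    # Swap SAMPLE_EVENTS for fetch_events(OKTA_DOMAIN, API_KEY, since) to test live.
    print(json.dumps(summarize_events(SAMPLE_EVENTS), indent=2))
```

A live run that raises HTTP 401 indicates the token is revoked, expired, or invalidated by a change to the creating user, which is exactly the condition under which feed collection stops.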

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.
