Okta

The IBM® QRadar® DSM for Okta collects Okta REST API events from an Okta device.

The following table identifies the specifications for the Okta DSM:
Table 1. Okta DSM specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Okta |
| DSM name | Okta |
| RPM file name | DSM-OktaIdentityManagement-QRadar_version-build_number.noarch.rpm |
| Protocol | Okta REST API |
| Event format | JSON |
| Recorded event types | All |
| Automatically discovered? | No |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | Okta website (https://www.okta.com/) |

To integrate Okta with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
    • Protocol Common
    • Okta REST API Protocol RPM
    • Okta DSM RPM

    If multiple DSM RPMs are required, the integration sequence must reflect the DSM RPM dependency.

  2. Add an Okta log source on the QRadar Console:
    Table 2. Okta DSM log source parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | Okta |
    | Protocol type | Okta REST API |
    | Name | A name for the log source |
    | Description (optional) | A description for the log source |

For a list of Okta REST API protocol parameters and their values, see Okta REST API protocol configuration options.

The following table provides a sample event message for the Okta DSM:
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Table 3. Okta sample message supported by the Okta device

| Event name | Low level category | Sample log message |
| --- | --- | --- |
| Core-User Auth-Login Success | User Login Success | {"eventId":"xxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxx","sessionId":"xxxxxxxxxxxxxxxxxxxxxxxxx","requestId":"xxxxxxxxxxxxxxxxxxxxxxxxxx","published":"2016-04-06T16:16:40.000Z","action":{"message":"Sign-in successful","categories":["Sign-in Success"],"objectType":"core.user_auth.login_success","requestUri":"/api/v1/authn"},"actors":[{"id":"xxxxxxxxxxxxxxxxxxxx","displayName":"User","login":"username@example.com","objectType":"User"},{"id":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0","displayName":"FIREFOX","ipAddress":"<IP_address>","objectType":"Client"}],"targets":[{"id":"xxxxxxxxxxxxxxxxxxxx","displayName":"User","login":"username@example.com","objectType":"User"}]} |
| Core-User Auth-Login Failed | User Login Failure | {"eventId":"xxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxx","sessionId":"","requestId":"xxxxxxxxxxxxxxxxxxx-xxxxxxx","published":"2015-08-19T17:08:37.000Z","action":{"message":"Sign-in Failed - Not Specified","categories":["Sign-in Failure","Suspicious Activity"],"objectType":"core.user_auth.login_failed","requestUri":"/login/do-login"},"actors":[{"id":"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko","displayName":"x x","ipAddress":"<IP_address>","objectType":"Client"}],"targets":[{"id":"","objectType":"User"}]} |