


Downloads: Okta Identity Cloud Add-on for Splunk (SHA256 checksums)

  • okta-identity-cloud-add-on-for-splunk_22519.tgz: cf8ee05293825db17b32a3b73a615b1f190d40748ef0793c6dc83003052b8050
  • okta-identity-cloud-add-on-for-splunk_22517.tgz: c5f5643662c3704ac09bbd0256027304d36ba2f5b8c5c17bee1dc9628f3cc7bf
  • okta-identity-cloud-add-on-for-splunk_225.tgz: 03e765d24419d13e48512c87e3f9dd9472e7d189fe72c7316952f4b60e00c753
  • okta-identity-cloud-add-on-for-splunk_210.tgz: 4b8545c6dca020e946af7b1473499471eecf93ace82507f21e4a0c2385598119
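Before copying a package into $SPLUNK_HOME/etc/apps/, it is worth checking that the file you downloaded is the one whose checksum Splunkbase published. The following is an added example (not code from the add-on or from Splunkbase) that streams a package through SHA-256 and compares it against the checksums listed above; the only assumption is that the package is saved under its original filename.

```python
# Added example (not part of the add-on or the Splunkbase page): verify a
# downloaded package against the SHA256 checksums published above before
# installing it.
import hashlib
import hmac
from pathlib import Path

# Checksums copied from the Splunkbase download list for this add-on.
PUBLISHED_SHA256 = {
    "okta-identity-cloud-add-on-for-splunk_22519.tgz":
        "cf8ee05293825db17b32a3b73a615b1f190d40748ef0793c6dc83003052b8050",
    "okta-identity-cloud-add-on-for-splunk_22517.tgz":
        "c5f5643662c3704ac09bbd0256027304d36ba2f5b8c5c17bee1dc9628f3cc7bf",
    "okta-identity-cloud-add-on-for-splunk_225.tgz":
        "03e765d24419d13e48512c87e3f9dd9472e7d189fe72c7316952f4b60e00c753",
    "okta-identity-cloud-add-on-for-splunk_210.tgz":
        "4b8545c6dca020e946af7b1473499471eecf93ace82507f21e4a0c2385598119",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large package never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published=PUBLISHED_SHA256):
    """Return True only if the filename is known AND its digest matches exactly.

    An unknown filename is a failure, not a pass: a renamed or unexpected
    package is never silently accepted. The hex strings are compared with a
    constant-time comparison purely out of habit; the digest is public anyway.
    """
    expected = published.get(Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path).lower(), expected.lower())


if __name__ == "__main__":
    import sys
    for candidate in sys.argv[1:]:
        print(("OK" if verify_download(candidate) else "MISMATCH") + "\t" + candidate)
```

Run it as `python verify.py okta-identity-cloud-add-on-for-splunk_22519.tgz`; a MISMATCH means the package should not be installed until you have re-downloaded it and understood why the digest differs.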

Okta Identity Cloud Add-on for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
Using the Okta Identity Cloud REST APIs, the Okta Identity Cloud Add-on for Splunk allows a Splunk® administrator to collect data from the Okta Identity Cloud. The Add-on collects data related to:
• Event log information
• User information
• Group and Group Membership Information
• Application and Application Assignment information

Using the Okta Identity Cloud REST APIs, this Add-on also supports adaptive response actions and custom alerts that enable taking the following actions from Splunk:
• Adding and removing Okta users from groups in Okta
• Performing account lifecycle actions (e.g. suspend, deactivate, expire) on Users in Okta

This Add-on provides inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

Okta Identity Cloud Add-on

The primary purpose of this Add-On is to collect time series event data from Okta using the Okta System Log API. This Add-On also contains the ability to ingest Okta Universal Directory (UD) using Okta's Users, Groups and Apps APIs.

This guide will cover the steps required to ingest Log data from Okta.

The steps required to ingest UD data are similar but not covered here, and I suggest that you NOT configure them unless you have a specific use case for ingesting directory state data.

Getting Started

Prerequisites

This add-on requires the Okta Domain and the API Token of an Administrative Account in that Okta Domain. We recommend creating a dedicated service account for this purpose and assigning it the minimum privileges. Use the Create an API Token guide for detailed steps.

Install

We can now install the Add-on in our Splunk environment. This add-on is primarily a tool for collecting logs and only needs to be installed on a heavy forwarder. It does contain saved searches and other knowledge objects, so installation on search heads is helpful. Only configure an input on one Splunk server.

  • Install via the Splunk webapp (recommended) or manually copy and expand the app into $SPLUNK_HOME/etc/apps/ location
  • Restart the Splunk server

Configure Settings (optional)

Using the Splunk webapp, login and launch the newly installed Okta Identity Cloud Add-on.

The default settings are appropriate in most cases. Be aware of the advanced Add-on Settings and Logging available in the Configuration menu.

Define Account

Using the Splunk webapp, login and launch the newly installed Okta Identity Cloud Add-on.

Before we can define an input we must provide account credentials. Using the Okta Domain and API Token from our Prerequisites section perform the following.

  • Navigate to Configuration -> Okta Accounts
  • Click Add
  • Provide a unique and appropriate Okta Account Name for the account (arbitrary value)
  • Enter the Okta Domain
  • Enter the Okta API Token
  • Click Add

Define Input

With our Account defined we can now define an Input.

  • Navigate to Inputs
  • Click Create New Input
  • Provide a unique and appropriate Name for the input (arbitrary value)
  • Provide the desired interval (60 seconds is recommended)
  • Choose the appropriate Index
  • Select Logs from the Metric dropdown (Only use Users, Groups and Apps if you have a specific use case for type of data those metrics ingest)
  • Select the appropriate Okta Account defined in the previous step
  • Click Add

Search for data

All data collected by this add-on will have a source of Okta:im2, and the host value will be the domain of your Okta tenant (e.g. yourdomain.okta.com).

The sourcetype of the data varies by the "metric" associated with the input. Refer to this table for the sourcetype generated by each metric used in the input, along with a link to or description of the type of data.

| Input Metric | sourcetype        | API reference / Description |
|--------------|-------------------|-----------------------------|
| Log          | OktaIM2:log       | Log Object |
| User         | OktaIM2:user      | User Object |
| Group        | OktaIM2:group     | Group Object |
| Group        | OktaIM2:groupUser | Made-up object to help Splunk: a simple user-to-group mapping object |
| App          | OktaIM2:app       | App Object |
| App          | OktaIM2:appUser   | Made-up object to help Splunk: a truncated version of an appUser object, useful for mapping a user to an app along with some high-level metadata about the assignment |

Refer to the descriptions below for each type of data for additional context relative to Splunk.

Log /api/v1/logs

This input is responsible for ingesting all of the transactional events occurring in your Okta org. It is the most important input provided by this add-on and should be configured to retrieve its data in a near-real-time manner.

Refer to the API documentation for a detailed explanation of the data model. You can also review the event type catalog for additional insight into the meaning of the specific event types you will see.

Sample Log

{
    "actor": {
        "id": "00u8tvgeu9PoK3xRB0h7",
        "type": "User",
        "alternateId": "mbegan@okta.com",
        "displayName": "Matthew Egan",
        "detailEntry": null
    },
    "client": {
        "userAgent": {
            "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36",
            "os": "Mac OS X",
            "browser": "CHROME"
        },
        "zone": "null",
        "device": "Computer",
        "id": null,
        "ipAddress": "73.63.112.167",
        "geographicalContext": {
            "city": "Ogden",
            "state": "Utah",
            "country": "United States",
            "postalCode": "84401",
            "geolocation": {
                "lat": 41.2214,
                "lon": -111.9624
            }
        }
    },
    "authenticationContext": {
        "authenticationProvider": null,
        "credentialProvider": null,
        "credentialType": null,
        "issuer": null,
        "interface": null,
        "authenticationStep": 0,
        "externalSessionId": "102qxa2cQbJQViQis88bc-luw"
    },
    "displayMessage": "User accessing Okta admin app",
    "eventType": "user.session.access_admin_app",
    "outcome": {
        "result": "SUCCESS",
        "reason": null
    },
    "published": "2020-07-28T14:05:01.090Z",
    "securityContext": {
        "asNumber": 7922,
        "asOrg": "comcast",
        "isp": "comcast cable communications llc",
        "domain": "comcast.net",
        "isProxy": false
    },
    "severity": "INFO",
    "debugContext": {
        "debugData": {
            "requestId": "XyAwjOeTMrGczq2OgVx0egAAABQ",
            "requestUri": "/admin/sso/request",
            "threatSuspected": "false",
            "url": "/admin/sso/request?"
        }
    },
    "legacyEventType": "app.admin.sso.login.success",
    "transaction": {
        "type": "WEB",
        "id": "XyAwjOeTMrGczq2OgVx0egAAABQ",
        "detail": {}
    },
    "uuid": "53d1e0b0-d0db-11ea-9210-815689eddc18",
    "version": "0",
    "request": {
        "ipChain": [{
            "ip": "73.63.112.167",
            "geographicalContext": {
                "city": "Ogden",
                "state": "Utah",
                "country": "United States",
                "postalCode": "84401",
                "geolocation": {
                    "lat": 41.2214,
                    "lon": -111.9624
                }
            },
            "version": "V4",
            "source": null
        }]
    },
    "target": [{
        "id": "00u8tvgeu9PoK3xRB0h7",
        "type": "AppUser",
        "alternateId": "mbegan@okta.com",
        "displayName": "Matthew Egan",
        "detailEntry": null
    }]
}
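To show what a detection engineer actually keys on in an event like the one above, here is an added example (not the add-on's own code, and not the add-on's field extractions, which this page does not show): it flattens a System Log event into CIM-style Authentication fields and returns the reasons an analyst might want to review it. The field names follow Splunk CIM conventions and the review rules are illustrative choices of mine, not something the add-on ships; the sample is a trimmed copy of the event printed above.

```python
# Added example (not the add-on's code): flatten an Okta System Log event into
# CIM-style fields and apply a few simple, illustrative review checks.

# Trimmed copy of the sample log event shown above (only the fields used here).
SAMPLE_EVENT = {
    "actor": {"id": "00u8tvgeu9PoK3xRB0h7", "type": "User",
              "alternateId": "mbegan@okta.com", "displayName": "Matthew Egan"},
    "client": {"userAgent": {"os": "Mac OS X", "browser": "CHROME"},
               "device": "Computer", "ipAddress": "73.63.112.167",
               "geographicalContext": {"city": "Ogden", "state": "Utah",
                                       "country": "United States"}},
    "eventType": "user.session.access_admin_app",
    "displayMessage": "User accessing Okta admin app",
    "outcome": {"result": "SUCCESS", "reason": None},
    "published": "2020-07-28T14:05:01.090Z",
    "securityContext": {"asNumber": 7922, "isp": "comcast cable communications llc",
                        "isProxy": False},
    "severity": "INFO",
    "debugContext": {"debugData": {"requestId": "XyAwjOeTMrGczq2OgVx0egAAABQ",
                                   "threatSuspected": "false"}},
    "uuid": "53d1e0b0-d0db-11ea-9210-815689eddc18",
    "target": [{"id": "00u8tvgeu9PoK3xRB0h7", "type": "AppUser",
                "alternateId": "mbegan@okta.com"}],
}


def _get(obj, *path, default=None):
    """Walk nested dicts safely; Okta events routinely carry null sub-objects."""
    for key in path:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


def normalize(event):
    """Map an Okta System Log event onto CIM-style Authentication field names.

    The mapping is illustrative: the add-on's own extractions are not shown on
    this page, so do not assume these are the exact fields it produces.
    """
    return {
        "_time": event.get("published"),
        "user": _get(event, "actor", "alternateId"),
        "user_id": _get(event, "actor", "id"),
        "src": _get(event, "client", "ipAddress"),
        "src_country": _get(event, "client", "geographicalContext", "country"),
        "action": "success" if _get(event, "outcome", "result") == "SUCCESS" else "failure",
        "reason": _get(event, "outcome", "reason"),
        "signature": event.get("eventType"),
        "app": "okta",
        "is_proxy": bool(_get(event, "securityContext", "isProxy", default=False)),
        # Note the sample: threatSuspected is the *string* "false", not a JSON boolean.
        "threat_suspected": str(_get(event, "debugContext", "debugData",
                                     "threatSuspected", default="false")).lower() == "true",
        "target": [t.get("alternateId") or t.get("id") for t in (event.get("target") or [])],
        "event_id": event.get("uuid"),
    }


def review_flags(norm):
    """Return the reasons this event deserves a look (empty list = nothing notable).

    These rules are illustrative choices for the example, not add-on behaviour.
    """
    flags = []
    if (norm["signature"] or "").startswith("user.session.access_admin_app"):
        flags.append("admin-console access")
    if norm["is_proxy"]:
        flags.append("source flagged as proxy by Okta")
    if norm["threat_suspected"]:
        flags.append("Okta marked the request as threat-suspected")
    if norm["action"] == "failure":
        flags.append(f"failed outcome: {norm['reason']}")
    return flags


if __name__ == "__main__":
    normalized = normalize(SAMPLE_EVENT)
    print(normalized)
    print("review:", review_flags(normalized))
```

The `_get` helper matters more than it looks: fields such as `outcome.reason`, `client.id` and `authenticationContext.issuer` are `null` in the sample, and a naive `event["outcome"]["reason"]` chain will raise on the first event where a whole sub-object is missing.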

User /api/v1/users

User objects are JSON representations of user objects in Okta Universal Directory. This isn't a transactional stream of "events" relative to users, but rather a sync or replica of users from Okta. This data type can be used to enrich log data retrieved from the log input; it can also be useful for performing ad hoc and complex queries and analysis of your user population.

When this input is initially configured it will need to sync ALL of the user objects from Okta into Splunk. On subsequent job intervals the input will only retrieve user objects that have been modified since the last collection (deltas).

Sample User

{
    "id": "00urcn839yCU45hoG0h7",
    "status": "ACTIVE",
    "created": "2020-05-04T20:44:45.000Z",
    "activated": "2020-05-04T20:44:47.000Z",
    "statusChanged": "2020-05-04T20:44:47.000Z",
    "lastLogin": null,
    "lastUpdated": "2020-05-04T20:44:47.000Z",
    "passwordChanged": "2020-05-04T20:44:47.000Z",
    "type": {
        "id": "oty8tvgeqxbtt6mKk0h7"
    },
    "profile": {
        "firstName": "Matthew",
        "lastName": "Adams",
        "mobilePhone": null,
        "secondEmail": "",
        "login": "madam@regionalinsurance.zz",
        "email": "madam@regionalinsurance.zz"
    },
    "credentials": {
        "password": {},
        "provider": {
            "type": "OKTA",
            "name": "OKTA"
        }
    }
}

Group /api/v1/groups

Group objects are JSON representations of group objects in Okta Universal Directory; this input is also used to enumerate group memberships. This isn't a transactional stream of "events" relative to groups, but rather a sync or replica of groups from Okta or other connected directories and applications. This data type can be used to enrich log data retrieved from the log input; it can also be useful for performing ad hoc and complex queries and analysis of your groups and group memberships.

When this input is initially configured it will need to sync ALL of the group objects from Okta into Splunk. On subsequent job intervals the input will only retrieve group objects that have been modified since the last collection (deltas).
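The initial full sync followed by "modified since last collection" deltas described for both the User and Group inputs is a checkpoint problem, and the checkpoint choice decides whether objects get lost. The following is an added example of mine (not the add-on's collector, whose checkpoint logic this page does not show) that selects the delta from a page of directory objects and advances the checkpoint. It assumes Okta's `lastUpdated` timestamp format as seen in the samples on this page, and the `build_filter` helper assumes Okta's `lastUpdated gt "<timestamp>"` filter expression for the Users and Groups APIs, which this page does not mention.

```python
# Added example (not the add-on's code): checkpoint-based delta selection for
# directory objects such as the User and Group objects described above.
from datetime import datetime, timezone

# A checkpoint at the epoch makes the first run a full sync of every object.
EPOCH = "1970-01-01T00:00:00.000Z"


def parse_okta_ts(ts):
    """Okta timestamps on this page look like 2020-05-04T20:44:47.000Z (UTC, ms)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def format_okta_ts(dt):
    """Inverse of parse_okta_ts, keeping the millisecond precision Okta uses."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_filter(checkpoint, field="lastUpdated"):
    """Filter expression a collector would send for the next delta request.

    Assumption: Okta's documented `lastUpdated gt "<ts>"` filter form for the
    Users and Groups APIs; this page itself does not show the API call.
    """
    return f'{field} gt "{checkpoint}"'


def select_deltas(objects, checkpoint, field="lastUpdated"):
    """Return (objects newer than checkpoint, new checkpoint).

    Two details matter for not losing objects:
      * `gt` (strictly newer) means anything already at the checkpoint's exact
        timestamp was ingested last time and is correctly skipped now.
      * The new checkpoint is the newest timestamp actually *seen*, never the
        wall clock: if "now" were stored, an object updated between the API
        response and the clock read would be skipped on every later run.
    """
    cp = parse_okta_ts(checkpoint)
    newer = [o for o in objects if parse_okta_ts(o[field]) > cp]
    if newer:
        cp = max(parse_okta_ts(o[field]) for o in newer)
    return newer, format_okta_ts(cp)


if __name__ == "__main__":
    # Constructed sample objects (ids and timestamps are not from a real tenant).
    users = [
        {"id": "00u_constructed_1", "lastUpdated": "2020-05-04T20:44:47.000Z"},
        {"id": "00u_constructed_2", "lastUpdated": "2020-05-06T10:00:00.250Z"},
    ]
    first, cp = select_deltas(users, EPOCH)          # full sync
    print(len(first), "objects, checkpoint now", cp)
    second, cp = select_deltas(users, cp)            # nothing changed since
    print(len(second), "objects, next filter:", build_filter(cp))
```

The same function serves the Group input unchanged; pass `field="lastMembershipUpdated"` when membership changes, not profile edits, are what should trigger a re-collection.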

Sample Group

{
    "id": "00grcnm2l6XF8pUtD0h7",
    "created": "2020-05-04T20:58:23.000Z",
    "lastUpdated": "2020-05-04T20:58:23.000Z",
    "lastMembershipUpdated": "2020-05-04T20:58:49.000Z",
    "objectClass": ["okta:user_group"],
    "type": "OKTA_GROUP",
    "profile": {
        "name": "VAP Exception",
        "description": "Users to be excluded from regular VAP Group policies"
    },
    "_embedded": {
        "stats": {
            "usersCount": 3,
            "appsCount": 0,
            "groupPushMappingsCount": 0,
            "hasAdminPrivilege": false
        }
    },
    "members": ["see groupUser sourcetype"],
    "assignedApps": []
}

App /api/v1/apps

App objects are JSON representations of app objects in Okta Universal Directory; this input is also used to enumerate users assigned to apps and the groups related to apps: assignment groups, groups sourced from the app, or groups pushed to the app. This isn't a transactional stream of "events" relative to apps, but rather a sync or replica of apps as they are configured in Okta. This data type can be used to enrich data retrieved from the log input; it can also be useful for performing ad hoc and complex queries and analysis of your apps, their configuration, and application assignments.

Sample App

{
    "id": "0oamrm1jn2iFAYEBy0h7",
    "name": "scaleft",
    "label": "Okta Advanced Server Access",
    "status": "ACTIVE",
    "lastUpdated": "2020-07-27T05:23:06.000Z",
    "created": "2019-08-06T20:46:27.000Z",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoSubmitToolbar": false,
        "hide": {
            "iOS": false,
            "web": false
        },
        "appLinks": {
            "scaleft_link": true
        }
    },
    "features": ["PUSH_NEW_USERS", "PUSH_USER_DEACTIVATION", "SCIM_PROVISIONING", "GROUP_PUSH", "REACTIVATE_USERS", "PUSH_PROFILE_UPDATES"],
    "signOnMode": "SAML_2_0",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        },
        "signing": {
            "kid": "SW2tTiRWLH0oVmf5Moi7AKf_H2Dl5lrVgufuP5LFkG8"
        }
    },
    "settings": {
        "app": {
            "audRestriction": "https://app.scaleft.com/v1/teams/oktabd-dev",
            "baseUrl": "https://app.scaleft.com"
        },
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "signOn": {
            "defaultRelayState": null,
            "ssoAcsUrlOverride": null,
            "audienceOverride": null,
            "recipientOverride": null,
            "destinationOverride": null,
            "attributeStatements": []
        }
    },
    "assigned_users": ["see appUser sourcetype"],
    "assigned_groups": ["00gbp0p37mI2AvvEP0h7"]
}

appUser

An appUser object is a truncated version of an Okta Application User Object.

It is useful for understanding basic details about a user's assignment to a given application.

Use the log data

See our Event Types Catalog to see transactional events.

source="okta:im2" sourcetype="OktaIM2:log" eventType=application.user_membership.*

Sample appUser

{
    "appid": "0oasyjsx014fxPKg10h7",
    "userid": "00u8tvgeu9PoK3xRB0h7",
    "externalId": null,
    "userName": "mbega.n@gmail.com",
    "created": "2020-07-24T18:50:45.000Z",
    "lastUpdated": "2020-07-24T18:50:45.000Z",
    "statusChanged": "2020-07-24T18:50:45.000Z",
    "scope": "",
    "status": "ACTIVE"
}

groupUser

A groupUser object is a made-up object that expresses a user's group membership (or a group's user membership).

It is useful for building an understanding of group memberships.

Use the log data

See our Event Types Catalog to see transactional events.

source="okta:im2" sourcetype="OktaIM2:log" eventType=group.user_membership.*

Sample groupUser

{
    "groupid": "00gn76moxaDjJnDdD0h7",
    "userid": "00urcn839yCU45hoG0h7"
}

Troubleshooting and FAQ

Troubleshooting

Look at the logs (index="_internal" sourcetype="OktaIM2:addon"), or tail -f the ta_okta_identity_cloud_for_splunk_okta_identity_cloud.log file.

FAQ

Will update as they come in

Enjoy!

Release Notes

Version 2.25.19
July 28, 2020

- Fixed UI element to call username / password -> Okta Domain / API Token
- Added missing config UI element to control rate limit warning avoidance parameters
- Fixed issue with case sensitive URL validation

Version 2.25.17
July 9, 2020

Python3 and Splunk v8 Compatible
Rate limit (warning and violation) avoidance enhancements

Version 2.25
Feb. 12, 2018

https://github.com/mbegan/Okta-Identity-Cloud-for-Splunk/commit/4c44c09214d2193ced76507980054f8c0fb91100

Version 2.10
Aug. 23, 2017

Initial release

Installs: 2,091. Downloads: 3,769.


© 2005-2020 Splunk Inc. All rights reserved.