ho7r1 (ho7r1) asked a question.
OKTA API calls for SIEM
Hello,
Currently we deploy OKTA authentication and authorization for several 3rd party SaaS applications used within our organization. We have OKTA logs flowing into our SIEM. When a user authenticates to a SaaS app using our OKTA tenant, an event is captured in the OKTA System Log and this information is sent to our SIEM via System Log API call. The event though, only captures the fact the user logged into OKTA, but not which SaaS application was accessed.
Is there a System Log API call that can be used to capture not only that a user authenticated via our OKTA tenant, but also which application was accessed (including login and logout events)?
I see login and logout events in the "DisplayMessage" field and the "Target->AlternateId" field shows the SAAS app names (workday,etc) in my Okta system logs that get pushed to our SIEM (sumologic).
There is an Okta log API if you want to use it to pull logs but I think you will get the same results as the SIEM integration. https://developer.okta.com/docs/reference/api/system-log/