Okta Classic Engine | API Access Management | Answered
Timestamps: 2024-04-03T16:25:58.000Z, 2024-04-05T03:25:02.000Z, 2025-06-13T09:00:14.000Z

82be1 (82be1) asked a question.

Inquiry Regarding Availability of REST API for Fetching Native Alerts.

Dear Team,


I hope this email finds you well. I am writing to inquire about the availability of a REST API specifically designed for fetching native alerts within the Okta platform.

To clarify, I am not referring to the system logs API, as I am already aware of its existence. Rather, I am interested in understanding if there is a separate API dedicated to retrieving native alerts within Okta.

If such an API is available, I kindly request that you provide me with the relevant details, including any documentation or resources that outline its functionality and usage.

Your assistance in this matter would be greatly appreciated, as it will enable us to better integrate Okta's alerting capabilities into our systems.

Thank you for your attention to this inquiry. I look forward to your prompt response.

Best regards,

Mallikarjuna.


  • TimL.58332 (Workflows)

    Can you provide an example / define what you specifically mean by "Native Alerts" in this context?

  • 82be1 (82be1)

    Sure,

    For example, where a user's login attempt fails multiple times due to an incorrect password, Okta logs this occurrence as a suspicious login event. These events are captured within the system log, providing valuable data for analysis to determine their legitimacy.

    However, Okta does this analysis via some alert rules (like AWS GuardDuty findings) and marks them as suspicious activities, which could be accessed via its REST API.

    Additionally, consider scenarios involving multiple login attempts originating from different IP addresses, which also raise suspicion. Furthermore, instances where a user downloads an important report multiple times may indicate suspicious behavior.

    Below are sample JSON objects illustrating these scenarios, with some data properties such as operating system information, user IP, browser/user-agent details, detection ID, detection category, alert rule ID, impact score, timestamps, and other relevant attributes.

    Sample responses expected:

    {
      "event": "suspicious_login_attempt",
      "user_id": "123456",
      "user_name": "example_user",
      "ip_address": "192.168.1.100",
      "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36",
      "os_information": "Windows 10",
      "detection_id": "987654",
      "detection_category": "Authentication",
      "alert_rule_id": "567890",
      "impact_score": 8,
      "timestamp": "2024-04-04T10:00:00Z"
    }

    {
      "event": "multiple_login_attempts",
      "user_id": "789012",
      "user_name": "example_user2",
      "ip_addresses": ["192.168.1.200", "192.168.1.201", "192.168.1.202"],
      "user_agents": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"],
      "os_information": "Windows 10",
      "detection_id": "543210",
      "detection_category": "Authentication",
      "alert_rule_id": "123456",
      "impact_score": 9,
      "timestamp": "2024-04-04T11:00:00Z"
    }

    {
      "event": "multiple_report_downloads",
      "user_id": "345678",
      "user_name": "example_user3",
      "report_name": "financial_summary",
      "download_count": 5,
      "os_information": "Mac OS X",
      "detection_id": "246801",
      "detection_category": "Data Access",
      "alert_rule_id": "678901",
      "impact_score": 7,
      "timestamp": "2024-04-04T12:00:00Z"
    }

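As an added example that is not part of the original thread and not Okta's own tooling: the two login scenarios described in the reply above (repeated password failures, and failures arriving from several IP addresses) can be derived on the consumer side from the System Log events the poster already knows about. The script below runs over a handful of constructed events written in the System Log event shape (the field names `eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `client.userAgent.rawUserAgent`, `client.userAgent.os` and `published` follow that schema) and emits alert-like objects in the shape the poster sketched. The failure threshold, the distinct-IP threshold, the 10-minute sliding window and the impact score formula are assumptions chosen for illustration, not Okta behaviour.

```python
"""Derive alert-style objects from Okta System Log events (added example).

Not code from the thread or from Okta. Field names follow the System Log
event schema; thresholds, window and scoring are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 3          # assumption: failures in one window that trigger an alert
DISTINCT_IP_THRESHOLD = 2      # assumption: distinct source IPs that escalate the alert
WINDOW = timedelta(minutes=10)  # assumption: sliding window length

UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0.4664.110"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"


def _event(user, ts, ip, ua, os_name, result):
    """Build one constructed event in System Log shape (sample data, not real logs)."""
    return {
        "eventType": "user.session.start",
        "published": ts,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua, "os": os_name}},
    }


# Constructed sample events: alice has an old failure plus four within minutes,
# bob fails from three different IPs, carol has one failure and one success.
SAMPLE_EVENTS = [
    _event("alice@example.com", "2024-04-04T08:00:00Z", "198.51.100.7", UA_WIN, "Windows 10", "FAILURE"),
    _event("alice@example.com", "2024-04-04T10:00:00Z", "198.51.100.7", UA_WIN, "Windows 10", "FAILURE"),
    _event("alice@example.com", "2024-04-04T10:01:00Z", "198.51.100.7", UA_WIN, "Windows 10", "FAILURE"),
    _event("alice@example.com", "2024-04-04T10:02:00Z", "198.51.100.7", UA_WIN, "Windows 10", "FAILURE"),
    _event("alice@example.com", "2024-04-04T10:03:00Z", "198.51.100.7", UA_WIN, "Windows 10", "FAILURE"),
    _event("bob@example.com", "2024-04-04T11:00:00Z", "203.0.113.10", UA_MAC, "Mac OS X", "FAILURE"),
    _event("bob@example.com", "2024-04-04T11:02:00Z", "203.0.113.11", UA_MAC, "Mac OS X", "FAILURE"),
    _event("bob@example.com", "2024-04-04T11:04:00Z", "203.0.113.12", UA_MAC, "Mac OS X", "FAILURE"),
    _event("carol@example.com", "2024-04-04T12:00:00Z", "192.0.2.5", UA_WIN, "Windows 10", "FAILURE"),
    _event("carol@example.com", "2024-04-04T12:01:00Z", "192.0.2.5", UA_WIN, "Windows 10", "SUCCESS"),
]


def parse_ts(value):
    """System Log timestamps are ISO 8601 with a trailing Z; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_logins(events):
    """Keep only failed session starts, i.e. the raw material for both alert types."""
    return [
        e for e in events
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE"
    ]


def detect_alerts(events):
    """Return one alert per user whose densest WINDOW holds >= FAILURE_THRESHOLD failures."""
    by_user = defaultdict(list)
    for e in failed_logins(events):
        by_user[e["actor"]["alternateId"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["published"]))
        best, j = [], 0
        # Two-pointer sliding window: for each end index i, advance j until the
        # span fits in WINDOW, then keep the largest span seen.
        for i in range(len(evs)):
            while parse_ts(evs[i]["published"]) - parse_ts(evs[j]["published"]) > WINDOW:
                j += 1
            if i - j + 1 > len(best):
                best = evs[j:i + 1]
        if len(best) < FAILURE_THRESHOLD:
            continue
        ips = sorted({e["client"]["ipAddress"] for e in best})
        agents = sorted({e["client"]["userAgent"]["rawUserAgent"] for e in best})
        spread = len(ips) >= DISTINCT_IP_THRESHOLD
        alerts.append({
            "event": "multiple_login_attempts" if spread else "suspicious_login_attempt",
            "user_name": user,
            "ip_addresses": ips,
            "user_agents": agents,
            "os_information": best[-1]["client"]["userAgent"]["os"],
            "detection_category": "Authentication",
            "failure_count": len(best),
            # Assumed scoring: one point per failure, two per extra source IP, capped at 10.
            "impact_score": min(10, len(best) + 2 * (len(ips) - 1)),
            "first_seen": best[0]["published"],
            "last_seen": best[-1]["published"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_EVENTS):
        print(alert)
```

In practice the same `detect_alerts` function is fed the JSON array returned by a System Log query restricted to failed session starts (a filter of the form `eventType eq "user.session.start" and outcome.result eq "FAILURE"`, optionally bounded with `since`), so the consumer pays for one log pull and derives both alert types from it rather than waiting on a separate alerts endpoint. The old 08:00 failure for alice is deliberately outside the window and does not inflate her count, which is the kind of edge case a naive per-user tally gets wrong.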
This question is closed.