OKTA System Log API

This data pipeline extracts the System logs from Okta technology using the Log API.

This Pipeline integrates with API Logs from the OKTA Platform using the HTTP Pull Listener, transforming it from JSON to CSV format.

Listen

The Listener pulls events using the Configure as YAML option, using the following YAML:

withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 1m
  tz: UTC
  format: "2006-01-02T15:04:05"
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "webLinking"
  limit: 1000
  request:
    responseType: json
    method: "GET"
    url: "****************"
    headers:
      - name: Accept
        value: "application/json"
      - name: Content-Type
        value: "application/json"
      - name: Authorization
        value: "**********"
    queryParams:
      - name: since
        value: "${temporalWindow.from}"
      - name: until
        value: "${temporalWindow.to}"
  output:
    select: "."
    map: "."
    outputMode: "element"

Transform OKTA data

Flat JSON

We need to flatten the incoming JSON with key-value pairs that we can then parse into more specific fields.

Parser

The parser extracts the individual fields coming from the OKTA JSON into more detailed fields, including severity, actor information, user agent data and other transaction data.

Message Builder

We use the Message Builder action to transform the fields to CSV format, using a comma as the delimiter.

You can now send on your CSV containing OKTA logs to your preferred destination using a sink.