OKTA System Log API
This data pipeline extracts System Log events from Okta using the Okta System Log API.

The pipeline pulls events from the Okta System Log API with the HTTP Pull Listener and transforms them from JSON to CSV.
Listen
The Listener is set up with the Configure as YAML option, using the following YAML (the endpoint URL and the Authorization value are masked here; fill in your own tenant URL and token):
withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 1m
  tz: UTC
  format: "2006-01-02T15:04:05"
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "webLinking"
  limit: 1000
  request:
    responseType: json
    method: "GET"
    url: "****************"
    headers:
      - name: Accept
        value: "application/json"
      - name: Content-Type
        value: "application/json"
      - name: Authorization
        value: "**********"
    queryParams:
      - name: since
        value: "${temporalWindow.from}"
      - name: until
        value: "${temporalWindow.to}"
  output:
    select: "."
    map: "."
    outputMode: "element"
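A few points about what this configuration asks the Okta side to do. The System Log API endpoint is /api/v1/logs and accepts since and until as ISO 8601 timestamps and limit as the page size, where 1000 is Okta's maximum. Results are paginated with an RFC 8288 Link header carrying rel="next", which is what paginationType: "webLinking" follows. withAuthentication is false because the credential is supplied as a static Authorization header instead; an Okta API token is sent as "SSWS <token>", an OAuth access token as "Bearer <token>". The temporal window renders since and until with the Go-style layout 2006-01-02T15:04:05 in UTC.

The following Python is an added example, not code from the page or from the listener product. It shows the two mechanics the YAML relies on: computing the poll window from duration and offset, and walking rel="next" links until the bounded query is exhausted. The window semantics (a 1-minute window that ends 1 minute before now) are an assumption, since the page does not define them; the tenant URL, the event bodies and the fake fetch function are constructed so the script runs offline.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

LOGS_PATH = "/api/v1/logs"  # Okta System Log API endpoint (the page masks its URL)


def temporal_window(now, duration=timedelta(minutes=1), offset=timedelta(minutes=1)):
    """Return (from, to) for one poll.

    Assumption (the page does not define the listener's semantics): the window
    ends `offset` before now and spans `duration`, so with 1m/1m each poll
    covers [now-2m, now-1m). The offset leaves Okta time to publish events
    before they are requested, so late arrivals are not skipped.
    """
    end = now.astimezone(timezone.utc) - offset
    return end - duration, end


def fmt(ts):
    # Same layout as the page's Go-style format "2006-01-02T15:04:05".
    return ts.strftime("%Y-%m-%dT%H:%M:%S")


def first_page_url(base_url, since, until, limit=1000):
    # since/until/limit are real Okta query parameters; 1000 is Okta's maximum page size.
    query = urlencode({"since": fmt(since), "until": fmt(until), "limit": limit})
    return f"{base_url}{LOGS_PATH}?{query}"


LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def parse_link_header(value):
    """Map rel -> URL from an RFC 8288 Link header, e.g.
    '<https://.../logs?...>; rel="self", <https://.../logs?after=...>; rel="next"'."""
    return {rel: url for url, rel in LINK_RE.findall(value or "")}


def collect(first_url, fetch, max_pages=100):
    """Follow rel="next" links until none is returned or a page comes back empty.

    `fetch(url)` must return (body_text, link_header_value). max_pages bounds a
    misbehaving server that keeps handing out next links.
    """
    events = []
    url = first_url
    for _ in range(max_pages):
        body, link = fetch(url)
        page = json.loads(body)
        if not page:
            break
        events.extend(page)
        url = parse_link_header(link).get("next")
        if url is None:
            break
    return events


# --- Constructed offline stand-in for Okta: two pages of events, then an empty page ---
_BASE = "https://example.okta.com"  # hypothetical tenant


def _event(n):
    return {"uuid": f"evt-{n}", "eventType": "user.session.start", "severity": "INFO"}


_PAGES = {
    "p1": ([_event(1), _event(2)], f'<{_BASE}{LOGS_PATH}?after=c2&limit=1000>; rel="next"'),
    "p2": ([_event(3)], f'<{_BASE}{LOGS_PATH}?after=c3&limit=1000>; rel="next"'),
    "p3": ([], ""),
}


def fake_fetch(url):
    # Picks the constructed page by the `after` cursor Okta puts in next links.
    if "after=c2" in url:
        key = "p2"
    elif "after=c3" in url:
        key = "p3"
    else:
        key = "p1"
    body, link = _PAGES[key]
    return json.dumps(body), link


def demo(now=datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)):
    since, until = temporal_window(now)
    url = first_page_url(_BASE, since, until)
    return url, collect(url, fake_fetch)


if __name__ == "__main__":
    url, events = demo()
    print(url)
    print(len(events), "events")
```

Two things worth carrying into the real listener: keep the page bound (max_pages) so a stuck cursor cannot spin the poller forever, and treat an empty page as the end of a bounded query, since Okta may still attach a next link to it.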
Transform OKTA data
Flat JSON
Okta events are nested JSON objects (actor, client, outcome, target and so on). The Flat JSON action flattens each event into a single level of key-value pairs that the parser can then map to specific fields.

Parser
The Parser action extracts the individual fields from the flattened Okta JSON into more detailed fields, including severity, actor information, user agent data, outcome and other transaction data.

Message Builder
The Message Builder action transforms the parsed fields into a CSV line, using a comma as the delimiter.
You can now send the CSV containing the Okta logs to your preferred destination using a sink.
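The three transform steps, as an added example in Python rather than the product's own actions: flatten the nested event into dotted keys, pick the detailed fields the parser extracts, and build one comma-delimited CSV line. The sample event is constructed in the shape of an Okta System Log event (not real tenant data), and the column list is an assumption chosen for illustration. The user agent in the sample deliberately contains a comma: fields such as the user agent and the actor's alternateId are chosen by whoever sends the request, so the CSV builder must quote them instead of joining on commas, or an attacker can add columns or rows to your log.

```python
import csv
import io

# Constructed sample in the shape of an Okta System Log event (not real tenant data).
# The user agent deliberately contains a comma, which a naive join would mangle.
SAMPLE_EVENT = {
    "uuid": "2a7f0d2e-0000-4000-8000-000000000001",
    "published": "2024-01-01T11:58:30.123Z",
    "eventType": "user.session.start",
    "displayMessage": "User login to Okta",
    "severity": "WARN",
    "actor": {"id": "00u1abc", "type": "User", "alternateId": "alice@example.com",
              "displayName": "Alice Example"},
    "client": {
        "userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)",
                      "os": "Linux", "browser": "CHROME"},
        "ipAddress": "203.0.113.10",
        "geographicalContext": {"city": "Dublin", "country": "Ireland"},
    },
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "transaction": {"type": "WEB", "id": "txn-123"},
    "target": [{"id": "0oa1xyz", "type": "AppInstance", "displayName": "Salesforce"}],
}


def flatten(obj, prefix="", sep="."):
    """Flatten nested dicts/lists into {"a.b.0.c": value}; list indices become key parts."""
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}{sep}", sep))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}{idx}{sep}", sep))
    else:
        out[prefix[: -len(sep)]] = obj
    return out


# (CSV column, flattened key) in output order. Assumed column set; fixing it keeps the
# CSV schema stable when Okta omits a field or adds new ones.
FIELDS = [
    ("published", "published"),
    ("event_type", "eventType"),
    ("severity", "severity"),
    ("actor_id", "actor.id"),
    ("actor_alternate_id", "actor.alternateId"),
    ("actor_display_name", "actor.displayName"),
    ("client_ip", "client.ipAddress"),
    ("client_country", "client.geographicalContext.country"),
    ("user_agent", "client.userAgent.rawUserAgent"),
    ("ua_os", "client.userAgent.os"),
    ("ua_browser", "client.userAgent.browser"),
    ("outcome_result", "outcome.result"),
    ("outcome_reason", "outcome.reason"),
    ("transaction_type", "transaction.type"),
    ("transaction_id", "transaction.id"),
    ("target_0_display_name", "target.0.displayName"),
    ("display_message", "displayMessage"),
]


def parse(flat):
    """Pick the detailed fields out of the flattened event; missing keys become ""."""
    return {col: flat.get(key, "") for col, key in FIELDS}


def _csv_line(values):
    # csv.writer quotes any value containing the delimiter, a quote or a line break,
    # so attacker-influenced fields cannot inject extra columns or rows.
    buf = io.StringIO()
    csv.writer(buf, delimiter=",").writerow(values)
    return buf.getvalue().rstrip("\r\n")


def csv_header():
    return _csv_line([col for col, _ in FIELDS])


def to_csv_line(row):
    return _csv_line([row[col] for col, _ in FIELDS])


def split_csv_line(line):
    """Round-trip check: parse one CSV line back into its column values."""
    return next(csv.reader([line]))


def event_to_csv(event):
    return to_csv_line(parse(flatten(event)))


if __name__ == "__main__":
    print(csv_header())
    print(event_to_csv(SAMPLE_EVENT))
```

If the CSV will ever be opened in a spreadsheet, also consider neutralising values that start with =, +, - or @ (for example by prefixing a single quote), because fields like displayName are user-controlled and can carry spreadsheet formulas.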