Collect data from OKTA
Overview
Get system logs using the OKTA API.
Configuration
Parameters
Secrets
After entering the required parameters and secrets, you can choose to manually enter the OKTA System Log fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your Cortex XDR multi alerts YAML.
withTemporalWindow: true
temporalWindow:
duration: 5m
offset: 5m
tz: UTC
format: "2006-01-02T15:04:05"
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
paginationType: "webLinking"
limit: 1000
request:
responseType: json
method: "GET"
url: "https://${parameters.mydomain}/api/v1/logs"
headers:
- name: Accept
value: "application/json"
- name: Content-Type
value: "application/json"
- name: Authorization
value: "SSWS ${secrets.OktaAuthorization}"
queryParams:
- name: since
value: "${temporalWindow.from}"
- name: until
value: "${temporalWindow.to}"
output:
select: "."
map: "."
outputMode: "element"Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (
5m) as default, adjust based on your needs.Offset - initial offset should be
0(the latest alert).Format -
2006-01-02T15:04:05
Authentication Phase
Off
Enumeration Phase
Off
Collection Phase
Pagination Type* -
webLinkingZero index* - false
Limit* - 100
Request
Response Type* -
JSONMethod* -
GET
URL* -
https://${parameters.myDomain}/api/v1/logsHeaders
Name - Accept
Value -
application/jsonName - Content-Type
Value -
application/jsonName - Authorization
Value -
SSWS ${secrets.OktaAuthorization}
Query Params
Name - since
Value -
${temporalWindow.from}Name - Content-Type
Value -
${temporalWindow.to}
Output
Select -
.Map -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract events.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?