CIM compatibility of Okta System Logs
The table below describes the CIM data models mapped to respective Okta System Log eventTypes since Splunk Add-on for Okta Identity Cloud v2.0.0
| Okta System Log eventType | CIM data model mapped |
|---|---|
system.org.rate_limit.warning, system.agent.ad.write_ldap, system.import.incremental_converted_to_full, application.provision.group_push.mapping.update.or.delete.failed.with.error, system.agent.ad.write_ldap, system.org.rate_limit.violation, app.oauth2.token.detect_reuse, system.operation.rate_limit.violation, core.concurrency.org.limit.violation, system.email.new_device_notification.sent_message, user.account.report_suspicious_activity_by_enduser
|
Alerts |
user.session.start, user.authentication.verify, user.authentication.sso, user.authentication.auth_via_mfa, user.authentication.auth_via_mfa, user.session.start, app.oauth2.authorize.code, policy.evaluate_sign_on, app.oauth2.authorize, app.generic.unauth_app_access_attempt, policy.evaluate_sign_on, policy.evaluate_sign_on, app.oauth2.as.authorize.implicit.access_token, app.oauth2.as.authorize.implicit.id_token, user.authentication.auth_via_social, app.oauth2.as.authorize.code, app.oauth2.as.authorize, user.mfa.okta_verify.deny_push, user.authentication.auth_via_radius, user.authentication.auth_via_AD_agent, user.authentication.auth_via_IDP, app.oauth2.authorize.implicit.id_token, application.policy.sign_on.deny_access, app.access_request.expire, system.push.send_factor_verify_push
|
Authentication |
app.oauth2.credentials.lifecycle.delete, app.oauth2.client.lifecycle.delete, app.oauth2.client.lifecycle.deactivate, app.oauth2.client.lifecycle.activate, app.oauth2.client.lifecycle.create, app.oauth2.credentials.lifecycle.create, policy.mapping.create, app.oauth2.client.lifecycle.update, app.oauth2.token.grant.access_token, application.lifecycle.deactivate, application.user_membership.add, system.agent.ad.connect, app.oauth2.token.grant.id_token, group.user_membership.remove, policy.rule.add, application.lifecycle.create, directory.mapping.update, directory.app_user_profile.bootstrap, system.import.user.create, application.provision.user.deprovision, application.provision.user.deactivate, system.import.user.delete, application.user_membership.remove, system.import.group.create, app.user_management.user_group_import.upsert_success, system.agent.ad.import_user, system.import.group.delete, app.user_management.user_group_import.delete_success, group.application_assignment.remove, system.import.roadblock.updated, app.oauth2.token.grant.refresh_token, system.agent.ad.connect, policy.rule.update, policy.lifecycle.update, system.email.challenge_factor_redeemed, policy.lifecycle.create, system.agent.ad.realtimesync, application.provision.user.push_profile, application.user_membership.update, policy.lifecycle.delete, system.agent.ad.start, policy.rule.deactivate, system.api_token.create, application.user_membership.change_password, application.lifecycle.delete, group.application_assignment.update, group.application_assignment.add, directory.app_user_profile.update, self_service.disabled, application.lifecycle.update, application.provision.group_push.delete_appgroup, application.provision.group_push.push_memberships, application.provision.group_push.mapping.created, system.import.group.update, system.agent.ad.reactivate, system.api_token.enable, system.api_token.revoke, system.agent.ad.deactivate, application.provision.user.push, application.provision.field_mapping_rule.change, system.import.custom_object.create, system.agent.ad.create, group.profile.update, iam.resourceset.bindings.add, iam.resourceset.create, directory.user_profile.update, directory.non_default_user_profile.create, system.mfa.factor.activate, self_service.enabled, oauth2.as.created, directory.linked_object.create, security.threat.configuration.update, zone.create, directory.user_profile.bootstrap, system.brand.create, app.oauth2.credentials.lifecycle.deactivate, app.oauth2.credentials.lifecycle.activate, application.configuration.enable_fed_broker_mode, system.api_token.update, oauth2.as.deleted, app.oauth2.api_resource.delete, oauth2.claim.deleted, oauth2.scope.deleted, oauth2.as.deactivated, oauth2.scope.updated, oauth2.as.updated, oauth2.claim.created, policy.lifecycle.deactivate, policy.lifecycle.activate, security.authenticator.lifecycle.activate, security.authenticator.lifecycle.update, application.lifecycle.activate, system.log_stream.lifecycle.delete, iam.role.create, application.configuration.disable_fed_broker_mode, system.log_stream.lifecycle.deactivate, system.log_stream.lifecycle.create, system.log_stream.lifecycle.activate, system.log_stream.lifecycle.update, device.lifecycle.activate, device.enrollment.create, app.oauth2.as.token.grant.access_token, oauth2.scope.created, group.user_membership.add, group.lifecycle.create, group.lifecycle.delete, device.lifecycle.delete, device.lifecycle.deactivate, device.lifecycle.unsuspend, device.lifecycle.suspend, application.user_membership.restore_password, application.user_membership.restore, application.configuration.update_logo, application.configuration.reset_logo, application.policy.sign_on.rule.create, plugin.script_status, policy.rule.activate, system.import.user.update, application.provision.user.reactivate, application.user_membership.change_username, system.agent.ad.update_user, app.oauth2.trusted_server.delete, app.oauth2.trusted_server.add, app.access_request.approver.deny, app.access_request.deny, app.access_request.delete, security.behavior.settings.update, system.idp.lifecycle.delete, system.idp.lifecycle.create, system.idp.lifecycle.activate, system.idp.lifecycle.deactivate, policy.rule.delete
|
All_Changes |
user.session.end, app.oauth2.token.grant, app.oauth2.admin.consent.revoke, system.sms.send_account_unlock_message, user.account.lock, app.oauth2.token.revoke, user.mfa.factor.activate, system.sms.send_phone_verification_message, user.account.update_password, user.account.update_profile, user.lifecycle.unsuspend, user.lifecycle.suspend, user.lifecycle.create, system.import.complete, system.import.group_membership.complete, system.import.group.complete, system.import.user.complete, system.import.user_matching.complete, system.import.complete_batch, system.import.user_matching.start, system.import.membership_processing.complete, system.import.membership_processing.start, app.user_management, system.import.implicit_deletion.start, system.import.implicit_deletion.complete, system.sms.send_factor_verify_message, user.account.unlock_by_admin, user.account.unlock, user.lifecycle.reactivate, system.import.custom_object.complete, user.lifecycle.deactivate, user.account.privilege.revoke, app.user_management.push_new_user_success, user.account.privilege.grant, user.lifecycle.activate, app.oauth2.admin.consent.grant, device.user.add, app.oauth2.as.token.grant, app.oauth2.as.consent.revoke.implicit.client, user.mfa.factor.reset_all, user.mfa.factor.deactivate, user.account.reset_password, user.mfa.factor.unsuspend, user.mfa.factor.suspend, system.sms.send_okta_push_verify_message, app.realtimesync.import.details.update_user, system.sms.send_password_reset_message, user.account.update_secondary_email, system.agent.ad.reset_user_password, user.mfa.factor.update, app.access_request.request, app.access_request.approver.approve, device.user.remove, user.account.expire_password
|
Account_Management |
security.request.blocked
|
Network Traffic |
Last modified on 03 September, 2024
| Lookups for the Splunk Add-on for Okta Identity Cloud | Performance Statistics for Okta System Logs Data Collection through Modinput |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Download manual
Feedback submitted, thanks!