Splunk® Supported Add-ons

Splunk Add-on for Okta Identity Cloud

CIM compatibility of Okta System Logs

The table below lists the CIM data model to which each Okta System Log eventType has been mapped since Splunk Add-on for Okta Identity Cloud v2.0.0.

| Okta System Log eventType | CIM data model mapped |
| --- | --- |
| system.org.rate_limit.warning, system.agent.ad.write_ldap, system.import.incremental_converted_to_full, application.provision.group_push.mapping.update.or.delete.failed.with.error, system.agent.ad.write_ldap, system.org.rate_limit.violation, app.oauth2.token.detect_reuse, system.operation.rate_limit.violation, core.concurrency.org.limit.violation, system.email.new_device_notification.sent_message, user.account.report_suspicious_activity_by_enduser | Alerts |
| user.session.start, user.authentication.verify, user.authentication.sso, user.authentication.auth_via_mfa, user.authentication.auth_via_mfa, user.session.start, app.oauth2.authorize.code, policy.evaluate_sign_on, app.oauth2.authorize, app.generic.unauth_app_access_attempt, policy.evaluate_sign_on, policy.evaluate_sign_on, app.oauth2.as.authorize.implicit.access_token, app.oauth2.as.authorize.implicit.id_token, user.authentication.auth_via_social, app.oauth2.as.authorize.code, app.oauth2.as.authorize, user.mfa.okta_verify.deny_push, user.authentication.auth_via_radius, user.authentication.auth_via_AD_agent, user.authentication.auth_via_IDP, app.oauth2.authorize.implicit.id_token, application.policy.sign_on.deny_access, app.access_request.expire, system.push.send_factor_verify_push | Authentication |
| app.oauth2.credentials.lifecycle.delete, app.oauth2.client.lifecycle.delete, app.oauth2.client.lifecycle.deactivate, app.oauth2.client.lifecycle.activate, app.oauth2.client.lifecycle.create, app.oauth2.credentials.lifecycle.create, policy.mapping.create, app.oauth2.client.lifecycle.update, app.oauth2.token.grant.access_token, application.lifecycle.deactivate, application.user_membership.add, system.agent.ad.connect, app.oauth2.token.grant.id_token, group.user_membership.remove, policy.rule.add, application.lifecycle.create, directory.mapping.update, directory.app_user_profile.bootstrap, system.import.user.create, application.provision.user.deprovision, application.provision.user.deactivate, system.import.user.delete, application.user_membership.remove, system.import.group.create, app.user_management.user_group_import.upsert_success, system.agent.ad.import_user, system.import.group.delete, app.user_management.user_group_import.delete_success, group.application_assignment.remove, system.import.roadblock.updated, app.oauth2.token.grant.refresh_token, system.agent.ad.connect, policy.rule.update, policy.lifecycle.update, system.email.challenge_factor_redeemed, policy.lifecycle.create, system.agent.ad.realtimesync, application.provision.user.push_profile, application.user_membership.update, policy.lifecycle.delete, system.agent.ad.start, policy.rule.deactivate, system.api_token.create, application.user_membership.change_password, application.lifecycle.delete, group.application_assignment.update, group.application_assignment.add, directory.app_user_profile.update, self_service.disabled, application.lifecycle.update, application.provision.group_push.delete_appgroup, application.provision.group_push.push_memberships, application.provision.group_push.mapping.created, system.import.group.update, system.agent.ad.reactivate, system.api_token.enable, system.api_token.revoke, system.agent.ad.deactivate, application.provision.user.push, application.provision.field_mapping_rule.change, system.import.custom_object.create, system.agent.ad.create, group.profile.update, iam.resourceset.bindings.add, iam.resourceset.create, directory.user_profile.update, directory.non_default_user_profile.create, system.mfa.factor.activate, self_service.enabled, oauth2.as.created, directory.linked_object.create, security.threat.configuration.update, zone.create, directory.user_profile.bootstrap, system.brand.create, app.oauth2.credentials.lifecycle.deactivate, app.oauth2.credentials.lifecycle.activate, application.configuration.enable_fed_broker_mode, system.api_token.update, oauth2.as.deleted, app.oauth2.api_resource.delete, oauth2.claim.deleted, oauth2.scope.deleted, oauth2.as.deactivated, oauth2.scope.updated, oauth2.as.updated, oauth2.claim.created, policy.lifecycle.deactivate, policy.lifecycle.activate, security.authenticator.lifecycle.activate, security.authenticator.lifecycle.update, application.lifecycle.activate, system.log_stream.lifecycle.delete, iam.role.create, application.configuration.disable_fed_broker_mode, system.log_stream.lifecycle.deactivate, system.log_stream.lifecycle.create, system.log_stream.lifecycle.activate, system.log_stream.lifecycle.update, device.lifecycle.activate, device.enrollment.create, app.oauth2.as.token.grant.access_token, oauth2.scope.created, group.user_membership.add, group.lifecycle.create, group.lifecycle.delete, device.lifecycle.delete, device.lifecycle.deactivate, device.lifecycle.unsuspend, device.lifecycle.suspend, application.user_membership.restore_password, application.user_membership.restore, application.configuration.update_logo, application.configuration.reset_logo, application.policy.sign_on.rule.create, plugin.script_status, policy.rule.activate, system.import.user.update, application.provision.user.reactivate, application.user_membership.change_username, system.agent.ad.update_user, app.oauth2.trusted_server.delete, app.oauth2.trusted_server.add, app.access_request.approver.deny, app.access_request.deny, app.access_request.delete, security.behavior.settings.update, system.idp.lifecycle.delete, system.idp.lifecycle.create, system.idp.lifecycle.activate, system.idp.lifecycle.deactivate, policy.rule.delete | All_Changes |
| user.session.end, app.oauth2.token.grant, app.oauth2.admin.consent.revoke, system.sms.send_account_unlock_message, user.account.lock, app.oauth2.token.revoke, user.mfa.factor.activate, system.sms.send_phone_verification_message, user.account.update_password, user.account.update_profile, user.lifecycle.unsuspend, user.lifecycle.suspend, user.lifecycle.create, system.import.complete, system.import.group_membership.complete, system.import.group.complete, system.import.user.complete, system.import.user_matching.complete, system.import.complete_batch, system.import.user_matching.start, system.import.membership_processing.complete, system.import.membership_processing.start, app.user_management, system.import.implicit_deletion.start, system.import.implicit_deletion.complete, system.sms.send_factor_verify_message, user.account.unlock_by_admin, user.account.unlock, user.lifecycle.reactivate, system.import.custom_object.complete, user.lifecycle.deactivate, user.account.privilege.revoke, app.user_management.push_new_user_success, user.account.privilege.grant, user.lifecycle.activate, app.oauth2.admin.consent.grant, device.user.add, app.oauth2.as.token.grant, app.oauth2.as.consent.revoke.implicit.client, user.mfa.factor.reset_all, user.mfa.factor.deactivate, user.account.reset_password, user.mfa.factor.unsuspend, user.mfa.factor.suspend, system.sms.send_okta_push_verify_message, app.realtimesync.import.details.update_user, system.sms.send_password_reset_message, user.account.update_secondary_email, system.agent.ad.reset_user_password, user.mfa.factor.update, app.access_request.request, app.access_request.approver.approve, device.user.remove, user.account.expire_password | Account_Management |
| security.request.blocked | Network Traffic |
Last modified on 30 April, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

