Splunk® Supported Add-ons

Splunk Add-on for Okta Identity Cloud

CIM compatibility of Okta System Logs

The table below describes the CIM data models mapped to respective Okta System Log eventTypes since Splunk Add-on for Okta Identity Cloud v2.0.0

Okta System Log eventType CIM data model mapped
system.org.rate_limit.warning, system.agent.ad.write_ldap, system.import.incremental_converted_to_full, application.provision.group_push.mapping.update.or.delete.failed.with.error, system.agent.ad.write_ldap, system.org.rate_limit.violation, app.oauth2.token.detect_reuse, system.operation.rate_limit.violation, core.concurrency.org.limit.violation, system.email.new_device_notification.sent_message, user.account.report_suspicious_activity_by_enduser Alerts
user.session.start, user.authentication.verify, user.authentication.sso, user.authentication.auth_via_mfa, user.authentication.auth_via_mfa, user.session.start, app.oauth2.authorize.code, policy.evaluate_sign_on, app.oauth2.authorize, app.generic.unauth_app_access_attempt, policy.evaluate_sign_on, policy.evaluate_sign_on, app.oauth2.as.authorize.implicit.access_token, app.oauth2.as.authorize.implicit.id_token, user.authentication.auth_via_social, app.oauth2.as.authorize.code, app.oauth2.as.authorize, user.mfa.okta_verify.deny_push, user.authentication.auth_via_radius, user.authentication.auth_via_AD_agent, user.authentication.auth_via_IDP, app.oauth2.authorize.implicit.id_token, application.policy.sign_on.deny_access, app.access_request.expire, system.push.send_factor_verify_push Authentication
app.oauth2.credentials.lifecycle.delete, app.oauth2.client.lifecycle.delete, app.oauth2.client.lifecycle.deactivate, app.oauth2.client.lifecycle.activate, app.oauth2.client.lifecycle.create, app.oauth2.credentials.lifecycle.create, policy.mapping.create, app.oauth2.client.lifecycle.update, app.oauth2.token.grant.access_token, application.lifecycle.deactivate, application.user_membership.add, system.agent.ad.connect, app.oauth2.token.grant.id_token, group.user_membership.remove, policy.rule.add, application.lifecycle.create, directory.mapping.update, directory.app_user_profile.bootstrap, system.import.user.create, application.provision.user.deprovision, application.provision.user.deactivate, system.import.user.delete, application.user_membership.remove, system.import.group.create, app.user_management.user_group_import.upsert_success, system.agent.ad.import_user, system.import.group.delete, app.user_management.user_group_import.delete_success, group.application_assignment.remove, system.import.roadblock.updated, app.oauth2.token.grant.refresh_token, system.agent.ad.connect, policy.rule.update, policy.lifecycle.update, system.email.challenge_factor_redeemed, policy.lifecycle.create, system.agent.ad.realtimesync, application.provision.user.push_profile, application.user_membership.update, policy.lifecycle.delete, system.agent.ad.start, policy.rule.deactivate, system.api_token.create, application.user_membership.change_password, application.lifecycle.delete, group.application_assignment.update, group.application_assignment.add, directory.app_user_profile.update, self_service.disabled, application.lifecycle.update, application.provision.group_push.delete_appgroup, application.provision.group_push.push_memberships, application.provision.group_push.mapping.created, system.import.group.update, system.agent.ad.reactivate, system.api_token.enable, system.api_token.revoke, system.agent.ad.deactivate, application.provision.user.push, application.provision.field_mapping_rule.change, system.import.custom_object.create, system.agent.ad.create, group.profile.update, iam.resourceset.bindings.add, iam.resourceset.create, directory.user_profile.update, directory.non_default_user_profile.create, system.mfa.factor.activate, self_service.enabled, oauth2.as.created, directory.linked_object.create, security.threat.configuration.update, zone.create, directory.user_profile.bootstrap, system.brand.create, app.oauth2.credentials.lifecycle.deactivate, app.oauth2.credentials.lifecycle.activate, application.configuration.enable_fed_broker_mode, system.api_token.update, oauth2.as.deleted, app.oauth2.api_resource.delete, oauth2.claim.deleted, oauth2.scope.deleted, oauth2.as.deactivated, oauth2.scope.updated, oauth2.as.updated, oauth2.claim.created, policy.lifecycle.deactivate, policy.lifecycle.activate, security.authenticator.lifecycle.activate, security.authenticator.lifecycle.update, application.lifecycle.activate, system.log_stream.lifecycle.delete, iam.role.create, application.configuration.disable_fed_broker_mode, system.log_stream.lifecycle.deactivate, system.log_stream.lifecycle.create, system.log_stream.lifecycle.activate, system.log_stream.lifecycle.update, device.lifecycle.activate, device.enrollment.create, app.oauth2.as.token.grant.access_token, oauth2.scope.created, group.user_membership.add, group.lifecycle.create, group.lifecycle.delete, device.lifecycle.delete, device.lifecycle.deactivate, device.lifecycle.unsuspend, device.lifecycle.suspend, application.user_membership.restore_password, application.user_membership.restore, application.configuration.update_logo, application.configuration.reset_logo, application.policy.sign_on.rule.create, plugin.script_status, policy.rule.activate, system.import.user.update, application.provision.user.reactivate, application.user_membership.change_username, system.agent.ad.update_user, app.oauth2.trusted_server.delete, app.oauth2.trusted_server.add, app.access_request.approver.deny, app.access_request.deny, app.access_request.delete, security.behavior.settings.update, ​​system.idp.lifecycle.delete, system.idp.lifecycle.create, system.idp.lifecycle.activate, system.idp.lifecycle.deactivate, policy.rule.delete All_Changes
user.session.end, app.oauth2.token.grant, app.oauth2.admin.consent.revoke, system.sms.send_account_unlock_message, user.account.lock, app.oauth2.token.revoke, user.mfa.factor.activate, system.sms.send_phone_verification_message, user.account.update_password, user.account.update_profile, user.lifecycle.unsuspend, user.lifecycle.suspend, user.lifecycle.create, system.import.complete, system.import.group_membership.complete, system.import.group.complete, system.import.user.complete, system.import.user_matching.complete, system.import.complete_batch, system.import.user_matching.start, system.import.membership_processing.complete, system.import.membership_processing.start, app.user_management, system.import.implicit_deletion.start, system.import.implicit_deletion.complete, system.sms.send_factor_verify_message, user.account.unlock_by_admin, user.account.unlock, user.lifecycle.reactivate, system.import.custom_object.complete, user.lifecycle.deactivate, user.account.privilege.revoke, app.user_management.push_new_user_success, user.account.privilege.grant, user.lifecycle.activate, app.oauth2.admin.consent.grant, device.user.add, app.oauth2.as.token.grant, app.oauth2.as.consent.revoke.implicit.client, user.mfa.factor.reset_all, user.mfa.factor.deactivate, user.account.reset_password, user.mfa.factor.unsuspend, user.mfa.factor.suspend, system.sms.send_okta_push_verify_message, app.realtimesync.import.details.update_user, system.sms.send_password_reset_message, user.account.update_secondary_email, system.agent.ad.reset_user_password, user.mfa.factor.update, app.access_request.request, app.access_request.approver.approve, device.user.remove, user.account.expire_password Account_Management
security.request.blocked Network Traffic
Last modified on 03 September, 2024
Lookups for the Splunk Add-on for Okta Identity Cloud   Performance Statistics for Okta System Logs Data Collection through Modinput

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters