Okta Pack
Edge Delta Pipeline Pack for Okta
Overview
The Edge Delta Okta pack processes logs from the Okta API by parsing timestamps, enriching event data with OCSF categories, flattening JSON structures, and preparing logs for downstream destinations like Splunk. This pack ensures Okta identity and access management events are properly formatted for monitoring, security analysis, and compliance auditing.
Pack Description
1. Data Ingestion
The data flow starts at the compound_input_3f3c node, the entry point through which all Okta API logs enter the pack.
- name: compound_input_3f3c
  type: compound_input
  user_description: Pack Source
2. Okta REST API Multi Processor
All logs are processed by the sequence_5b3b node, a Multiprocessor node. This node executes a series of processors that transform and enrich Okta logs in successive stages.
- name: sequence_5b3b
  type: sequence
  user_description: okta_rest_api Multi Processor
  processors:
    - type: ottl_transform
      metadata: '{"id":"01c694e0b2c0fb747d3e86","type":"ottl_transform","name":"Auto Timestamp"}'
      data_types:
        - log
      statements: |-
        // Setting _time to the correct value and timezone
        set(attributes["_time"], UnixSeconds(Time(attributes["published"], "%Y-%m-%dT%H:%M:%S.%LZ")))
    - type: lookup
      metadata: '{"id":"f0a8199e11e481f503b86e","type":"lookup","name":"Lookup"}'
      data_types:
        - log
      location_path: ed://okta-event-types.csv
      key_fields:
        - event_field: attributes["eventType"]
          lookup_field: EventType
      out_fields:
        - event_field: attributes["ocsf_category"]
          lookup_field: ocsf_category
        - event_field: attributes["ocsf_action"]
          lookup_field: action
    - type: ottl_transform
      metadata: '{"id":"3oyhkDrBXDhx8xzI-1f3Z","type":"ottl_transform","name":"Custom"}'
      data_types:
        - log
      statements: |-
        // Add your custom code here
        merge_maps(attributes, attributes["actor"], "upsert")
        set(attributes["actor"], {})
        merge_maps(attributes, attributes["client"], "upsert")
        set(attributes["client"], {})
    - type: ottl_transform
      metadata: '{"id":"e92fc87d08d78a8f4c26ee","type":"ottl_transform","name":"Serialize CSV"}'
      disabled: true
      data_types:
        - log
      statements: |-
        // Serialize JSON to _raw
        set(attributes["_raw"], Concat([attributes["!_*"], attributes["!cribl*"], attributes["!source"], attributes["!host"], attributes["*"]], ","))
    - type: ottl_transform
      metadata: '{"id":"Q2aOflqfRBuY5k7U4ds4e","type":"ottl_transform","name":"Custom"}'
      data_types:
        - log
      statements: |
        set(severity_text, attributes["severity"])
        set(attributes["sourcetype"], "OktaIM2:log")
        set(attributes["ed.source"], resource["ed.source.name"])
        set(attributes["index"], "okta")
        set(body, attributes["displayMessage"])
    - type: ottl_transform
      metadata: '{"id":"32956dfcbf1d8802baa2a7","type":"ottl_transform","name":"Sets the index and sourcetype for Splunk output"}'
      disabled: true
      data_types:
        - log
      statements: |-
        set(cache["_time"], attributes["_time"])
        set(cache["source"], attributes["source"])
        set(cache["ed.source"], attributes["ed.source"])
        set(cache["host"], attributes["host"])
        set(cache["index"], attributes["index"])
        set(cache["sourcetype"], attributes["sourcetype"])
        set(attributes, {})
        set(attributes, cache)
    - type: ottl_transform
      metadata: '{"id":"mTLqqwHoUnAO2igbAMLcV","type":"delete-field","name":"Delete Field"}'
      disabled: true
      data_types:
        - log
      statements: delete_key(attributes, "_raw")
2.1. Auto Timestamp
The first processor in the sequence is an OTTL Transform processor, named Auto Timestamp, that parses the event timestamp and standardizes its format.
- type: ottl_transform
  metadata: '{"id":"01c694e0b2c0fb747d3e86","type":"ottl_transform","name":"Auto Timestamp"}'
  data_types:
    - log
  statements: |-
    // Setting _time to the correct value and timezone
    set(attributes["_time"], UnixSeconds(Time(attributes["published"], "%Y-%m-%dT%H:%M:%S.%LZ")))
This processor converts the published timestamp from Okta’s ISO 8601 format into Unix seconds and stores it in attributes["_time"]. The format string expects a millisecond fraction and a literal Z (UTC), which is how Okta emits the published field; an event whose published value does not match this layout will not get a parsed _time. This standardization ensures consistent timestamp handling across your telemetry pipeline, making it easier to correlate events across different data sources and perform accurate time-based queries.
2.2. Lookup
The second processor is a Lookup Processor that enriches Okta events with OCSF (Open Cybersecurity Schema Framework) metadata.
- type: lookup
  metadata: '{"id":"f0a8199e11e481f503b86e","type":"lookup","name":"Lookup"}'
  data_types:
    - log
  location_path: ed://okta-event-types.csv
  key_fields:
    - event_field: attributes["eventType"]
      lookup_field: EventType
  out_fields:
    - event_field: attributes["ocsf_category"]
      lookup_field: ocsf_category
    - event_field: attributes["ocsf_action"]
      lookup_field: action
This processor uses the okta-event-types.csv lookup table to match Okta’s eventType field and enriches the log with ocsf_category and ocsf_action attributes. This OCSF enrichment helps you normalize Okta events to a standardized security schema, making it easier to correlate Okta identity events with other security tools and enabling consistent security analytics across your environment.
2.3. Flatten Actor and Client
The third processor is an OTTL Transform processor that flattens nested JSON structures.
- type: ottl_transform
  metadata: '{"id":"3oyhkDrBXDhx8xzI-1f3Z","type":"ottl_transform","name":"Custom"}'
  data_types:
    - log
  statements: |-
    // Add your custom code here
    merge_maps(attributes, attributes["actor"], "upsert")
    set(attributes["actor"], {})
    merge_maps(attributes, attributes["client"], "upsert")
    set(attributes["client"], {})
This processor takes the nested actor and client objects, merges their fields into the top-level attributes, and then clears the original nested objects. Because both merges use upsert and client is merged second, a client key with the same name as an actor key (or as an existing top-level attribute) overwrites the earlier value; fields that are only ever nested under actor or client, such as alternateId or ipAddress, flatten cleanly. Flattening these structures makes it easier for you to query and filter on actor and client properties without navigating nested JSON paths, improving query performance and simplifying dashboard creation.
2.4. Serialize CSV (Disabled)
The fourth processor is an OTTL Transform processor that would serialize attributes to CSV format, but is currently disabled.
- type: ottl_transform
  metadata: '{"id":"e92fc87d08d78a8f4c26ee","type":"ottl_transform","name":"Serialize CSV"}'
  disabled: true
  data_types:
    - log
  statements: |-
    // Serialize JSON to _raw
    set(attributes["_raw"], Concat([attributes["!_*"], attributes["!cribl*"], attributes["!source"], attributes["!host"], attributes["*"]], ","))
When enabled, this processor would serialize all attributes (excluding those starting with _, cribl, and the source and host fields) into a comma-separated string stored in attributes["_raw"]. This can be useful if you need to send data to systems that prefer CSV-formatted payloads.
2.5. Set Splunk Fields
The fifth processor is an OTTL Transform processor that prepares logs for Splunk ingestion.
- type: ottl_transform
  metadata: '{"id":"Q2aOflqfRBuY5k7U4ds4e","type":"ottl_transform","name":"Custom"}'
  data_types:
    - log
  statements: |
    set(severity_text, attributes["severity"])
    set(attributes["sourcetype"], "OktaIM2:log")
    set(attributes["ed.source"], resource["ed.source.name"])
    set(attributes["index"], "okta")
    set(body, attributes["displayMessage"])
This processor configures Splunk-specific metadata. It sets severity_text from the log’s severity attribute so severity levels are tracked correctly in Splunk, and assigns the sourcetype OktaIM2:log so Splunk applies the field extractions and data model acceleration specific to Okta identity management logs. It copies the Edge Delta source name to ed.source for traceability, sets the Splunk index to okta, and replaces the log body with the human-readable displayMessage field. Together these settings ensure that Okta logs sent to Splunk are indexed and categorized correctly, so you can search, alert, and build dashboards with Splunk’s Okta-specific field extractions and data models.
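The following Python script is an added example, not part of the pack or Edge Delta's own code: it re-implements the enabled processors from sections 2.1 through 2.5 over two of the page's sample events so the parsing, lookup and flattening behaviour can be checked offline before the pack is deployed. The lookup rows are constructed stand-ins, since the contents of okta-event-types.csv are not shown on the page, and the source name passed to process() is an assumed value.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for ed://okta-event-types.csv (same column names the lookup
# processor references; the category/action values are illustrative, not the real table).
LOOKUP_CSV = """EventType,ocsf_category,action
user.session.start,Identity & Access Management,logon
user.mfa.factor.verify,Identity & Access Management,authenticate
"""
EVENT_TYPES = {r["EventType"]: r for r in csv.DictReader(io.StringIO(LOOKUP_CSV))}

# Two trimmed events from the page's Sample Input section.
SAMPLE_EVENTS = [
    '{"published":"2025-09-18T13:22:45.123Z","eventType":"user.session.start",'
    '"displayMessage":"User session started","severity":"INFO",'
    '"actor":{"id":"00u1abcdEFGH2ijkL3p4","type":"User","alternateId":"alice@example.com"},'
    '"client":{"ipAddress":"203.0.113.10","device":"Laptop"}}',
    '{"published":"2025-09-18T13:29:10.235Z","eventType":"user.account.update_profile",'
    '"displayMessage":"User profile updated","severity":"INFO",'
    '"actor":{"type":"User","id":"00uAdminUser123"}}',  # no client object at all
]


def process(raw_line: str, source_name: str = "okta_rest_api") -> dict:
    """Apply the pack's enabled processors to one Okta log line and return the record."""
    attrs = json.loads(raw_line)
    rec = {"attributes": attrs, "resource": {"ed.source.name": source_name}}  # source name is assumed
    # 2.1 Auto Timestamp: published (ISO 8601, millisecond fraction, literal Z) -> Unix seconds
    published = datetime.strptime(attrs["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    attrs["_time"] = int(published.replace(tzinfo=timezone.utc).timestamp())
    # 2.2 Lookup: an eventType missing from the table leaves ocsf_* unset, the event still flows
    row = EVENT_TYPES.get(attrs.get("eventType"))
    if row:
        attrs["ocsf_category"] = row["ocsf_category"]
        attrs["ocsf_action"] = row["action"]
    # 2.3 Flatten: upsert-merge actor, then client, then clear each nested object.
    # Order matters: a client key that collides with an actor key overwrites the actor value.
    for nested in ("actor", "client"):
        attrs.update(attrs.get(nested) or {})
        attrs[nested] = {}
    # 2.5 Set Splunk fields
    rec["severity_text"] = attrs.get("severity")
    attrs["sourcetype"] = "OktaIM2:log"
    attrs["ed.source"] = rec["resource"]["ed.source.name"]
    attrs["index"] = "okta"
    rec["body"] = attrs.get("displayMessage")
    return rec


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(json.dumps(process(line), indent=2))
```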
2.6. Minimize Attributes for Splunk (Disabled)
The sixth processor is an OTTL Transform processor that would minimize attributes for Splunk, but is currently disabled.
- type: ottl_transform
  metadata: '{"id":"32956dfcbf1d8802baa2a7","type":"ottl_transform","name":"Sets the index and sourcetype for Splunk output"}'
  disabled: true
  data_types:
    - log
  statements: |-
    set(cache["_time"], attributes["_time"])
    set(cache["source"], attributes["source"])
    set(cache["ed.source"], attributes["ed.source"])
    set(cache["host"], attributes["host"])
    set(cache["index"], attributes["index"])
    set(cache["sourcetype"], attributes["sourcetype"])
    set(attributes, {})
    set(attributes, cache)
When enabled, this processor would strip all attributes except the essential Splunk metadata fields (_time, source, ed.source, host, index, sourcetype). This reduces data volume when you only need Splunk indexing fields and the raw log message, potentially lowering ingestion costs.
2.7. Delete Raw Field (Disabled)
The seventh processor is a Delete Field Processor that would remove the _raw field, but is currently disabled.
- type: ottl_transform
  metadata: '{"id":"mTLqqwHoUnAO2igbAMLcV","type":"delete-field","name":"Delete Field"}'
  disabled: true
  data_types:
    - log
  statements: delete_key(attributes, "_raw")
When enabled, this processor would remove the _raw attribute from logs. This is useful if you serialized data to _raw for a specific purpose but no longer need it in the final output, helping you reduce data payload size.
3. Pack Destination
After all processing is complete, logs flow to the compound_output_d570 node, which collects logs from the sequence_5b3b multiprocessor and routes them out of the pack to downstream destinations for storage, analysis, or alerting.
- name: compound_output_d570
  type: compound_output
  user_description: Pack Destination
Sample Input
{"uuid":"e1f8a0b2-9b1f-4b7a-9a6a-1f2a3b4c5d60","published":"2025-09-18T13:22:45.123Z","eventType":"user.session.start","displayMessage":"User session started","severity":"INFO","actor":{"id":"00u1abcdEFGH2ijkL3p4","type":"User","alternateId":"alice@example.com","displayName":"Alice Doe"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 ...","os":"Mac OS X","browser":"Chrome"},"device":"Laptop"},"authenticationContext":{"authenticationProvider":"OKTA","credentialProvider":"OKTA_CREDENTIALS","credentialType":"PASSWORD","mfaRequired":false},"outcome":{"result":"SUCCESS"},"request":{"ipChain":[{"ip":"203.0.113.10","geographicalContext":{"city":"Austin","state":"Texas","country":"US"}}]},"debugContext":{"debugData":{"requestId":"REQ.0a1b2c3d4e","requestUri":"/login/sessionCookie"}},"transaction":{"type":"WEB"},"target":[]}
{"uuid":"6d0b3a2d-2f2f-42b8-9f33-8f8d2f6c7a21","published":"2025-09-18T13:24:01.044Z","eventType":"user.authentication.verify","displayMessage":"User authentication via MFA","severity":"INFO","actor":{"id":"00u1abcdEFGH2ijkL3p4","type":"User","alternateId":"alice@example.com","displayName":"Alice Doe"},"authenticationContext":{"credentialType":"SMS","mfaRequired":true,"externalSessionId":"trs_00xYZa12b3","interface":"Okta Sign-In"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 ..."}},"outcome":{"result":"SUCCESS"},"target":[{"type":"User","id":"00u1abcdEFGH2ijkL3p4","displayName":"Alice Doe","alternateId":"alice@example.com"}]}
{"uuid":"b9a2d9f3-5ab0-4c1a-9a0b-3f0f4b0d1e22","published":"2025-09-18T13:26:18.700Z","eventType":"policy.evaluate_sign_on","displayMessage":"Sign-on policy evaluated","severity":"WARN","actor":{"type":"User","id":"00u1abcdEFGH2ijkL3p4","alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.29"},"outcome":{"result":"CHALLENGE","reason":"MFA_REQUIRED"},"debugContext":{"debugData":{"matchedPolicyId":"00p9ZXY123abcDEF4567","matchedRuleId":"0pr9ZXY123abcDEF4567","networkZoneId":"nzo1abc2def3ghi4jkl5","riskBehavior":"ANOMALOUS_DEVICE"}},"target":[{"type":"Policy","id":"00p9ZXY123abcDEF4567","displayName":"Corp Sign-on Policy"},{"type":"PolicyRule","id":"0pr9ZXY123abcDEF4567","displayName":"Require MFA outside trusted zones"}]}
{"uuid":"f0e1d2c3-b4a5-6789-0abc-def123456789","published":"2025-09-18T13:29:10.235Z","eventType":"user.account.update_profile","displayMessage":"User profile updated","severity":"INFO","actor":{"type":"User","id":"00uAdminUser123","alternateId":"it-admin@example.com","displayName":"IT Admin"},"target":[{"type":"User","id":"00u1abcdEFGH2ijkL3p4","displayName":"Alice Doe","alternateId":"alice@example.com"}],"debugContext":{"debugData":{"changedFields":["title","department"],"oldValues":{"title":"Engineer I","department":"R&D"},"newValues":{"title":"Engineer II","department":"R&D"}}},"outcome":{"result":"SUCCESS"}}
{"uuid":"9a8b7c6d-5e4f-4321-8765-1234abcdef90","published":"2025-09-18T13:31:44.901Z","eventType":"application.oauth2.access_token.grant","displayMessage":"OAuth 2.0 access token granted","severity":"INFO","actor":{"type":"User","id":"00u1abcdEFGH2ijkL3p4","alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"okta-auth-js/7.0.0"}},"target":[{"type":"AppInstance","id":"0oaApp123XYZ","displayName":"Salesforce"},{"type":"OAuthClient","id":"0oaClient789","displayName":"sf-prod-client"},{"type":"Scope","displayName":"openid profile email"}],"debugContext":{"debugData":{"grantType":"authorization_code","responseType":"code"}},"outcome":{"result":"SUCCESS"}}
{"uuid":"aa22bb33-cc44-55dd-66ee-77889900aa11","published":"2025-09-18T13:33:00.512Z","eventType":"group.user_membership.add","displayMessage":"User added to group","severity":"INFO","actor":{"type":"User","id":"00uAdminUser123","alternateId":"it-admin@example.com"},"target":[{"type":"User","id":"00u1abcdEFGH2ijkL3p4","displayName":"Alice Doe","alternateId":"alice@example.com"},{"type":"UserGroup","id":"00gGrp001122","displayName":"Salesforce Users"}],"outcome":{"result":"SUCCESS"}}
{"uuid":"0c1d2e3f-4455-6677-8899-aabbccddeeff","published":"2025-09-18T13:35:42.018Z","eventType":"user.mfa.factor.verify","displayMessage":"MFA factor verification failed","severity":"WARN","actor":{"type":"User","id":"00u9xyzABC123","alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.29"},"debugContext":{"debugData":{"factorType":"token:software:totp","provider":"OKTA","reason":"INVALID_OTP"}},"outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"target":[{"type":"User","id":"00u9xyzABC123","displayName":"Bob Smith"}]}
{"uuid":"11223344-5566-7788-99aa-bbccddeeff00","published":"2025-09-18T13:40:19.300Z","eventType":"security.threat.detected","displayMessage":"Suspicious activity detected for user","severity":"WARN","actor":{"type":"User","id":"00u1abcdEFGH2ijkL3p4","alternateId":"alice@example.com"},"client":{"ipAddress":"45.67.89.10"},"debugContext":{"debugData":{"detector":"New Geo-Location","riskLevel":"HIGH","previousCity":"Austin","currentCity":"Warsaw"}},"outcome":{"result":"ALLOW"},"target":[{"type":"User","id":"00u1abcdEFGH2ijkL3p4"}]}
{"uuid":"77aa88bb-99cc-00dd-11ee-22ff33445566","published":"2025-09-18T13:42:55.610Z","eventType":"user.lifecycle.deactivate","displayMessage":"User deactivated","severity":"INFO","actor":{"type":"User","id":"00uAdminUser123","alternateId":"it-admin@example.com"},"target":[{"type":"User","id":"00u9xyzABC123","displayName":"Bob Smith","alternateId":"bob@example.com"}],"outcome":{"result":"SUCCESS"}}