SourcesSource TypesOkta

Okta Security Logs

Okta Security logs allow you to view audit events from your Okta admin dashboard as well as user authentication attempts.

Okta stores 30 days worth of logs for your account, when adding the Okta source, we will backfill your account with whatever logs Okta has available. After the initial load, RunReveal will attempt to poll the Okta API to download your security logs every 60 seconds.

Setup

Give your Okta source a descriptive name to help find it later. The two fields we require from your Okta account are your Okta domain and an API token. Your Okta domain is the domain that was assigned to your Org.

Okta Domain

To find your Okta domain:

  1. Sign in to your Okta org admin dashboard.
  2. Look in the header under your profile dropdown.
  3. Click the copy button and paste the results into RunReveal.

Your Okta domain may look like one of the ones below. When pasting your domain, make sure it does not have -admin and do not include trailing slashes or the schema https://

  • example.oktapreview.com
  • example.okta.com
  • example.okta-emea.com

API Token

An API token is required to authorize RunReveal to access your Okta logs. API tokens remain active as long as they are being used. If a token is unused for 30 days it will be revoked by Okta and a new one must be issued. API tokens must be linked to an active Okta user. When a user is removed all of the API tokens they created will be revoked and a new one will need to be generated.

To generate a new token, from your Okta admin dashboard, open the Security -> API page in the lefthand navigation panel. Click on the Tokens option and you will be presented with a list of all of your API tokens. Click the “Create Token” button and enter a descriptive name for your token, like “RunReveal”. You will be presented with your token value, copy this value and paste it into RunReveal.

Okta API tokens are scoped to the user creating them. For additional security consider creating a new user with lower permissions and generating an API token from that account.

Verify Its working

Once added the source logs should begin flowing within a minute.

You can validate we are receiving your logs by running the following SQL query.

SELECT * FROM runreveal.logs WHERE sourceType = 'okta' LIMIT 1

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: okta_logs (66 columns)

ColumnType
workspaceIDString
sourceIDString
sourceTypeLowCardinality(String)
sourceTTLUInt32
receivedAtDateTime
idString
eventTimeDateTime
eventNameString
eventIDString
srcIPString
srcASCountryCodeString
srcASNumberUInt32
srcASOrganizationString
srcCityString
srcConnectionTypeString
srcISPString
srcLatitudeFloat64
srcLongitudeFloat64
srcUserTypeString
dstIPString
dstASCountryCodeString
dstASNumberUInt32
dstASOrganizationString
dstCityString
dstConnectionTypeString
dstISPString
dstLatitudeFloat64
dstLongitudeFloat64
dstUserTypeString
actorMap(String, String)
tagsMap(String, String)
resourcesArray(String)
serviceNameString
ColumnType
enrichmentsArray(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnlyBool
rawLogString
publishedDateTime
eventTypeString
legacyEventTypeString
displayMessageString
uuidString
outcomeString
severityString
srcDomainString
srcGeoLocationString
srcPostalCodeString
srcStateString
actor.alternateIDString
actor.displayNameString
actor.idString
actor.typeString
client.deviceString
client.userAgentString
client.osString
client.browserString
client.zoneString
targetArray(String)
request.ipChainArray(String)
authenticationContextString
debugContextString
transaction.idString
transaction.typeString
debugContext.debugDataString
debugContext.debugData.riskString
debugContext.debugData.threatSuspectedString
debugContext.debugData.behaviorsString
Obsidian SecurityOpal