- 30 Aug 2024
Okta Workforce Identity Ingest Details
This article describes the alerts and telemetry Red Canary ingests from Okta Workforce Identity.
Environments covered
Okta Workforce Identity Alert Source
Okta Workforce Identity Telemetry Source
Ingest Details
Red Canary collects events from the Okta Workforce Identity System Log API.
Additionally, Red Canary polls the List Users API once per day to retrieve the total number of users for licensing purposes.
Red Canary ingests System Log activities from Okta as telemetry and analyzes this data for suspicious activity. The event types we collect and analyze are listed below.
Application Activity:
app.generic.unauth_app_access_attempt
application.lifecycle.create
application.policy.lifecycle.create
application.user_membership.add
Device Activity:
device.enrollment.create
device.user.add
Group Activity:
group.user_membership.add
Policy Activity:
policy.lifecycle.create
policy.evaluate_sign_on
System Activity:
system.api_token.create
system.email.new_device_notification.sent_message
system.idp.lifecycle.create
system.mfa.factor.deactivate
system.sms.send_*_message
system.voice.send_*_call
user.account.lock
user.account.privilege.grant
user.account.reset_password
user.account.update_password
User Authentication Activity:
user.authentication.auth_via_AD_agent
user.authentication.auth_via_IDP
user.authentication.auth_via_inbound_delauth
user.authentication.auth_via_inbound_SAML
user.authentication.auth_via_iwa
user.authentication.auth_via_LDAP_agent
user.authentication.auth_via_radius
user.authentication.auth_via_richclient
user.authentication.auth_via_social
user.authentication.authenticate
User Lifecycle Activity:
user.lifecycle.activate
user.lifecycle.deactivate
user.lifecycle.suspend
User Multi-Factor Authentication (MFA) Activity:
user.mfa.factor.activate
user.mfa.factor.deactivate
user.mfa.factor.reset_all
user.mfa.factor.update
User Session Activity:
user.session.access_admin_app
user.session.end
user.session.start
Zone Activity:
zone.create
zone.update
The following Okta Event Types are treated as alerts in the Red Canary platform:
security.threat.detected
user.account.report_suspicious_activity_by_enduser
user.mfa.attempt_bypass