Okta Workforce Identity Ingest Details
    • 30 Aug 2024

    Article summary

    This article describes the kinds of alerts and telemetry Red Canary ingests from Okta Workforce Identity.

    Environments covered

    • Okta Workforce Identity Alert Source

    • Okta Workforce Identity Telemetry Source

    Ingest Details

    Red Canary collects events from the Okta Workforce Identity System Log API.

    Additionally, Red Canary polls the List Users API once per day to retrieve the total number of users for licensing purposes.

    Red Canary ingests System Log activities from Okta as telemetry and analyzes this data for suspicious activity. The event types we collect and analyze are listed below.

    • Application Activity:

      • app.generic.unauth_app_access_attempt

      • application.lifecycle.create

      • application.policy.lifecycle.create

      • application.user_membership.add

    • Device Activity:

      • device.enrollment.create

      • device.user.add

    • Group Activity:

      • group.user_membership.add

    • Policy Activity:

      • policy.lifecycle.create

      • policy.evaluate_sign_on

    • System Activity:

      • system.api_token.create

      • system.email.new_device_notification.sent_message

      • system.idp.lifecycle.create

      • system.mfa.factor.deactivate

      • system.sms.send_*_message

      • system.voice.send_*_call

      • user.account.lock

      • user.account.privilege.grant

      • user.account.reset_password

      • user.account.update_password

    • User Authentication Activity:

      • user.authentication.auth_via_AD_agent

      • user.authentication.auth_via_IDP

      • user.authentication.auth_via_inbound_delauth

      • user.authentication.auth_via_inbound_SAML

      • user.authentication.auth_via_iwa

      • user.authentication.auth_via_LDAP_agent

      • user.authentication.auth_via_radius

      • user.authentication.auth_via_richclient

      • user.authentication.auth_via_social

      • user.authentication.authenticate

    • User Lifecycle Activity:

      • user.lifecycle.activate

      • user.lifecycle.deactivate

      • user.lifecycle.suspend

    • User Multi-Factor Authentication (MFA) Activity:

      • user.mfa.factor.activate

      • user.mfa.factor.deactivate

      • user.mfa.factor.reset_all

      • user.mfa.factor.update

    • User Session Activity:

      • user.session.access_admin_app

      • user.session.end

      • user.session.start

    • Zone Activity:

      • zone.create

      • zone.update


    The following Okta Event Types are treated as alerts in the Red Canary platform:

    • security.threat.detected

    • user.account.report_suspicious_activity_by_enduser

    • user.mfa.attempt_bypass
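    To make the two lists above concrete, here is a small Python example (added for illustration; it is not Red Canary's ingest code) that routes Okta System Log records, in the JSON shape returned by `GET /api/v1/logs`, into the alert and telemetry buckets this article describes. It expands the wildcard families (`system.sms.send_*_message`, `system.voice.send_*_call`) with glob matching. The sample records are constructed, and the bucket names and function names are this example's own.

```python
"""Route Okta System Log records into the buckets this article describes.

Added illustration, not Red Canary's ingest code.  Event-type lists are copied
from the article; sample records below are constructed, not real Okta data.
"""
import fnmatch
import json

# Event types the article lists as analyzed telemetry.  Entries containing
# '*' are Okta wildcard families (e.g. system.sms.send_factor_verify_message).
TELEMETRY_EVENT_TYPES = """
app.generic.unauth_app_access_attempt application.lifecycle.create
application.policy.lifecycle.create application.user_membership.add
device.enrollment.create device.user.add group.user_membership.add
policy.lifecycle.create policy.evaluate_sign_on
system.api_token.create system.email.new_device_notification.sent_message
system.idp.lifecycle.create system.mfa.factor.deactivate
system.sms.send_*_message system.voice.send_*_call
user.account.lock user.account.privilege.grant
user.account.reset_password user.account.update_password
user.authentication.auth_via_AD_agent user.authentication.auth_via_IDP
user.authentication.auth_via_inbound_delauth user.authentication.auth_via_inbound_SAML
user.authentication.auth_via_iwa user.authentication.auth_via_LDAP_agent
user.authentication.auth_via_radius user.authentication.auth_via_richclient
user.authentication.auth_via_social user.authentication.authenticate
user.lifecycle.activate user.lifecycle.deactivate user.lifecycle.suspend
user.mfa.factor.activate user.mfa.factor.deactivate
user.mfa.factor.reset_all user.mfa.factor.update
user.session.access_admin_app user.session.end user.session.start
zone.create zone.update
""".split()

# Event types the article says are treated as alerts rather than telemetry.
ALERT_EVENT_TYPES = [
    "security.threat.detected",
    "user.account.report_suspicious_activity_by_enduser",
    "user.mfa.attempt_bypass",
]


def classify(event_type: str) -> str:
    """Return 'alert', 'telemetry' or 'not_collected' for one Okta eventType."""
    if event_type in ALERT_EVENT_TYPES:
        return "alert"
    # fnmatchcase keeps the match case-sensitive and expands the '*' families;
    # patterns without '*' behave as exact string matches.
    if any(fnmatch.fnmatchcase(event_type, pattern) for pattern in TELEMETRY_EVENT_TYPES):
        return "telemetry"
    return "not_collected"


def route_log_page(records):
    """Bucket one page of System Log records (the JSON array /api/v1/logs returns)."""
    buckets = {"alert": [], "telemetry": [], "not_collected": []}
    for record in records:
        buckets[classify(record["eventType"])].append(record)
    return buckets


def summarize(buckets):
    """Count of records per bucket; handy for a quick coverage check on an export."""
    return {name: len(records) for name, records in buckets.items()}


# Constructed sample page with the System Log fields the routing touches.
SAMPLE_PAGE = json.loads("""[
  {"eventType": "user.mfa.attempt_bypass", "published": "2024-08-30T10:00:00.000Z",
   "actor": {"alternateId": "alice@example.test"}, "outcome": {"result": "FAILURE"}},
  {"eventType": "system.sms.send_factor_verify_message", "published": "2024-08-30T10:01:00.000Z",
   "actor": {"alternateId": "bob@example.test"}, "outcome": {"result": "SUCCESS"}},
  {"eventType": "user.session.start", "published": "2024-08-30T10:02:00.000Z",
   "actor": {"alternateId": "bob@example.test"}, "outcome": {"result": "SUCCESS"}},
  {"eventType": "zone.update", "published": "2024-08-30T10:03:00.000Z",
   "actor": {"alternateId": "admin@example.test"}, "outcome": {"result": "SUCCESS"}},
  {"eventType": "user.account.update_profile", "published": "2024-08-30T10:04:00.000Z",
   "actor": {"alternateId": "carol@example.test"}, "outcome": {"result": "SUCCESS"}}
]""")


if __name__ == "__main__":
    routed = route_log_page(SAMPLE_PAGE)
    for bucket, records in routed.items():
        for record in records:
            print(f"{bucket:14} {record['published']} {record['eventType']} "
                  f"actor={record['actor']['alternateId']} result={record['outcome']['result']}")
    print(summarize(routed))
```

    Running the script over a real System Log export (one JSON array per page) is a quick way to confirm which of your tenant's events fall into the collected set and which are ignored, and the `not_collected` bucket shows what a detection built only on this feed would never see.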

