Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Okta System Logs data connector provides the capability to ingest audit and event logs from the Okta Sysem Log API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform and uses the Okta System Log API to fetch the events. The connector supports DCR-based ingestion time transformations that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| ActingAppName | string | The name of the application initiating the action. |
| ActingAppType | string | The type of the application initiating the action (e.g., Browser, API client). |
| ActorDetailEntry | dynamic | Detailed information about the actor performing the action, if available. |
| ActorDisplayName | string | The display name of the actor performing the action. |
| ActorSessionId | string | The session ID associated with the actor performing the action. |
| ActorUserId | string | The user ID of the actor performing the action, if applicable. |
| ActorUserIdType | string | The type of user ID for the actor (e.g., OktaId). |
| ActorUsername | string | The username of the actor performing the action. |
| ActorUsernameType | string | The type of username for the actor (e.g., UPN). |
| ActorUserType | string | The type of the actor (e.g., Regular, System Principal). |
| AuthenticationContextAuthenticationProvider | string | The authentication provider used in the context of the action. |
| AuthenticationContextAuthenticationStep | int | The step in the authentication process when the action occurred. |
| AuthenticationContextCredentialProvider | string | The credential provider used during the authentication process. |
| AuthenticationContextInterface | string | The interface used during the authentication process (e.g., web, mobile). |
| AuthenticationContextIssuerId | string | The ID of the issuer involved in the authentication process. |
| AuthenticationContextIssuerType | string | The type of the issuer involved in the authentication process. |
| _BilledSize | real | The record size in bytes |
| DebugData | dynamic | Additional debugging data related to the event. |
| DvcAction | string | The result of the device action (e.g., Allow, Deny, Partial). |
| EventMessage | string | A descriptive message associated with the event. |
| EventOriginalResultDetails | string | Details of the original result of the event outcome. |
| EventOriginalType | string | The original type of the event before transformation. |
| EventOriginalUid | string | The unique identifier for the original event. |
| EventResult | string | The high-level result of the event (e.g., Success, Failure). |
| EventSeverity | string | The severity level of the event (e.g., Informational, High). |
| HttpUserAgent | string | The raw user-agent string of the client initiating the event. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| LegacyEventType | string | The legacy type identifier for the event, if applicable. |
| LogonMethod | string | The method used for logging in (e.g., password, token). |
| OriginalActorAlternateId | string | The alternate ID of the actor in the original event data. |
| OriginalClientDevice | string | The type of client device initiating the event (e.g., Computer). |
| OriginalOutcomeResult | string | The raw outcome result of the original event. |
| OriginalSeverity | string | The raw severity level of the original event. |
| OriginalTarget | dynamic | The original target(s) involved in the event. |
| OriginalUserId | string | The original user ID in the event data. |
| OriginalUserType | string | The type of user in the original event data. |
| Request | dynamic | Details of the request associated with the event. |
| SecurityContextAsNumber | int | The autonomous system (AS) number in the security context. |
| SecurityContextAsOrg | string | The organization associated with the AS number in the security context. |
| SecurityContextDomain | string | The domain involved in the security context. |
| SecurityContextIsProxy | bool | Indicates whether a proxy is used in the security context. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SrcDeviceType | string | The type of the source device (e.g., Computer). |
| SrcDvcId | string | The unique identifier for the source device. |
| SrcDvcIdType | string | The type of source device ID (e.g., OktaId). |
| SrcDvcOs | string | The operating system of the source device. |
| SrcGeoCity | string | The city of the source device's geographic location. |
| SrcGeoCountry | string | The country of the source device's geographic location. |
| SrcGeoLatitude | real | The latitude of the source device's geographic location. |
| SrcGeoLongtitude | real | The longitude of the source device's geographic location. |
| SrcGeoPostalCode | string | The postal code of the source device's geographic location. |
| SrcGeoRegion | string | The region/state of the source device's geographic location. |
| SrcIpAddr | string | The IP address of the source device. |
| SrcIsp | string | The Internet Service Provider (ISP) of the source device. |
| SrcZone | string | The network zone of the source device. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The time the event was generated. |
| TransactionDetail | dynamic | Details about the transaction associated with the event. |
| TransactionId | string | The unique identifier of the transaction. |
| TransactionType | string | The type of transaction associated with the event. |
| Type | string | The name of the table |
| Version | string | The version of the event format or schema. |