Integration and Shipping Okta Logs to Cloud SIEM

Importing Okta Logs to Cloud SIEM

The article you are reading is not necessarily up to date with the latest features and current releases of the Platform. Please refer to the Documentation for the latest information.

Company security usually depends on your ability to come up with a diverse set of passwords and then manage them. Remembering all of them is considered a tad too difficult for most mere mortals, so a number of password storage apps have emerged. But they too have to be secured, which ultimately results in inefficient access and flawed security. Single sign-on (SSO) is still preferred, but to make it effective, companies like Okta have to secure the integration across a number of apps.

Okta is a security identity cloud that lets the users of an organization or company sign on to their apps with a single set of credentials. The advantage of Okta is clear. With a company’s access to a given platform already in hand, all that’s needed to give a new employee access to a tool is to set up a new company email address. Should someone leave the company, removing that email address automatically cuts off access to all the company’s app accounts (and thus secures its information). The platform is available both as an app that integrates with Okta and as a destination for Okta logs. Tracking Okta’s access logs is a quick way to observe its effectiveness. This tutorial will walk through 1) integrating the platform with Okta and adding it to Okta’s SSO, and 2) shipping Okta logs to the platform and building a custom Okta dashboard in Kibana.

Okta Rules in Cloud SIEM

Tackling problems with SSO means laying out which cases should prompt your immediate attention. Sign-on failures of various kinds, and particularly multi-factor authentication failures, should be ranked in order of importance. This is where a tool like Cloud SIEM’s alerting comes into play.

We’ve created a set of 10 default rules for Okta users in Cloud SIEM, ranked by order of severity. The most severe alert fires when multiple failed authentications occur in a short period of time, particularly when they are attempted for several unknown users.

Should this sort of incident occur, investigate the event in line with your organization’s security policies, block the offending IP addresses, and/or tighten the multi-factor authentication settings in Okta.

Our next-highest-priority triggers fire on failed multi-factor authentication and whenever administrative privileges are granted to a user or to a whole group. Medium-level alerts are set by default for other failed authentication attempts and for changes to app sign-on policies. Of course, you can additionally configure alerts for other conditions.
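As an added example (not Cloud SIEM’s own rule engine), the Python below runs the two highest-priority rules described above over Okta System Log events: a burst of failed logins from one source IP, rated high when several distinct unknown users were tried, and every failed MFA authentication. The events are constructed sample data using real System Log field names; that Okta sets actor.id to "unknown" for a login name that matches no user is an assumption of the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, event_type, result, actor_id, login, ip):
    """Build a trimmed Okta System Log event (constructed sample data, real field names)."""
    return {"published": ts, "eventType": event_type, "outcome": {"result": result},
            "actor": {"id": actor_id, "alternateId": login}, "client": {"ipAddress": ip}}

# Constructed sample: a burst of failed logins for non-existent accounts from one IP,
# one ordinary failure elsewhere, and an MFA failure. Assumed: Okta reports actor.id
# as "unknown" when the login name does not match any user.
SAMPLE_EVENTS = [
    ev("2022-05-01T10:00:05Z", "user.session.start", "FAILURE", "unknown", "a@example.com", "198.51.100.7"),
    ev("2022-05-01T10:00:20Z", "user.session.start", "FAILURE", "unknown", "b@example.com", "198.51.100.7"),
    ev("2022-05-01T10:01:02Z", "user.session.start", "FAILURE", "unknown", "c@example.com", "198.51.100.7"),
    ev("2022-05-01T10:01:40Z", "user.session.start", "FAILURE", "00u1", "dana@example.com", "198.51.100.7"),
    ev("2022-05-01T10:02:11Z", "user.session.start", "FAILURE", "unknown", "d@example.com", "198.51.100.7"),
    ev("2022-05-01T10:30:00Z", "user.session.start", "FAILURE", "00u2", "erin@example.com", "203.0.113.9"),
    ev("2022-05-01T10:31:00Z", "user.authentication.auth_via_mfa", "FAILURE", "00u2", "erin@example.com", "203.0.113.9"),
    ev("2022-05-01T10:32:00Z", "user.session.start", "SUCCESS", "00u2", "erin@example.com", "203.0.113.9"),
]

def ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")

def failed_login_bursts(events, window=timedelta(minutes=5), threshold=5, min_unknown=3):
    """Highest-severity rule: at least `threshold` failed logins from one IP inside `window`.
    Severity is 'high' when at least `min_unknown` distinct unknown users were tried."""
    failures = [e for e in events
                if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE"]
    by_ip = defaultdict(list)
    for e in sorted(failures, key=ts):
        by_ip[e["client"]["ipAddress"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's failures
            while ts(evs[end]) - ts(evs[start]) > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                unknown = {e["actor"]["alternateId"] for e in burst if e["actor"]["id"] == "unknown"}
                alerts.append({"ip": ip, "failures": len(burst), "unknown_users": len(unknown),
                               "severity": "high" if len(unknown) >= min_unknown else "medium"})
                break                        # one alert per IP per run
    return alerts

def mfa_failures(events):
    """Next-priority rule: every failed multi-factor authentication, by user and source IP."""
    return [(e["actor"]["alternateId"], e["client"]["ipAddress"]) for e in events
            if e["eventType"] == "user.authentication.auth_via_mfa" and e["outcome"]["result"] == "FAILURE"]
```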

Configure Alerts in Cloud SIEM for Okta

Okta Integration & SSO

First, request SSO access from Support by sending an email telling us that you want to set up Okta SAML SSO for your account. Provide your account ID and account token, and it should be a fast process. Support will send you the SAML info to plug into Okta.

Second, in Okta, click Admin. Then, in the Shortcuts panel on the right, click Add Applications. On the left, click Create New App. In the Create a New Application Integration panel, select Web from the Platform list. Next, click the SAML 2.0 option, and then click Create.

The “Create SAML Integration” page should then appear.

Next, on the Create SAML Integration page, set your App name to the name of the platform and hit Next. This will bring you to the Configure SAML tab. In that tab, paste the SAML information you got from Support: your single sign-on URL and audience URI (SP Entity ID):

Keep these settings unchanged: Default RelayState, Name ID format, and Application username. Then, under Attribute Statements, set 1) Name to email, 2) Name format to unspecified, and 3) Value to ${}.

After that, configure Okta to send user groups in the Group Attribute Statements section by setting 1) Name to groups, 2) Name format to unspecified, and 3) Filter to any expression (the field can’t be left blank) that matches the groups you want to have access.

Group Attribute Settings in Okta (optional)

Send Info to Support

On the right side of the page, click Download Okta Certificate. Download the certificate file and zip it. You’ll attach the zip file to your next email to the Support team. Click Next, select I’m an Okta customer adding an internal app, and then click Finish.

Next, you’ll have to grab your endpoint info. Browse to the Sign On tab, and then click View Setup Instructions. Copy the Identity Provider Single Sign-On URL, and paste this in the email that you’ll send to the Support team.

Set Up SAML in Okta

Draft a new email to Support and include these items:

  • Your zipped certificate
  • Your Identity Provider Single Sign-On URL

NOTE: If you want, you can restrict access within your organization. By default, every Okta user who has access to the app can sign in to your accounts. You can restrict this from the Manage users page of each of your accounts: click Add group, then paste the group’s name from Okta. Do this for each group that should have access to that account.
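As an added example (not the platform’s code), the Python below parses the attribute statement that Okta emits with the mapping configured above (Name email and Name groups, both with the unspecified name format) and applies the same per-account group allow-list the Add group page enforces. It assumes the assertion’s signature has already been verified by the service provider; the assertion text is constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed AttributeStatement matching the Okta mapping described above:
# Name=email carries the login, Name=groups carries one AttributeValue per group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>SIEM-Analysts</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} for attributes in the name format we configured."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat", UNSPECIFIED) != UNSPECIFIED:
            continue  # a format we did not configure; ignore rather than guess
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs

def authorize(assertion_xml, allowed_groups):
    """Mirror the Add group restriction: exactly one email and at least one allowed group.
    Returns (email, granted groups) or None when access should be refused."""
    attrs = extract_attributes(assertion_xml)
    emails = attrs.get("email", [])
    groups = set(attrs.get("groups", []))
    if len(emails) != 1:
        return None
    granted = sorted(groups & set(allowed_groups))
    return (emails[0], granted) if granted else None
```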

Once Support has created your Okta connection, you’re done! You can start logging in to the platform through your Okta Apps portal.

Ship Okta Logs

To ship Okta logs, deploy a Docker container that collects the logs and forwards them. You will need Okta admin privileges to get the required information from the Okta developer console.

Get the 1) API token and 2) issuer URI from the Okta developer console:

1) Navigate to API, then Tokens. Create a token and hold onto it (paste it in your text editor for later).
2) Click the Authorization Servers tab. Copy your Okta subdomain from the Issuer URI column and also paste that in your text editor alongside the API token.

Authorization Servers in Okta

In the example above, you’d have copied “dev-123456”.

Docker Image

Next, download the logzio/logzio-okta image.

docker pull logzio/logzio-okta

Then run the Docker image. The following options detach the container so it runs in the background, restart it automatically after a crash or host reboot, and give it a recognizable name:

docker run \
--detach \
--restart always \
--name Okta \
-t logzio/logzio-okta

Give your logs a few minutes to get from your system to ours, and then open Kibana. From there, look at our available Okta prebuilt security rules and dashboard or create one yourself using the visualization tool.
