Bindplane is excited to join Dynatrace!Learn more
Back to Blueprints

Enrich Okta Security Logs

Enriches Okta authentication and administrative events with MITRE ATT&CK context based on event type and outcome.

Included Processors

1

Parse JSON Body

Parses the JSON string body into a map for field access.

2

Enrich Brute Force Authentication

Adds MITRE context for repeated Okta authentication failures.

3

Enrich Valid Account Usage

Adds MITRE context for successful Okta authentications.

4

Enrich Account Manipulation

Adds MITRE context for Okta administrative account or policy changes.

5

Enrich MFA Push Attacks

Adds MITRE context for MFA push rejection events indicating possible fatigue attacks.

6

Delete Empty Values

Removes null and empty values after enrichment.

Example Telemetry

Log

NameBeforeAfter
observed_time2026-01-02T15:04:05Z2026-01-02T15:04:05Z
time2026-01-02T15:04:05Z2026-01-02T15:04:05Z
severity_textWARNWARN
severity_number1313

Body

{"eventId":"3OWe8zE3SBhJpvWYR0g5","timestamp":"2026-01-02T15:04:05Z","eventType":"user.authentication_failed","version":"0","severity":"WARN","displayMessage":"User authentication of type OKTA failed","actor":{"id":"unknown","displayName":"attacker@unknown.com","objectType":"User"},"outcome":{"result":"FAILURE","reason":"Invalid credentials"},"target":[],"transaction":{"id":"YbCJlmQ_mJVCQWVcQCIJ0gAAB","type":"WEB","detail":{}},"debugContext":{"debugData":{"logOnlySecurityData":"true"}},"legacyEventType":"core.user_auth.login_failed","authentication":{"authenticationProvider":"OKTA","authenticationType":"PASSWORD","issuer":{"id":"00oat2a6kp5TbAV9J0g7","displayName":"Okta"}},"securityContext":{"isProxy":false}}
actor["displayName"]attacker@unknown.com
actor["id"]unknown
actor["objectType"]User
authentication["authenticationProvider"]OKTA
authentication["authenticationType"]PASSWORD
authentication["issuer"]["displayName"]Okta
authentication["issuer"]["id"]00oat2a6kp5TbAV9J0g7
debugContext["debugData"]["logOnlySecurityData"]true
displayMessageUser authentication of type OKTA failed
eventId3OWe8zE3SBhJpvWYR0g5
eventTypeuser.authentication_failed
legacyEventTypecore.user_auth.login_failed
outcome["reason"]Invalid credentials
outcome["result"]FAILURE
securityContext["isProxy"]false
severityWARN
timestamp2026-01-02T15:04:05Z
transaction["id"]YbCJlmQ_mJVCQWVcQCIJ0gAAB
transaction["type"]WEB
version0

Resource

NameBeforeAfter
host.nameokta-tenant-01okta-tenant-01
service.nameoktaokta

Related Blueprints