Enrich Okta Security Logs
Enriches Okta authentication and administrative events with MITRE ATT&CK context based on event type and outcome.
Included Processors
1
Parse JSON Body
Parses the JSON string body into a map for field access.
2
Enrich Brute Force Authentication
Adds MITRE context for repeated Okta authentication failures.
3
Enrich Valid Account Usage
Adds MITRE context for successful Okta authentications.
4
Enrich Account Manipulation
Adds MITRE context for Okta administrative account or policy changes.
5
Enrich MFA Push Attacks
Adds MITRE context for MFA push rejection events indicating possible fatigue attacks.
6
Delete Empty Values
Removes null and empty values after enrichment.
Example Telemetry
Log
| Name | Before | After |
|---|---|---|
| observed_time | 2026-01-02T15:04:05Z | 2026-01-02T15:04:05Z |
| time | 2026-01-02T15:04:05Z | 2026-01-02T15:04:05Z |
| severity_text | WARN | WARN |
| severity_number | 13 | 13 |
Body
{"eventId":"3OWe8zE3SBhJpvWYR0g5","timestamp":"2026-01-02T15:04:05Z","eventType":"user.authentication_failed","version":"0","severity":"WARN","displayMessage":"User authentication of type OKTA failed","actor":{"id":"unknown","displayName":"attacker@unknown.com","objectType":"User"},"outcome":{"result":"FAILURE","reason":"Invalid credentials"},"target":[],"transaction":{"id":"YbCJlmQ_mJVCQWVcQCIJ0gAAB","type":"WEB","detail":{}},"debugContext":{"debugData":{"logOnlySecurityData":"true"}},"legacyEventType":"core.user_auth.login_failed","authentication":{"authenticationProvider":"OKTA","authenticationType":"PASSWORD","issuer":{"id":"00oat2a6kp5TbAV9J0g7","displayName":"Okta"}},"securityContext":{"isProxy":false}}| actor["displayName"] | attacker@unknown.com |
| actor["id"] | unknown |
| actor["objectType"] | User |
| authentication["authenticationProvider"] | OKTA |
| authentication["authenticationType"] | PASSWORD |
| authentication["issuer"]["displayName"] | Okta |
| authentication["issuer"]["id"] | 00oat2a6kp5TbAV9J0g7 |
| debugContext["debugData"]["logOnlySecurityData"] | true |
| displayMessage | User authentication of type OKTA failed |
| eventId | 3OWe8zE3SBhJpvWYR0g5 |
| eventType | user.authentication_failed |
| legacyEventType | core.user_auth.login_failed |
| outcome["reason"] | Invalid credentials |
| outcome["result"] | FAILURE |
| securityContext["isProxy"] | false |
| severity | WARN |
| timestamp | 2026-01-02T15:04:05Z |
| transaction["id"] | YbCJlmQ_mJVCQWVcQCIJ0gAAB |
| transaction["type"] | WEB |
| version | 0 |
Resource
| Name | Before | After |
|---|---|---|
| host.name | okta-tenant-01 | okta-tenant-01 |
| service.name | okta | okta |