Okta

This guide walks through how to set up Okta System Logs as a source in Scanner Collect, using direct API integration with Okta’s System Log API.

We’ll assume that you want Scanner to both store the logs in S3 and index them for search and detection.

Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

  • Click Create New Source.

  • Click Select a Source Type.

  • Choose Okta.

You’ll be prompted to choose an Ingest Method:

  • Select API Pull.

  • Then, choose a Destination: Select Scanner.

Click Next.

Step 2: Configure the Source

Set a Display Name, such as my-org-okta-logs.

Click Next.

Step 3: Authenticate with Okta

  • If you’ve previously created an Okta connection, select it from the list.

  • Otherwise, select New Okta Connection and fill in the required fields:

    • Connection Name: Give the connection a recognizable name.

    • Okta Domain: e.g. your-domain.okta.com.

    • API Token: Generate this from your Okta admin console.

For help finding these values:

Click Next.

Step 4: Configure the Destination

  • Choose the S3 Bucket where the raw Okta logs should be stored.

  • (Optional) Enter a Key Prefix to organize the data path in your bucket.

  • Choose the Scanner Index where logs will be made searchable.

  • Leave the Source Label as okta:system.

Click Next.

Step 5: Transform and Enrich

  • Keep the default transformation: Normalize to ECS - Okta

    • This maps log fields to the Elastic Common Schema (ECS), making it easier to write cross-source queries and detection rules.

  • (Optional) Add additional transformation or enrichment steps if needed.

Click Next.

Step 6: Timestamp Extraction

Leave the default setting: Extract timestamp from field published.

This field is included in every Okta System Log event and reflects when the event occurred.

Click Next.

Step 7: Review and Create

  • Review all configuration settings.

  • Click Create Source.

What Happens Next

Once created:

  • Scanner will poll the Okta System Log API every 2 minutes.

  • New events will be written to your S3 bucket, under the specified key prefix.

  • Logs will then be indexed for search and detections using your selected Scanner index.
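The poll-extract-normalize cycle described above, as an added example that is not Scanner's collector code (the Okta `GET /api/v1/logs` endpoint, `SSWS` token header and `since`/`limit` query parameters are Okta's public System Log API; the ECS field subset in `to_ecs` is an illustrative mapping, not Scanner's "Normalize to ECS - Okta" transformation; the sample events, domain and token value are constructed placeholders):

```python
"""Illustrative Okta System Log poller: build the API request, extract the
`published` timestamp, dedupe re-delivered events, and map a few fields to ECS.

Added example, not Scanner's own code. The ECS fields chosen here are an
assumption for illustration. Network access only happens if you call
fetch_page() yourself; everything else runs offline on the sample events.
"""
import json
from datetime import datetime
from urllib.parse import urlencode
from urllib.request import Request, urlopen

OKTA_DOMAIN = "your-domain.okta.com"   # placeholder value from the guide
API_TOKEN = "<OKTA_API_TOKEN>"          # placeholder; never hard-code a real token


def build_request(domain, token, since, limit=100):
    """Build the GET /api/v1/logs request a poller issues every cycle.
    `since` is an ISO-8601 timestamp; the API token travels in the SSWS header."""
    query = urlencode({"since": since, "limit": limit, "sortOrder": "ASCENDING"})
    url = f"https://{domain}/api/v1/logs?{query}"
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    return Request(url, headers=headers)


def fetch_page(req):
    """Perform the request (not exercised offline) and return the JSON event list."""
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_timestamp(event):
    """Step 6: every System Log event carries `published` (RFC 3339, UTC)."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def new_events(events, seen_uuids):
    """A `since` re-poll can return the boundary event again; drop events whose
    `uuid` was already delivered and remember the rest."""
    fresh = [e for e in events if e["uuid"] not in seen_uuids]
    seen_uuids.update(e["uuid"] for e in fresh)
    return fresh


def to_ecs(event):
    """Step 5 (illustrative subset): map Okta fields to ECS names so the same
    detection rule can run across sources."""
    outcome = (event.get("outcome") or {}).get("result", "")
    return {
        "@timestamp": event["published"],
        "event.action": event.get("eventType"),
        "event.outcome": outcome.lower() or None,
        "user.name": (event.get("actor") or {}).get("alternateId"),
        "source.ip": (event.get("client") or {}).get("ipAddress"),
        "okta.uuid": event.get("uuid"),
    }


def next_since(events, previous_since):
    """Advance the poll cursor to the newest `published` seen so the next
    2-minute poll resumes where this one ended (keep the old cursor if empty)."""
    if not events:
        return previous_since
    newest = max(extract_timestamp(e) for e in events)
    return newest.isoformat().replace("+00:00", "Z")


# Constructed sample events in Okta System Log shape (not real data).
SAMPLE_EVENTS = [
    {
        "uuid": "00000000-0000-0000-0000-000000000001",
        "published": "2024-05-01T12:00:00.000Z",
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.10"},
    },
    {
        "uuid": "00000000-0000-0000-0000-000000000002",
        "published": "2024-05-01T12:01:30.000Z",
        "eventType": "user.session.start",
        "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
        "actor": {"alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.7"},
    },
]

if __name__ == "__main__":
    cursor = "2024-05-01T11:58:00Z"
    req = build_request(OKTA_DOMAIN, API_TOKEN, cursor)
    print("would GET:", req.full_url)
    seen = set()
    for e in new_events(SAMPLE_EVENTS, seen):
        print(json.dumps(to_ecs(e)))
    print("next since:", next_since(SAMPLE_EVENTS, cursor))
```

The cursor logic is the part worth checking in any collector: if `since` is advanced to the newest `published` value, the boundary event is returned again on the next poll, so the `uuid` dedupe is what keeps the S3 objects and the index free of duplicates.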
