Okta

Overview

AlphaSOC normalizes Okta telemetry into the Open Cybersecurity Schema Framework (OCSF) format. The fields listed below are available for use in Sigma detection rules. For complete field definitions and semantics, refer to the linked OCSF class schema pages.

Okta: Authentication

OCSF Category: Identity & Access Management

OCSF Class: Authentication

OCSF Fields

  • activity_id
  • activity_name
  • actor.user.email_addr
  • actor.user.name
  • actor.user.type
  • actor.user.type_id
  • actor.user.uid
  • category_name
  • category_uid
  • class_name
  • class_uid
  • device.is_managed
  • device.name
  • device.os.type
  • device.os.type_id
  • device.os.version
  • device.uid
  • dst_endpoint.svc_name
  • http_request.uid
  • http_request.user_agent
  • message
  • metadata.event_code
  • metadata.product.name
  • metadata.product.version
  • metadata.uid
  • metadata.version
  • session.issuer
  • session.uid
  • session.uid_alt
  • severity
  • severity_id
  • src_endpoint.autonomous_system.name
  • src_endpoint.autonomous_system.number
  • src_endpoint.domain
  • src_endpoint.ip
  • src_endpoint.isp
  • src_endpoint.location.city
  • src_endpoint.location.country
  • src_endpoint.location.lat
  • src_endpoint.location.long
  • src_endpoint.location.postal_code
  • src_endpoint.type
  • src_endpoint.type_id
  • src_endpoint.uid
  • src_endpoint.zone
  • status
  • status_detail
  • status_id
  • time
  • type_name
  • type_uid
  • user.email_addr
  • user.name
  • user.type
  • user.type_id
  • user.uid
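As an added illustration (not an AlphaSOC rule), the following Sigma rule uses several of the fields above to flag a successful Okta logon from a device Okta does not report as managed. The OCSF values are taken from the OCSF Authentication class (class_uid 3002, activity_id 1 = Logon, status_id 1 = Success); the logsource product/category names and the rule id are assumptions for this example.

```yaml
title: Okta Successful Logon From Unmanaged Device
id: 00000000-0000-0000-0000-000000000000   # placeholder: replace with a real UUID
status: experimental
description: >
  Successful Okta authentication where the OCSF device.is_managed flag is
  false. Useful as a baseline for spotting credential use from personal or
  unknown endpoints; tune the filter to your environment.
logsource:
  product: okta             # assumed logsource taxonomy for the normalized feed
  category: authentication
detection:
  selection:
    class_uid: 3002         # OCSF Authentication class
    activity_id: 1          # Logon
    status_id: 1            # Success
    device.is_managed: false
  filter_known_zone:
    src_endpoint.zone: 'CorporateVPN'   # assumed zone name, adjust to your tenant
  condition: selection and not filter_known_zone
fields:
  - actor.user.name
  - device.name
  - device.os.type
  - src_endpoint.ip
  - src_endpoint.location.country
  - http_request.user_agent
falsepositives:
  - Users legitimately signing in from newly enrolled or BYOD devices
level: medium
```

The `fields` list only controls which attributes are surfaced in the alert; the match is decided by `selection` minus the `filter_known_zone` exclusion.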

Further Reading