TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: API Log Source
ENVIRONMENT: Okta System Log
SUMMARY: Configuration Guide for Okta System Log Ingestion
AVAILABILITY: General Availability
Vendor Information
| Vendor | Okta |
| Collection Method | REST API |
| Query Syntax | event.provider == "Okta" |
| Billable Sources Calculation | 1 Log Source Per Okta Domain |
| Additional Information | Okta API Token Documentation |
Source Configuration
Configure Okta API Access
To successfully integrate the Huntress Managed SIEM with Okta System Log, an API token with the following minimum permissions is required:
- Read-Only Administrator (or Super Administrator)
To acquire an API token, follow these steps:
1. Sign in to the Okta Admin Console.
2. Navigate to Security > API > Tokens.
3. Click Create Token.
4. Enter a descriptive name (e.g. Huntress SIEM) and click Create Token.
5. Copy the token value; it is only shown once.
6. Note your Okta domain from the browser address bar (e.g. yourcompany.okta.com).
Note: Custom-branded Okta domains (e.g. sso.yourcompany.com) are not currently supported. The domain must end in .okta.com or .oktapreview.com.
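The domain restriction and the token can be checked locally before the values are entered in Huntress. The script below is an added example, not Huntress or Okta code: it rejects any host that is not a single label under .okta.com or .oktapreview.com (so the token is never sent elsewhere), then reads one event from Okta's System Log API (/api/v1/logs) using the SSWS authorization scheme. The function names and the environment variable names OKTA_DOMAIN and OKTA_API_TOKEN are assumptions of this example.

```python
import json
import os
import re
import urllib.error
import urllib.request

# Suffixes the guide lists as supported; custom-branded domains are rejected.
ALLOWED_SUFFIXES = (".okta.com", ".oktapreview.com")
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")  # exactly one DNS label

def normalize_okta_domain(value: str) -> str:
    """Return the bare Okta domain, or raise ValueError if it is unsupported."""
    host = value.strip().lower()
    host = re.sub(r"^https?://", "", host).split("/", 1)[0]
    for suffix in ALLOWED_SUFFIXES:
        label = host[: -len(suffix)]
        if host.endswith(suffix) and LABEL.fullmatch(label):
            return host
    raise ValueError(f"unsupported Okta domain: {value!r}")

def build_log_probe(domain: str, token: str) -> urllib.request.Request:
    """Build a one-event System Log read; Okta API tokens use the SSWS scheme."""
    host = normalize_okta_domain(domain)
    return urllib.request.Request(
        f"https://{host}/api/v1/logs?limit=1",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )

def check_token(domain: str, token: str, timeout: float = 10.0) -> str:
    """Send the probe and report whether the token can read the System Log."""
    try:
        with urllib.request.urlopen(build_log_probe(domain, token), timeout=timeout) as resp:
            json.load(resp)  # a JSON array of events, possibly empty
            return "ok: token can read the System Log"
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return "401: token is invalid, expired or revoked"
        if err.code == 403:
            return "403: token's administrator role cannot read the System Log"
        return f"unexpected HTTP status {err.code}"
    except urllib.error.URLError as err:
        return f"network error: {err.reason}"

if __name__ == "__main__":
    # Assumed variable names; reading from the environment keeps the token
    # out of shell history and out of this script's output.
    print(check_token(os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"]))
```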
Create the Huntress SIEM Integration
- Navigate to Huntress SIEM > Source Management.
- Select the green +Add button to create a new Okta System Log configuration.
- Enter the configuration details:
  - Select the appropriate Organization from the drop-down menu.
  - Enter a unique Name for the source.
  - Enter the Okta Domain (e.g. yourcompany.okta.com).
  - Enter the API Token from Step 5 above.
- Select Save.