Falco also distributes out-of-the-box rules that can be used to identify interesting/suspicious/notable events in Okta logs, including:
- Creating a new Okta user account
- Detecting a locked-out user
- Assigning admin permissions to an Okta user
See the README for information on configuring the plugin. This simply involves providing the organization and API token as part of the init params. These can be added to falco.yaml under the plugins configuration key.
The plugin does not use any open params configuration.
For example, when using a dummy rule as follows:
- rule: Dummy
  output: "evt=%okta.evt.type user=%okta.actor.name ip=%okta.client.ip app=%okta.app"
The dummy rule will emit an alert for each Okta log entry, like the following:
19:12:25.439350000: Debug evt=user.authentication.sso user=User1 ip=x.x.x.x app=google
19:12:30.675628000: Debug evt=user.authentication.sso user=User2 ip=x.x.x.x app=github
19:12:35.918456000: Debug evt=user.authentication.sso user=User3 ip=x.x.x.x app=office365
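The dummy rule above alerts on every log entry. As an added example (not one of the rules distributed with the plugin), the rule below narrows it to the three kinds of event listed at the top of this page by adding a condition on okta.evt.type. The event type strings are assumed to be the Okta System Log names for those events, and the rule name, description and priority are illustrative.

```yaml
# Added example, not the plugin's own rules file.
# Assumption: these are the Okta System Log event types for user creation,
# account lockout and admin privilege grant.
- rule: Okta account creation, lockout or privilege grant (example)
  desc: >
    Alert when an Okta user account is created, locked out, or granted
    admin privileges, instead of alerting on every Okta log entry.
  condition: >
    okta.evt.type in ("user.lifecycle.create",
                      "user.account.lock",
                      "user.account.privilege.grant")
  # Same output fields as the dummy rule; a field that is not present in a
  # given log entry is printed as <NA>.
  output: "Okta account event (evt=%okta.evt.type user=%okta.actor.name ip=%okta.client.ip app=%okta.app)"
  priority: NOTICE
  # Ties the rule to events produced by the Okta plugin rather than syscalls.
  source: okta
  tags: [okta]
```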