Okta Identity Integration
Overview
Okta provides cloud-based identity and access management: single sign-on, MFA, and user lifecycle management. KYRA MDR collects Okta System Log events through the Okta System Log API (/api/v1/logs; the older Events API is deprecated) for identity threat detection and access monitoring.
Prerequisites
- A KYRA MDR Collector installed and running
- Okta organization with administrative access
- An API token with Read-only Administrator or higher privileges. An Okta API token inherits the permissions of the user who creates it, so create it from a dedicated service account holding only the Read-only Administrator role rather than from a Super Administrator account
- Okta production tenant
Configuration
Configure Okta log collection:
- Log in to the Okta Admin Console
- Navigate to Security > API > Tokens
- Click Create Token and name it KYRA-MDR
- Copy the token value (it is shown only once; store it in your secrets manager, not in a shared document)
- Configure the KYRA MDR collector:

```yaml
sources:
  - type: okta
    domain: <your-org>.okta.com
    api_token: <api-token>
    poll_interval: 60s
```

- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Authentication | User login and MFA events | Brute force, credential stuffing detection |
| Authorization | Access grant and deny events | Privilege escalation detection |
| User Lifecycle | User creation, suspension, deletion | Account management auditing |
| Application | Application access events | Shadow IT, unauthorized access |
| System | Okta system configuration changes | Security policy monitoring |
| Directory | Directory sync and provisioning events | Identity lifecycle tracking |
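The Authentication row above lists brute force and credential stuffing as the detections built on login events. The following is an added example, not KYRA MDR's own detection code, showing what those two detections look like over Okta System Log records: a sliding window over `user.session.start` events whose `outcome.result` is `FAILURE`, keyed once by actor (brute force) and once by source IP with a count of distinct actors (credential stuffing). The sample events are constructed for this example; the field names (`eventType`, `published`, `actor.alternateId`, `client.ipAddress`, `outcome.result`) follow the System Log schema, while the thresholds and addresses are illustrative assumptions.

```python
"""Brute-force and credential-stuffing detection over Okta System Log events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ts(offset_s):
    """Constructed timestamp: a fixed base instant plus an offset in seconds."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    return (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _event(offset_s, user, ip, result, reason=None):
    """Build one constructed System Log record with the fields the detections read."""
    return {
        "eventType": "user.session.start",
        "published": _ts(offset_s),
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip},
        "outcome": {"result": result, "reason": reason},
    }


# Constructed sample (not real log data): one account hammered from a single IP
# (brute force), twelve different accounts each tried once from a second IP
# (credential stuffing), and some benign activity that must not alert.
SAMPLE_EVENTS = (
    [_event(i * 5, "alice@example.com", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS")
     for i in range(6)]
    + [_event(100 + i * 3, f"user{i}@example.com", "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS")
       for i in range(12)]
    + [
        _event(200, "bob@example.com", "192.0.2.5", "SUCCESS"),
        _event(260, "carol@example.com", "192.0.2.9", "FAILURE", "INVALID_CREDENTIALS"),
        _event(300, "carol@example.com", "192.0.2.9", "SUCCESS"),
    ]
)


def _parse(published):
    """Parse the System Log `published` timestamp (ISO 8601, UTC)."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def detect_failed_logins(events, window_s=300, user_threshold=5, ip_user_threshold=10):
    """Sliding-window detections over failed user.session.start events.

    brute_force: one actor with >= user_threshold failures inside window_s seconds.
    credential_stuffing: one source IP failing against >= ip_user_threshold distinct
    actors inside window_s seconds.
    Thresholds are assumptions for this example. Returns a sorted list of
    (detection, key) tuples; each key is reported at most once.
    """
    window = timedelta(seconds=window_s)
    per_user = defaultdict(deque)  # actor -> timestamps of recent failures
    per_ip = defaultdict(deque)    # source IP -> (timestamp, actor) of recent failures
    findings = set()

    for e in sorted(events, key=lambda e: e["published"]):
        if e.get("eventType") != "user.session.start" or e["outcome"]["result"] != "FAILURE":
            continue
        t = _parse(e["published"])
        user = e["actor"]["alternateId"]
        ip = e["client"]["ipAddress"]

        q = per_user[user]
        q.append(t)
        while t - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= user_threshold:
            findings.add(("brute_force", user))

        q = per_ip[ip]
        q.append((t, user))
        while t - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= ip_user_threshold:
            findings.add(("credential_stuffing", ip))

    return sorted(findings)


if __name__ == "__main__":
    for kind, key in detect_failed_logins(SAMPLE_EVENTS):
        print(f"{kind}: {key}")
```

Counting distinct actors per IP rather than raw failures is what separates stuffing from a single user mistyping a password; lowering the window shows how the same traffic stops matching once the attempts are spread out.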
Troubleshooting
API token expired: Okta API tokens expire after 30 days of inactivity and renew automatically each time they are used, so a collector that has been stopped for more than 30 days will fail to authenticate. Generate a new token, update the collector configuration, and revoke the old one in the Admin Console.
Rate limiting: Okta enforces per-endpoint API rate limits and answers excess requests with HTTP 429. Set the poll interval to at least 60 seconds. The remaining request budget and the reset time are returned in the X-Rate-Limit-Remaining and X-Rate-Limit-Reset response headers.
Missing events: Okta retains System Log events for a period that depends on your subscription; events older than that cannot be backfilled. Keep the collector running continuously and poll frequently so that no events age out before they are fetched.
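The three troubleshooting items above (token authentication, rate limiting, and gaps) come down to how the System Log endpoint is polled. The following is an added example, not KYRA MDR's collector code, of a poll loop that authenticates with the `SSWS` token header, follows the `Link: <...>; rel="next"` cursor until an empty page comes back, sleeps until `X-Rate-Limit-Reset` on HTTP 429, and returns the `published` timestamp of the last event as a checkpoint to pass back as `since` on the next poll so no events are skipped. The `FakeOkta` class is a constructed stand-in for the endpoint so the code runs offline; the domain, token and event contents are made up.

```python
"""Poll the Okta System Log API with pagination, 429 back-off and a checkpoint."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def _flatten(msg):
    """Join repeated headers (Okta sends several Link headers) into one dict."""
    return {k: ", ".join(msg.get_all(k)) for k in set(msg.keys())}


def urllib_get(url, headers):
    """Real transport: GET url and return (status, headers dict, body text)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, _flatten(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, _flatten(err.headers), err.read().decode()


def _next_link(link_header):
    """Return the URL tagged rel="next" from a Link header, or None if absent."""
    for part in link_header.split(","):
        url_part, _, params = part.strip().partition(";")
        if url_part and 'rel="next"' in params.replace(" ", ""):
            return url_part.strip().strip("<>")
    return None


def pull_system_log(domain, api_token, since, http_get=urllib_get, sleep=time.sleep, limit=1000):
    """Fetch every System Log event published after `since`.

    Returns (events, checkpoint); persist `checkpoint` and pass it back as
    `since` on the next poll. An empty page means the cursor has caught up.
    """
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    query = urllib.parse.urlencode({"since": since, "limit": limit, "sortOrder": "ASCENDING"})
    url = f"https://{domain}/api/v1/logs?{query}"
    events = []
    while url:
        status, resp_headers, body = http_get(url, headers)
        if status == 429:  # rate limited: wait until the window resets, then retry the same URL
            reset = int(resp_headers.get("X-Rate-Limit-Reset", int(time.time()) + 60))
            sleep(max(1, reset - int(time.time())))
            continue
        if status != 200:  # 401 here is the expired/revoked token case from Troubleshooting
            raise RuntimeError(f"Okta returned HTTP {status}: {body[:200]}")
        page = json.loads(body)
        if not page:
            break
        events.extend(page)
        url = _next_link(resp_headers.get("Link", ""))
    checkpoint = events[-1]["published"] if events else since
    return events, checkpoint


class FakeOkta:
    """Constructed stand-in for /api/v1/logs: one 429, then two pages and an empty page."""

    def __init__(self):
        self.pages = {
            "p0": [{"uuid": "e1", "published": "2024-05-01T12:00:00.000Z", "eventType": "user.session.start"},
                   {"uuid": "e2", "published": "2024-05-01T12:00:05.000Z", "eventType": "user.session.start"}],
            "p1": [{"uuid": "e3", "published": "2024-05-01T12:00:09.000Z",
                    "eventType": "user.authentication.auth_via_mfa"}],
            "p2": [],
        }
        self.throttled = True
        self.calls = []

    def __call__(self, url, headers):
        self.calls.append(url)
        assert headers["Authorization"].startswith("SSWS ")
        if self.throttled:
            self.throttled = False
            return 429, {"X-Rate-Limit-Reset": str(int(time.time()) + 2)}, "rate limited"
        page = urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get("after", ["p0"])[0]
        nxt = {"p0": "p1", "p1": "p2", "p2": "p2"}[page]
        link = f'<{url}>; rel="self", <https://example.okta.com/api/v1/logs?after={nxt}>; rel="next"'
        return 200, {"Link": link}, json.dumps(self.pages[page])


if __name__ == "__main__":
    events, checkpoint = pull_system_log("example.okta.com", "<api-token>", "2024-05-01T00:00:00.000Z",
                                         http_get=FakeOkta(), sleep=lambda s: None)
    print(len(events), "events; next since =", checkpoint)
```

Storing the checkpoint durably (and only after the fetched events have been written out) is what keeps a collector restart from producing the gaps described under "Missing events", as long as the restart happens within the retention period.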
Contact kyra@seekerslab.com for support.