Send OKTA Logs to Azure Event Hubs

By | October 22, 2020

Have you ever wondered how to Send OKTA Logs to Azure Event Hubs? You might have a requirement from your security team so that they can easily audit these logs together with other systems and pushes into your SIEM?  I had tried using event hooks in OTKA but even if I had configured it correctly, it always give me an error that “Unable to verify event hook. Hook “Azure Event Hub” execution failed. Remote server responded with client error, responseCode=400 message=Bad Request” every time I hit verify.  Upon checking the logs I always get a “Event hook verification failed” which is not helpful where it went wrong. I gave up and thought why not use Azure’s Logic Apps to Integrate both API’s, the System Log API from OKTA and the Shared access policies of the Event Hubs Instance.


Now there is no coding involved here and that is the beauty of Logic Apps, everything is drag and drop, then some configuration. In a matter of minutes you have a running middleware that integrates both system from OKTA to Event Hubs. So how did I do it?

I will work under the premise that you already have and Azure Event Hub set up as well as an OKTA environment, so all that I will discuss here is how we did it in Logic Apps.

Lets start.


Go to your Azure Tenant and search for Logic App

Create a logic app by clicking on the add button


add the basic configurations. Choose the right subscription, resource group, logic app name and location.  Then click review and create.


Now go to the designer view and start adding steps.  First add a schedule, this will basically trigger the logic app and we will set it every 10 minutes.  If you make this longer the data will be huge depending on how busy your OKTA instance is, and if it is big it might not successfully save in Event Hubs as there is a limit for data ingestion, its better to do it in small chunks at a time.

Once you had chosen a schedule, choose recurrence and set it up to run every 10 minutes.


Next lets go to Date Time, this will be the parameter you will pass on OKTA’s System Log Api, so you get the last 10 minutes of data.  Choose Date time, then get past time.

In the get past time, get the last 10 minutes since you are running every 10 minutes.

Next step is to perform an HTTP Get, search for HTTP

Then set the method to Get, URI will be {{YourTenantName}}/api/v1/logs?since= then we put a dynamic value after since using the Past time you configured before, if you want further filters, it is fully documented in OKTA System Log section.

Now add the following headers:

Accept:application/json
Content-Type:application/json
Authorization:SSWS {{yourAPIKey}}

The API Key can be generated in OKTA and I will describe it after this step.  Meanwhile put some dummy characters in it.

Now to generate an API key, go to your OKTA tenant and under Security then API

Go to Tokens then create Token, name it accordingly and it will show you the token.

Copy this token to the HTTP Get under Authorization that you created earlier.

Now the next step now that you have a Get Request is to post that to the Event Hub.  Choose Event Hub.

Choose the appropriate event hub, my one is called Okta.  Then on the content, get the result from the step prior to this, it will be the Body

At this stage its done, but if you want some confirmation.  Create another step and send an email to you, just for sanity check.  You can remove this later.  Add a step, search for Gmail.

Choose Send Email then Configure the account to connect to it.  Populate the To information with your email, and in the Body add the Status Code and the Body from the OKTA Event Api,  this way you will see the HTTP Response code which you should get 200 and what data was sent to the Event Hub.

Save it, then run.

Now check the records if it was sent properly to the Event Hub.  Go to your event hub, choose process data

Run the test query and you should see your records.

That simple!

Recommended

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.