This add-on collects audit events from the Okta Advanced Server Access (ASA) API and indexes them into Splunk. This makes tracking events such as permission changes, server logins, and credential approvals through ASA simple.
This add-on requires an API key and secret to access the audit data from ASA. We recommend creating a dedicated service account for this purpose and assigning it the minimum privileges. Perform the following steps in the ASA webapp.
1. Note the service account's API Key ID and API Key Secret; they are needed when the add-on account is configured below.
2. Grant the service account the Reporting permission.
We can now install the add-on in our Splunk environment. This add-on is primarily a tool for collecting logs and only needs to be installed on a heavy forwarder. It does contain saved searches and other knowledge objects, so installation on search heads is helpful. Only configure an input on one Splunk server.
Using the Splunk webapp, login and launch the newly installed Okta Advanced Server Access Add-on.
The default settings are appropriate in most cases. Be aware of the advanced Add-on Settings and Logging options available in the Configuration menu.
Before we can define an input we must provide account credentials. Using the API Key ID and API Key Secret from the Prerequisites section, perform the following.
1. Click Add.
2. Enter an Account Name for the account (arbitrary value).
3. Enter the API Key ID.
4. Enter the API Key Secret.
5. Click Add.
With our account defined we can now define an input.
1. Click Create New Input.
2. Enter a name for the input (arbitrary value).
3. Select the Index the events should be written to.
4. Enter the Team Name you wish to collect audit events for (this is your ASA Team Name and must be correct).
5. Select the ASA Account defined in the previous step.
6. Click Add.
This add-on produces data with a source of source="Okta:ASA". A sample event looks like this:
{
  "id": "UhSXLZ2N51GGpjYAnY3nUQ==",
  "timestamp": "2020-07-09T15:12:08.314955Z",
  "details": {
    "actor": {
      "id": "a6a33a38-f871-417a-9bf6-d3d05ce20aef",
      "name": "mbegan",
      "status": "ACTIVE",
      "details": {
        "first_name": "Matthew",
        "last_name": "Egan",
        "full_name": "Matthew Egan",
        "email": "mbega.n@gmail.com"
      },
      "user_type": "human",
      "oauth_client_application_id": null,
      "role_grants": null,
      "deleted_at": null
    },
    "target_user": {
      "id": "d54bc50c-7afc-46b0-bdd9-ae0356ed451f",
      "name": "SplunkTest",
      "status": "ACTIVE",
      "details": null,
      "user_type": "service",
      "oauth_client_application_id": null,
      "role_grants": null,
      "deleted_at": null
    },
    "team_id": "a9dcf8ed-a32e-411b-be70-f89932ef4998",
    "team_name": "oktabd-dev",
    "trace_id": "1-5f0733c8-f1b67bc0b80fa79cdb92630c",
    "type": "apikey.rotate",
    "user_name": "SplunkTest"
  }
}
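As an added example (not part of the add-on), the following Python flattens ASA audit events of the shape shown above into the fields a detection search would key on, counts them per event type and actor, and lists human actors acting on service accounts. The sample events are constructed to follow the page's schema; their ids, names and timestamps are made up, and null details and a missing target_user are included to show the edge cases the flattening must tolerate.

```python
import json
from collections import Counter

# Constructed sample events in the schema of the event shown above.
# Only "apikey.rotate" is an event type seen on the page; everything else is made up.
SAMPLE_EVENTS = [
    {"id": "evt-1", "timestamp": "2020-07-09T15:12:08Z",
     "details": {"actor": {"name": "mbegan", "user_type": "human",
                           "details": {"email": "mbegan@example.com"}},
                 "target_user": {"name": "SplunkTest", "user_type": "service", "details": None},
                 "team_name": "oktabd-dev", "type": "apikey.rotate", "user_name": "SplunkTest"}},
    {"id": "evt-2", "timestamp": "2020-07-09T16:00:00Z",
     "details": {"actor": {"name": "svc-ci", "user_type": "service", "details": None},
                 "target_user": None,
                 "team_name": "oktabd-dev", "type": "apikey.rotate", "user_name": "svc-ci"}},
]


def flatten(event):
    """Return the fields a search would key on; tolerates null actor/target details."""
    d = event.get("details") or {}
    actor = d.get("actor") or {}
    target = d.get("target_user") or {}
    return {
        "timestamp": event.get("timestamp"),
        "type": d.get("type"),
        "team": d.get("team_name"),
        "actor": actor.get("name"),
        "actor_type": actor.get("user_type"),
        "actor_email": (actor.get("details") or {}).get("email"),
        "target": target.get("name"),
        "target_type": target.get("user_type"),
    }


def summarize(events):
    """Count events per (type, actor) and collect human actors acting on service accounts."""
    rows = [flatten(e) for e in events]
    counts = Counter((r["type"], r["actor"]) for r in rows)
    human_on_service = [r for r in rows
                        if r["actor_type"] == "human" and r["target_type"] == "service"]
    return counts, human_on_service


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_EVENTS)
    for (etype, actor), n in counts.items():
        print(f"{etype:20} {actor:12} {n}")
    for r in flagged:
        print("human actor on service account:", json.dumps(r))
```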
Look at the add-on's logs (index=_internal sourcetype="ta:okta:advanced:server:access:add:on:for:splunk:log") or tail -f the ta_okta_advanced_server_access_add_on_for_splunk_advanced_server_access.log file.
This section will be updated as issues come in.
Enjoy!
Removed errantly included input