Cloud

Okta Identity Provider

Okta System Log — SSO sign-in logs, MFA events, admin audit events, user lifecycle management, group and application membership changes, and sign-on policy evaluations.

View on GitHub

Quick Start

uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/identity-okta/generator.yml \
  --id okta \
  --live-mode true

Event Types

Event ID	Description	Frequency	Category
user.session.start	Successful user sign-in	~20%	authentication
user.authentication.sso	SSO to application	~18%	authentication
user.authentication.auth_via_mfa	MFA challenge	~12%	authentication
policy.evaluate_sign_on	Sign-on policy evaluation	~10%	configuration
user.session.end	User sign-out	~8%	session
user.mfa.factor.verify	MFA factor verification	~8%	authentication
user.session.start (failed)	Failed user sign-in	~4%	authentication
group.user_membership.add	Group membership change	~3%	iam
application.user_membership.add	Application assignment	~2.5%	iam
user.account.update_password	Self-service password change	~2%	iam
user.session.access_admin_app	Admin console access	~2%	configuration
user.mfa.factor.update	MFA factor enrollment	~1.5%	iam
user.account.lock	Account lockout	~1%	iam
user.lifecycle.create	New user provisioning	~1%	iam
user.lifecycle.activate	User activation	~1%	iam
user.account.reset_password	Admin password reset	~1%	iam
user.lifecycle.deactivate	User deactivation	~0.5%	iam
system.api_token.create	API token creation	~0.5%	configuration

Realism Features

6 event categories — SSO sign-in, MFA, policy evaluation, account management, user lifecycle, admin operations
Shared state correlations — user.session.start stores sessions; SSO and session end events reuse same user identity
6 login failure scenarios — INVALID_CREDENTIALS, LOCKED_OUT, PASSWORD_EXPIRED, VERIFICATION_ERROR, AUTH_FAILED, INVALID_LOGIN
6 MFA factor types — Okta Verify Push, TOTP, SMS, Email, WebAuthn/FIDO, YubiKey
15 SSO applications — Salesforce, Slack, AWS, Jira, GitHub, Google Workspace, and more
22 users across 10 departments + 2 admin accounts with admin-only operations

Sample Output

{
    "@timestamp": "2026-03-04T14:22:31+00:00",
    "event": {
        "action": "user.session.start",
        "category": ["session", "authentication"],
        "dataset": "okta.system",
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "kind": "event",
        "module": "okta",
        "outcome": "success",
        "type": ["start", "info"]
    },
    "user": {
        "email": "sarah.jones@acmecorp.com",
        "full_name": "Sarah Jones",
        "id": "00u1a2b3c4d5e6f7g8",
        "name": "sarah.jones@acmecorp.com"
    },
    "okta": {
        "actor": {
            "alternate_id": "sarah.jones@acmecorp.com",
            "display_name": "Sarah Jones",
            "id": "00u1a2b3c4d5e6f7g8",
            "type": "User"
        },
        "authentication_context": {
            "authentication_provider": "OKTA_AUTHENTICATION_PROVIDER",
            "authentication_step": 0,
            "credential_type": "PASSWORD",
            "external_session_id": "idx1a2b3c4d5e6f7g8"
        },
        "display_message": "User login to Okta",
        "event_type": "user.session.start",
        "outcome": {
            "reason": null,
            "result": "SUCCESS"
        },
        "request": {
            "ip_chain": [
                {
                    "geographicalContext": {
                        "city": "San Francisco",
                        "country": "United States",
                        "geolocation": { "lat": 37.7749, "lon": -122.4194 },
                        "postalCode": "94105",
                        "state": "California"
                    },
                    "ip": "203.0.113.42",
                    "version": "V4"
                }
            ]
        },
        "security_context": {
            "as": {
                "number": 13335,
                "organization": { "name": "Cloudflare Inc" }
            },
            "domain": "cloudflare.com",
            "is_proxy": false,
            "isp": "Cloudflare Inc"
        },
        "severity": "INFO",
        "version": "0",
        "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    }
}

Parameters

Parameter	Default	Description
agent_id	a1b2c3d4-...	Filebeat agent UUID
agent_name	okta-system-forwarder	Agent hostname
agent_version	8.17.0	Elastic Agent version

Related Generators

Cloud

AWS CloudTrail Management Events

AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.

Cloud

AWS GuardDuty Findings

AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.

Cloud

AWS VPC Flow Logs

AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.