In this article we are going to send events from the Okta System Log to Azure Log Analytics using Okta Event Hooks and Azure Logic Apps.
Event hooks are outbound calls from Okta, sent when specified events occur in your org. They take the form of HTTPS REST calls to a URL you specify, encapsulating information about the events in JSON objects in the request body. These calls from Okta are meant to be used as triggers for process flows within your own software systems.
Ref: https://developer.okta.com/docs/concepts/event-hooks/
Need to know summary
- You will need to know what events you want to send outbound from Okta, such as the "User login to Okta" event.
- You will need to have an Azure subscription to create an Azure Logic App.
- You will need to have a little understanding of HTTP requests, headers, response and body properties.
- You will need administrator access to an Okta tenant to create the event hook.
Create an Azure Logic App and add the "When a HTTP request is received" trigger. Update the trigger Method to receive HTTP "GET" requests. This GET method is a temporary requirement for the verification step; later we will switch this back to POST. You don't need to add any schema at this stage, so you can leave it blank and hit Save. On save, the Logic App will generate the HTTP POST URL; copy it for later, because you will need this URL to tell Okta where to send the hook data. Now add a "Response" action to your app, and add the following response body.
{
  "verification": "@{triggerOutputs()['headers']['x-okta-verification-challenge']}"
}
Your Logic App designer should now look like this.
With the Logic App ready and listening, we can create the Okta Hook and send a test. Log in to your Okta Admin console and go to https://yourdomain-admin.okta.com/admin/workflow/eventhooks. Create a new Event Hook, give it a Name, paste the HTTP POST URL from the Logic App, add optional additional auth if you need it, then select the events you want to send. In my case, I selected User sign in attempt. Hit Save and you should now be asked to Verify your listening Logic App. When you click Verify, Okta will send a test HTTP request to your Logic App and expect it to send back a response with the body {"verification":"nnn-guid-hex-string-thing"}. If your Logic App is configured properly and all goes well, you will get a success message in the Okta UI and your Event Hook will be successfully saved.
To test the Logic App before sending an Okta verification, I sent my own custom verification, like this. I simply sent my own x-okta-verification-challenge header with a random GUID and tested the response, and it clearly worked.
PS /Users/adrw/dev> Invoke-RestMethod -Uri $LogicAppPostURL -Headers @{'x-okta-verification-challenge'=(New-Guid)}
verification
------------
2828833f-df86-4486-9ef1-f2f8ef57ae94
You can also check your Logic App run history and you should see a successful run, looking like this.
At this point we have the Event Hook and the Logic App ready to go. The next step is to go back and modify the Logic App, changing the HTTP method back to POST. This is because Okta will only send System Log events using POST requests. In the Logic Apps designer, add the "Send Data" action, give it a name, and enter your Azure Log Analytics Workspace ID and Key. Then you need to select the events you wish to send. You can either send the entire payload that is coming from Okta, or you can do some filtering here if you only want specific events. In my case, I just want the events object. Now give your Custom Log a name, such as OktaSignInLog, hit Save and you're done. Azure Log Analytics will automatically append _CL to your log name, so in my case I will have a custom log named OktaSignInLog_CL.
Your Logic App designer should now look something like this.
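The two exchanges the Logic App handles (the one-time GET verification and the later POST deliveries) can be modelled offline, as in this added example, which is not the author's Logic App or Okta's code. The function name, the sample event, and the use of an Authorization header carrying a shared secret for the hook's optional auth are assumptions made for illustration.

```python
import hmac
import json

CHALLENGE_HEADER = "x-okta-verification-challenge"

def handle_hook(method, headers, body, shared_secret):
    """Hypothetical receiver: returns (status, response_dict, events_to_forward)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method == "GET":
        # One-time verification: echo the challenge header back as JSON.
        challenge = hdrs.get(CHALLENGE_HEADER)
        if not challenge:
            return 400, {"error": "missing verification challenge"}, []
        return 200, {"verification": challenge}, []
    if method != "POST":
        return 405, {"error": "method not allowed"}, []
    # Assumption: the hook's optional auth is an Authorization header holding
    # a shared secret. Compare in constant time and reject anything else.
    supplied = hdrs.get("authorization", "")
    if not hmac.compare_digest(supplied.encode(), shared_secret.encode()):
        return 401, {"error": "bad or missing auth header"}, []
    try:
        events = json.loads(body)["data"]["events"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "no data.events array in body"}, []
    if not isinstance(events, list):
        return 400, {"error": "data.events is not an array"}, []
    # Forward only the events object, as the article does in "Send Data".
    return 200, {}, events

# Constructed sample delivery: values are made up, only the shape matters.
SAMPLE_BODY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [{
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "alice@example.com"},
    }]},
})

if __name__ == "__main__":
    print(handle_hook("GET", {"X-Okta-Verification-Challenge": "abc-123"}, "", "s3cret"))
    print(handle_hook("POST", {"Authorization": "s3cret"}, SAMPLE_BODY, "s3cret"))
    print(handle_hook("POST", {}, SAMPLE_BODY, "s3cret"))  # rejected with 401
```

A POST without the expected header never reaches the forwarding step, so requests from anyone else who learns the URL do not end up in the custom log.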
Okta will start sending user login session events to your Logic App and your Logic App will start sending them on to Azure Log Analytics. Let's go see them.
Go to your Azure Log Analytics Workspace logs, type in OktaSignInLog_CL and hit Shift+Return (on Mac, or click Run). It can take 5-10 minutes before the data starts to show up, so be patient, grab a coffee and come back. You can also browse to "Custom Logs" in your Workspace to see if the table has been created, and then look at the fields created.
If things went well, you should see some Okta sign in sessions.