@adrwh
Last active September 2, 2022 18:19

Send Okta Event Hooks to Azure Log Analytics

In this article we are going to send events from the Okta System Log to Azure Log Analytics using Okta Event Hooks and Azure Logic Apps.

What are Okta event hooks?

Event hooks are outbound calls from Okta, sent when specified events occur in your org. They take the form of HTTPS REST calls to a URL you specify, encapsulating information about the events in JSON objects in the request body. These calls from Okta are meant to be used as triggers for process flows within your own software systems.

Ref: https://developer.okta.com/docs/concepts/event-hooks/

Need to know summary

  • You will need to know what events you want to send outbound from Okta, such as the "User login to Okta" event.
  • You will need to have an Azure subscription to create an Azure Logic App.
  • You will need to have a little understanding of HTTP requests, headers, response and body properties.
  • You will need administrator access to an Okta tenant to create the event hook.

Let's get started

First Step

Create an Azure Logic App and add the "When a HTTP request is received" trigger. Change the trigger's Method to HTTP "GET". The GET method is a temporary requirement for the verification step; later we will switch it back to POST. You don't need to add a schema at this stage; leave it blank and hit Save. On save, the Logic App generates the HTTP POST URL; copy it for later, because you will need it to tell Okta where to send the hook data. That URL carries a shared access signature, so treat it like a credential. Now add a "Response" action to your app with the following response body (in the designer you enter the expression as a token; in code view it appears wrapped as @{...}).

```json
{
    "verification": "@{triggerOutputs()['headers']['x-okta-verification-challenge']}"
}
```

Your Logic App designer should now look like this.

logic_app_designer

Second Step

With the Logic App ready and listening, we can create the Okta Event Hook and send a test. Log in to your Okta Admin Console and go to https://yourdomain-admin.okta.com/admin/workflow/eventhooks. Create a new Event Hook, give it a Name, paste the HTTP POST URL from the Logic App, optionally add an authentication header if you need one, then select the events you want to send. In my case, I selected User sign in attempt, hit Save, and you should now be asked to Verify your listening Logic App. When you click Verify, Okta sends a test HTTP request to your Logic App and expects a response of the form {"verification":"nnn-guid-hex-string-thing"}. If your Logic App is configured properly and all goes well, you will get a success message in the Okta UI and your Event Hook will be saved.

What I did to test the Logic App prior to sending an Okta verification was send my own custom verification, like this. I simply sent my own x-okta-verification-challenge header with a random GUID and tested the response, which clearly worked.

```powershell
PS /Users/adrw/dev> Invoke-RestMethod -Uri $LogicAppPostURL -Headers @{'x-okta-verification-challenge'=(New-Guid)}

verification
------------
2828833f-df86-4486-9ef1-f2f8ef57ae94
```

You can also check your Logic App run history and you should see a successful run, looking like this.

logic_app_verification
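To make the handshake and the delivery format concrete, here is an added example (my own code, not part of the original gist and not Okta's or Microsoft's) of a listener that behaves like the Logic App above: on GET it echoes the x-okta-verification-challenge header back as the "verification" field, on POST it pulls the events out of the hook body. It assumes the hook was created with a custom auth header named Authorization carrying HOOK_SECRET, and that only user.session.start events are of interest; the secret, the header name and the sample delivery body are constructed for the example.

```python
"""Added example: a minimal Okta event hook listener modelled on the Logic App
in this article. Not Okta's or Microsoft's code. Assumptions not taken from the
article: the hook sends a custom 'Authorization' header equal to HOOK_SECRET,
and only 'user.session.start' events are forwarded."""
import hmac
import json

HOOK_SECRET = "constructed-shared-secret"        # constructed; the value set in the hook's auth field
FORWARD_EVENT_TYPES = {"user.session.start"}    # assumption: forward sign-in events only


def _authorized(headers):
    """Constant-time compare of the hook's auth header against the configured secret."""
    supplied = headers.get("authorization", "")
    return hmac.compare_digest(supplied, HOOK_SECRET)


def flatten_event(event):
    """Pick the fields a sign-in row in the custom log should carry."""
    return {
        "published": event.get("published"),
        "eventType": event.get("eventType"),
        "outcome": event.get("outcome", {}).get("result"),
        "actor": event.get("actor", {}).get("alternateId"),
        "clientIp": event.get("client", {}).get("ipAddress"),
    }


def handle_request(method, headers, body=None):
    """Return (status, response_json) the way the listener answers Okta.

    GET  -> one-time verification: echo x-okta-verification-challenge
    POST -> event delivery: take data.events and keep the wanted event types
    """
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not _authorized(headers):
        return 401, {"error": "bad or missing auth header"}
    if method == "GET":
        challenge = headers.get("x-okta-verification-challenge")
        if not challenge:
            return 400, {"error": "missing x-okta-verification-challenge"}
        return 200, {"verification": challenge}
    if method == "POST":
        try:
            payload = json.loads(body or "")
        except json.JSONDecodeError:
            return 400, {"error": "body is not JSON"}
        if not isinstance(payload, dict):
            return 400, {"error": "unexpected body shape"}
        events = payload.get("data", {}).get("events", [])
        rows = [flatten_event(e) for e in events if e.get("eventType") in FORWARD_EVENT_TYPES]
        return 200, {"forwarded": rows}
    return 405, {"error": f"method {method} not allowed"}


# Constructed sample delivery in the shape of an event hook POST body (all values invented).
SAMPLE_DELIVERY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"published": "2022-09-02T18:00:00.000Z", "eventType": "user.session.start",
         "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
         "client": {"ipAddress": "203.0.113.10"}},
        {"published": "2022-09-02T18:00:05.000Z", "eventType": "user.session.start",
         "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
         "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}},
        {"published": "2022-09-02T18:00:09.000Z", "eventType": "user.account.update_profile",
         "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
         "client": {"ipAddress": "203.0.113.10"}},
    ]},
})

if __name__ == "__main__":
    print(handle_request("GET", {"Authorization": HOOK_SECRET,
                                 "X-Okta-Verification-Challenge": "challenge-123"}))
    print(handle_request("POST", {"Authorization": HOOK_SECRET}, SAMPLE_DELIVERY))
```

The auth-header check is the part the Logic App in the article leaves optional; without it, anyone holding the trigger URL can post fabricated sign-in rows into your custom log, which is why the example rejects unauthenticated requests before touching the body.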

Third Step

At this point we have the Event Hook and the Logic App ready to go. Next we need to go back and modify the Logic App, changing the HTTP method back to POST, because Okta only sends System Log events using POST requests. In the Logic Apps designer, add the "Send Data" action, give it a name, and enter your Azure Log Analytics Workspace ID and Key (the key is a credential, so keep it out of screenshots and notes). Then select the data you wish to send. You can either send the entire payload coming from Okta, or do some filtering here if you only want specific events. In my case, I just want the events object. Now give your Custom Log a name, such as OktaSignInLog, hit Save and you're done. Azure Log Analytics automatically appends _CL to your log name, so in my case I will have a custom log named OktaSignInLog_CL.

Your Logic App designer should now look something like this.

logic_app_designer_complete

Okta will now start sending user sign-in events to your Logic App, and your Logic App will forward them to Azure Log Analytics. Let's go see them.
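For anyone who wants to see what the "Send Data" action is doing with the Workspace ID and Key, here is an added example (my own code, not the connector's and not Microsoft's) of the request signing for the Log Analytics HTTP Data Collector API, which as far as I know is the API that action calls. The workspace ID, the key, the timestamp and the sample rows are all constructed; the Log-Type value is the name you give the custom log, and the workspace adds the _CL suffix exactly as described above.

```python
"""Added example: signing a Log Analytics Data Collector API request, the call the
Send Data action makes on your behalf. Not Microsoft's code. All credentials and
data below are constructed placeholders."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"   # constructed placeholder
SHARED_KEY = base64.b64encode(b"\x01" * 32).decode()   # constructed; real keys are base64 too
LOG_TYPE = "OktaSignInLog"                             # becomes OktaSignInLog_CL in the workspace
FIXED_TIME = datetime(2022, 9, 2, 18, 19, 0, tzinfo=timezone.utc)  # constructed, for repeatability


def rfc1123(dt):
    """x-ms-date must be an RFC 1123 timestamp in GMT."""
    return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_signature(workspace_id, shared_key_b64, date_rfc1123, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """Authorization value: 'SharedKey <workspaceId>:<base64(HMAC-SHA256(key, string_to_sign))>'."""
    string_to_sign = "\n".join([method, str(content_length), content_type,
                                f"x-ms-date:{date_rfc1123}", resource])
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"


def build_request(workspace_id, shared_key_b64, log_type, rows, now=None):
    """Return (url, headers, body) for one Data Collector API call carrying `rows`."""
    body = json.dumps(rows).encode("utf-8")
    date = rfc1123(now or datetime.now(timezone.utc))
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def verify_signature(workspace_id, shared_key_b64, headers, body):
    """Recompute the signature for a captured request and compare it in constant time."""
    expected = build_signature(workspace_id, shared_key_b64, headers["x-ms-date"], len(body))
    return hmac.compare_digest(expected, headers.get("Authorization", ""))


# Constructed rows shaped like flattened sign-in events the Logic App would forward.
SAMPLE_ROWS = [
    {"published": "2022-09-02T18:00:00.000Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "actor": "alice@example.com", "clientIp": "203.0.113.10"},
    {"published": "2022-09-02T18:00:05.000Z", "eventType": "user.session.start",
     "outcome": "FAILURE", "actor": "bob@example.com", "clientIp": "198.51.100.7"},
]

if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, LOG_TYPE, SAMPLE_ROWS, now=FIXED_TIME)
    print(url)
    print(headers["Authorization"])
    print("verifies:", verify_signature(WORKSPACE_ID, SHARED_KEY, headers, body))
```

Because the signature covers the content length and the timestamp, a captured request cannot be replayed with a different body, which is the property that makes leaking the Workspace Key (and not merely the workspace ID) the thing to guard against.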

Fourth Step

Go to your Azure Log Analytics Workspace logs, type in OktaSignInLog_CL and hit Shift+Return (on Mac, or click Run). It can take 5-10 minutes before the data starts to show up, so be patient; grab a coffee and come back. You can also browse to "Custom Logs" in your Workspace to see if the table has been created and then look at the fields that were created.

If things went well, you should see some Okta sign-in sessions.

az_log_analytics_oktasigninlog
