Mappings: Okta Authentication - sso
| Input | Value |
|---|---|
| Vendor | Okta |
| Product | SSO |
| Log Format | JSON |
| Event ID Regex Pattern | user\.authentication\.sso* |
| Output | Value |
|---|---|
| Vendor | Okta |
| Product | Single Sign-On |
| Record Type | Authentication |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| application | target.1.alternateId | |
| cause | outcome.reason | |
| description | displayMessage | |
| device_ip | client.ipAddress | |
| normalizedAction | None | The static text logon is populated in this schema field. |
| sessionId | authenticationContext.externalSessionId | |
| severity | severity | |
| srcDevice_ip | request.ipChain.1.ip | |
| success | outcome.result | This is a lookup field. More info to come in the catalog later... |
| user_authDomain | securityContext.domain | |
| user_userId | actor.id | |
| user_username | user |