Getting Started

How to Connect Okta System Log to Xpernix

Wire Okta System Log streaming into your Xpernix tenant so authentication, MFA, and admin events are available for detection and compliance reporting.

Last updated: May 2026

Overview

Okta is often the front door to AWS, SaaS, and VPN. If Okta events are missing from your SIEM, you are blind to half the modern breach path.

Estimated time: 30–45 minutes
Required: Okta Super Admin or a delegated admin who can create API service integrations


Step 1: Create the Okta API Service Integration

In Okta Admin Console:

  1. Go to Applications → Applications → Create App Integration.
  2. Choose API Services and name it Xpernix SIEM (read-only).
  3. Under API scopes, grant the minimum needed for System Log read (follow the principle of least privilege in your org’s policy).
  4. Save the client ID and private key (JWT auth) or client secret, depending on the auth method your Xpernix onboarding doc specifies.

Store credentials in your password manager until they are pasted into Xpernix—do not commit them to git.


Step 2: Register the Integration in Xpernix

  1. Log in to the Xpernix portal.
  2. Navigate to Integrations → Log Sources → Add Connector → Okta.
  3. Enter your Okta domain (e.g. company.okta.com), issuer, and credentials from Step 1.
  4. Run the built-in Test Connection; fix scope or clock skew errors before saving.

If you are also shipping AWS CloudTrail via S3, map both sources to the same customer workspace so analysts can correlate AssumeRole with Okta logins.


Step 3: Validate Event Delivery

  1. Open Live Stream filtered to source = okta.
  2. Perform a controlled test: MFA enrollment, failed password, or admin policy change.
  3. Confirm fields such as event_type, actor, outcome, and client.ip are populated.

If events are delayed more than a few minutes, check Okta rate limits and whether a network egress allowlist is required.


Step 4: Enable Default Okta Detections

Start with high-signal rules (MFA reset storms, new admin roles, token grants to unknown OAuth clients). Use Backtest (see How to Configure Custom Alert Rules) before turning on noisy geography rules for a distributed team.
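
The logic behind an "MFA reset storm" rule (one actor resetting MFA for many distinct users in a short window), sketched in Python as an added example; it is not Xpernix rule code and not part of the original guide. It assumes events in Okta's native System Log JSON shape; the sample events, the threshold of 5, and the 10-minute window are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Okta System Log event types that record an MFA factor reset.
RESET_ALL, DEACTIVATE = "user.mfa.factor.reset_all", "user.mfa.factor.deactivate"
RESET_TYPES = {RESET_ALL, DEACTIVATE}

def make_event(ts, event_type, actor, target, result="SUCCESS"):
    """Build a constructed event using Okta's native System Log field names."""
    return {"published": "2026-05-04T" + ts + ".000Z", "eventType": event_type,
            "actor": {"alternateId": actor},
            "target": [{"type": "User", "alternateId": target}],
            "outcome": {"result": result}}

# Constructed sample data (not real logs): a helpdesk account resets five users in 4 minutes.
HD, ADM = "helpdesk@example.com", "admin2@example.com"
SAMPLE_EVENTS = [
    make_event("08:59:00", "user.session.start", HD, HD),
    make_event("09:00:00", RESET_ALL, HD, "u1@example.com"),
    make_event("09:01:00", RESET_ALL, HD, "u2@example.com"),
    make_event("09:02:00", RESET_ALL, HD, "u3@example.com"),
    make_event("09:02:30", RESET_ALL, HD, "u4@example.com", result="FAILURE"),
    make_event("09:03:00", DEACTIVATE, HD, "u5@example.com"),
    make_event("09:04:00", RESET_ALL, HD, "u6@example.com"),
    make_event("09:05:00", RESET_ALL, ADM, "u7@example.com"),
    make_event("09:30:00", RESET_ALL, ADM, "u8@example.com"),
]

def parse_ts(value):
    # Okta timestamps end in "Z"; normalise for datetime.fromisoformat on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_reset_storms(events, threshold=5, window_minutes=10):
    """Alert once per actor who resets MFA for >= threshold distinct users within the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # actor -> (time, target user) pairs still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        if ev["eventType"] not in RESET_TYPES or ev["outcome"]["result"] != "SUCCESS":
            continue  # ignore unrelated events and failed reset attempts
        actor, now = ev["actor"]["alternateId"], parse_ts(ev["published"])
        q = recent[actor]
        q.extend((now, t["alternateId"]) for t in ev["target"] if t["type"] == "User")
        while q and now - q[0][0] > window:
            q.popleft()  # drop resets that have aged out of the window
        users = sorted({user for _, user in q})
        if len(users) >= threshold and actor not in alerts:
            alerts[actor] = {"actor": actor, "window_start": q[0][0].isoformat(), "users": users}
    return list(alerts.values())
```

Counting distinct target users rather than raw events keeps a single user's repeated resets from tripping the rule, and skipping failed outcomes keeps denied attempts out of the count.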


Step 5: Document Retention for Auditors

Agree in writing on:

  • How long Okta logs stay in hot storage vs. archive.
  • Who can request exports.
  • How deletion requests are honored without breaking incident investigations.

Need Help?

Xpernix can help you validate Okta coverage against your real AWS and SaaS footprint. Reach out in your dedicated channel or book a discovery call if you want help wiring identity logs end-to-end.
