CIM compatibility of Okta System Logs¶

The table below describes the CIM data models mapped to respective Okta System Log eventTypes as of version 2.0.0 of the Splunk Add-on for Okta Identity Cloud.

Okta System Log eventType	CIM data model mapped
`system.org.rate_limit.warning`, `system.agent.ad.write_ldap`, `system.import.incremental_converted_to_full`, `application.provision.group_push.mapping.update.or.delete.failed.with.error`, `system.agent.ad.write_ldap`, `system.org.rate_limit.violation`, `app.oauth2.token.detect_reuse`, `system.operation.rate_limit.violation`, `core.concurrency.org.limit.violation`, `system.email.new_device_notification.sent_message`, `user.account.report_suspicious_activity_by_enduser`	Alerts
`user.session.start`, `user.authentication.verify`, `user.authentication.sso`, `user.authentication.auth_via_mfa`, `user.authentication.auth_via_mfa`, `user.session.start`, `app.oauth2.authorize.code`, `policy.evaluate_sign_on`, `app.oauth2.authorize`, `app.generic.unauth_app_access_attempt`, `policy.evaluate_sign_on`, `policy.evaluate_sign_on`, `app.oauth2.as.authorize.implicit.access_token`, `app.oauth2.as.authorize.implicit.id_token`, `user.authentication.auth_via_social`, `app.oauth2.as.authorize.code`, `app.oauth2.as.authorize`, `user.mfa.okta_verify.deny_push`, `user.authentication.auth_via_radius`, `user.authentication.auth_via_AD_agent`, `user.authentication.auth_via_IDP`, `app.oauth2.authorize.implicit.id_token`, `application.policy.sign_on.deny_access`, `app.access_request.expire`, `system.push.send_factor_verify_push`	Authentication
`app.oauth2.credentials.lifecycle.delete`, `app.oauth2.client.lifecycle.delete`, `app.oauth2.client.lifecycle.deactivate`, `app.oauth2.client.lifecycle.activate`, `app.oauth2.client.lifecycle.create`, `app.oauth2.credentials.lifecycle.create`, `policy.mapping.create`, `app.oauth2.client.lifecycle.update`, `app.oauth2.token.grant.access_token`, `application.lifecycle.deactivate`, `application.user_membership.add`, `system.agent.ad.connect`, `app.oauth2.token.grant.id_token`, `group.user_membership.remove`, `policy.rule.add`, `application.lifecycle.create`, `directory.mapping.update`, `directory.app_user_profile.bootstrap`, `system.import.user.create`, `application.provision.user.deprovision`, `application.provision.user.deactivate`, `system.import.user.delete`, `application.user_membership.remove`, `system.import.group.create`, `app.user_management.user_group_import.upsert_success`, `system.agent.ad.import_user`, `system.import.group.delete`, `app.user_management.user_group_import.delete_success`, `group.application_assignment.remove`, `system.import.roadblock.updated`, `app.oauth2.token.grant.refresh_token`, `system.agent.ad.connect`, `policy.rule.update`, `policy.lifecycle.update`, `system.email.challenge_factor_redeemed`, `policy.lifecycle.create`, `system.agent.ad.realtimesync`, `application.provision.user.push_profile`, `application.user_membership.update`, `policy.lifecycle.delete`, `system.agent.ad.start`, `policy.rule.deactivate`, `system.api_token.create`, `application.user_membership.change_password`, `application.lifecycle.delete`, `group.application_assignment.update`, `group.application_assignment.add`, `directory.app_user_profile.update`, `self_service.disabled`, `application.lifecycle.update`, `application.provision.group_push.delete_appgroup`, `application.provision.group_push.push_memberships`, `application.provision.group_push.mapping.created`, `system.import.group.update`, `system.agent.ad.reactivate`, `system.api_token.enable`, `system.api_token.revoke`, `system.agent.ad.deactivate`, `application.provision.user.push`, `application.provision.field_mapping_rule.change`, `system.import.custom_object.create`, `system.agent.ad.create`, `group.profile.update`, `iam.resourceset.bindings.add`, `iam.resourceset.create`, `directory.user_profile.update`, `directory.non_default_user_profile.create`, `system.mfa.factor.activate`, `self_service.enabled`, `oauth2.as.created`, `directory.linked_object.create`, `security.threat.configuration.update`, `zone.create`, `directory.user_profile.bootstrap`, `system.brand.create`, `app.oauth2.credentials.lifecycle.deactivate`, `app.oauth2.credentials.lifecycle.activate`, `application.configuration.enable_fed_broker_mode`, `system.api_token.update`, `oauth2.as.deleted`, `app.oauth2.api_resource.delete`, `oauth2.claim.deleted`, `oauth2.scope.deleted`, `oauth2.as.deactivated`, `oauth2.scope.updated`, `oauth2.as.updated`, `oauth2.claim.created`, `policy.lifecycle.deactivate`, `policy.lifecycle.activate`, `security.authenticator.lifecycle.activate`, `security.authenticator.lifecycle.update`, `application.lifecycle.activate`, `system.log_stream.lifecycle.delete`, `iam.role.create`, `application.configuration.disable_fed_broker_mode`, `system.log_stream.lifecycle.deactivate`, `system.log_stream.lifecycle.create`, `system.log_stream.lifecycle.activate`, `system.log_stream.lifecycle.update`, `device.lifecycle.activate`, `device.enrollment.create`, `app.oauth2.as.token.grant.access_token`, `oauth2.scope.created`, `group.user_membership.add`, `group.lifecycle.create`, `group.lifecycle.delete`, `device.lifecycle.delete`, `device.lifecycle.deactivate`, `device.lifecycle.unsuspend`, `device.lifecycle.suspend`, `application.user_membership.restore_password`, `application.user_membership.restore`, `application.configuration.update_logo`, `application.configuration.reset_logo`, `application.policy.sign_on.rule.create`, `plugin.script_status`, `policy.rule.activate`, `system.import.user.update`, `application.provision.user.reactivate`, `application.user_membership.change_username`, `system.agent.ad.update_user`, `app.oauth2.trusted_server.delete`, `app.oauth2.trusted_server.add`, `app.access_request.approver.deny`, `app.access_request.deny`, `app.access_request.delete`, `security.behavior.settings.update`, `system.idp.lifecycle.delete`, `system.idp.lifecycle.create`, `system.idp.lifecycle.activate`, `system.idp.lifecycle.deactivate`, `policy.rule.delete`	All_Changes
`user.session.end`, `app.oauth2.token.grant`, `app.oauth2.admin.consent.revoke`, `system.sms.send_account_unlock_message`, `user.account.lock`, `app.oauth2.token.revoke`, `user.mfa.factor.activate`, `system.sms.send_phone_verification_message`, `user.account.update_password`, `user.account.update_profile`, `user.lifecycle.unsuspend`, `user.lifecycle.suspend`, `user.lifecycle.create`, `system.import.complete`, `system.import.group_membership.complete`, `system.import.group.complete`, `system.import.user.complete`, `system.import.user_matching.complete`, `system.import.complete_batch`, `system.import.user_matching.start`, `system.import.membership_processing.complete`, `system.import.membership_processing.start`, `app.user_management`, `system.import.implicit_deletion.start`, `system.import.implicit_deletion.complete`, `system.sms.send_factor_verify_message`, `user.account.unlock_by_admin`, `user.account.unlock`, `user.lifecycle.reactivate`, `system.import.custom_object.complete`, `user.lifecycle.deactivate`, `user.account.privilege.revoke`, `app.user_management.push_new_user_success`, `user.account.privilege.grant`, `user.lifecycle.activate`, `app.oauth2.admin.consent.grant`, `device.user.add`, `app.oauth2.as.token.grant`, `app.oauth2.as.consent.revoke.implicit.client`, `user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `user.account.reset_password`, `user.mfa.factor.unsuspend`, `user.mfa.factor.suspend`, `system.sms.send_okta_push_verify_message`, `app.realtimesync.import.details.update_user`, `system.sms.send_password_reset_message`, `user.account.update_secondary_email`, `system.agent.ad.reset_user_password`, `user.mfa.factor.update`, `app.access_request.request`, `app.access_request.approver.approve`, `device.user.remove`, `user.account.expire_password`	Account_Management
`security.request.blocked`	Network Traffic