Configure Execution Log Streaming
Early Access release
By configuring Okta Workflows to stream detailed execution logs to a SIEM system, you can perform deeper analysis and create alerts for activities related to your flows.
Before you begin
-
You must have super admin privileges to enable the Execution Log Streaming feature for your Okta Workflows org.
-
Review your SIEM system documentation for guidance on configuring streaming events for ingestion by the service.
Start this task
-
In the Workflows Console, open the Settings tab.
-
On the Execution log streaming tab, click Edit to change the configuration settings.
-
Use the toggle to Enable execution log streaming.
-
In the URL field, enter the full ingestion URL of the SIEM recipient: the protocol, the fully qualified host name, the port if it isn't the default for the protocol, and the path of the collector endpoint. Use https:// so that the authorization header you configure later is protected by TLS in transit.
The HTTP Event Collector (HEC) for Splunk Cloud, for example, uses the format <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>, where the endpoint is typically /services/collector/event.
-
Select which events to send to the SIEM recipient. Each record includes the fields specified in the Base Schema plus any metadata specific to the event type.
For security purposes, the email address associated with an event is sent as a hashed value rather than in clear text, so correlate on the hash in your SIEM rather than on the address itself.
Event name and description:
All: All metadata related to the flow (every event type below).
Started: Metadata related to the starting conditions of the flow.
Completed: Metadata recorded when a flow finishes.
Failed: Metadata about a flow failure.
Canceled: Metadata for a canceled flow.
Throttled: Metadata recorded when a flow enters the throttled state.
For details on the metadata sent for each of these event types, see Event metadata for Execution Log Streaming.
-
In the Authorization header (encrypted) section, enter the header key and value pairs needed to authenticate to the SIEM, for example a bearer or collector token. Okta stores these values in encrypted form, but they're transmitted as ordinary HTTP request headers on each streamed event, so pair them with an https:// ingestion URL.
-
If required, use the Other custom headers section for any additional key and value pairs to send with each streamed event, such as a routing or index header. These custom headers aren't stored encrypted, so don't use them for tokens or other secrets.
-
If your SIEM recipient requires the body of each event to be wrapped in a particular structure, use the Custom event body (Optional) field. Enter the JSON that matches the expected body format and put "${event}" (including the quotation marks) where Okta Workflows should insert the event data; the quoted placeholder is replaced by the event's JSON object, not by a string. For example, Splunk HEC requires each event in the following format:
{
  "event": "${event}"
}
To reset the custom event body, click Use default event body to return to the basic format.
-
Click Save to confirm your settings.
-
After the configuration is complete, click Send test event to see an example of your streamed event.
-
Click Send to send the example payload and see the response from the SIEM recipient.
-
When you invoke a flow (either through an API call or through the flow builder interface), Okta Workflows sends the logged events to your SIEM recipient. Go to your SIEM client interface to validate that the logged events appear.
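The following Python script is an added example, not Okta's code or part of this page's original content. It models the procedure above end to end: it takes the values entered on the Execution log streaming tab (an https ingestion URL, the selected event types, an encrypted Authorization header, a plain custom header, and the Splunk-style custom event body), renders the request Okta Workflows would send for one execution event, and then plays the SIEM side to show the checks a receiver should make: verifying the token, unwrapping the "event" envelope, and flagging Failed and Throttled events for alerting. The header names, token value, event fields and the sample event are all constructed for illustration; the real Base Schema fields are documented in Event metadata for Execution Log Streaming.

```python
"""Model of an Okta Workflows execution-log stream (added example, not Okta's code).

Renders the outbound request for one event from the Settings values on this page,
then acts as the SIEM collector to show what a receiver should verify.
"""
import hmac
import json
from typing import Optional
from urllib.parse import urlparse

# Values as entered on the Execution log streaming tab (all constructed).
CONFIG = {
    "url": "https://http-inputs-example.splunkcloud.com:443/services/collector/event",
    "events": {"Started", "Completed", "Failed", "Throttled"},  # Canceled isn't selected
    "auth_headers": {"Authorization": "Splunk 00000000-0000-0000-0000-000000000000"},  # encrypted section
    "custom_headers": {"X-Okta-Org-Id": "00o1234example"},  # plain section; assumed header name
    "body_template": '{\n  "event": "${event}"\n}',  # the Splunk HEC wrapper shown on this page
}

# A constructed execution event. Field names are assumptions, not the real Base Schema.
SAMPLE_EVENT = {
    "eventType": "Failed",
    "flowName": "Deprovision contractor",
    "flowId": "flow-example-1",
    "executionId": "exec-example-9",
    "actor": "f0e1d2c3b4a5968778695a4b3c2d1e0f",  # hashed email, as the page describes
    "error": "Step 3: HTTP 403 from target API",
}


def render_body(template: str, event: dict) -> str:
    """Replace the quoted placeholder "${event}" with the serialized event.

    The quotation marks belong to the placeholder, so the event lands in the
    wrapper as a JSON object rather than as an escaped string. With no template
    the raw event is sent.
    """
    payload = json.dumps(event, separators=(",", ":"))
    if not template:
        return payload
    if '"${event}"' not in template:
        raise ValueError('custom body must contain "${event}" including the quotation marks')
    return template.replace('"${event}"', payload)


def build_request(config: dict, event: dict) -> Optional[dict]:
    """Return the request sent for one event, or None if its type isn't selected."""
    if "All" not in config["events"] and event["eventType"] not in config["events"]:
        return None
    # Authorization headers are stored encrypted in Okta but travel as ordinary
    # HTTP headers, so refuse to send them over plaintext HTTP.
    if urlparse(config["url"]).scheme != "https":
        raise ValueError("use an https:// ingestion URL so the Authorization header is protected by TLS")
    headers = {"Content-Type": "application/json", **config["auth_headers"], **config["custom_headers"]}
    return {"url": config["url"], "headers": headers, "body": render_body(config["body_template"], event)}


# ---- Receiver side: what the SIEM collector does with each request ----

EXPECTED_TOKEN = "00000000-0000-0000-0000-000000000000"  # constructed HEC token


def ingest(request: dict) -> dict:
    """Authenticate the request, unwrap the HEC envelope and flag events worth alerting on."""
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Splunk" or not hmac.compare_digest(token, EXPECTED_TOKEN):
        return {"status": 401, "alert": False}
    envelope = json.loads(request["body"])
    event = envelope.get("event")
    if not isinstance(event, dict):  # a string here means the placeholder lost its quotes
        return {"status": 400, "alert": False}
    # The org ID isn't part of the event; it's only available from the custom header.
    event["orgId"] = request["headers"].get("X-Okta-Org-Id")
    alert = event.get("eventType") in ("Failed", "Throttled")
    return {"status": 200, "alert": alert, "event": event}


if __name__ == "__main__":
    req = build_request(CONFIG, SAMPLE_EVENT)
    print(req["body"])
    print(ingest(req))
```

The receiver compares the token with hmac.compare_digest rather than == to avoid a timing side channel, and it treats a string-valued "event" as a configuration error, which is the symptom you see when "${event}" is entered without its quotation marks.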
Limitations and known issues
-
There's a maximum limit on the total number of execution events that can be streamed to your SIEM recipient.
-
The streamed events don't include your Okta org ID or the user ID. If your SIEM needs these values, add them as separate key and value pairs, for example in the Other custom headers section.