Okta Add-on — Extended Authentication Event Coverage and Field Mapping Improvements

What is a one sentence summary of your feature request?

Extend the Okta add-on with additional authentication eventTypes and improve the Where/What field mapping in transformer.json.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The current add-on ships with three queries: user.authentication.sso, user.session.start, and user.authentication.verify. This covers basic login events but leaves significant gaps in authentication visibility.

I would like to propose the following additional eventTypes:

Session lifecycle:

  • user.session.end
  • user.session.clear
  • user.session.access_admin_app

MFA and sign-on policy:

  • user.authentication.auth_via_mfa (covers all MFA methods: Okta Verify push, TOTP, Google Authenticator, hardware tokens, etc.)
  • policy.evaluate_sign_on
  • application.policy.sign_on.deny_access

MFA push notifications:

  • system.push.send_factor_verify_push

Administrative actions:

  • eventType sw "system.admin"

The sw (starts with) operator captures all current and future Okta administrative eventTypes in a single filter.

Note: TOTP-based methods do not generate a dedicated send eventType in the Okta System Log, as the code is computed locally on the user’s device. All MFA outcomes are captured under user.authentication.auth_via_mfa.

Additionally, in the current transformer.json both the What and Where fields are mapped to client.ipAddress, resulting in identical values for every event. For SSO events, target[0].displayName (destination application name) would be a more meaningful value for the Where field.

Reference: Common System Log filters | Okta Identity Engine

How do you currently solve the challenges you have by not having this feature?

Currently there is no workaround. The missing eventTypes are simply not collected, resulting in incomplete authentication audit trails. The Where/What duplication is not configurable from the Netwrix Auditor interface.
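An added illustration of the request above (not part of the original post, and not Netwrix or Okta code): a Python sketch that builds a single System Log filter from the listed eventTypes and derives the Where value from target[0].displayName, falling back to client.ipAddress when an event has no target. The function names, the fallback behaviour and the sample events are assumptions; the transformer.json syntax itself is not shown here.

```python
import re

# eventTypes from the post: the three shipped queries plus the proposed additions.
EXACT = [
    "user.authentication.sso", "user.session.start", "user.authentication.verify",
    "user.session.end", "user.session.clear", "user.session.access_admin_app",
    "user.authentication.auth_via_mfa", "policy.evaluate_sign_on",
    "application.policy.sign_on.deny_access", "system.push.send_factor_verify_push",
]
PREFIXES = ["system.admin"]  # matched with sw (starts with)
_SAFE = re.compile(r"^[A-Za-z0-9_.]+$")


def build_filter(exact=EXACT, prefixes=PREFIXES):
    """Build one filter expression, OR-ing the eq and sw clauses."""
    for value in [*exact, *prefixes]:
        if not _SAFE.match(value):  # keep quotes and spaces out of the expression
            raise ValueError(f"unexpected eventType value: {value!r}")
    clauses = [f'eventType eq "{v}"' for v in exact]
    clauses += [f'eventType sw "{v}"' for v in prefixes]
    return " or ".join(clauses)


def derive_where(event):
    """Where = target[0].displayName, else client.ipAddress (the current mapping)."""
    targets = event.get("target") or []  # target may be absent or null
    if targets and targets[0].get("displayName"):
        return targets[0]["displayName"]
    return (event.get("client") or {}).get("ipAddress")


# Constructed sample events; field names follow the System Log event layout.
SSO_EVENT = {
    "eventType": "user.authentication.sso",
    "client": {"ipAddress": "203.0.113.10"},
    "target": [{"type": "AppInstance", "displayName": "Example HR App"}],
}
SESSION_EVENT = {
    "eventType": "user.session.start",
    "client": {"ipAddress": "203.0.113.10"},
    "target": None,
}

if __name__ == "__main__":
    print(build_filter())
    for ev in (SSO_EVENT, SESSION_EVENT):
        print(ev["eventType"], "->", derive_where(ev))
```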

Hi Giuliano,

Thank you for the detailed feedback.

Most of the requested changes should be technically possible through customization of the add-on configuration and transformer mappings. The Netwrix Support team can guide you on which files and mappings can be adjusted, what additional eventTypes can be added safely, and what logs/configuration samples would be useful for validation and testing.

We appreciate the detailed examples and rationale you provided — this is very valuable input for further product improvements.

Best regards,
Evgenii