What Changed
Adds a new ASIM Authentication parser for the Okta OktaSystemLogs table, providing normalized, schema-compliant processing of authentication events.
Parser Impact
This parser adds Okta authentication event visibility to the ASIM normalized Authentication schema. The parser processes user.session.start and user.session.end events from the OktaSystemLogs table, mapping Okta-specific fields to standardized ASIM field names.
Key normalization capabilities:
- Maps Okta authentication outcome codes to standard EventResultDetails
- Normalizes device type classifications (Computer, Mobile Device)
- Extracts geolocation and ISP context from Okta events
- Provides filtering parameters for targeted authentication analysis
Detection Surface Unlocked
SOC teams can now leverage existing ASIM Authentication detection rules against Okta authentication events without source-specific modifications. The parser enables:
- Cross-platform authentication correlation using normalized field names
- Consistent user behavior analysis across multiple identity providers
- Simplified hunting queries targeting authentication patterns regardless of source system
- Integration with ASIM-based detections for credential-based attack scenarios
Full (ASimAuthenticationOktaSystemLogs) and filtering (vimAuthenticationOktaSystemLogs) parser variants are both available, supporting comprehensive analysis and performance-optimized queries respectively.
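A source-agnostic hunt of the kind described above, written here as an added example (it is not part of this change or of the repository's detection content): it groups failed Okta logons by source to surface one address failing against many accounts. The field names are standard ASIM Authentication schema fields; that this parser populates each of them, and the lookback, window and threshold values, are assumptions to check and tune.

```kql
// Added example, not shipped with the parser.
// Assumptions: the parser populates TargetUsername, SrcIpAddr, SrcGeoCountry,
// SrcIsp and SrcDeviceType; lookback, window and threshold are placeholders.
let lookback = 1d;
let window = 1h;
let minDistinctUsers = 10;
ASimAuthenticationOktaSystemLogs()
| where TimeGenerated > ago(lookback)
// Normalized values: the same filter works against any ASIM Authentication source.
| where EventType == "Logon" and EventResult == "Failure"
| where isnotempty(SrcIpAddr) and isnotempty(TargetUsername)
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(TargetUsername),
    SampleUsers    = make_set(TargetUsername, 20),
    FailureReasons = make_set(EventResultDetails, 10),
    DeviceTypes    = make_set(SrcDeviceType, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by SrcIpAddr, SrcGeoCountry, SrcIsp, Window = bin(TimeGenerated, window)
// One source failing against many distinct accounts in a single window.
| where DistinctUsers >= minDistinctUsers
| order by DistinctUsers desc, FailedAttempts desc
```

Replacing the parser name with the unifying imAuthentication parser runs the same logic across every deployed authentication source.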
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/OktaSystemLogs.json
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaSystemLogs/ASimAuthenticationOktaSystemLogs.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaSystemLogs/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationOktaSystemLogs/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationOktaSystemLogs/vimAuthenticationOktaSystemLogs.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationOktaSystemLogs.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationOktaSystemLogs.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaSystemLogs.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaSystemLogs.yaml