
Hi, I am trying to use the Okta Events API to extract MFA registration and reset events, pump them into a SIEM engine, and send the user alerts. We want to make users aware of enrollment and reset events surrounding Okta MFA where Okta is authoritative for that MFA factor enrollment or reset.

We would like to send out emails stating something like these:

  • You just registered an SMS number
  • You just enabled push message MFA
  • You just reset your MFA settings through self service

I was looking through the Okta Events API doc online. No bueno. http://developer.okta.com/docs/api/rest/events.html

I am hoping it's logged, or at least there is a trap for logging it, but maybe it's not exposed in the events service. Anyone have any ideas?

1 Answer


The best approach to get any log information is to perform the events you want to capture for a test user and grab the Okta events published after the start time.

For example, I performed the following events for the user mfa@thomas-kirk.com from the end user settings page (https://{org}.okta.com/enduser/settings):

  1. Setup Google Authenticator Factor
  2. Updated my Security Question Factor
  3. Reset Google Authenticator Factor

I then used Postman to pull all events after the start time of testing:

/api/v1/events?limit=100&filter=published gt "2015-04-17T18:21:00.000Z"

You can see the following output for reference:

[
   {
      "eventId": "tevz7MzV49UT8CkaAY7LwOB_g1429294862000",
      "sessionId": "s03khgvyS6nRr61bjallafGHQ",
      "requestId": "VTFPDoXpXQ9fcy12eMvbwgAAA6o",
      "published": "2015-04-17T18:21:02.000Z",
      "action": {
         "message": "User set up Google Authenticator factor",
         "categories": [],
         "objectType": "core.user.factor.activate",
         "requestUri": "/user/settings/factors/soft_token/phone_verify"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   },
   {
      "eventId": "tevw_-4GuDETaugWP-m-g7e9w1429294973000",
      "sessionId": "s03khgvyS6nRr61bjallafGHQ",
      "requestId": "VTFPfXHotREXVB8lhZ@XTAAABLc",
      "published": "2015-04-17T18:22:53.000Z",
      "action": {
         "message": "User updated Security Question factor",
         "categories": [],
         "objectType": "core.user.factor.update",
         "requestUri": "/user/settings/security_question_factor/create"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   },
   {
      "eventId": "tevszF5O0FwTl6Kh3VPuD43zQ1429295053000",
      "sessionId": "s03khgvyS6nRr61bjallafGHQ",
      "requestId": "VTFPzX72Bs3H2qU5ZzXavQAACiE",
      "published": "2015-04-17T18:24:13.000Z",
      "action": {
         "message": "User reset Google Authenticator factor",
         "categories": [],
         "objectType": "core.user.factor.deactivate",
         "requestUri": "/user/settings/factors/soft_token/phone_deactivate"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   },
   {
      "eventId": "tev9bJOoEHAQEK101ZkEBAnvw1429295150000",
      "sessionId": "s01XrjTEzTcRdGT1Zb7FkiOxw",
      "requestId": "VTFQLn72Bs3H2qU5ZzXeIwAACeA",
      "published": "2015-04-17T18:25:50.000Z",
      "action": {
         "message": "User set up Google Authenticator factor",
         "categories": [],
         "objectType": "core.user.factor.activate",
         "requestUri": "/user/settings/factors/soft_token/phone_verify"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   }
]

Which means the object types to query are:

  1. Setup Google Authenticator Factor: "core.user.factor.activate"
  2. Updated my Security Question Factor: "core.user.factor.update"
  3. Reset Google Authenticator Factor: "core.user.factor.deactivate"

Also to note: you can't rely on the Events API for live data. Okta's events can get behind because of ETL. I have seen the Events API fall behind by hours.

Thomas Kirk
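The procedure in the answer (filter on `published`, then key off `action.objectType`) and its caveat about ETL lag, carried into working code as an added example that is not part of the question or the answer. It builds the same `published gt "..."` filter the answer shows, turns the three observed object types into user-facing alert records, and handles the lag by polling from the newest seen timestamp minus an overlap window while de-duplicating on `eventId`. The sample events are constructed in the shape of the answer's output (IDs, user agent and IP address are placeholders); the alert wording and the six-hour lag window are assumptions, and the non-factor event type used to show filtering is constructed. Nothing here calls the network; feed `factor_alerts` the parsed JSON body of a real `/api/v1/events` response.

```python
"""Added example (not from the question or answer): classify Okta Events API
factor events into MFA alerts, polling with overlap + eventId dedupe so the
ETL lag the answer warns about does not drop events."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# objectType values observed in the answer, mapped to notification text (wording is assumed).
FACTOR_EVENT_MESSAGES = {
    "core.user.factor.activate": "You just enrolled a new MFA factor",
    "core.user.factor.update": "You just updated an MFA factor",
    "core.user.factor.deactivate": "You just reset an MFA factor",
}


def build_events_query(since: datetime, limit: int = 100) -> str:
    """Query string for GET /api/v1/events, same filter shape as the answer's Postman call."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return "/api/v1/events?" + urlencode({"limit": limit, "filter": f'published gt "{stamp}"'})


def parse_published(stamp: str) -> datetime:
    """Okta 'published' timestamps are UTC, millisecond precision, trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def factor_alerts(events: list, seen_event_ids: set) -> list:
    """Return one alert dict per factor event, skipping other event types and
    any eventId already processed (overlapping polls return repeats)."""
    alerts = []
    for ev in events:
        if ev["eventId"] in seen_event_ids:
            continue
        seen_event_ids.add(ev["eventId"])
        object_type = ev["action"]["objectType"]
        if object_type not in FACTOR_EVENT_MESSAGES:
            continue
        # The affected account is the User target; the Client actor carries the source IP.
        user = next((t for t in ev["targets"] if t["objectType"] == "User"), None)
        client = next((a for a in ev["actors"] if a["objectType"] == "Client"), {})
        if user is None:
            continue
        alerts.append({
            "login": user["login"],
            "published": ev["published"],
            "objectType": object_type,
            "message": FACTOR_EVENT_MESSAGES[object_type],
            "detail": ev["action"]["message"],
            "ip": client.get("ipAddress"),
        })
    return alerts


def next_poll_start(latest_published: datetime, lag: timedelta = timedelta(hours=6)) -> datetime:
    """The Events API can fall behind by hours, so the next poll starts at the newest
    timestamp seen minus a lag window (size assumed); dedupe above absorbs the overlap."""
    return latest_published - lag


def _sample_event(event_id, published, object_type, message):
    """Constructed event in the trimmed shape of the answer's output."""
    user = {"id": "00uEXAMPLE", "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com", "objectType": "User"}
    client = {"id": "Mozilla/5.0 (constructed)", "displayName": "CHROME",
              "ipAddress": "203.0.113.10", "objectType": "Client"}
    return {"eventId": event_id, "published": published,
            "action": {"message": message, "categories": [],
                       "objectType": object_type, "requestUri": "/user/settings/factors"},
            "actors": [user, client], "targets": [user]}


SAMPLE_EVENTS = [
    _sample_event("tev-constructed-1", "2015-04-17T18:21:02.000Z",
                  "core.user.factor.activate", "User set up Google Authenticator factor"),
    _sample_event("tev-constructed-2", "2015-04-17T18:22:53.000Z",
                  "core.user.factor.update", "User updated Security Question factor"),
    _sample_event("tev-constructed-3", "2015-04-17T18:24:13.000Z",
                  "core.user.factor.deactivate", "User reset Google Authenticator factor"),
    # Constructed non-factor event type; the classifier must ignore it.
    _sample_event("tev-constructed-4", "2015-04-17T18:25:00.000Z",
                  "example.other.event", "Unrelated event"),
]

if __name__ == "__main__":
    seen = set()
    for alert in factor_alerts(SAMPLE_EVENTS, seen):
        print(json.dumps(alert))
    newest = max(parse_published(e["published"]) for e in SAMPLE_EVENTS)
    print(build_events_query(next_poll_start(newest)))
```

Persist `seen_event_ids` (or the SIEM's own dedupe key) across runs; the overlap window only helps if repeats from the previous poll are recognised rather than re-alerted.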