Reference Library for Okta Falco Threat Detection Rules

Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment. This topic provides all the fields and events that apply to Falco rules for Okta.

Fields

Field Class: JSON

Name	Type	Description
`json.value`	CHARBUF	Extracts a value from a JSON-encoded input. Syntax is json.value[], where is a json pointer (see https://datatracker.ietf.org/doc/html/rfc6901)
`json.obj`	CHARBUF	The full json message as a text string.
`json.rawtime`	CHARBUF	The time of the event, identical to evt.rawtime.
`jevt.value`	CHARBUF	Alias for json.value, provided for backwards compatibility.
`jevt.obj`	CHARBUF	Alias for json.obj, provided for backwards compatibility.
`jevt.rawtime`	CHARBUF	Alias for json.rawtime, provided for backwards compatibility.

Field Class: Okta

Name	Type	Description
`okta.app`	CHARBUF	Application
`okta.org`	CHARBUF	Organization
`okta.evt.type`	CHARBUF	Event Type
`okta.evt.legacytype`	CHARBUF	Event Legacy Type
`okta.severity`	CHARBUF	Severity
`okta.message`	CHARBUF	Message
`okta.published`	CHARBUF	Event Source Timestamp
`okta.actor.id`	CHARBUF	Actor ID
`okta.actor.Type`	CHARBUF	Actor Type
`okta.actor.alternateid`	CHARBUF	Actor Alternate ID
`okta.actor.name`	CHARBUF	Actor Display Name
`okta.client.zone`	CHARBUF	Client Zone
`okta.client.ip`	CHARBUF	Client IP Address
`okta.client.device`	CHARBUF	Client Device
`okta.client.id`	CHARBUF	Client ID
`okta.client.geo.city`	CHARBUF	Client Geographical City
`okta.client.geo.state`	CHARBUF	Client Geographical State
`okta.client.geo.country`	CHARBUF	Client Geographical Country
`okta.client.geo.postalcode`	CHARBUF	Client Geographical Postal Code
`okta.client.geo.lat`	CHARBUF	Client Geographical Latitude
`okta.client.geo.lon`	CHARBUF	Client Geographical Longitude
`okta.useragent.os`	CHARBUF	Useragent OS
`okta.useragent.browser`	CHARBUF	Useragent Browser
`okta.useragent.raw`	CHARBUF	Raw Useragent
`okta.result`	CHARBUF	Outcome Result
`okta.reason`	CHARBUF	Outcome Reason
`okta.transaction.id`	CHARBUF	Transaction ID
`okta.transaction.type`	CHARBUF	Transaction Type
`okta.requesturi`	CHARBUF	Request URI
`okta.principal.id`	CHARBUF	Principal ID
`okta.principal.alternateid`	CHARBUF	Principal Alternate ID
`okta.principal.type`	CHARBUF	Principal Type
`okta.principal.name`	CHARBUF	Principal Name
`okta.authentication.step`	CHARBUF	Authentication Step
`okta.authentication.sessionid`	CHARBUF	External Session ID
`okta.security.asnumber`	UINT64	Security AS Number
`okta.security.asorg`	CHARBUF	Security AS Org
`okta.security.isp`	CHARBUF	Security ISP
`okta.security.domain`	CHARBUF	Security Domain
`okta.target.user.id`	CHARBUF	Target User ID
`okta.target.user.alternateid`	CHARBUF	Target User Alternate ID
`okta.target.user.name`	CHARBUF	Target User Name
`okta.target.group.id`	CHARBUF	Target Group ID
`okta.target.group.alternateid`	CHARBUF	Target Group Alternate ID
`okta.target.group.name`	CHARBUF	Target Group Name