Okta Data Connector

Ingest Okta identity, authentication, and threat events into Torq to power automated analysis and Auto-Triage.

Overview

The Okta data connector provides a native, polling-based ingestion mechanism that continuously brings Okta system log events into Torq for use in processes and Auto-Triage.

Key benefits include:

  • Simplified setup: Configure ingestion through a guided UI without building custom polling logic, handling OAuth flows, or implementing deduplication.

  • Continuous event ingestion: Okta events are retrieved automatically every 5 minutes, ensuring a steady flow of identity and security data into Torq.

  • Historical backfill: During setup, configure a lookback window (up to 14 days) to ingest past events and immediately populate Auto-Triage or downstream processing.

  • Event type selection: Ingest Authentication Events, Security Events, and Identity Threat Protection (ITP) Events, in any combination.

  • Built-in reliability: The connector handles pagination, rate limits, state tracking, and duplicate detection automatically to ensure consistent and accurate ingestion.

Common scenarios

Automated triage and case creation from Okta events

The Okta data connector enables security teams to automatically route authentication and security events into Auto-Triage. Events are enriched, analyzed, and converted into investigation cases, consolidating identity signals, risk context, and activity history into a single workspace for efficient analysis.

Identity threat detection and response

Identity Threat Protection (ITP) events such as session hijacking, credential abuse, and anomalous behavior are ingested into Torq, enabling automated triage and coordinated response across identity, endpoint, and network signals.

Identity lifecycle monitoring and automation

User lifecycle events, such as provisioning, deprovisioning, permission changes, and administrative actions, can be ingested and used to trigger compliance workflows, access reviews, and identity governance automation.

Prerequisites

Before setting up the Okta data connector, ensure the following requirements are met:

  • Okta subscription: Access to the Okta System Log API is required.

  • (Optional) Identity Threat Protection: Required only if you plan to ingest ITP events.

  • API Services application: Create an API Services app in the Okta Admin Console.

  • Authentication setup: Generate an RS256 key pair and configure the application to use private_key_jwt.

  • Permissions and roles:

    • Grant the okta.logs.read scope

    • Assign the Report Admin role

  • Required credentials:

    • Okta Domain (e.g., company.okta.com)

    • Client ID

    • Private Key (PEM)

How to use

Create an API client in Okta

Open the Admin Console

Create an API Services application

  1. Navigate to applications: Go to Applications > Applications > Create App Integration.

  2. Select app type: Choose API Services (machine-to-machine authentication using OAuth 2.0).

  3. Create application: Enter a meaningful name and click Save.

Configure client authentication (private key)

The connector uses OAuth 2.0 client credentials with a JWT signed by an RSA private key (not a client secret).

  1. Enable JWT authentication: In the app settings, configure client authentication using a public key / JWT (wording varies by Okta UI version).

  2. Add signing credential: Upload your public key or register a JWK.

  3. Store private key: Keep the corresponding RSA private key (PEM format). It will be required during Torq setup.
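
Added example (not Torq's or Okta's own code): one way to generate the RSA key pair and confirm locally that it produces a verifiable RS256 client assertion before the private key is entered in Torq. The domain and Client ID are placeholders, and the claim layout (iss and sub set to the Client ID, aud set to the org token endpoint) is an assumption based on standard private_key_jwt client authentication.

```bash
#!/usr/bin/env bash
# Added example. Placeholder values below are constructed, not real.
OKTA_DOMAIN="company.okta.com"   # org hostname, no https:// prefix
CLIENT_ID="0oaEXAMPLEclientid"   # hypothetical Client ID

# base64url without padding, as JWTs require
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Generate a 2048-bit RSA key pair; the private key file is owner-only (umask 077).
gen_keypair() {  # $1 = private key path, $2 = public key path
  ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null ) &&
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Build a short-lived (5 minute) RS256 client assertion signed with the private key.
make_assertion() {  # $1 = private key path
  local now header claims input sig
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"https://%s/oauth2/v1/token","iat":%d,"exp":%d,"jti":"%s"}' \
    "$CLIENT_ID" "$CLIENT_ID" "$OKTA_DOMAIN" "$now" "$((now + 300))" \
    "$(openssl rand -hex 16)" | b64url)
  input="$header.$claims"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s\n' "$input" "$sig"
}

# Check the assertion's signature against the public key that is uploaded to Okta.
verify_assertion() {  # $1 = JWT, $2 = public key path; returns 0 if valid
  local input=${1%.*} sig=${1##*.} pad tmp rc=0
  pad=$(( (4 - ${#sig} % 4) % 4 ))          # restore base64 padding
  tmp=$(mktemp)
  printf '%s%s' "$sig" "$(printf '%*s' "$pad" '' | tr ' ' '=')" \
    | tr '_-' '/+' | openssl base64 -d -A > "$tmp"
  printf '%s' "$input" \
    | openssl dgst -sha256 -verify "$2" -signature "$tmp" >/dev/null 2>&1 || rc=1
  rm -f "$tmp"
  return $rc
}

# Usage:
#   gen_keypair okta_private.pem okta_public.pem
#   verify_assertion "$(make_assertion okta_private.pem)" okta_public.pem && echo "key pair OK"
```

Upload only okta_public.pem to the Okta application; okta_private.pem is the value for the Private Key (PEM) field in Torq and should not be stored anywhere else in readable form.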

Collect client ID

  • Copy client ID: From the application overview, copy the Client ID for later use.

Disable Proof of Possession (DPoP)

  1. Open general settings: Go to the app’s General tab.

  2. Disable DPoP: Ensure Require Demonstrating Proof of Possession (DPoP) is unchecked.

  3. Save changes: Click Save.

DPoP must remain disabled; otherwise, authentication requests from the connector will fail.

Grant System Log scope

  1. Open API scopes: Navigate to the app’s Okta API Scopes (or equivalent).

  2. Grant scope: Add okta.logs.read (required for System Log API access).

  3. Approve access: Ensure the scope is granted and approved for the application.

(Optional) Identify your Okta domain

  • Your Okta domain is your org hostname (e.g., company.okta.com, dev-12345.okta.com).

  • Enter the domain in Torq without the https:// prefix.

Set up the connector in Torq

  1. Navigate to connector: Go to Integrations > Okta Data Connector > Add Instance.

  2. Enter connection details: Provide the Instance Name, Okta Domain, Client ID, and Private Key (PEM).

  3. (Optional) Configure backfill: Set a backfill period (up to 14 days) to ingest historical events.

  4. Select event filters: Choose Authentication Events, Security Events, and/or Identity Threat Protection (ITP) Events.

  5. Save configuration: Save the connector to start ingestion. The connector automatically begins polling every 5 minutes.

When you edit an existing Okta instance, the past data ingestion period cannot be changed. To change it, delete the instance and create a new one.

You’ve successfully set up the Okta data connector in Torq. With the instance configured, Torq will continuously ingest Okta system log events and automatically trigger Auto-Triage based on those events.
