Okta Optimizer

The Okta Optimizer is a transform that filters out routine successful SSO authentication, session start events, and low-severity debug logs from Okta logs, preserving security-critical events to reduce noise, storage, and processing costs while maintaining visibility into authentication failures and policy violations.

Purpose

This transform is designed to optimize Okta logs by selectively filtering routine successful authentication events and low-severity debug events. The transform group is composed of two sequential transforms, each playing a specific role in optimizing log storage and processing while maintaining critical security visibility.

How to Add Okta Optimization to a Pipeline

Follow these steps to apply Okta optimization to your pipeline using the built-in Observo templates:

  1. Choose Your Pipeline: Navigate to the list of pipelines and select the pipeline where you want to perform Okta optimization.

  2. Edit the Pipeline: Click on Edit Pipeline to open the pipeline configuration screen.

  3. Add a Transform: Inside the pipeline editor, click on Add Transform to begin modifying the pipeline.

  4. Import a Template: At the top of the transform selection window, click Import.

  5. Choose Observo Templates: In the import options, select Use an Observo Template.

  6. Select the Okta Optimizer: From the list of available templates, choose Okta Optimizer.

  7. Transforms Added Automatically: Once selected, three transforms will be added automatically to your pipeline. These transforms work together to perform Okta optimization.

Usage

The Okta Optimizer filters out high-volume, successful SSO authentication and session start events, and removes debug-level logs, preserving failed authentications and higher-severity security-relevant events to reduce log volume while maintaining critical visibility.

Drop Success SSO Session Events

  • Purpose: Filter out successful SSO authentication and session start events that generate high volume but provide minimal security value.

  • Behavior:

    • Drops events where eventType is "user.authentication.sso" and outcome.result is "SUCCESS".

    • Drops events where eventType is "user.session.start" and outcome.result is "SUCCESS".

    • Uses an OR combinator to match either condition for removal.

    • Preserves all failed authentication attempts and security-relevant events.

Drop Low Severity Events

  • Purpose: Remove debug-level events that are primarily used for troubleshooting but consume storage without providing security insights.

  • Behavior:

    • Drops all events where severity equals "DEBUG".

    • Focuses on eliminating diagnostic and troubleshooting logs.

    • Preserves all higher-severity events (INFO, WARN, ERROR, etc.).

Configuration Options

The Okta Optimizer's configuration options use an OR combinator with nested AND conditions to drop successful SSO and session start events, and a simple AND condition to remove debug-level events, with both transforms enabled by default and set to completely remove matching events.

Drop Success SSO Session Events

  • Filter Configuration

    • Uses an OR combinator with nested AND conditions.

    • Condition 1: eventType = "user.authentication.sso" AND outcome.result = "SUCCESS".

    • Condition 2: eventType = "user.session.start" AND outcome.result = "SUCCESS".

    • Drop Data: Turned on. Events matching the conditions are completely removed.

    • Enabled: enable or disable the transform. Default: Turned on.

Drop Low Severity Events

  • Filter Configuration

    • Uses a simple AND condition.

    • Condition: severity = "DEBUG"

    • Drop Data: Turned on. All debug events are removed from the log stream.

    • Enabled: enable or disable the transform. Default: Turned on.

How This Optimizes Okta Logs

Reduction of Routine Success Events: Okta environments generate enormous volumes of successful SSO authentication and session start events during normal business operations. While these events confirm system functionality, they rarely indicate security issues and can overwhelm security analysts and SIEM platforms.

Elimination of Debug Noise: Debug-level logs are primarily useful for application troubleshooting and development but consume significant storage in production environments without providing security value.

Focus on Security-Relevant Events: By removing routine successful operations and debug messages, the optimizer ensures that security teams can focus on:

  • Failed authentication attempts

  • Suspicious login patterns

  • Policy violations

  • Administrative changes

  • Error conditions

Efficient Use of Resources: The optimization leads to substantial savings in:

  • Storage costs (local disk, cloud storage)

  • Network bandwidth for log transmission

  • SIEM ingestion and processing costs

  • Query performance and analysis speed

  • Alert noise reduction

Examples

Input Events

[
  { "eventType": "user.authentication.sso", "outcome": { "result": "SUCCESS" }, "severity": "INFO", "timestamp": "2025-04-27T12:00:00Z", "actor": { "displayName": "[email protected]" } },
  { "eventType": "user.session.start", "outcome": { "result": "SUCCESS" }, "severity": "INFO", "timestamp": "2025-04-27T12:00:01Z", "actor": { "displayName": "[email protected]" } },
  { "eventType": "user.authentication.sso", "outcome": { "result": "FAILURE" }, "severity": "WARN", "timestamp": "2025-04-27T12:00:02Z", "actor": { "displayName": "[email protected]" } },
  { "eventType": "system.configuration.change", "outcome": { "result": "SUCCESS" }, "severity": "DEBUG", "timestamp": "2025-04-27T12:00:03Z", "actor": { "displayName": "[email protected]" } },
  { "eventType": "user.account.lock", "outcome": { "result": "SUCCESS" }, "severity": "WARN", "timestamp": "2025-04-27T12:00:04Z", "actor": { "displayName": "system" } }
]

After Drop Success SSO Session Events

[
  { "eventType": "user.authentication.sso", "outcome": { "result": "FAILURE" }, "severity": "WARN", "timestamp": "2025-04-27T12:00:02Z", "actor": { "displayName": "[email protected]" } },
  { "eventType": "system.configuration.change", "outcome": { "result": "SUCCESS" }, "severity": "DEBUG", "timestamp": "2025-04-27T12:00:03Z", "actor": { "displayName": "[email protected]" } },
  { "eventType": "user.account.lock", "outcome": { "result": "SUCCESS" }, "severity": "WARN", "timestamp": "2025-04-27T12:00:04Z", "actor": { "displayName": "system" } }
]

After Drop Low Severity Events

[
  { "eventType": "user.authentication.sso", "outcome": { "result": "FAILURE" }, "severity": "WARN", "timestamp": "2025-04-27T12:00:02Z", "actor": { "displayName": "[email protected]" } },
  { "eventType": "user.account.lock", "outcome": { "result": "SUCCESS" }, "severity": "WARN", "timestamp": "2025-04-27T12:00:04Z", "actor": { "displayName": "system" } }
]
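As an added illustration (not Observo's own code), the following Python models the two filters exactly as the Configuration Options section defines them (an OR of two nested AND conditions, then a single severity condition) and runs them sequentially over a constructed copy of the sample events above; the actor names are placeholders. It also records which filter dropped each event, which makes visible that the severity-only rule removes the DEBUG-tagged system.configuration.change event along with routine debug noise.

```python
from typing import Any, Dict, Iterable, List, Tuple

Event = Dict[str, Any]

def get_path(event: Event, path: str) -> Any:
    """Resolve a dotted field path such as 'outcome.result'; None if missing."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def drop_success_sso_session(event: Event) -> bool:
    """Transform 1: OR combinator over two nested AND conditions (True = drop)."""
    cond1 = (get_path(event, "eventType") == "user.authentication.sso"
             and get_path(event, "outcome.result") == "SUCCESS")
    cond2 = (get_path(event, "eventType") == "user.session.start"
             and get_path(event, "outcome.result") == "SUCCESS")
    return cond1 or cond2

def drop_low_severity(event: Event) -> bool:
    """Transform 2: single condition severity = "DEBUG" (True = drop)."""
    return get_path(event, "severity") == "DEBUG"

# The two transforms in the order the template applies them.
FILTERS = [("Drop Success SSO Session Events", drop_success_sso_session),
           ("Drop Low Severity Events", drop_low_severity)]

def optimize(events: Iterable[Event]) -> Tuple[List[Event], List[Tuple[str, str]]]:
    """Return (kept events, [(eventType, name of the filter that dropped it)]).
    The audit list shows that filter 2 checks only severity, not eventType."""
    kept, dropped = [], []
    for event in events:
        for name, pred in FILTERS:
            if pred(event):
                dropped.append((get_path(event, "eventType"), name))
                break
        else:  # no filter matched
            kept.append(event)
    return kept, dropped

# Constructed sample mirroring the page's example; actor names are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"}, "severity": "INFO", "actor": {"displayName": "user1@example.com"}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "severity": "INFO", "actor": {"displayName": "user1@example.com"}},
    {"eventType": "user.authentication.sso", "outcome": {"result": "FAILURE"}, "severity": "WARN", "actor": {"displayName": "user2@example.com"}},
    {"eventType": "system.configuration.change", "outcome": {"result": "SUCCESS"}, "severity": "DEBUG", "actor": {"displayName": "admin@example.com"}},
    {"eventType": "user.account.lock", "outcome": {"result": "SUCCESS"}, "severity": "WARN", "actor": {"displayName": "system"}},
]
```

Calling optimize(SAMPLE_EVENTS) keeps the failed SSO attempt and the account lock, matching the "After Drop Low Severity Events" output above, while the audit list attributes each of the three removed events to the filter that matched it.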

Overall Recommendations

Transform | Purpose | Impact
--- | --- | ---
Drop Success SSO Session Events | Remove routine successful authentication events | Eliminates high-volume noise from normal operation
Drop Low Severity Events | Remove debug-level diagnostic events | Focuses on operationally and security-relevant events

In combination, these transforms deliver a focused Okta log optimization solution that dramatically reduces log volume while preserving all security-critical information. The optimization strategy specifically targets Okta's high-volume routine events, ensuring that security teams maintain complete visibility into authentication failures, policy violations, and administrative changes while eliminating the noise that can overwhelm security operations and increase infrastructure costs. This approach enables organizations to maintain comprehensive identity security monitoring while achieving substantial operational efficiencies.
