We're adding support for pulling logs and enrichment data from identity and auth sources into your Matano data lake. This means you can query failed and successful sign-in attempts, view audit logs, and query user information from popular SaaS sources directly using SQL, and write detection rules in Python to detect threats in real time!
Identity logs, generated from solutions such as Okta, Azure AD, and Duo, play a crucial role in understanding user activity and behavior within your organization. Matano now fully supports centralizing all your identity data into a structured data lake in your AWS account.
New Log Sources
In this release, we're adding support for ingesting authentication activity and identity data from Okta, Duo, 1Password, Microsoft Azure Active Directory (Azure AD), and Google Workspace.
| Log Source | Tables |
|---|---|
| 1Password | item_usages, signin_attempts |
| Duo | admin, auth, offline_enrollment, summary, telephony |
| Google Workspace | login |
| Microsoft Azure AD | aad_signinlogs |
| Okta | system |
Sample queries
You can use the full power of SQL to analyze sign-in behavior and other authentication activity. Here are some sample SQL queries that you could run on your identity data:
Recent failed sign-in attempts from 1Password

```sql
SELECT *
FROM "matano"."onepassword_signin_attempts"
WHERE ts > current_timestamp - interval '7' day
AND event.outcome = 'failure'
```
View activity per user in Okta today

```sql
SELECT user.full_name AS user_name,
count(*) AS count_logs
FROM "matano"."okta_system"
WHERE ts > current_timestamp - interval '1' day
GROUP BY user.full_name
```
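To show how the failed-sign-in query above carries over into a Python detection, here is an added example that is not part of the Matano release or its codebase. It assumes a per-record `detect(record)` rule shape and the ECS-style field names the queries use (`ts`, `event.outcome`, `user.full_name`) as plain nested dicts; the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def rec(ts, outcome, name, ip):
    """Build a constructed sign-in record with the nested ECS-style fields used above."""
    return {"ts": ts, "event": {"outcome": outcome},
            "user": {"full_name": name}, "source": {"ip": ip}}


# Constructed sample data: Ada fails three times in five minutes, Bob fails
# twice ninety minutes apart, Carol signs in successfully once.
SAMPLE_RECORDS = [
    rec("2023-05-01T10:00:00Z", "failure", "Ada Lovelace", "203.0.113.10"),
    rec("2023-05-01T10:02:00Z", "failure", "Ada Lovelace", "203.0.113.10"),
    rec("2023-05-01T10:04:00Z", "failure", "Ada Lovelace", "203.0.113.10"),
    rec("2023-05-01T10:05:00Z", "success", "Ada Lovelace", "203.0.113.10"),
    rec("2023-05-01T09:00:00Z", "failure", "Bob Smith", "198.51.100.7"),
    rec("2023-05-01T10:30:00Z", "failure", "Bob Smith", "198.51.100.7"),
    rec("2023-05-01T11:00:00Z", "success", "Carol Jones", "192.0.2.5"),
]


def parse_ts(value):
    """Parse the ISO-8601 'ts' field (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(record):
    """Record-level rule: the Python equivalent of the SQL filter
    event.outcome = 'failure'. Assumed rule shape, not Matano's documented API."""
    return record.get("event", {}).get("outcome") == "failure"


def users_with_repeated_failures(records, threshold=3, window=timedelta(minutes=10)):
    """Aggregate view: users whose failed sign-ins reach `threshold` inside any
    sliding `window`. Returns {user_name: peak_failures_in_window}."""
    by_user = defaultdict(list)
    for r in records:
        if detect(r):
            by_user[r["user"]["full_name"]].append(parse_ts(r["ts"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Bob's two failures fall outside the ten-minute window, so only Ada is flagged at the default threshold; widening the window to two hours surfaces Bob as well.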
Up next
In the near future, we'll be expanding our Identity & Auth integrations further by adding support for synchronizing enrichment data (users, roles, lookup tables, etc.) into your data lake. We are also working on new managed integration sources, so feel free to reach out if there is a log source you'd like to see in this list!
Get started now
You can ingest and analyze any of these log sources in your AWS account out of the box today. View the complete documentation for more information.