IdP audit-log observability
Okta / Entra / Workspace audit-log ingest + IdpSecurityDetector (MFA fatigue, OAuth consent phishing, impossible travel, password spray, federation tampering).

Most modern breaches start above the host, in the identity layer: MFA fatigue, consent-grant phishing, anomalous geo-velocity, admin role grants, and token-forgery or federation-tampering playbooks of the kind seen in Storm-0539, Storm-0558 and Golden SAML intrusions. digger's IdP module ingests the audit stream from your identity provider, normalizes it, and runs the six canonical detection layers (I1–I6) against it.

Providers supported

Okta, Microsoft Entra ID and Google Workspace audit logs are ingested, selected with --provider. Provider-specific event types are normalized into a digger-internal vocabulary (auth / mfa_auth / mfa_denied / oauth_grant / admin_grant / federation_change / auth_failure) so one rule set runs across all three. ingest_file() accepts both NDJSON (one event per line) and JSON-array files; supports actor / after-ts / before-ts / limit filters; caps log size at 4 GiB; truncates each field at 8 KiB. Events that do not map to the vocabulary are counted as skipped, not emitted, so a high skipped count is the first thing to check when a detection you expect is missing.

Detection layers (I1–I6)

ID  Severity          What it catches                                                   MITRE

I1  high → critical   MFA fatigue: ≥5 mfa_denied for one actor within a 10-min          T1621
                      sliding window. Escalates to critical if a successful auth
                      follows within 30 min (the actor caved to push-spam).

I2  high              OAuth consent grant: the illicit-consent phishing vector.         T1098.001
                      Verify that the granted app and scope are expected; a
                      mail.read / offline_access grant to an unknown multi-tenant
                      app is the classic signature.

I3  high              Admin / role-grant operation. Pair with the actor's auth           T1098
                      history: a role grant minutes after an anomalous sign-in is
                      escalation, not housekeeping.

I4  critical          Impossible travel: same-actor country mismatch within 1 hour.     T1078.004
                      No legitimate travel bridges the gap. Caveat: VPN egress,
                      mobile-carrier NAT and cloud-hosted proxies also produce
                      country flips, so check the src_ip owner before acting.

I5  critical          Password spray: ≥10 auth_failure from one src_ip across ≥5         T1110.003
                      distinct actors in 10 min. The distinct-actor floor is what
                      separates a spray from one user fat-fingering a password.

I6  critical          Federation / IdP-config change. A new federated IdP or             T1556.007
                      authentication domain is the token-forgery / Golden SAML
                      persistence playbook; treat every hit as incident-grade
                      until an admin claims the change ticket.

CLI

$ digger idp ingest \
    --provider okta \
    --log /path/to/okta-syslog.ndjson \
    --case-dir /tmp/case \
    [--actors alice@example.com,bob@example.com] \
    [--after 1716000000] [--before 1716100000] \
    [--limit 10000] [--verbose]

[idp/okta] events: 12483 total, 12480 emitted, 3 skipped
[idp/okta] elapsed: 0.8s

Event-type distribution:
  auth                              7421
  mfa_auth                          3204
  oauth_grant                         42
  admin_grant                          9
  federation_change                    1

Then run digger scan — IdpSecurityDetector executes automatically alongside the rest of the registry.

Tunables

Per-window thresholds are module constants in digger.detectors.idp_security: MFA_FATIGUE_WINDOW_S (600), MFA_FATIGUE_MIN_DENIES (5), MFA_FATIGUE_FOLLOWUP_S (1800), IMPOSSIBLE_TRAVEL_WINDOW_S (3600), SPRAY_WINDOW_S (600), SPRAY_MIN_FAILURES (10), SPRAY_MIN_DISTINCT_ACTORS (5). Adjust them by editing the detector file; they are deliberately module constants rather than env vars so that a tuned threshold shows up in source review rather than in someone's shell profile.
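The windowed layers above (I1 with its escalation, I4, I5) and the tunables they read are easy to misread as one-shot counters. The following is an added example, not digger's own code, that reimplements those three layers plus the stateless I2/I3/I6 flags over the normalized vocabulary, using the constants quoted under Tunables. The record shape ({"ts", "type", "actor", "src_ip", "country"} plus a few free-form fields) and the NDJSON sample are assumptions constructed for the example; digger's real schema and finding format may differ.

```python
"""Added example: sliding-window IdP detections over normalized NDJSON events.
Not digger's code; event shape and sample data are constructed assumptions."""
import json
from collections import defaultdict, deque

# Thresholds as quoted under Tunables (names match digger.detectors.idp_security).
MFA_FATIGUE_WINDOW_S = 600
MFA_FATIGUE_MIN_DENIES = 5
MFA_FATIGUE_FOLLOWUP_S = 1800
IMPOSSIBLE_TRAVEL_WINDOW_S = 3600
SPRAY_WINDOW_S = 600
SPRAY_MIN_FAILURES = 10
SPRAY_MIN_DISTINCT_ACTORS = 5


def parse_ndjson(text):
    """One normalized event per line (assumed shape, see lead-in)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _trim(q, now, window, key=lambda x: x):
    """Drop queue entries older than `window` seconds relative to `now`."""
    while q and now - key(q[0]) > window:
        q.popleft()


def detect(events):
    findings = []

    def emit(fid, sev, subject, detail):
        f = {"id": fid, "severity": sev, "subject": subject, "detail": detail}
        findings.append(f)
        return f

    denies = defaultdict(deque)   # actor -> mfa_denied timestamps inside the window
    fatigue = {}                  # actor -> (ts fired, finding) awaiting escalation
    last_ok = {}                  # actor -> (ts, country) of last successful auth
    fails = defaultdict(deque)    # src_ip -> (ts, actor) of auth_failure in window
    sprayed = set()               # src_ips already reported for I5

    for e in sorted(events, key=lambda e: e["ts"]):
        ts, kind, actor = e["ts"], e["type"], e.get("actor")
        if kind == "mfa_denied":                                  # I1: push-spam
            q = denies[actor]
            q.append(ts)
            _trim(q, ts, MFA_FATIGUE_WINDOW_S)
            if len(q) >= MFA_FATIGUE_MIN_DENIES and actor not in fatigue:
                fatigue[actor] = (ts, emit("I1", "high", actor,
                                           f"{len(q)} MFA denies in {ts - q[0]}s"))
        elif kind in ("auth", "mfa_auth"):
            if actor in fatigue:                                  # I1 escalation: the actor caved
                fired, f = fatigue.pop(actor)
                if ts - fired <= MFA_FATIGUE_FOLLOWUP_S:
                    f["severity"] = "critical"
                    f["detail"] += f"; successful auth {ts - fired}s later"
            prev, country = last_ok.get(actor), e.get("country")  # I4: geo-velocity
            if (prev and country and prev[1] and country != prev[1]
                    and ts - prev[0] <= IMPOSSIBLE_TRAVEL_WINDOW_S):
                emit("I4", "critical", actor, f"{prev[1]} -> {country} in {ts - prev[0]}s")
            last_ok[actor] = (ts, country)
        elif kind == "auth_failure":                              # I5: spray from one source
            ip = e.get("src_ip")
            q = fails[ip]
            q.append((ts, actor))
            _trim(q, ts, SPRAY_WINDOW_S, key=lambda x: x[0])
            actors = {a for _, a in q}
            if (len(q) >= SPRAY_MIN_FAILURES and len(actors) >= SPRAY_MIN_DISTINCT_ACTORS
                    and ip not in sprayed):
                sprayed.add(ip)
                emit("I5", "critical", ip, f"{len(q)} failures across {len(actors)} actors")
        elif kind == "oauth_grant":                               # I2: verify app + scope
            emit("I2", "high", actor, f"app={e.get('app')} scope={e.get('scope')}")
        elif kind == "admin_grant":                               # I3: pair with auth history
            emit("I3", "high", actor, f"role={e.get('role')}")
        elif kind == "federation_change":                         # I6: persistence playbook
            emit("I6", "critical", actor, e.get("detail", "federation/IdP config change"))
    return findings


# Constructed sample log (not real telemetry): one fatigue burst that the user
# caves to, one impossible-travel pair plus a benign later hop, one spray, one
# federation change.
def _ev(ts, kind, actor, src_ip="192.0.2.10", country="US", **extra):
    return json.dumps({"ts": ts, "type": kind, "actor": actor,
                       "src_ip": src_ip, "country": country, **extra})

_rows = [_ev(1000 + 120 * i, "mfa_denied", "alice@example.com", "198.51.100.9", "NG") for i in range(5)]
_rows.append(_ev(2000, "mfa_auth", "alice@example.com", "198.51.100.9", "NG"))      # 520s after 5th deny
_rows += [_ev(5000, "auth", "bob@example.com", country="US"),
          _ev(6800, "auth", "bob@example.com", src_ip="203.0.113.5", country="DE"),  # 1800s later: I4
          _ev(20000, "auth", "bob@example.com", country="US")]                     # 13200s later: outside window
_rows += [_ev(9000 + 50 * i, "auth_failure", f"user{i % 5}@example.com", "203.0.113.7", "BR") for i in range(10)]
_rows.append(_ev(12000, "federation_change", "admin@example.com", detail="added federated IdP"))
SAMPLE_NDJSON = "\n".join(_rows)

if __name__ == "__main__":
    for f in detect(parse_ndjson(SAMPLE_NDJSON)):
        print(f"[{f['id']}] {f['severity']:8} {f['subject']}: {f['detail']}")
```

Two details are worth carrying into any tuning: the I1 finding is mutated in place when the follow-up success arrives, so a single alert carries both the burst and the capitulation, and the I5 queue is keyed by src_ip with a distinct-actor floor, which is why a single user retrying one password never trips it. Remove the mfa_auth line from the sample and the alice finding stays at high.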