For detection teams and AI SOC agents
Okta System Log streams with attacks, false-positive noise, and a realistic benign baseline. Deterministically generated, so every stream ships with the answer key: which alerts are real, which are noise, and what actually happened.
No forms. Write tim@aginor.ai and the full 42-scenario catalog comes back by reply.
Each scenario generates a full stream, not a snippet: a benign baseline of everyday auth traffic, false positives layered in, and the attack itself a sliver of the volume. Multi-phase kill chains like Scattered Spider and insider threat escalation run end to end today, and the password spray scenario runs with three MFA-path variants. The rest of the catalog is configuration on the same pattern engine, which works from the full Okta event type catalog of 1,025 types.
In a default stream the malicious handful sits inside tens of thousands of ordinary logins, MFA checks, and admin routine. Stream size and attack share are config values, so you decide how deep the needle is buried.
33 false-positive patterns mimic every attack category: travel failures, push-deny-then-approve, help desk resets, VPN IP hops. Same event types as the real thing. The difference is always contextual.
Attack events share the same structure, IDs, and transaction shapes as benign events. No round-number timestamps, no obviously evil names, and attacker IPs overlap legitimate infrastructure. If your agent finds the attack, it found it the way an analyst would.
Seven scenarios have no attack events to find. Golden SAML, token replay, ghost sessions: the tell is that expected Okta events are missing. Systems that only look at what's present can't solve these.
The answer key comes with the logs: which alerts are real, which are noise, and why.
Generation is deterministically seeded. The same scenario re-runs identically, so you can score a new model, a rule change, or a prompt tweak against the exact same stream and know precisely what moved. No labeling step and no analyst time spent building answer keys, because the generator placed every event and wrote the answers in the same pass.
Real investigations cross systems: is the user still active in Workday, was the access ticketed in ServiceNow, does the AWS role match the SSO target, is that service account suspended in the NHI registry. The catalog pairs each scenario with profiles from the external systems that can confirm or deny it, so multi-source reasoning is testable, not just single-log anomaly spotting. Nine sources ship today and new ones get added on request, so if your playbooks cross a system that isn't here, ask for it.
Choose from the catalog: direct attacks, SSO-visible downstream, absence detection, or full kill chains. We match them to what you're testing, whether that's detection rules, playbooks, or an AI agent.
Config-driven, deterministic, pattern-based generation. Benign baseline, false-positive noise, and the attack, all with consistent structure. Ground truth comes out in the same pass.
Grade your agent or rules against the answer key. Same seed means the same stream, so every model upgrade and rule change is measured against a fixed corpus.
Email me and the full 42-scenario catalog comes back by reply: categories, MITRE mappings, and which external sources matter for each. Pick the one that matches what you're testing and we go from there.
Not on Okta? The pattern engine isn't Okta-specific, so ask about your source. Or write tim@aginor.ai directly.