When using Falco (0.36.2) to monitor Okta logs with the Okta plugin (0.10.0), when an event that contains application data is detected, the application name is not captured. While there is an actual application name in the Okta audit logs, the falco event logs and the okta.app field return empty values (respectively NA & null) instead of the app name.
How to reproduce it
Activate the below default rule in your Okta ruleset.
- rule: Adding user to application membership in OKTA
desc: Detect a user who has been added to application membership in OKTA
condition: okta.evt.type = "application.user_membership.add"
output: "A user has been added to an application membership in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name, app=%okta.app)"
priority: NOTICE
source: okta
tags: [okta]
Assign an application to a user
Check your Falco logs
Confirm the alert does not contain the application name
Expected behaviour
The Falco alert as well as the okta.app container captures the application name in one from the appropriate target block in Okta logs. The application name is visible in alerts forwarded by Falcosidekick.
Screenshots
Environment
Falco version: 0.36.2
Okta plugin version: 0.10.0
System info:
Fri Mar 8 15:45:44 2024: Falco version: 0.36.2 (x86_64)
Fri Mar 8 15:45:44 2024: Falco initialized with configuration file: /etc/falco/falco.yaml
Fri Mar 8 15:45:44 2024: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Fri Mar 8 15:45:44 2024: Loading plugin 'okta' from file /usr/local/share/falco/plugins/libokta.so
Fri Mar 8 15:45:44 2024: Loading rules from file /etc/falco/rules.d/okta-rules.yaml
{
"machine": "x86_64",
"nodename": "979e08f07dd0",
"release": "6.2.0-1012-aws",
"sysname": "Linux",
"version": "12~22.04.1-Ubuntu SMP Thu Sep 7 14:01:24 UTC 2023"
}
Cloud provider or hardware configuration: AWS EC2 instance
Description of the Bug
When using Falco (0.36.2) to monitor Okta logs with the Okta plugin (0.10.0), when an event that contains application data is detected, the application name is not captured. While there is an actual application name in the Okta audit logs, the falco event logs and the okta.app field return empty values (respectively NA & null) instead of the app name.
How to reproduce it
Expected behaviour
The Falco alert as well as the okta.app container captures the application name in one from the appropriate target block in Okta logs. The application name is visible in alerts forwarded by Falcosidekick.
Screenshots
Environment