mbegan / Okta-Identity-Cloud-for-Splunk

Public REPO for splunkbase app
https://splunkbase.splunk.com/app/3682/

"Sign-on policy evaluation resulted in DENY" entry missing on lookup table #46

Open asimakram11 opened 2 years ago

asimakram11 commented 2 years ago

Hi Team,

Issue :-

Recently we noticed that when "outcome.reason=Sign-on policy evaluation resulted in DENY" comes in, the logs show "action=success". Our belief is that it should come as "action=failed".

Example logs :-

| _time | action | eventType | outcome.reason | client.geographicalContext.country |
|---|---|---|---|---|
| 2022-04-04 19:59:54.257 | success | policy.evaluate_sign_on | Sign-on policy evaluation resulted in DENY | United States |
| 2022-04-03 20:01:46.488 | success | policy.evaluate_sign_on | Sign-on policy evaluation resulted in DENY | United States |

Possible Solution :- The outcome is not present in the lookup table, so "Sign-on policy evaluation resulted in DENY" needs to be added to the okta2_eventType_related_info.csv lookup table (https://github.com/mbegan/Okta-Identity-Cloud-for-Splunk/blob/master/lookups/okta2_eventType_related_info.csv) as "outcome.result=FAILURE".

This is impacting our Splunk SOC tasks, so please correct it ASAP.

Thanks, Asim Akram
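The failure mode described in the report, as an added illustration that is not part of the issue or of the add-on's code: a lookup keyed on eventType falls back to that event type's default row when no row matches the outcome, so a DENY evaluation inherits `action=success`. The column names (`eventType`, `outcome_reason`, `action`) and the rows below are constructed stand-ins and are not the real `okta2_eventType_related_info.csv`; the sample events reuse the timestamps and reason text from the report and otherwise carry made-up values.

```python
import csv
import io

# Constructed stand-in for the add-on's eventType lookup. The real
# lookups/okta2_eventType_related_info.csv and its column names are NOT
# reproduced here; eventType / outcome_reason / action are assumed columns.
# An empty outcome_reason is the default row for that eventType.
LOOKUP_CSV = """eventType,outcome_reason,action
user.session.start,,success
user.session.start,INVALID_CREDENTIALS,failure
policy.evaluate_sign_on,,success
"""

# The row the report asks for: once present, DENY evaluations no longer
# inherit the eventType default.
MISSING_ROW = 'policy.evaluate_sign_on,"Sign-on policy evaluation resulted in DENY",failure\n'

# Constructed events in the shape of Okta System Log records. Timestamps and
# reason text come from the report; everything else is sample data.
SAMPLE_EVENTS = [
    {"published": "2022-04-04T19:59:54.257Z", "eventType": "policy.evaluate_sign_on",
     "outcome": {"reason": "Sign-on policy evaluation resulted in DENY"},
     "client": {"geographicalContext": {"country": "United States"}}},
    {"published": "2022-04-03T20:01:46.488Z", "eventType": "policy.evaluate_sign_on",
     "outcome": {"reason": "Sign-on policy evaluation resulted in DENY"},
     "client": {"geographicalContext": {"country": "United States"}}},
    {"published": "2022-04-03T20:05:00.000Z", "eventType": "policy.evaluate_sign_on",
     "outcome": {"reason": "Sign-on policy evaluation resulted in ALLOW"},
     "client": {"geographicalContext": {"country": "United States"}}},
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {(eventType, outcome_reason): action}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[(row["eventType"], row["outcome_reason"])] = row["action"]
    return table


def classify(event, lookup):
    """Return the normalized action for one event.

    The exact (eventType, reason) row wins; otherwise the eventType default
    row applies; 'unknown' is returned when the eventType is not in the lookup.
    """
    event_type = event.get("eventType", "")
    reason = event.get("outcome", {}).get("reason", "")
    if (event_type, reason) in lookup:
        return lookup[(event_type, reason)]
    return lookup.get((event_type, ""), "unknown")


def classify_all(events, csv_text):
    """Classify a batch of events against the given lookup text."""
    lookup = load_lookup(csv_text)
    return [classify(e, lookup) for e in events]


def deny_events_marked_success(events, csv_text):
    """Audit helper: count DENY evaluations the lookup still labels success.

    A non-zero result means the lookup is missing the DENY row and the
    action field cannot be trusted for sign-on denials.
    """
    lookup = load_lookup(csv_text)
    return sum(
        1 for e in events
        if "DENY" in e.get("outcome", {}).get("reason", "")
        and classify(e, lookup) == "success"
    )


if __name__ == "__main__":
    for label, text in (("before", LOOKUP_CSV), ("after", LOOKUP_CSV + MISSING_ROW)):
        print(label, classify_all(SAMPLE_EVENTS, text),
              "deny-as-success:", deny_events_marked_success(SAMPLE_EVENTS, text))
```

Running the block prints the two DENY events as `success` with the original lookup and as `failure` once the row is appended; `deny_events_marked_success` is the check a SOC can run over a day of events to confirm the lookup covers every denial reason it sees.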

asimakram11 commented 2 years ago

Hi Team,

Any update on this issue?