Open asimakram11 opened 2 years ago
Hi Team,
Issue:
Recently we noticed that when "outcome.reason=Sign-on policy evaluation resulted in DENY" comes, the logs show "action=success". Our belief is that it should come as "action=failed".
Example logs:

| _time | action | eventType | outcome.reason | client.geographicalContext.country |
|---|---|---|---|---|
| 2022-04-04 19:59:54.257 | success | policy.evaluate_sign_on | Sign-on policy evaluation resulted in DENY | United States |
| 2022-04-03 20:01:46.488 | success | policy.evaluate_sign_on | Sign-on policy evaluation resulted in DENY | United States |
Possible Solution: The outcome is not added in the lookup table, so "Sign-on policy evaluation resulted in DENY" needs to be added to the okta2_eventType_related_info.csv lookup table (https://github.com/mbegan/Okta-Identity-Cloud-for-Splunk/blob/master/lookups/okta2_eventType_related_info.csv) as "outcome.result=FAILURE".
This is impacting our Splunk SOC task, so please correct it ASAP.
Thanks, Asim Akram
Any update on this issue?
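A way to measure how many exported events carry the mismatch reported in this issue, as an added example that is not part of the original issue or the app's code. It assumes events are available as dicts keyed by the field names shown in the example logs; the function names, the `failure` replacement value, and the last two sample events are assumptions made for illustration.

```python
import re

# Matches the outcome.reason text quoted in the issue; only a DENY verdict counts.
DENY_REASON = re.compile(r"policy evaluation resulted in DENY\b", re.IGNORECASE)

# Assumption: the issue asks for a "failed" action; the CIM-style value "failure" is used here.
FAILED_ACTION = "failure"


def corrected_action(event):
    """Return the action an event should carry, overriding only denied sign-on evaluations."""
    reason = event.get("outcome.reason") or ""  # tolerate a missing or null reason
    if event.get("eventType") == "policy.evaluate_sign_on" and DENY_REASON.search(reason):
        return FAILED_ACTION
    return event.get("action")


def find_mislabeled(events):
    """Events tagged action=success whose outcome.reason says the policy denied the sign-on."""
    return [e for e in events
            if e.get("action") == "success" and corrected_action(e) != "success"]


# First two events mirror the rows in the issue; the last two are constructed for contrast.
SAMPLE_EVENTS = [
    {"_time": "2022-04-04 19:59:54.257", "action": "success",
     "eventType": "policy.evaluate_sign_on",
     "outcome.reason": "Sign-on policy evaluation resulted in DENY"},
    {"_time": "2022-04-03 20:01:46.488", "action": "success",
     "eventType": "policy.evaluate_sign_on",
     "outcome.reason": "Sign-on policy evaluation resulted in DENY"},
    {"_time": "2022-04-03 20:05:00.000", "action": "success",   # constructed
     "eventType": "policy.evaluate_sign_on",
     "outcome.reason": "Sign-on policy evaluation resulted in ALLOW"},
    {"_time": "2022-04-03 20:06:00.000", "action": "success",   # constructed, no reason
     "eventType": "policy.evaluate_sign_on", "outcome.reason": None},
]

if __name__ == "__main__":
    for ev in find_mislabeled(SAMPLE_EVENTS):
        print(ev["_time"], ev["action"], "->", corrected_action(ev))
```

Any detection that filters on the action field alone would miss the events this returns until the lookup is corrected.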