shay126
Copper Contributor
Jul 26, 2020

Apply metadata to logs to distinguish source

Hi - I've added two Okta environments to Sentinel but there isn't anything in the logs themselves to identify the source environment. Is there not some way in Sentinel to tag some metadata to the log so you can identify the source environment when you have multiples using the same connector?

On a side note, I just see in Sentinel that the Okta connector is "connected", not even totally sure how to confirm logs from both are being ingested.

Thanks in advance.

  • GaryBushey
    Bronze Contributor

    shay126 As this connector uses a Function app to make a call to Okta's System Log API and then saves all the information returned into the Log Analytics table, Okta_CL, it appears the only way for this to happen is if there is a way to change what Okta itself pushes to its logs.

    I would talk with your Okta Admin or Okta to see if this is possible.

    • shay126
      Copper Contributor

      GaryBushey 

      Thanks Gary - is there an easy way to confirm both Okta environments are being ingested into Sentinel? I added both but not totally sure how to confirm they are both working...

      Shay

      • GaryBushey
        Bronze Contributor

        shay126 Not being an Okta expert, I don't know. I don't have access to the table that Okta writes to in order to see what the fields look like.
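
One way to approach both questions in this thread, as an added example that is not part of the original posts and not the connector's own code: assuming you control the code that pulls from each Okta org before the events are written to Okta_CL, stamp every event with its source org, then check per-source counts so a silent environment shows up as zero. The field name `SourceEnvironment`, the org URLs and the sample events are constructed for illustration.

```python
import json

# Hypothetical field name added to each record; not something the connector emits.
SOURCE_FIELD = "SourceEnvironment"


def tag_events(events, org_url):
    """Return copies of Okta System Log events stamped with their source org."""
    return [{**event, SOURCE_FIELD: org_url} for event in events]


def build_batch(per_org_events):
    """Merge events from several orgs into one JSON body, each record tagged."""
    records = []
    for org_url, events in per_org_events.items():
        records.extend(tag_events(events, org_url))
    return json.dumps(records)


def ingestion_summary(records, expected_sources):
    """Count events and track the newest 'published' timestamp per source.

    Every expected source appears in the result, so an environment that
    delivered nothing is reported with count 0 instead of being absent.
    """
    summary = {src: {"count": 0, "latest": None} for src in expected_sources}
    for record in records:
        src = record.get(SOURCE_FIELD, "<untagged>")
        entry = summary.setdefault(src, {"count": 0, "latest": None})
        entry["count"] += 1
        published = record.get("published")
        # ISO 8601 UTC strings in the same format sort chronologically.
        if published and (entry["latest"] is None or published > entry["latest"]):
            entry["latest"] = published
    return summary


# Constructed sample data: org A returned two events, org B returned none.
ORG_A = "https://org-a.example.com"
ORG_B = "https://org-b.example.com"
SAMPLE = {
    ORG_A: [
        {"uuid": "a-1", "eventType": "user.session.start", "published": "2020-07-26T10:15:00.000Z"},
        {"uuid": "a-2", "eventType": "user.session.end", "published": "2020-07-26T10:20:00.000Z"},
    ],
    ORG_B: [],
}

if __name__ == "__main__":
    batch = json.loads(build_batch(SAMPLE))
    print(json.dumps(ingestion_summary(batch, [ORG_A, ORG_B]), indent=2))
```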
