Jul 26 2020 - last edited on Dec 23 2021
Hi - I've added two Okta environments to Sentinel but there isn't anything in the logs themselves to identify the source environment. Is there not some way in Sentinel to tag some metadata to the log so you can identify the source environment when you have multiples using the same connector?
On a side note, I just see in Sentinel that the Okta connector is "connected", not even totally sure how to confirm logs from both are being ingested.
Thanks in advance.
Jul 26 2020 08:39 AM
@shay126 As this connector uses a Function app to make a call to Okta's System Log API and then saves all the information returned into the Log Analytics table, Okta_CL, it appears the only way for this to happen is if there is a way to change what Okta itself pushes to its logs.
I would talk with your Okta Admin or Okta to see if this is possible.
Jul 29 2020 07:14 AM
Thanks for the reply Gary. I think it's more of a Sentinel thing though. Ideally under the Sentinel connector it would show it's connected to X and Y Okta environments. I did look at logging in the function app and saw it listing an HTTP status of 200... so I think it's working...
Aug 03 2020 03:14 AM
@Ofer_Shezaf thanks for adding me.
Indeed, I added a GitHub issue to solve this issue: https://github.com/Azure/Azure-Sentinel/issues/925
Will update once it is published.