Apply metadata to logs to distinguish source

Hi - I've added two Okta environments to Sentinel but there isn't anything in the logs themselves to identify the source environment. Is there not some way in Sentinel to tag some metadata to the log so you can identify the source environment when you have multiples using the same connector?

On a side note, I just see in Sentinel that the Okta connector is "connected", not even totally sure how to confirm logs from both are being ingested. 


Thanks in advance.

7 Replies

@shay126 As this connector uses a Function app to make a call to Okta's System Log API and then saves all the information returned into the Log Analytics table, Okta_CL, it appears the only way for this to happen is if there is a way to change what Okta itself pushes to its logs.


I would talk with your Okta Admin or Okta to see if this is possible.

@Gary Bushey 

Thanks Gary - is there an easy way to confirm both Okta environments are being ingested into Sentinel? I added both but I'm not totally sure how to confirm they are both working...


Shay

@shay126 Not being an Okta expert I don't know.  I don't have access to the table that Okta writes to in order to see what the fields look like.

@Gary Bushey 


Thanks for the reply Gary. I think it's more of a Sentinel thing though. Ideally under the Sentinel connector it would show it's connected to X and Y Okta environments. I did look at logging in the function app and saw it listing an HTTP status of 200... so I think it's working...

@shay126 There is nothing (yet) in Azure Sentinel that would do this.

@Gary Bushey @shay126: I believe @Yaniv Shasha is working on an update to the connector that adds the Okta domain.

@Ofer_Shezaf Thanks for adding me.

Indeed, I added a GitHub issue to solve this: https://github.com/Azure/Azure-Sentinel/issues/925

Will update once it is published.
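The two points raised in this thread, tagging each record with its source Okta environment (what the first reply says the connector cannot do yet and the later replies say is being added) and confirming that every environment actually lands in Okta_CL, can be shown in a small Python sketch of what the Function app's "fetch, then write to Log Analytics" loop would look like with a source tag. This is an added example, not the Azure Sentinel Okta connector's own code: the field name okta_domain, the two tenant hostnames, and the sample System Log records are all constructed here for illustration, and the only thing it assumes about the real connector is that it polls one System Log API URL per environment.

```python
"""
Added example (not the Sentinel Okta connector's code): tag Okta System Log
records with the environment they came from before they are written to
Okta_CL, then summarize the batch per environment so that a silent,
un-ingested tenant is visible.

Assumptions made here, not taken from the thread: the extra field is called
okta_domain, the environment name is the hostname of the System Log API URL,
and the records below are constructed samples, not real Okta output.
"""
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: what two environments might return from GET /api/v1/logs.
# Real System Log records carry many more fields; only a handful are shown.
SAMPLE_RESPONSES = {
    "https://acme.okta.com/api/v1/logs": [
        {"uuid": "e1", "published": "2020-08-01T10:00:00.000Z",
         "eventType": "user.session.start",
         "actor": {"alternateId": "alice@acme.example"},
         "outcome": {"result": "SUCCESS"}},
        {"uuid": "e2", "published": "2020-08-01T10:00:05.000Z",
         "eventType": "user.authentication.auth_via_mfa",
         "actor": {"alternateId": "alice@acme.example"},
         "outcome": {"result": "SUCCESS"}},
    ],
    "https://acme-dev.oktapreview.com/api/v1/logs": [
        {"uuid": "e3", "published": "2020-08-01T10:01:00.000Z",
         "eventType": "user.session.start",
         "actor": {"alternateId": "bob@acme.example"},
         "outcome": {"result": "FAILURE"}},
    ],
}


def okta_domain(api_url: str) -> str:
    """Derive the environment name from the System Log API URL the poller uses."""
    host = urlparse(api_url).hostname
    if not host:
        raise ValueError(f"no hostname in API URL {api_url!r}")
    return host


def tag_records(records: list, domain: str) -> list:
    """Return copies of the records with okta_domain added.

    Refuse to overwrite a field of the same name: the tag must describe where
    the poller fetched the record from, never something the upstream data
    already claimed about itself.
    """
    tagged = []
    for rec in records:
        if "okta_domain" in rec:
            raise ValueError(f"record {rec.get('uuid')!r} already has okta_domain")
        tagged.append({**rec, "okta_domain": domain})
    return tagged


def build_batch(responses: dict) -> list:
    """Emulate one poll cycle: tag every environment's records and return the
    list that would be serialized and posted to Log Analytics for Okta_CL."""
    batch = []
    for api_url, records in responses.items():
        batch.extend(tag_records(records, okta_domain(api_url)))
    return batch


def ingestion_summary(batch: list) -> dict:
    """Records per source environment in this batch."""
    return dict(Counter(rec["okta_domain"] for rec in batch))


def missing_domains(batch: list, expected_api_urls: list) -> list:
    """Environments that were configured but contributed nothing to the batch.

    An HTTP 200 from the poller only proves the call succeeded; an empty list
    here is what actually confirms every environment is being ingested.
    """
    expected = {okta_domain(u) for u in expected_api_urls}
    seen = set(ingestion_summary(batch))
    return sorted(expected - seen)


if __name__ == "__main__":
    batch = build_batch(SAMPLE_RESPONSES)
    print(json.dumps(batch, indent=2))
    print("per-environment counts:", ingestion_summary(batch))
    configured = list(SAMPLE_RESPONSES) + ["https://acme-stage.okta.com/api/v1/logs"]
    print("configured but not ingested:", missing_domains(batch, configured))
```

Once a field like this exists in Okta_CL, the ingestion check in the workspace itself reduces to summarizing the table by that column over the last day and comparing the result against the list of configured environments; without such a field, the only evidence is the Function app's HTTP status, which says nothing about which tenant a given row came from.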
