Hi, I'm trying to use the Okta Events API to pull MFA enrollment and reset events, pump them into a SIEM engine and send user alerts. We want users to be informed about enrollment and reset events around Okta MFA, where Okta is authoritative for the enrollment or reset of that MFA factor.
We want to send emails along the lines of:
You just enrolled an SMS number
You just enabled push-notification MFA
You just reset your MFA settings through self-service
I looked at the Okta Events API documentation online. No bueno. http://developer.okta.com/docs/api/rest/events.html
I was hoping this would be logged, or at least that there would be a hook to capture it, but maybe it isn't exposed in the events service... Anyone have any ideas?
Answer 0 (score: 1)
The best way to find out what gets logged is to perform the events you want to capture for a test user, then fetch the Okta events published after the start time.
For example, I performed the following events for the user mfa@thomas-kirk.com from the end-user settings page (https://{org}.okta.com/enduser/settings):
Then I used Postman to pull all events after the test start time:
/api/v1/events?limit=100&filter=published gt "2015-04-17T18:21:00.000Z"
You can see the output below for reference:
[
  {
    "eventId": "tevz7MzV49UT8CkaAY7LwOB_g1429294862000",
    "sessionId": "s03khgvyS6nRr61bjallafGHQ",
    "requestId": "VTFPDoXpXQ9fcy12eMvbwgAAA6o",
    "published": "2015-04-17T18:21:02.000Z",
    "action": {
      "message": "User set up Google Authenticator factor",
      "categories": [],
      "objectType": "core.user.factor.activate",
      "requestUri": "/user/settings/factors/soft_token/phone_verify"
    },
    "actors": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      },
      {
        "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
        "displayName": "CHROME",
        "ipAddress": "67.223.10.7",
        "objectType": "Client"
      }
    ],
    "targets": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      }
    ]
  },
  {
    "eventId": "tevw_-4GuDETaugWP-m-g7e9w1429294973000",
    "sessionId": "s03khgvyS6nRr61bjallafGHQ",
    "requestId": "VTFPfXHotREXVB8lhZ@XTAAABLc",
    "published": "2015-04-17T18:22:53.000Z",
    "action": {
      "message": "User updated Security Question factor",
      "categories": [],
      "objectType": "core.user.factor.update",
      "requestUri": "/user/settings/security_question_factor/create"
    },
    "actors": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      },
      {
        "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
        "displayName": "CHROME",
        "ipAddress": "67.223.10.7",
        "objectType": "Client"
      }
    ],
    "targets": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      }
    ]
  },
  {
    "eventId": "tevszF5O0FwTl6Kh3VPuD43zQ1429295053000",
    "sessionId": "s03khgvyS6nRr61bjallafGHQ",
    "requestId": "VTFPzX72Bs3H2qU5ZzXavQAACiE",
    "published": "2015-04-17T18:24:13.000Z",
    "action": {
      "message": "User reset Google Authenticator factor",
      "categories": [],
      "objectType": "core.user.factor.deactivate",
      "requestUri": "/user/settings/factors/soft_token/phone_deactivate"
    },
    "actors": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      },
      {
        "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
        "displayName": "CHROME",
        "ipAddress": "67.223.10.7",
        "objectType": "Client"
      }
    ],
    "targets": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      }
    ]
  },
  {
    "eventId": "tev9bJOoEHAQEK101ZkEBAnvw1429295150000",
    "sessionId": "s01XrjTEzTcRdGT1Zb7FkiOxw",
    "requestId": "VTFQLn72Bs3H2qU5ZzXeIwAACeA",
    "published": "2015-04-17T18:25:50.000Z",
    "action": {
      "message": "User set up Google Authenticator factor",
      "categories": [],
      "objectType": "core.user.factor.activate",
      "requestUri": "/user/settings/factors/soft_token/phone_verify"
    },
    "actors": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      },
      {
        "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
        "displayName": "CHROME",
        "ipAddress": "67.223.10.7",
        "objectType": "Client"
      }
    ],
    "targets": [
      {
        "id": "00u3ssydqqKOfez5C0h7",
        "displayName": "MFA Test",
        "login": "mfa@thomas-kirk.com",
        "objectType": "User"
      }
    ]
  }
]
That means the object types to query are:
Also note: you cannot rely on the Events API for real-time data. Because of ETL, Okta's events can lag. I have seen the Events API fall hours behind.
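An added example, not code from the question, the answer or Okta, showing how a poller would turn records in the shape shown above into the SIEM records and user notices the question asks for, and how to live with the lag the answer warns about. The three objectType values come straight from the answer's output; the overlapping poll window, the eventId de-duplication and the sample events (two trimmed copies of the answer's records plus one constructed non-factor event) are assumptions of this example, not documented Okta behaviour.

```python
"""Classify Okta Events API records into MFA-factor notifications.

Added example, not code from the question, the answer or Okta. The
objectType values are taken from the answer's sample output; the lookback
window and eventId de-duplication are an assumed pattern for a feed that can
deliver events hours after their published time."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Factor lifecycle objectTypes seen in the answer's output, mapped to the
# notification class the question wants to send.
MFA_FACTOR_EVENTS = {
    "core.user.factor.activate": "enrolled",
    "core.user.factor.update": "updated",
    "core.user.factor.deactivate": "reset",
}
USER_TEXT = {
    "enrolled": "You just enrolled a new MFA factor",
    "updated": "You just changed an MFA factor",
    "reset": "You just reset an MFA factor through self-service",
}

# Constructed sample: two events trimmed from the answer's output plus one
# constructed, unrelated login event to show that it is ignored.
SAMPLE_EVENTS = json.loads("""[
 {"eventId": "tevz7MzV49UT8CkaAY7LwOB_g1429294862000",
  "published": "2015-04-17T18:21:02.000Z",
  "action": {"message": "User set up Google Authenticator factor",
             "objectType": "core.user.factor.activate"},
  "actors": [{"login": "mfa@thomas-kirk.com", "objectType": "User"},
             {"displayName": "CHROME", "ipAddress": "67.223.10.7", "objectType": "Client"}],
  "targets": [{"login": "mfa@thomas-kirk.com", "objectType": "User"}]},
 {"eventId": "constructed-login-0001",
  "published": "2015-04-17T18:23:00.000Z",
  "action": {"message": "Sign-in (constructed)", "objectType": "core.user_auth.login_success"},
  "actors": [{"login": "mfa@thomas-kirk.com", "objectType": "User"}],
  "targets": []},
 {"eventId": "tevszF5O0FwTl6Kh3VPuD43zQ1429295053000",
  "published": "2015-04-17T18:24:13.000Z",
  "action": {"message": "User reset Google Authenticator factor",
             "objectType": "core.user.factor.deactivate"},
  "actors": [{"login": "mfa@thomas-kirk.com", "objectType": "User"},
             {"displayName": "CHROME", "ipAddress": "67.223.10.7", "objectType": "Client"}],
  "targets": [{"login": "mfa@thomas-kirk.com", "objectType": "User"}]}
]""")


def parse_published(ts):
    """'published' values are UTC ISO-8601 with millisecond precision."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def format_published(dt):
    """Inverse of parse_published, truncated to milliseconds."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_query(watermark, lookback=timedelta(hours=3), limit=100):
    """Path and query string for the 'published gt' filter used in the answer.
    The window starts `lookback` before the watermark (assumed overlap) so
    that events which reach the API late are still picked up."""
    since = watermark - lookback
    return "/api/v1/events?" + urlencode(
        {"limit": limit, "filter": f'published gt "{format_published(since)}"'})


def classify(event):
    """Return a notification record for an MFA factor event, else None."""
    kind = MFA_FACTOR_EVENTS.get(event["action"]["objectType"])
    if kind is None:
        return None
    user = next(t for t in event["targets"] if t["objectType"] == "User")
    client = next((a for a in event["actors"] if a["objectType"] == "Client"), {})
    return {
        "eventId": event["eventId"],
        "published": event["published"],
        "login": user["login"],
        "kind": kind,
        "sourceIp": client.get("ipAddress"),
        "client": client.get("displayName"),
        "userText": f'{USER_TEXT[kind]} ({event["action"]["message"]}).',
    }


def process_batch(events, seen_ids):
    """Notifications for factor events not delivered before. Overlapping
    windows re-fetch events, so eventId is the de-duplication key."""
    out = []
    for ev in events:
        note = classify(ev)
        if note is not None and ev["eventId"] not in seen_ids:
            seen_ids.add(ev["eventId"])
            out.append(note)
    return out


def next_watermark(events, current):
    """Advance to the latest published time seen, never moving backwards."""
    latest = max((parse_published(e["published"]) for e in events), default=current)
    return max(latest, current)


if __name__ == "__main__":
    seen, start = set(), parse_published("2015-04-17T18:21:00.000Z")
    print(build_query(start))
    for n in process_batch(SAMPLE_EVENTS, seen):
        print(f'{n["login"]}: {n["userText"]} from {n["sourceIp"]} ({n["client"]})')
    print("next watermark:", format_published(next_watermark(SAMPLE_EVENTS, start)))
```

Each poll asks for events published after the watermark minus the lookback and keeps the set of eventIds already delivered, so an event that surfaces hours late is still caught on a later poll without the user receiving the same email twice. The `sourceIp` and `client` fields are worth keeping in the SIEM record: a factor reset from an unfamiliar address is exactly the case the alert exists for.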