Okta Events API doesn't expose MFA lifecycle operations?

Time: 2015-04-17 05:10:27

Tags: okta okta-api

Hi, I'm trying to use the Okta Events API to pull MFA enrollment and reset events, pump them into a SIEM engine and send user alerts. We want to make users aware of enrollment and reset events around Okta MFA, where Okta is authoritative for the enrollment or reset of that MFA factor.

We want to send emails that say things like:

You just enrolled an SMS number / You just enabled push-message MFA / You just reset your MFA settings via self-service

I looked at the Okta Events API documentation online; no bueno. http://developer.okta.com/docs/api/rest/events.html

I would hope it gets logged, or at least that there is a hook for logging it, but maybe it just isn't exposed through the events service... Anyone have any ideas?

1 answer:

Answer 0 (score: 1)

The best way to get any logging information is to perform the events you want to capture for a test user, then fetch the Okta Events whose published time is greater than your start time.

For example, I performed the following events for the user mfa@thomas-kirk.com from the end-user settings page (https://{org}.okta.com/enduser/settings):

  1. Set up the Google Authenticator factor
  2. Updated my Security Question factor
  3. Reset the Google Authenticator factor
  4. Then I used Postman to pull all events after the test start time:

    /api/v1/events?limit=100&filter=published gt "2015-04-17T18:21:00.000Z"

    You can see the output below for reference:

    [
       {
          "eventId": "tevz7MzV49UT8CkaAY7LwOB_g1429294862000",
          "sessionId": "s03khgvyS6nRr61bjallafGHQ",
          "requestId": "VTFPDoXpXQ9fcy12eMvbwgAAA6o",
          "published": "2015-04-17T18:21:02.000Z",
          "action": {
             "message": "User set up Google Authenticator factor",
             "categories": [],
             "objectType": "core.user.factor.activate",
             "requestUri": "/user/settings/factors/soft_token/phone_verify"
          },
          "actors": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             },
             {
                "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
                "displayName": "CHROME",
                "ipAddress": "67.223.10.7",
                "objectType": "Client"
             }
          ],
          "targets": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             }
          ]
       },
       {
          "eventId": "tevw_-4GuDETaugWP-m-g7e9w1429294973000",
          "sessionId": "s03khgvyS6nRr61bjallafGHQ",
          "requestId": "VTFPfXHotREXVB8lhZ@XTAAABLc",
          "published": "2015-04-17T18:22:53.000Z",
          "action": {
             "message": "User updated Security Question factor",
             "categories": [],
             "objectType": "core.user.factor.update",
             "requestUri": "/user/settings/security_question_factor/create"
          },
          "actors": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             },
             {
                "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
                "displayName": "CHROME",
                "ipAddress": "67.223.10.7",
                "objectType": "Client"
             }
          ],
          "targets": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             }
          ]
       },
       {
          "eventId": "tevszF5O0FwTl6Kh3VPuD43zQ1429295053000",
          "sessionId": "s03khgvyS6nRr61bjallafGHQ",
          "requestId": "VTFPzX72Bs3H2qU5ZzXavQAACiE",
          "published": "2015-04-17T18:24:13.000Z",
          "action": {
             "message": "User reset Google Authenticator factor",
             "categories": [],
             "objectType": "core.user.factor.deactivate",
             "requestUri": "/user/settings/factors/soft_token/phone_deactivate"
          },
          "actors": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             },
             {
                "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
                "displayName": "CHROME",
                "ipAddress": "67.223.10.7",
                "objectType": "Client"
             }
          ],
          "targets": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             }
          ]
       },
       {
          "eventId": "tev9bJOoEHAQEK101ZkEBAnvw1429295150000",
          "sessionId": "s01XrjTEzTcRdGT1Zb7FkiOxw",
          "requestId": "VTFQLn72Bs3H2qU5ZzXeIwAACeA",
          "published": "2015-04-17T18:25:50.000Z",
          "action": {
             "message": "User set up Google Authenticator factor",
             "categories": [],
             "objectType": "core.user.factor.activate",
             "requestUri": "/user/settings/factors/soft_token/phone_verify"
          },
          "actors": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             },
             {
                "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
                "displayName": "CHROME",
                "ipAddress": "67.223.10.7",
                "objectType": "Client"
             }
          ],
          "targets": [
             {
                "id": "00u3ssydqqKOfez5C0h7",
                "displayName": "MFA Test",
                "login": "mfa@thomas-kirk.com",
                "objectType": "User"
             }
          ]
       }
    ]
    

    This means the object types to query for are:

    1. Set up Google Authenticator factor: "core.user.factor.activate"
    2. Updated my Security Question factor: "core.user.factor.update"
    3. Reset Google Authenticator factor: "core.user.factor.deactivate"
    4. Also note: you cannot rely on the Events API for real-time data. Because of ETL, Okta's events can fall behind. I have seen the Events API lag by several hours.
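Putting the answer's findings together, here is an added example (not code from the question, the answer, or Okta) of the poller the question describes: it builds the `published gt` filter request, maps the three factor `objectType` values seen in the output above to per-user notification records, and handles the lag the answer warns about by re-reading an overlapping window on each poll and de-duplicating on `eventId`. The org URL, the API token, the notification wording and the overlap size are placeholders; the sample events are constructed from the shape of the answer's output.

```python
"""Poll the Okta Events API for MFA factor lifecycle events and turn them into
per-user notifications. Added example; org URL, token, wording and overlap are
assumptions, and SAMPLE_EVENTS is constructed from the answer's output."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# objectType values shown in the answer's output, mapped to placeholder user-facing wording
FACTOR_EVENTS = {
    "core.user.factor.activate": "You just enrolled a new MFA factor",
    "core.user.factor.update": "You just updated an MFA factor",
    "core.user.factor.deactivate": "You just reset an MFA factor",
}

# The answer reports the Events API lagging by hours because of ETL, so each poll
# re-reads a window overlapping the last one (assumed 4h) and de-duplicates by eventId.
DEFAULT_OVERLAP = timedelta(hours=4)
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_published(value):
    """Parse an Okta 'published' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def build_events_url(org_url, since, limit=100):
    """Build the /api/v1/events request with the 'published gt' filter used in the answer."""
    filt = 'published gt "%s"' % since.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return org_url.rstrip("/") + "/api/v1/events?" + urlencode({"limit": limit, "filter": filt})


def fetch_events(org_url, api_token, since):
    """Live call (not exercised offline); Okta API tokens use the SSWS authorization scheme."""
    req = Request(build_events_url(org_url, since),
                  headers={"Authorization": "SSWS " + api_token, "Accept": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)


def factor_notifications(events, seen_ids):
    """Return notification records for factor lifecycle events not already processed.

    Non-factor events and eventIds already in seen_ids (from an earlier, overlapping
    poll) are skipped; seen_ids is updated in place.
    """
    out = []
    for ev in events:
        kind = ev.get("action", {}).get("objectType")
        if kind not in FACTOR_EVENTS or ev["eventId"] in seen_ids:
            continue
        # notify the target User (whose factor changed); the actor User may be an admin
        user = next((t for t in ev.get("targets", []) if t.get("objectType") == "User"), None)
        if user is None:
            continue
        client = next((a for a in ev.get("actors", []) if a.get("objectType") == "Client"), {})
        seen_ids.add(ev["eventId"])
        out.append({
            "login": user["login"],
            "subject": FACTOR_EVENTS[kind],
            "detail": ev["action"]["message"],
            "published": ev["published"],
            "ipAddress": client.get("ipAddress"),
            "eventId": ev["eventId"],
        })
    return out


def next_since(events, previous, overlap=DEFAULT_OVERLAP):
    """Checkpoint for the next poll: newest published time minus the lag overlap,
    but never behind the previous checkpoint."""
    if not events:
        return previous
    newest = max(parse_published(e["published"]) for e in events)
    return max(previous, newest - overlap)


# Constructed sample input, reduced to the fields the poller uses (values from the answer's output)
_USER = {"id": "00u3ssydqqKOfez5C0h7", "displayName": "MFA Test",
         "login": "mfa@thomas-kirk.com", "objectType": "User"}
_CLIENT = {"displayName": "CHROME", "ipAddress": "67.223.10.7", "objectType": "Client"}
SAMPLE_EVENTS = [
    {"eventId": "tevz7MzV49UT8CkaAY7LwOB_g1429294862000", "published": "2015-04-17T18:21:02.000Z",
     "action": {"message": "User set up Google Authenticator factor", "objectType": "core.user.factor.activate"},
     "actors": [_USER, _CLIENT], "targets": [_USER]},
    {"eventId": "tevw_-4GuDETaugWP-m-g7e9w1429294973000", "published": "2015-04-17T18:22:53.000Z",
     "action": {"message": "User updated Security Question factor", "objectType": "core.user.factor.update"},
     "actors": [_USER, _CLIENT], "targets": [_USER]},
    {"eventId": "constructed-non-factor-event", "published": "2015-04-17T18:23:00.000Z",  # should be ignored
     "action": {"message": "constructed non-factor event", "objectType": "example.other.event"},
     "actors": [_USER, _CLIENT], "targets": [_USER]},
    {"eventId": "tevszF5O0FwTl6Kh3VPuD43zQ1429295053000", "published": "2015-04-17T18:24:13.000Z",
     "action": {"message": "User reset Google Authenticator factor", "objectType": "core.user.factor.deactivate"},
     "actors": [_USER, _CLIENT], "targets": [_USER]},
]

if __name__ == "__main__":
    seen = set()
    for note in factor_notifications(SAMPLE_EVENTS, seen):
        print("%(login)s: %(subject)s (%(detail)s at %(published)s from %(ipAddress)s)" % note)
    print("next poll since:", next_since(SAMPLE_EVENTS, parse_published("2015-04-17T18:21:00.000Z")).isoformat())
```

The overlap window is the part that matters operationally: because the answer reports multi-hour ETL lag, a poller that checkpoints at the newest `published` value it has seen will silently miss events that land later with earlier timestamps, so the checkpoint is moved back by the overlap and the `eventId` set absorbs the repeats. The same polling pattern applies to the System Log API (`/api/v1/logs`) that later replaced the Events API.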