
Hi, I am trying to use the Okta Events API to pull MFA enrollment and reset events, pump them into a SIEM engine and send user alerts. We want to keep users informed about Okta MFA enrollment and reset events where Okta is the authority for that MFA factor's enrollment or reset.

We would like to send emails saying things like:

  You just enrolled an SMS number
  You just enabled push-message MFA
  You just reset your MFA settings through self-service

I have looked through the Okta Events API documentation online, no bueno. http://developer.okta.com/docs/api/rest/events.html

I would hope this is logged, or at least that there is a hook for logging it, but it may not be exposed in the events service.. Does anyone have any ideas?


1 Answer


The best way to get any logging information is to perform the events you want to capture for a test user, then fetch the Okta events whose published time is greater than the start time.

For example, from the end-user settings page (https://{org}.okta.com/enduser/settings) I performed the following events for the user mfa@thomas-kirk.com:

  1. Set up Google Authenticator factor
  2. Updated my Security Question factor
  3. Reset Google Authenticator factor

Then I used Postman to pull all events after the test start time:

/api/v1/events?limit=100&filter=published gt "2015-04-17T18:21:00.000Z"

You can see the following output for reference:

[
   {
      "eventId": "tevz7MzV49UT8CkaAY7LwOB_g1429294862000",
      "sessionId": "s03khgvyS6nRr61bjallafGHQ",
      "requestId": "VTFPDoXpXQ9fcy12eMvbwgAAA6o",
      "published": "2015-04-17T18:21:02.000Z",
      "action": {
         "message": "User set up Google Authenticator factor",
         "categories": [],
         "objectType": "core.user.factor.activate",
         "requestUri": "/user/settings/factors/soft_token/phone_verify"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   },
   {
      "eventId": "tevw_-4GuDETaugWP-m-g7e9w1429294973000",
      "sessionId": "s03khgvyS6nRr61bjallafGHQ",
      "requestId": "VTFPfXHotREXVB8lhZ@XTAAABLc",
      "published": "2015-04-17T18:22:53.000Z",
      "action": {
         "message": "User updated Security Question factor",
         "categories": [],
         "objectType": "core.user.factor.update",
         "requestUri": "/user/settings/security_question_factor/create"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   },
   {
      "eventId": "tevszF5O0FwTl6Kh3VPuD43zQ1429295053000",
      "sessionId": "s03khgvyS6nRr61bjallafGHQ",
      "requestId": "VTFPzX72Bs3H2qU5ZzXavQAACiE",
      "published": "2015-04-17T18:24:13.000Z",
      "action": {
         "message": "User reset Google Authenticator factor",
         "categories": [],
         "objectType": "core.user.factor.deactivate",
         "requestUri": "/user/settings/factors/soft_token/phone_deactivate"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   },
   {
      "eventId": "tev9bJOoEHAQEK101ZkEBAnvw1429295150000",
      "sessionId": "s01XrjTEzTcRdGT1Zb7FkiOxw",
      "requestId": "VTFQLn72Bs3H2qU5ZzXeIwAACeA",
      "published": "2015-04-17T18:25:50.000Z",
      "action": {
         "message": "User set up Google Authenticator factor",
         "categories": [],
         "objectType": "core.user.factor.activate",
         "requestUri": "/user/settings/factors/soft_token/phone_verify"
      },
      "actors": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         },
         {
            "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
            "displayName": "CHROME",
            "ipAddress": "67.223.10.7",
            "objectType": "Client"
         }
      ],
      "targets": [
         {
            "id": "00u3ssydqqKOfez5C0h7",
            "displayName": "MFA Test",
            "login": "mfa@thomas-kirk.com",
            "objectType": "User"
         }
      ]
   }
]

This means the object types to query for are:

  1. Set up Google Authenticator factor: "core.user.factor.activate"
  2. Updated my Security Question factor: "core.user.factor.update"
  3. Reset Google Authenticator factor: "core.user.factor.deactivate"

Also note: you cannot rely on the Events API for real-time data. Okta's events can lag because of ETL. I have seen the Events API lag by several hours.

Answered 2015-04-17T19:16:08.730
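An added example, not from the question or the answer, of how a poller could turn these events into user notifications in Python. The objectType values come from the answer above; the sample page, the login, the IP address and the unrelated objectType are constructed placeholders, and the de-duplication by eventId is there because of the lag the answer describes.

```python
import json

# objectType values from the answer above, mapped to the user-facing notice.
FACTOR_EVENTS = {
    "core.user.factor.activate": "You just enrolled a new MFA factor",
    "core.user.factor.update": "You just updated an MFA factor",
    "core.user.factor.deactivate": "You just reset an MFA factor",
}

# Constructed sample page: two factor events shaped like the answer's output plus
# one unrelated event (placeholder objectType) that the filter must ignore.
SAMPLE_PAGE = json.loads("""[
 {"eventId": "ev1", "published": "2015-04-17T18:21:02.000Z",
  "action": {"message": "User set up Google Authenticator factor",
             "objectType": "core.user.factor.activate"},
  "actors": [{"login": "mfa@example.com", "objectType": "User"},
             {"ipAddress": "198.51.100.7", "objectType": "Client"}],
  "targets": [{"login": "mfa@example.com", "objectType": "User"}]},
 {"eventId": "ev2", "published": "2015-04-17T18:24:13.000Z",
  "action": {"message": "User reset Google Authenticator factor",
             "objectType": "core.user.factor.deactivate"},
  "actors": [{"login": "mfa@example.com", "objectType": "User"},
             {"ipAddress": "198.51.100.7", "objectType": "Client"}],
  "targets": [{"login": "mfa@example.com", "objectType": "User"}]},
 {"eventId": "ev3", "published": "2015-04-17T18:30:00.000Z",
  "action": {"message": "Unrelated", "objectType": "example.unrelated.event"},
  "actors": [{"login": "mfa@example.com", "objectType": "User"}], "targets": []}
]""")

def mfa_alerts(events, seen_ids):
    """One alert per MFA factor event not yet in seen_ids (updated in place),
    so overlapping polls, needed because Okta events can lag, don't email twice."""
    alerts = []
    for ev in events:
        kind = ev["action"]["objectType"]
        if kind not in FACTOR_EVENTS or ev["eventId"] in seen_ids:
            continue
        seen_ids.add(ev["eventId"])
        # Target User = account whose factor changed; Client actor = source IP.
        target = next(t for t in ev["targets"] if t["objectType"] == "User")
        client = next((a for a in ev["actors"] if a["objectType"] == "Client"), {})
        alerts.append({"login": target["login"], "published": ev["published"],
                       "ip": client.get("ipAddress", "unknown"),
                       "text": FACTOR_EVENTS[kind] + " (" + ev["action"]["message"] + ")"})
    return alerts

def next_filter(events, previous):
    """Filter for the next poll: the newest 'published' seen, else the old mark."""
    latest = max((e["published"] for e in events), default=previous)
    return 'published gt "' + latest + '"'
```

A real poller would re-query a window behind the returned mark and rely on the seen_ids set to suppress repeats, since late-arriving events can have a published time older than the mark.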