
Okta's Enhanced System Log Report - Part II

Jul 28, 2016 | by Eric Karlinsky in Security
Last week I introduced to this community some improvements to Okta’s System Log reporting, powered by Okta’s new platform-level big data analytics service. Today I want to take a closer look at advanced searches and metadata drill-downs. Stay with me, it will be worth it! If you missed the first part of this series, read it here.

Advanced Search

Advanced Search lets admins filter the System Log data according to one or more specific data comparisons. Let's give it a try: click on Advanced Filter (under the search bar, on the right, near the magnifying glass. There, you got it).
You'll see the blank Advanced Search screen, which looks like this:

Its simplicity belies its power... let's put it to work! If you've got a filter in mind, you can enter it here. The interface will help you by resolving object types and enumerated values in real-time as you type. If you don't have a filter in mind yet, you can use the one here as an example:

This filter shows all delegated AD authentication events that failed. It's not a big deal if this happens once in a while (we all mistype our passwords sometimes), but if it is happening a lot for a specific user, that's worth investigating. Why? Because this could indicate that a brute-force attack is being attempted against your accounts. Or it could mean something as simple as Jill went back to the office after Happy Hour and had a bit of trouble logging in. The point is: you can investigate patterns that you deem suspicious.

This filter shows you quickly whether anything suspicious is happening in your org. Once you apply the filter by clicking Apply Filter, the System Log goes to work showing you the right data. You'll see something like this:


Feel free to play around with these filters to drill into whatever events you are interested in. If you're looking for inspiration, here are some of my favorite filters:
client.geographicalContext.country eq "United Kingdom"
    Show only events that originated from the United Kingdom. Any other geographical region works too. Best practice would be to watch for access from locations that you don’t have employees working in.

client.device eq "Mobile"
    Show only activity from mobile devices.

eventType eq "application.user_membership.add" and target.displayName eq "Salesforce.com"
    Everyone who's ever been given Salesforce.com access. Any other app works too.

eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "FAILURE"
    Show all failed MFA attempts.

eventType eq "user.went_home_early" and target.displayName sw "Hank"
    Show every time Hank from Accounts Payable left work early, which seems to be pretty much every day.*

*This filter is not currently possible, but maybe one day, who knows?
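To make the filter syntax concrete, here is an added example (my own code, not Okta's product or API) that parses the same eq / sw / and clause form used in the filters above, runs it over a few constructed events shaped like System Log records, and then counts failures per user to surface the "lots of failures for one user" pattern discussed earlier. The field names follow the ones on this page; the event values and the threshold of 2 are made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sample events shaped like Okta System Log records (made-up values).
EVENTS = [
    {"eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"},
     "actor": {"displayName": "Jill"}, "client": {"device": "Computer",
     "geographicalContext": {"country": "United Kingdom"}}},
    {"eventType": "application.user_membership.add", "outcome": {"result": "SUCCESS"},
     "actor": {"displayName": "Admin"}, "target": {"displayName": "Salesforce.com"},
     "client": {"device": "Computer", "geographicalContext": {"country": "United States"}}},
    {"eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"},
     "actor": {"displayName": "Jill"}, "client": {"device": "Mobile",
     "geographicalContext": {"country": "United Kingdom"}}},
]
CLAUSE = re.compile(r'([\w.]+)\s+(eq|sw)\s+"([^"]*)"')  # dotted.path <eq|sw> "value"

def lookup(event, path):
    """Walk a dotted path like client.geographicalContext.country; None if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def parse_filter(expr):
    """Parse 'path eq|sw "value" [and ...]'; unknown syntax is rejected, not guessed."""
    parts = [CLAUSE.fullmatch(p.strip()) for p in re.split(r"\s+and\s+", expr.strip())]
    if not all(parts):
        raise ValueError(f"unsupported filter: {expr!r}")
    return [m.groups() for m in parts]

def apply_filter(events, expr):
    """Keep events for which every clause holds; a missing field never matches."""
    clauses = parse_filter(expr)
    def ok(event):
        for path, op, value in clauses:
            actual = lookup(event, path)
            if actual is None or (op == "eq" and str(actual) != value) \
                    or (op == "sw" and not str(actual).startswith(value)):
                return False
        return True
    return [e for e in events if ok(e)]

def failures_per_actor(events, threshold=2):
    """Count FAILURE outcomes per actor; anyone at or above threshold merits a look."""
    counts = Counter(e["actor"]["displayName"] for e in events
                     if e.get("outcome", {}).get("result") == "FAILURE")
    return {who: n for who, n in counts.items() if n >= threshold}
```

Feed failures_per_actor the output of the failed-MFA filter to get the per-user view the post describes, rather than scanning rows by eye.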

Once you get comfortable with the object model, I think you'll agree that Advanced Filters are pretty powerful. You may even wonder how you ever did your job without them (don't worry, they're not going anywhere). We hope you have some fun messing around with filters and that the capability meets your needs. If you have handy tips and tricks or have a favorite advanced filter, share it with the community by posting it at Tips & Tricks Community Group.

Metadata Drill-Downs

I call this “Sleuth Mode”. There’s only so much real estate on a given monitor, so we can’t show everything neatly in a single table, but we know that’s not enough. If you haven’t already, go ahead and click on the right arrow on the left-hand side of any event in the Events Pane. It looks like this:


When you do, the event expands to reveal a ton of metadata about the given event. Let’s go back to the previous scenario with the series of failed login attempts. Let’s say you want to investigate it and see whether it really is Jill or if it’s a nefarious hacker. Taking a look at the metadata, you can see that the failed attempt came from OFF_NETWORK (based on your Okta Network Zones settings). You can also see the geolocation data. The Client IP Address is also shown.


You can use this metadata to investigate whether this event is outside of expected behaviour. And if you click on any of the values (go ahead, give it a try, I’ll wait), it adds that value to the filters and shows you only other events with the same value. Any of the metadata elements in the drill-down panel are filterable on the Okta System Log. Now how cool is that?

Oh, and don't hesitate to ask questions or provide feedback via the Okta Community or on Twitter @Okta. We'd love to hear from you.