All Apps and Add-ons

Okta Alert Actions (oktaGroupMemberChange)

brettwilliams
Path Finder

This doesn't seem to work...  we've followed the instructions provided with the TA, but we're getting errors output from the scripts to the effect of basic tokens missing.  Also reaching out to Okta support directly.

 

 

2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=setup_util.py:log_error:110 | Credential account with username <our okta> can not be found

 

Yeah, we have this configured.

 

 

2020-07-10 15:33:13,487 DEBUG pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="_okta_client Invoked with a url of: https://<our okta>/api/v1/groups/<group>/users/<user>" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

 

OK, seems normal to me.  It attempts the API call, but what does cim_actions have to do with it?  Yes, we have CIM installed, and the add-on is good for all versions.

 

 

2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Error: 'NoneType' object has no attribute '__getitem__'. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed." action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved" action_status="failure"

 

NoneType has no attribute.  Even more vague.

 

 

2020-07-10 15:33:14,370 INFO pid=21898 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Invoking modular action" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409580_68741" rid="1" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

 

Then it goes ahead and tries to call the modular action anyway.

 

 

07-10-2020 15:39:23.653 -0400 ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 4., search='sendalert oktaGroupMemberChange results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784/per_result_alert/tmp_1.csv.gz" results_link="https://<our search head>/app/TA-Okta_Identity_Cloud_for_Splunk/search?q=%7Cloadjob%20scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now"'

 

Error code 4...  nothing more than that.  The part of the script where that error is thrown is related to gathering parameters.  I suspect that maybe this is implemented, but never tested or confirmed to work.  But I could be wrong...

Labels (2)
Tags (2)
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...