I am trying to create an alert that triggers if a user successfully logs in without first having been successfully authenticated via MFA. The query is below:
index="okta" sourcetype="OktaIM2:log" outcome.result=SUCCESS description="User login to Okta" OR description="Authentication of user via MFA"
| transaction maxspan=1h actor.alternateId, src_ip
| where (mvcount(description) == 1)
| where (mvindex(description, "User login to Okta") == 0)
I keep getting the error
Error in 'where' command: The arguments to the 'mvindex' function are invalid.
Please help me correct my search and explain what I am doing wrong.
The second argument to mvindex must be an integer. I think perhaps you want something like this:
| where (mvindex(description, mvfind(description,"User login to Okta")) == 0)
or, even better
| where (isnotnull(mvfind(description, "User login to Okta")))
but, the mvindex second argument must be a "number".
mvindex(<mv>, <start>, <end>)
This function returns a subset of the multivalue field using the start and end index values.
Usage: The <mv> argument must be a multivalue field. The <start> and <end> indexes must be numbers.
The <mv> and <start> arguments are required. The <end> argument is optional.
https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions
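To make the accepted fix concrete, here is an added Python model of the search (example code written for this thread, not from Splunk, Okta or the original poster). It assumes constructed sample events flattened to the field names the search uses (actor.alternateId, src_ip, description, outcome.result), approximates `transaction ... maxspan=1h` by grouping on user and source IP and splitting a group when an event falls more than an hour after the group's first event, deduplicates the multivalue description field, and reimplements mvfind (regex match, returns an index) and mvindex (integer positions only) so the original error is reproducible:

```python
import json
import re
from datetime import datetime, timedelta

LOGIN = "User login to Okta"
MFA = "Authentication of user via MFA"
MAXSPAN = timedelta(hours=1)  # same window as `transaction maxspan=1h`

# Constructed sample events (not real Okta data), flattened to the field
# names the search uses. Carol's FAILURE event is dropped by the base search;
# Dave's MFA event is 90 minutes before his login, so it lands in a separate
# transaction and his login is flagged.
SAMPLE_LOG = """\
{"_time": "2024-01-15T09:00:00Z", "actor.alternateId": "alice@example.com", "src_ip": "203.0.113.10", "description": "Authentication of user via MFA", "outcome.result": "SUCCESS"}
{"_time": "2024-01-15T09:00:05Z", "actor.alternateId": "alice@example.com", "src_ip": "203.0.113.10", "description": "User login to Okta", "outcome.result": "SUCCESS"}
{"_time": "2024-01-15T09:10:00Z", "actor.alternateId": "bob@example.com", "src_ip": "198.51.100.7", "description": "User login to Okta", "outcome.result": "SUCCESS"}
{"_time": "2024-01-15T09:20:00Z", "actor.alternateId": "carol@example.com", "src_ip": "198.51.100.8", "description": "User login to Okta", "outcome.result": "FAILURE"}
{"_time": "2024-01-15T08:00:00Z", "actor.alternateId": "dave@example.com", "src_ip": "192.0.2.5", "description": "Authentication of user via MFA", "outcome.result": "SUCCESS"}
{"_time": "2024-01-15T09:30:00Z", "actor.alternateId": "dave@example.com", "src_ip": "192.0.2.5", "description": "User login to Okta", "outcome.result": "SUCCESS"}
"""


def mvfind(mv, pattern):
    """Splunk-style mvfind: index of the first value matching the regex, else None."""
    for i, value in enumerate(mv):
        if re.search(pattern, value):
            return i
    return None


def mvindex(mv, start, end=None):
    """Splunk-style mvindex: value(s) at integer positions; a string index is an error."""
    if not isinstance(start, int) or (end is not None and not isinstance(end, int)):
        raise ValueError("The arguments to the 'mvindex' function are invalid")
    return mv[start] if end is None else mv[start:end + 1]


def parse_events(raw):
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def base_search(events):
    """The search clause: successful outcomes with one of the two descriptions."""
    return [e for e in events
            if e["outcome.result"] == "SUCCESS" and e["description"] in (LOGIN, MFA)]


def transaction(events, keys, maxspan):
    """Approximation of `transaction <keys> maxspan=...` (an assumption, not
    Splunk's exact algorithm): group by keys, start a new transaction whenever an
    event falls more than maxspan after the group's first event, and collect the
    distinct description values into a multivalue list."""
    grouped = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        grouped.setdefault(tuple(e[k] for k in keys), []).append(e)
    transactions = []
    for key, evs in grouped.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["_time"] - current[0]["_time"] > maxspan:
                transactions.append((key, current))
                current = []
            current.append(e)
        transactions.append((key, current))
    result = []
    for key, evs in transactions:
        descriptions = []
        for e in evs:
            if e["description"] not in descriptions:
                descriptions.append(e["description"])
        result.append({"actor.alternateId": key[0], "src_ip": key[1],
                       "_time": evs[0]["_time"], "description": descriptions})
    return result


def logins_without_mfa(raw):
    """Return (user, src_ip) pairs whose transaction holds a login but no MFA event."""
    hits = []
    for t in transaction(base_search(parse_events(raw)),
                         ("actor.alternateId", "src_ip"), MAXSPAN):
        desc = t["description"]
        # `where mvcount(description) == 1` plus the accepted fix:
        # `where isnotnull(mvfind(description, "User login to Okta"))`
        if len(desc) == 1 and mvfind(desc, LOGIN) is not None:
            hits.append((t["actor.alternateId"], t["src_ip"]))
    return hits


if __name__ == "__main__":
    for user, ip in logins_without_mfa(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {ip} with no MFA event in the same transaction")
```

Running it flags Bob (login, no MFA at all) and Dave (MFA event outside the one-hour window), and not Alice. The Dave case is the caveat to keep in mind when tuning this alert: maxspan decides whether an earlier MFA event counts, so a window shorter than the gap between MFA and session start produces false positives, while a very long window can hide a login that reused an old factor. Calling `mvindex(desc, "User login to Okta")` in this model raises the same "arguments ... are invalid" error the question hit, because the second argument is a string rather than a position.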
The first one still threw an error, but the second worked fine. Thanks!