
Okta Alert Actions (oktaGroupMemberChange)

brettwilliams
Path Finder

This doesn't seem to work... We've followed the instructions provided with the TA, but we're getting errors output from the scripts to the effect of basic tokens missing. Also reaching out to Okta support directly.


2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=setup_util.py:log_error:110 | Credential account with username <our okta> can not be found

Yeah, we have this configured.


2020-07-10 15:33:13,487 DEBUG pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="_okta_client Invoked with a url of: https://<our okta>/api/v1/groups/<group>/users/<user>" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

OK, seems normal to me. It attempts the API call, but what does cim_actions have to do with it? Yes, we have CIM installed, and the add-on is good for all versions.


2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Error: 'NoneType' object has no attribute '__getitem__'. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed." action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved" action_status="failure"

NoneType has no attribute. Even more vague.


2020-07-10 15:33:14,370 INFO pid=21898 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Invoking modular action" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409580_68741" rid="1" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

Then it goes ahead and tries to call the modular action anyway.


07-10-2020 15:39:23.653 -0400 ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 4., search='sendalert oktaGroupMemberChange results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784/per_result_alert/tmp_1.csv.gz" results_link="https://<our search head>/app/TA-Okta_Identity_Cloud_for_Splunk/search?q=%7Cloadjob%20scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now"'

Error code 4... Nothing more than that. The part of the script where that error is thrown is related to gathering parameters. I suspect that maybe this is implemented, but never tested or confirmed to work. But I could be wrong...
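An added example (not from the post or the TA) to make triage of the output above less manual: a small Python parser for the two log formats quoted here, the `sendmodaction` key="value" lines written by cim_actions.py / setup_util.py and the splunkd SearchScheduler `sendalert` error, that correlates events by sid and reports which invocation failed, why, and with what exit code. The sample lines are constructed with placeholder hosts, sids and URLs.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the post's output; hosts, sids and URLs are placeholders.
SAMPLE_LOG = """\
2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=setup_util.py:log_error:110 | Credential account with username okta-svc can not be found
2020-07-10 15:33:13,487 DEBUG pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="sh01" signature="_okta_client Invoked with a url of: https://example.okta.com/api/v1/groups/g1/users/u1" action_name="oktaGroupMemberChange" search_name="okta test" sid="scheduler__admin__RMD5aaaa_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"
2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="sh01" signature="Error: 'NoneType' object has no attribute '__getitem__'. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed." action_name="oktaGroupMemberChange" search_name="okta test" sid="scheduler__admin__RMD5aaaa_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved" action_status="failure"
2020-07-10 15:33:14,370 INFO pid=21898 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="sh01" signature="Invoking modular action" action_name="oktaGroupMemberChange" search_name="okta test" sid="scheduler__admin__RMD5aaaa_at_1594409580_68741" rid="1" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"
07-10-2020 15:39:23.653 -0400 ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 4., search='sendalert oktaGroupMemberChange results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__admin__RMD5aaaa_at_1594409940_68784/per_result_alert/tmp_1.csv.gz"'
"""

# Python-logging style line written by the TA's modular action scripts (cim_actions.py, setup_util.py).
MODACTION = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) pid=(?P<pid>\d+) tid=\S+ file=(?P<file>\S+) \| (?P<msg>.*)$")
# key="value" pairs inside a sendmodaction message; values may contain spaces but not double quotes.
KV = re.compile(r'(\w+)="([^"]*)"')
# splunkd.log line from SearchScheduler carrying the alert script's exit code and the action name.
SCHEDULER = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4}) ERROR SearchScheduler - Error in 'sendalert' command: "
                       r"Alert script returned error code (?P<code>\d+)\., search='sendalert (?P<action>\S+)")

def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = MODACTION.match(line)
    if m:
        rec = m.groupdict()
        if rec["msg"].startswith("sendmodaction - "):
            rec.update(KV.findall(rec["msg"]))  # lift the key="value" fields into the record
        return rec
    m = SCHEDULER.match(line)
    if m:
        return dict(m.groupdict(), level="ERROR", kind="scheduler")
    return None

def summarize(log_text):
    """Correlate action runs by sid and collect the errors that explain a failure."""
    by_sid, cred_errors, exit_codes = defaultdict(list), [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("kind") == "scheduler":
            exit_codes.append((rec["action"], int(rec["code"])))
        elif rec["level"] == "ERROR" and rec["msg"].startswith("Credential account"):
            cred_errors.append(rec["msg"])  # the stored credential the action looks up is missing
        if "sid" in rec:
            by_sid[rec["sid"]].append(rec)
    runs = {}
    for sid, recs in by_sid.items():
        failed = [r["signature"] for r in recs if r.get("action_status") == "failure"]
        runs[sid] = {"action": recs[0].get("action_name"), "failed": bool(failed), "errors": failed}
    return {"credential_errors": cred_errors, "exit_codes": exit_codes, "runs": runs}
```

Running `summarize(SAMPLE_LOG)` pairs the credential lookup failure with the sid whose `action_status="failure"` and the scheduler's exit code 4, which is the chain the post reconstructs by hand.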
