How do you target a specific log in IDR?

Hey all,

I am trying to build a workflow for a custom alert. However, I am having a difficult time targeting a specific log. I have multiple logs from Okta that are spread across different log sets (Ingress Auth, SSO Auth, Cloud Admin, etc.). In my case, I only need the logs that are located under the SSO Auth log set.

I am using the InsightIDR "Advanced Query on Log" plugin and searching for Okta, but the search stops after it encounters the first match on Okta. I was wondering if anyone has encountered the same issue, or if I am doing something wrong?

@ddundukov Thank you for reaching out.

Since you know exactly which log set you are looking for, I would suggest that you try a different action. Instead of Advanced Query on Log, you can try Advanced Query on Log Set. Then you will be able to select SSO Auth Logs, as seen below in my screenshots.

Please let me know if that works for you.

It worked. Thank you!