I am trying to build a workflow for a custom alert. However, I am having a difficult time targeting a specific log. I have multiple logs from Okta that are spread across different log sets (Ingress Auth, SSO Auth, Cloud Admin, etc.). In my case, I only need logs that are located under the SSO Auth log set.
I am using the InsightIDR “Advanced Query on Log” plugin and searching for Okta, but the search stops after it encounters the first match on Okta. I was wondering if anyone has encountered the same issue, or am I doing something wrong?