When trying to find user.authentication.auth_via_mfa okta
events using Panther Search, they do not appear. When I query select * from okta_systemlog where eventType = "user.authentication.auth_via_mfa" and p_occurs_since(7d)
in Panther Data Explorer, the following error occurs:
Your query did not return any results
However, the events can be found in the Okta admin console. How can I troubleshoot this?
To troubleshoot this issue:
Try querying panther_rule_matches
instead of panther_logs
.
For example, replace okta_systemlog
in your Data Explorer query with panther_rule_matches.public.okta_systemlog
. Some databases, especially the panther_rule_matches
database, can be easily confused with the logs database when querying.
Check to see if event filtering is enabled in your log source. If it is, verify that it is not filtering out the events you are looking for.
Check to see if any events are returned if you perform a Panther search beyond the date/time parameters you have set.
Try creating a new Okta integration and see if it still fails to capture these events.
If the issue still persists, please contact your Support team and include answers to the following questions:
Is this the first time you have been unable to query this particular event or have you been able to query them before?
When was the most recent time you received this event in your Panther Console?
This issue can occur when querying the wrong database. Using Fully Qualified Table Names (FQTNs) wherever possible can help eliminate ambiguity around which database to use and prevent accidentally querying the wrong database.