While using the configuration of risk rule policies per application, we observed that the “app” field—present in the payload of the APIs /iarisk/v1/UserRiskScoreEvaluator and /iarisk/v1/PostUserRiskScoreEvaluator—is not consistently logged in the IDSP application logs (i.e., logs forwarded to Kibana/ELK).

Currently, the “app” field is captured only in a single log entry (and is correctly persisted in the database). However, it is not included in other relevant log traces for these APIs. This limitation prevents effective filtering and accurate counting of risk evaluations and post-risk evaluations performed using application-level risk policies.

At present, the application field is visible only in the following log entry:

IARisk EvaluateRisk Initiated. Request - {userId:<user_id>,userAgent:<userAgent>,keyValuePair:[{key:deviceSignature,value:<deviceSignature>},{key:persistAdditionalContextInRiskEvent,value:false}],action:signin,app:<app_name>,identitySourceId:IA_RISK_CUS,type:null,channel:null}

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub) 3.4.8