diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index d3f002d25991..0466b6a390f5 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -206,6 +206,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] - Add support for new Rabbitmq timestamp format for logs {pull}34211[34211] - Allow user configuration of timezone offset in Cisco ASA and FTD modules. {pull}34436[34436] - Allow user configuration of timezone offset in Checkpoint module. {pull}34472[34472] +- Fill okta.request.ip_chain.* as a flattened object in Okta module. {pull}34621[34621] *Auditbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 9c266c021ae0..7e4d063fc3f2 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -112415,93 +112415,13 @@ Fields that let you store information about the request, in the form of list of -[float] -=== ip_chain - -List of ip_chain objects. - - - -*`okta.request.ip_chain.ip`*:: -+ --- -IP address. - - -type: ip - --- - -*`okta.request.ip_chain.version`*:: -+ --- -IP version. Must be one of V4, V6. - - -type: keyword - --- - -*`okta.request.ip_chain.source`*:: -+ --- -Source information. - - -type: keyword - --- - -[float] -=== geographical_context - -Geographical information. - - - -*`okta.request.ip_chain.geographical_context.city`*:: -+ --- -The city. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.state`*:: +*`okta.request.ip_chain`*:: + -- -The state. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.postal_code`*:: -+ --- -The postal code. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.country`*:: -+ --- -The country. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.geolocation`*:: -+ --- -Geolocation information. +List of ip_chain objects. -type: geo_point +type: flattened -- 
diff --git a/x-pack/filebeat/module/okta/fields.go b/x-pack/filebeat/module/okta/fields.go
index 4601d65c4e29..08f24735f977 100644
--- a/x-pack/filebeat/module/okta/fields.go
+++ b/x-pack/filebeat/module/okta/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetOkta returns asset data. // This is the base64 encoded zlib format compressed contents of module/okta. func AssetOkta() string { - return "eJzsWktz6rgS3p9f0XXWnizuYxZZ3CoHnBxPCKZsSCorl2Ia0I2xGEkmh/n1t+QXxpYfgJm6i8MOP77v61ar1Wr5N/jEwz2wT0m+AUgqQ7wHJ/23RBFwupOURffwn28AAC9sGYcIK8ZhQ6JlSKM1iIOQuIWQrQWsONsmr999A1hRDJfiPnnxN4jIFgsi9ZOHHd7DmrN4l13REKrfY4Jziq1+ZfwyRxzTZXGxMGqxsMelq2LDuLyH+QYhjuifMQJdYiTpiiIHtgK5wYQMJmxt7TGSd6WXG4Sq32WAqS8+8fDF+FF7zTJU7/nq4bp9CSbMT++VrFRv5TousKnr9Z4W7JELyqK6/NfajZL27K0r5PdA6GmBwD1yKg91E7z6nZIN+XtXGNEIAS+xkPCBwKJkkMbWw+LJAHv66BjwZrpTAxgHy3Ud9wKLl1TsQnLwtygEWWtCb5w+AC+1B0r2ZyiQoVzhhjOQelpIAsl43S6zcjmzJstHGW3ybpIRLzAng5IbIiFECQcWg5CMI9BoxfiWyFLQdjPVUypo8mTpVu6Ak4TZ5LYOWwDsWsJLJN+1MVeS2cXc81J+6mYloUQeEYn+MJabOZ4m6XerySeY+jeEmnw+KrwuFbmGIKQYyfocGFWvn04C8sFimRCkAA10A0yC3kyXT4KdxvmVi+0xuEGwZ0CWS46iSBCp3NYAiAVyn6xPHd1BVhsABQIJiC55VFU0e6rVV0fNnHz5DbrbArfDqtSJnHwVNhxNOBqodWapyBTDynG8kpoO7g/OvgTyYQVkoBqf9Aiuv1g0TIbdYILVJ7p0SQ73NBhMSKOGjKdVyjA5P5FRy/aNniiCM5YB22qqKCe90VbOnObe3gkzo7xROtagX5yCORJxsgm4anRStNyhNZ1afhGHcjh+hVblrxTr9+AtRiPL8wx4NO3JwrUM8J7t2cwaG2BOJs6bAWNr+m7A6Ic5mVjTJ8uAxfR56rxNW8JMEr5GzXo+r14vleghFana5BlxRkne8mbqv1VIpMQIl7/q0l916Tl1qeQkEiSQ2qbBXHvzgizJMSQSl2W2G2TLDpb/u92bVuct50q5z1TirrY3vr9ZD98N+P6H8/C9JXSW+BGv/YBFEn9qMuFY3YZR7faFi2zCBhnbjZbaRo6LQyf10ZIUXdmew5QqUe8NuKVISzd/RaM18h2nQ28rSsB5iLdUi+Wq4M8Yhazm5Kv11HNyxtRTT8zpwPuuFBgWrt0hQW44EumLWOwwkDioYxQyFMhdvqDi0w9xj+HArqDiExJcIELQdaTyNksGSf0DGoGqaLa7rsGK+cDKFu6kg1JXbEFrKdaTOmDbXYgSS2kD2Md/MehyghpNGlAWC1/l9P1pl7wn+xEEcpAsr6RnQ7IlLzVnpo7cBJ17e+gY0h7WQWWfH4vGuIfacVBQd+aAkhQ6fG2QYxr7mjGQjH3CLiSNeVSjmcWR5LeUnRIMr7y2BgwoOmEAe9xfTDWUoalveZYOe5avRyWn4b658VZXFhJJZbzERn2rkJHq8n6GxBx/+AEOWbS+rfScYHjtQhLZrPvq+Ezgh1ddKvX/hulVYjtnqtX2OLeQdtj18VqtvT2gEMcrpn76WUeysrYPOQuCmPdasCTdopBk25y2lvoA7qm+wFdGfG0wylsMJaF6pUUDJpYbVZQHydarefNonjw3zC7ylPuGW8luoov3kxX/7Tjb02WlZBqo7X/cFlfsyUlrfQPneW765mL+w5rO7ZE5t52pP3OdV3tsuQaYo7n9avlj27VGc8d9N2AyNmcGPFpjy00eNsBzRrY5MeDRVI8UL7f39E5dI
iRqzxkjieuKozrdUTFcQbdKCTgmW04S/g0jcyTrGJGRa43ViJiT0mi4nmmA9/5iTufWyIAnx3maWAaMF44B74sH+9l672vqkO2pVjOT/F0zcT4zwHvxDJiZnvfmuGMDTM+z3DSi7DfTAOvFtCcGOCo2/2HAH29zA0bqiUcVppYBM9fyvR+ma4197/3lxZq79sh/tt6NzIMT25rOfc/yvAR0bL3aI8tfjBsWuKJxKER8bszpp2CKpOsFEc7JaaHfqxd0+15LVbK+z1Ff9q8UUv6QrkVCUX38TDr4oS9QCE2FdEUsZ4i5a46eyTmPT6yARIf2UIok8hUZ8oQ3A0x3w4B36zsDnFiGjH0a4KxWNMB//v5vA77EnMdCNi/qAoOYU3loXs697IlhFvKc74ZLeBvF5Yu30AxevWPSZ1liEduqIjGtIu/On/9RvP1o+IxCt1T2mnqml8F2fT/C1ySif5HKuVKbT3rxl3HTYWZfkUimnEZaD2eV3FU9ooPOPUFnTV2TrEg61hNdaXPR9LfV9I9Qgod8TwOEWV5DtAlYsi2hg30/kKL1MVuVUz8PGt4PxkIkUX/etw3KDXKgEqgAAgkwMA4Ra/uqJOvc1zObW7tx4flW7Whi0JOtDN0Amu7Z1DNqOco/LKA7P9gQOtB5aQbWf1QmFRlZ11sMePhVa9g19PE6pu3x+8OOJFf/Eh+uK27sWY5Zq4Ff/2XA6+9dZwQs5sGAxZaX4JXjrUPAGtmak92GBiTUlAo9KJ9KCHrislUXnEUUuxtdz/+MdJ939ht7NsWgaDuKZzIlIJ1UOyZk4nhN6/VMwhQKFFQnbdNRxLneTGE66dbIQhboSoseK/LT8eW28CoCDJm/YzSS3/4XAAD//6REDj8=" + return "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" } diff --git a/x-pack/filebeat/module/okta/system/_meta/fields.yml b/x-pack/filebeat/module/okta/system/_meta/fields.yml index fb75e987c0a7..8b7b87893948 100644 --- a/x-pack/filebeat/module/okta/system/_meta/fields.yml +++ b/x-pack/filebeat/module/okta/system/_meta/fields.yml @@ -399,7 +399,7 @@ - name: ip_chain description: > List of ip_chain objects. - type: group + type: flattened fields: - name: ip diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml index 8d0545cc6091..9bf1c84f41d7 100644 --- a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml +++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml 
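Review bot: `ip_chain` is switched to `type: flattened` while the `fields:` list beneath it stays in place (the `- name: ip` entry is still visible as context); as far as I know a flattened field carries no mapped sub-fields, and the regenerated fields.asciidoc hunk in this same commit already drops the per-field entries, including the former `type: ip` on `okta.request.ip_chain.ip`. If the child definitions are being kept purely as documentation, the description should say so, because anyone who relied on IP semantics for that field will from now on be matching keyword values; something like `description: > List of ip_chain objects, stored as a flattened object. Leaf values such as ip_chain.ip are indexed as keywords, so IP/CIDR queries on them are not supported.` Otherwise the child `fields:` could be removed so the definition matches the mapping. The rest of that `fields:` list is outside the hunk.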
@@ -455,6 +455,29 @@ processors: target_field: okta.security_context.isp ignore_missing: true ignore_failure: true + - rename: + field: json.request.ipChain + target_field: okta.request.ip_chain + ignore_missing: true + ignore_failure: true + - foreach: + field: okta.request.ip_chain + processor: + rename: + field: _ingest._value.geographicalContext + target_field: _ingest._value.geographical_context + ignore_missing: true + ignore_failure: true + ignore_missing: true + - foreach: + field: okta.request.ip_chain + processor: + rename: + field: _ingest._value.geographical_context.postalCode + target_field: _ingest._value.geographical_context.postal_code + ignore_missing: true + ignore_failure: true + ignore_missing: true - convert: field: okta.client.user_agent.raw_user_agent target_field: user_agent.original diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index e71aa36a9fa2..b6eccae38df6 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -51,6 +51,22 @@ "okta.display_message": "User logout from Okta", "okta.event_type": "user.session.end", "okta.outcome.result": "SUCCESS", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "67.43.156.12", + "version": "V4" + } + ], "okta.transaction.id": "XkccyyMli2Uay2I93ZgRzQAAB0c", "okta.transaction.type": "WEB", "okta.uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", 
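Review bot: The two `foreach` processors added after the `ip_chain` rename carry `ignore_missing: true` at the foreach level but no `ignore_failure: true`, unlike every neighbouring processor in the hunk, including the inner renames they wrap. As I read the foreach processor, `ignore_missing` only covers an absent or null field, so an `ipChain` value that arrives as something other than an array or object would fail the pipeline for that event. Since this value is taken verbatim from the upstream Okta payload, I would make both foreach processors as lenient as the rename above them by adding `ignore_failure: true` next to each outer `ignore_missing: true`; only those two lines are missing. The enclosing `processors:` list starts and ends outside the hunk.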
@@ -138,6 +154,22 @@ "okta.display_message": "User login to Okta", "okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "67.43.156.12", + "version": "V4" + } + ], "okta.transaction.id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "okta.transaction.type": "WEB", "okta.uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546", @@ -223,6 +255,22 @@ "okta.event_type": "policy.evaluate_sign_on", "okta.outcome.reason": "Sign-on policy evaluation resulted in ALLOW", "okta.outcome.result": "ALLOW", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "67.43.156.12", + "version": "V4" + } + ], "okta.target": [ { "alternate_id": "unknown", @@ -346,6 +394,22 @@ "okta.event_type": "policy.evaluate_sign_on", "okta.outcome.reason": "Sign-on policy evaluation resulted in ALLOW", "okta.outcome.result": "ALLOW", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "67.43.156.12", + "version": "V4" + } + ], "okta.target": [ { "alternate_id": "unknown", 
@@ -459,6 +523,22 @@ "okta.display_message": "User report suspicious activity", "okta.event_type": "user.account.report_suspicious_activity_by_enduser", "okta.outcome.result": "SUCCESS", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "67.43.156.12", + "version": "V4" + } + ], "okta.security_context.as.number": 7018, "okta.security_context.as.organization.name": "AT&T Services, Inc.", "okta.security_context.domain": "att.com", @@ -572,6 +652,22 @@ "okta.display_message": "User login to Okta", "okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "Ashburn", + "country": "United States", + "geolocation": { + "lat": 39.1469, + "lon": -77.5903 + }, + "postal_code": "20149", + "state": "Virginia" + }, + "ip": "81.2.69.144", + "version": "V4" + } + ], "okta.security_context.as.number": 14618, "okta.security_context.as.organization.name": "amazon data services nova", "okta.security_context.domain": "amazonaws.com", @@ -666,6 +762,22 @@ "okta.display_message": "Verify user identity", "okta.event_type": "user.authentication.verify", "okta.outcome.result": "SUCCESS", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "Purcellville", + "country": "United States", + "geolocation": { + "lat": 39.64, + "lon": -77.8346 + }, + "postal_code": "20132", + "state": "Virginia" + }, + "ip": "67.43.156.14", + "version": "V4" + } + ], "okta.security_context.as.number": 7922, "okta.security_context.as.organization.name": "comcast", "okta.security_context.domain": "comcast.net", 
@@ -764,6 +876,22 @@ "okta.display_message": "Verify user identity", "okta.event_type": "user.authentication.verify", "okta.outcome.result": "SUCCESS", + "okta.request.ip_chain": [ + { + "geographical_context": { + "city": "City", + "country": "Country", + "geolocation": { + "lat": 0, + "lon": 0 + }, + "postal_code": "00000", + "state": "State" + }, + "ip": "81.2.69.144", + "version": "V4" + } + ], "okta.security_context.as.number": 1828, "okta.security_context.as.organization.name": "org", "okta.security_context.domain": "domain.com",