Skip to content

okta: fill okta.request.ip_chain.* as a flattened object #3326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
efd6 merged 2 commits into from
May 16, 2022
Merged

okta: fill okta.request.ip_chain.* as a flattened object #3326

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
479730d
okta: fill okta.request.ip_chain.* as a flattened object
efd6 May 11, 2022
9c7cc23
Update packages/okta/changelog.yml
efd6 May 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/okta/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.7.0"
changes:
- description: Add flattened `okta.request.ip_chain.*` fields
type: enhancement
link: https://github.com/elastic/integrations/pull/3326
- version: "1.6.0"
changes:
- description: Update to ECS 8.2
Expand Down
72 changes: 72 additions & 0 deletions ...ges/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,24 @@
"outcome": {
"result": "SUCCESS"
},
"request": {
"ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "175.16.199.1",
"version": "V4"
}
]
},
"transaction": {
"id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
"type": "WEB"
Expand Down Expand Up @@ -193,6 +211,24 @@
"outcome": {
"result": "SUCCESS"
},
"request": {
"ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "175.16.199.1",
"version": "V4"
}
]
},
"transaction": {
"id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
"type": "WEB"
Expand Down Expand Up @@ -316,6 +352,24 @@
"outcome": {
"result": "SUCCESS"
},
"request": {
"ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "175.16.199.1",
"version": "V4"
}
]
},
"transaction": {
"id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
"type": "WEB"
Expand Down Expand Up @@ -437,6 +491,24 @@
"outcome": {
"result": "SUCCESS"
},
"request": {
"ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "175.16.199.1",
"version": "V4"
}
]
},
"transaction": {
"id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
"type": "WEB"
Expand Down
23 changes: 23 additions & 0 deletions packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -329,6 +329,29 @@ processors:
target_field: okta.security_context.isp
ignore_missing: true
ignore_failure: true
- rename:
field: json.request.ipChain
target_field: okta.request.ip_chain
ignore_missing: true
ignore_failure: true
- foreach:
field: okta.request.ip_chain
processor:
rename:
field: _ingest._value.geographicalContext
target_field: _ingest._value.geographical_context
Comment on lines +341 to +342
Copy link
Contributor

@r00tu53r r00tu53r May 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are renaming fields breaking changes ? Could it break custom dashboards / searches ?

Copy link
Contributor Author

@efd6 efd6 May 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be if the data had got into documents previously, but because of the old parsing these have not previously been available.

ignore_missing: true
ignore_failure: true
ignore_missing: true
- foreach:
field: okta.request.ip_chain
processor:
rename:
field: _ingest._value.geographical_context.postalCode
target_field: _ingest._value.geographical_context.postal_code
ignore_missing: true
ignore_failure: true
ignore_missing: true
- convert:
field: okta.client.user_agent.raw_user_agent
target_field: user_agent.original
Expand Down
2 changes: 1 addition & 1 deletion packages/okta/data_stream/system/fields/fields.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,7 @@
type: group
fields:
- name: ip_chain
type: group
type: flattened
fields:
- name: ip
type: ip
Expand Down
2 changes: 1 addition & 1 deletion packages/okta/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: okta
title: Okta Logs
version: 1.6.0
version: 1.7.0
release: ga
description: Collect and parse event logs from Okta API with Elastic Agent.
type: integration
Expand Down