diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index a47019c5ec1..d1af29ea33b 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,15 @@
 # newer versions go on top
+- version: "1.8.0"
+ changes:
+ - description: Add `okta.debug_context.debug_data.risk_level` field
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3362
+ - description: Add flattened `okta.debug_context.debug_data.flattened.log_only_security_data.*` fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3362
+ - description: Fix mapping type for `client.as.number`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3362
 - version: "1.7.0"
 changes:
 - description: Add flattened `okta.request.ip_chain.*` fields
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
index 97feb48c4e9..6bbc0787e32 100644
--- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
@@ -11,6 +11,12 @@ }, { "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" + }, + { + "message": "{\"actor\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"test@test.com\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"xxxxxx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Unknown\",\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown\",\"rawUserAgent\":\"blah\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"logOnlySecurityData\":\"{\\\"risk\\\":{\\\"reasons\\\":\\\"Anomalous Location, Anomalous Device\\\",\\\"level\\\":\\\"HIGH\\\"},\\\"behaviors\\\":{\\\"New Geo-Location\\\":\\\"POSITIVE\\\",\\\"New Device\\\":\\\"BAD_REQUEST\\\",\\\"New IP\\\":\\\"POSITIVE\\\",\\\"New State\\\":\\\"POSITIVE\\\",\\\"New Country\\\":\\\"POSITIVE\\\",\\\"Velocity\\\":\\\"NEGATIVE\\\",\\\"New 
City\\\":\\\"POSITIVE\\\"}}\",\"originalPrincipal\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"Test\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:25:18.716Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":14618,\"asOrg\":\"amazon data services nova\",\"domain\":\"amazonaws.com\",\"isProxy\":false,\"isp\":\"amazon.com inc.\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{\"requestApiTokenId\":\"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo=\"},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}" + }, + { + "message": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X 
(iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}" } ] } \ No newline at end of file diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json index 138ee5d14d7..579a962a405 100644 --- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json 
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json @@ -59,6 +59,13 @@ }, "debug_context": { "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", "request_uri": "/login/signout", "threat_suspected": "false", @@ -200,6 +207,13 @@ }, "debug_context": { "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", "request_uri": "/login/signout", "threat_suspected": "false", @@ -341,6 +355,13 @@ }, "debug_context": { "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", "request_uri": "/login/signout", "threat_suspected": "false", @@ -480,6 +501,13 @@ }, "debug_context": { "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", "request_uri": "/login/signout", "threat_suspected": "false", 
@@ -545,6 +573,358 @@ }, "version": "72.0." } + }, + { + "@timestamp": "2022-05-11T09:25:18.716Z", + "client": { + "as": { + "organization": { + "name": "amazon data services nova" + } + }, + "domain": "amazonaws.com", + "geo": { + "city_name": "Ashburn", + "country_name": "United States", + "location": { + "lat": 39.1469, + "lon": -77.5903 + }, + "region_name": "Virginia" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"test@test.com\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"xxxxxx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Unknown\",\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown\",\"rawUserAgent\":\"blah\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"logOnlySecurityData\":\"{\\\"risk\\\":{\\\"reasons\\\":\\\"Anomalous Location, Anomalous Device\\\",\\\"level\\\":\\\"HIGH\\\"},\\\"behaviors\\\":{\\\"New Geo-Location\\\":\\\"POSITIVE\\\",\\\"New Device\\\":\\\"BAD_REQUEST\\\",\\\"New IP\\\":\\\"POSITIVE\\\",\\\"New State\\\":\\\"POSITIVE\\\",\\\"New Country\\\":\\\"POSITIVE\\\",\\\"Velocity\\\":\\\"NEGATIVE\\\",\\\"New 
City\\\":\\\"POSITIVE\\\"}}\",\"originalPrincipal\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"Test\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:25:18.716Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":14618,\"asOrg\":\"amazon data services nova\",\"domain\":\"amazonaws.com\",\"isProxy\":false,\"isp\":\"amazon.com inc.\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{\"requestApiTokenId\":\"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo=\"},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "okta": { + "actor": { + "alternate_id": "test@test.com", + "display_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "xxxxxx" + }, + "client": { + "device": "Unknown", + "ip": "81.2.69.144", + "user_agent": { + "browser": "UNKNOWN", + "os": "Unknown", + "raw_user_agent": "blah" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "logOnlySecurityData": { + "behaviors": { + "New City": "POSITIVE", + "New Country": "POSITIVE", + "New Device": "BAD_REQUEST", + "New Geo-Location": "POSITIVE", + "New IP": "POSITIVE", + "New 
State": "POSITIVE", + "Velocity": "NEGATIVE" + }, + "risk": { + "level": "HIGH", + "reasons": "Anomalous Location, Anomalous Device" + } + }, + "originalPrincipal": { + "alternateId": "test@test.com", + "displayName": "Test", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/api/v1/authn", + "risk_level": "HIGH", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Ashburn", + "country": "United States", + "geolocation": { + "lat": 39.1469, + "lon": -77.5903 + }, + "postal_code": "20149", + "state": "Virginia" + }, + "ip": "81.2.69.144", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 14618, + "organization": { + "name": "amazon data services nova" + } + }, + "domain": "amazonaws.com", + "is_proxy": false, + "isp": "amazon.com inc." 
+ }, + "transaction": { + "id": "00u1abvz4pYqdM8ms4x6", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "test@test.com" + ] + }, + "source": { + "domain": "amazonaws.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "test@test.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "blah" + } + }, + { + "@timestamp": "2022-05-11T09:27:08.708Z", + "client": { + "as": { + "organization": { + "name": "comcast" + } + }, + "domain": "comcast.net", + "geo": { + "city_name": "Purcellville", + "country_name": "United States", + "location": { + "lat": 39.64, + "lon": -77.8346 + }, + "region_name": "Virginia" + }, + "ip": "67.43.156.14", + "user": { + "full_name": "None", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "user.authentication.verify", + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "test1@test.com", + "display_name": "None", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": 
"102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Mobile", + "ip": "67.43.156.14", + "user_agent": { + "browser": "SAFARI", + "os": "Mac OS X (iPhone)", + "raw_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "behaviors": { + "New City": "NEGATIVE", + "New Country": "NEGATIVE", + "New Device": "NEGATIVE", + "New Geo-Location": "NEGATIVE", + "New IP": "NEGATIVE", + "New State": "NEGATIVE" + }, + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify", + "risk": { + "level": "LOW" + }, + "threatSuspected": "false", + "url": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify", + "risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false" + } + }, + "display_message": "Verify user identity", + "event_type": "user.authentication.verify", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Purcellville", + "country": "United States", + "geolocation": { + "lat": 39.64, + "lon": -77.8346 + }, + "postal_code": "20132", + "state": "Virginia" + }, + "ip": "67.43.156.14", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 7922, + "organization": { + "name": "comcast" + } + }, + "domain": "comcast.net", + "is_proxy": false, + "isp": "comcast" + }, + "transaction": { + "id": "00u1abvz4pYqdM8ms4x6", + "type": "WEB" + }, + "uuid": 
"faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "67.43.156.14" + ], + "user": [ + "None" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "domain": "comcast.net", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "user": { + "full_name": "None", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "None" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari", + "os": { + "full": "iOS 15.4.1", + "name": "iOS", + "version": "15.4.1" + } + } } ] } \ No newline at end of file diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml index 8b308e6173e..2f8904dc41f 100644 --- a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml 
@@ -244,6 +244,51 @@ processors:
 target_field: okta.transaction.type
 ignore_missing: true
 ignore_failure: true
+ - set:
+ field: okta.debug_context.debug_data.flattened
+ copy_from: json.debugContext.debugData
+ ignore_failure: true
+ - json:
+ field: okta.debug_context.debug_data.flattened.logOnlySecurityData
+ ignore_failure: true
+ - dissect:
+ field: okta.debug_context.debug_data.flattened.behaviors
+ pattern: "{%{okta.debug_context.debug_data.flattened.behaviors}}"
+ ignore_missing: true
+ ignore_failure: true
+ - kv:
+ field: okta.debug_context.debug_data.flattened.behaviors
+ field_split: ", "
+ value_split: "="
+ target_field: _behaviors_object
+ if: ctx.okta?.debug_context?.debug_data?.flattened?.behaviors != null
+ - remove:
+ field: okta.debug_context.debug_data.flattened.behaviors
+ if: ctx._behaviors_object != null
+ - rename:
+ field: _behaviors_object
+ target_field: okta.debug_context.debug_data.flattened.behaviors
+ ignore_missing: true
+ ignore_failure: true
+ - dissect:
+ field: okta.debug_context.debug_data.flattened.risk
+ pattern: "{%{okta.debug_context.debug_data.flattened.risk}}"
+ ignore_missing: true
+ ignore_failure: true
+ - kv:
+ field: okta.debug_context.debug_data.flattened.risk
+ field_split: ", "
+ value_split: "="
+ target_field: _risk_object
+ if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null
+ - remove:
+ field: okta.debug_context.debug_data.flattened.risk
+ if: ctx._risk_object != null
+ - rename:
+ field: _risk_object
+ target_field: okta.debug_context.debug_data.flattened.risk
+ ignore_missing: true
+ ignore_failure: true
 - rename:
 field: json.debugContext.debugData.deviceFingerprint
 target_field: okta.debug_context.debug_data.device_fingerprint
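Review bot: Both `kv` processors in this hunk (for `flattened.behaviors` and `flattened.risk`) run without `ignore_failure`, unlike every other processor added here, so a value that does not split cleanly fails the whole event instead of just the debug field. `field_split: ", "` is the likely trigger: the new fixture's `logOnlySecurityData` carries `reasons` as `Anomalous Location, Anomalous Device`, and if the brace-wrapped `risk` string can carry the same text, the fragment `Anomalous Device` has no `=` to split on. That would hit exactly the sign-ins with several risk reasons, which are the ones a detection on `risk_level` most needs. I would add `ignore_failure: true` to both `kv` steps and a fixture whose `risk` string holds a multi-reason value. The `processors:` list starts and continues outside the hunk, so an `on_failure` handler may exist that is not visible here.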
@@ -269,6 +314,14 @@ processors:
 target_field: okta.debug_context.debug_data.url
 ignore_missing: true
 ignore_failure: true
+ - set:
+ field: okta.debug_context.debug_data.risk_level
+ value: "{{{okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.level}}}"
+ if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != ""'
+ - set:
+ field: okta.debug_context.debug_data.risk_level
+ value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}"
+ if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != ""'
 - rename:
 field: json.authenticationContext.authenticationProvider
 target_field: okta.authentication_context.authentication_provider
@@ -370,11 +423,6 @@ processors:
 target_field: event.action
 type: string
 ignore_failure: true
- - convert:
- field: okta.security_context.as.number
- target_field: client.as.number
- type: string
- ignore_failure: true
 - convert:
 field: okta.security_context.as.organization.name
 target_field: client.as.organization.name
diff --git a/packages/okta/data_stream/system/fields/fields.yml b/packages/okta/data_stream/system/fields/fields.yml
index 4ec76b884fe..88055c4d482 100644
--- a/packages/okta/data_stream/system/fields/fields.yml
+++ b/packages/okta/data_stream/system/fields/fields.yml
@@ -147,10 +147,18 @@
 type: keyword
 description: |
 Threat suspected.
+ - name: risk_level
+ type: keyword
+ description: |
+ The risk level assigned to the sign in attempt.
 - name: url
 type: keyword
 description: |
 The URL.
+ - name: flattened
+ type: flattened
+ description: |
+ The complete debug_data object.
 - name: okta.authentication_context
 title: Authentication Context
 type: group
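Review bot: The second `set` in the `@@ -269,6 +314,14 @@` hunk of default.yml checks that `flattened.risk` is non-null and non-empty but renders `flattened.risk.level`, so a parsed `risk` object without a `level` key would write `risk_level` as an empty string. Neither `set` carries `ignore_failure`, and both conditions dereference a value that stays a plain string if the earlier `json` or `kv` step did not convert it, which may make the condition script itself fail. Adding `ignore_empty_value: true` and `ignore_failure: true` to both `set` processors would keep a malformed debug field from producing an empty or missing risk signal on an otherwise valid event. The `processors:` list extends beyond the hunk on both sides.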
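Review bot: The `@@ -370,11 +423,6 @@` hunk of default.yml removes the `convert` outright, so `client.as.number` is no longer populated at all rather than having its type corrected. The new expected events show this: `okta.security_context.as.number` is 14618 and 7922, while `client.as` holds only `organization.name`. If dropping the field is intended, the changelog line "Fix mapping type for `client.as.number`" should say so, because searches and rules keyed on that field will silently stop matching. If the field is still wanted, keeping the processor with `type: long` would presumably satisfy the mapping. The surrounding `processors:` list is only partly visible in the hunk.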
diff --git a/packages/okta/data_stream/system/sample_event.json b/packages/okta/data_stream/system/sample_event.json index 19b62009406..f50738dcc04 100644 --- a/packages/okta/data_stream/system/sample_event.json +++ b/packages/okta/data_stream/system/sample_event.json @@ -1,12 +1,11 @@ { "@timestamp": "2020-02-14T20:18:57.718Z", "agent": { - "ephemeral_id": "ef00e489-67a9-4e8f-999c-81305f2350f5", - "hostname": "docker-fleet-agent", - "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", + "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a", + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.17.0" + "version": "8.2.1" }, "client": { "geo": { @@ -33,9 +32,9 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", - "snapshot": false, - "version": "7.17.0" + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", + "snapshot": true, + "version": "8.2.1" }, "event": { "action": "user.session.start", 
@@ -44,10 +43,10 @@ "authentication", "session" ], - "created": "2022-04-07T02:23:26.399Z", + "created": "2022-05-18T08:57:39.484Z", "dataset": "okta.system", "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2022-04-07T02:23:27Z", + "ingested": "2022-05-18T08:57:40Z", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", @@ -83,6 +82,13 @@ "debug_context": { "debug_data": { "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "request_uri": "/api/v1/authn", "threat_suspected": "false", @@ -94,6 +100,24 @@ "outcome": { "result": "SUCCESS" }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "108.255.197.247", + "version": "V4" + } + ] + }, "transaction": { "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "type": "WEB" diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md index dc66e020ab8..d14118f0d9a 100644 --- a/packages/okta/docs/README.md +++ b/packages/okta/docs/README.md 
@@ -14,12 +14,11 @@ An example event for `system` looks as following:
 {
 "@timestamp": "2020-02-14T20:18:57.718Z",
 "agent": {
- "ephemeral_id": "ef00e489-67a9-4e8f-999c-81305f2350f5",
- "hostname": "docker-fleet-agent",
- "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84",
+ "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a",
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.17.0"
+ "version": "8.2.1"
 },
 "client": {
 "geo": {
@@ -46,9 +45,9 @@ An example event for `system` looks as following:
 "version": "8.2.0"
 },
 "elastic_agent": {
- "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84",
- "snapshot": false,
- "version": "7.17.0"
+ "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6",
+ "snapshot": true,
+ "version": "8.2.1"
 },
 "event": {
 "action": "user.session.start",
@@ -57,10 +56,10 @@ An example event for `system` looks as following: "authentication", "session" ], - "created": "2022-04-07T02:23:26.399Z", + "created": "2022-05-18T08:57:39.484Z", "dataset": "okta.system", "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2022-04-07T02:23:27Z", + "ingested": "2022-05-18T08:57:40Z", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", @@ -96,6 +95,13 @@ An example event for `system` looks as following: "debug_context": { "debug_data": { "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "request_uri": "/api/v1/authn", "threat_suspected": "false", @@ -107,6 +113,24 @@ An example event for `system` looks as following: "outcome": { "result": "SUCCESS" }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "108.255.197.247", + "version": "V4" + } + ] + }, "transaction": { "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "type": "WEB" 
@@ -252,8 +276,10 @@ An example event for `system` looks as following:
 | okta.client.user_agent.raw_user_agent | The raw informaton of the user agent. | keyword |
 | okta.client.zone | The zone information of the client. | keyword |
 | okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword |
+| okta.debug_context.debug_data.flattened | The complete debug_data object. | flattened |
 | okta.debug_context.debug_data.request_id | The identifier of the request. | keyword |
 | okta.debug_context.debug_data.request_uri | The request URI. | keyword |
+| okta.debug_context.debug_data.risk_level | The risk level assigned to the sign in attempt. | keyword |
 | okta.debug_context.debug_data.threat_suspected | Threat suspected. | keyword |
 | okta.debug_context.debug_data.url | The URL. | keyword |
 | okta.display_message | The display message of the LogEvent. | keyword |
diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml
index 90fa9e27612..ef0e5684ee9 100644
--- a/packages/okta/manifest.yml
+++ b/packages/okta/manifest.yml
@@ -1,6 +1,6 @@
 name: okta
 title: Okta Logs
-version: 1.7.0
+version: 1.8.0
 release: ga
 description: Collect and parse event logs from Okta API with Elastic Agent.
 type: integration