diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json new file mode 100644 index 00000000000..dbec3980282 --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json @@ -0,0 +1,13 @@ +{ + "events": [ + { + "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" + }, + { + "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" + }, + { + "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" + } + ] +} \ No newline at end of file diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json-config.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json-config.json new file mode 100644 index 00000000000..2d21b70ac8f --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json-config.json @@ -0,0 +1,8 @@ +{ + "fields": { + "@timestamp": "2020-04-28T11:07:58.223Z" + }, + "dynamic_fields": { + "event.ingested": "^.*$" + } +} \ No newline at end of file diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json-expected.json new file mode 100644 index 00000000000..e8092ca4092 --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-system-events.json-expected.json @@ -0,0 +1,373 @@ +{ + "expected": [ + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "related": { + "user": [ + "xxxxxx" + ], + "ip": [ + "108.255.197.247" + ] + }, + "client": { + "geo": { + "country_name": "United States", + "city_name": "Dublin", + "location": { + "lon": -121.919, + "lat": 37.7201 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "108.255.197.247" + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-CA", + "city_name": "Dublin", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "California", + "location": { + "lon": -121.919, + "lat": 37.7201 + } + }, + "as": { + "number": 7018, + "organization": { + "name": "AT\u0026T Services, Inc." + } + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "108.255.197.247" + }, + "event": { + "ingested": "2021-02-16T11:12:28.827203700Z", + "kind": "event", + "action": "user.session.end", + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "category": [ + "authentication", + "session" + ], + "type": [ + "end", + "user" + ], + "outcome": "success" + }, + "okta": { + "actor": { + "id": "00u1abvz4pYqdM8ms4x6", + "display_name": "xxxxxx", + "type": "User", + "alternate_id": "xxxxxx@elastic.co" + }, + "debug_context": { + "debug_data": { + "threat_suspected": "false", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "event_type": "user.session.end", + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "display_message": "User logout from Okta", + "client": { + "zone": "null", + "device": "Computer", + "user_agent": { + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "browser": "FIREFOX" + }, + "ip": "108.255.197.247" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "outcome": { + "result": "SUCCESS" + }, + "transaction": { + "type": "WEB", + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c" + } + }, + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "name": "Mac OS X", + "version": "10.15", + "full": "Mac OS X 10.15" + }, + "device": { + "name": "Mac" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "related": { + "user": [ + "xxxxxx" + ], + "ip": [ + "108.255.197.247" + ] + }, + "client": { + "geo": { + "country_name": "United States", + "city_name": "Dublin", + "location": { + "lon": -121.919, + "lat": 37.7201 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "108.255.197.247" + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-CA", + "city_name": "Dublin", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "California", + "location": { + "lon": -121.919, + "lat": 37.7201 + } + }, + "as": { + "number": 7018, + "organization": { + "name": "AT\u0026T Services, Inc." + } + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "108.255.197.247" + }, + "event": { + "ingested": "2021-02-16T11:12:28.827232900Z", + "kind": "event", + "action": "user.session.end", + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "category": [ + "authentication", + "session" + ], + "type": [ + "end", + "user" + ], + "outcome": "success" + }, + "okta": { + "actor": { + "id": "00u1abvz4pYqdM8ms4x6", + "display_name": "xxxxxx", + "type": "User", + "alternate_id": "xxxxxx@elastic.co" + }, + "debug_context": { + "debug_data": { + "threat_suspected": "false", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "event_type": "user.session.end", + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "display_message": "User logout from Okta", + "client": { + "zone": "null", + "device": "Computer", + "user_agent": { + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "browser": "FIREFOX" + }, + "ip": "108.255.197.247" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "outcome": { + "result": "SUCCESS" + }, + "transaction": { + "type": "WEB", + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c" + } + }, + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "name": "Mac OS X", + "version": "10.15", + "full": "Mac OS X 10.15" + }, + "device": { + "name": "Mac" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "related": { + "user": [ + "xxxxxx" + ], + "ip": [ + "108.255.197.247" + ] + }, + "client": { + "geo": { + "country_name": "United States", + "city_name": "Dublin", + "location": { + "lon": -121.919, + "lat": 37.7201 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "108.255.197.247" + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-CA", + "city_name": "Dublin", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "California", + "location": { + "lon": -121.919, + "lat": 37.7201 + } + }, + "as": { + "number": 7018, + "organization": { + "name": "AT\u0026T Services, Inc." + } + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "108.255.197.247" + }, + "event": { + "ingested": "2021-02-16T11:12:28.827245800Z", + "kind": "event", + "action": "user.session.end", + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "category": [ + "authentication", + "session" + ], + "type": [ + "end", + "user" + ], + "outcome": "success" + }, + "okta": { + "actor": { + "id": "00u1abvz4pYqdM8ms4x6", + "display_name": "xxxxxx", + "type": "User", + "alternate_id": "xxxxxx@elastic.co" + }, + "debug_context": { + "debug_data": { + "threat_suspected": "false", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "event_type": "user.session.end", + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "display_message": "User logout from Okta", + "client": { + "zone": "null", + "device": "Computer", + "user_agent": { + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "browser": "FIREFOX" + }, + "ip": "108.255.197.247" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "outcome": { + "result": "SUCCESS" + }, + "transaction": { + "type": "WEB", + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c" + } + }, + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "name": "Mac OS X", + "version": "10.15", + "full": "Mac OS X 10.15" + }, + "device": { + "name": "Mac" + }, + "version": "72.0." + } + } + ] +} \ No newline at end of file diff --git a/packages/okta/data_stream/system/_dev/test/system/test-default-config.yml b/packages/okta/data_stream/system/_dev/test/system/test-default-config.yml index a788c2511a4..0491fa88223 100644 --- a/packages/okta/data_stream/system/_dev/test/system/test-default-config.yml +++ b/packages/okta/data_stream/system/_dev/test/system/test-default-config.yml @@ -1,4 +1,5 @@ input: logfile vars: + keep_original_message: true paths: - "{{SERVICE_LOGS_DIR}}/*system*.log" diff --git a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs index c99841e1c4d..47610fccd57 100644 --- a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs +++ b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs @@ -1,32 +1,38 @@ -{{#if api_key}} -api_key: {{api_key}} -{{/if}} -authentication_scheme: {{authentication_scheme}} -{{#if http_client_timeout}} -http_client_timeout: {{http_client_timeout}} -{{/if}} -{{#if http_method}} -http_method: {{http_method}} -{{/if}} -{{#if http_headers}} -http_headers: {{http_headers}} -{{/if}} -{{#if http_request_body}} -http_request_body: {{http_request_body}} -{{/if}} +config_version: "2" interval: {{interval}} -{{#if json_objects_array}} -json_objects_array: {{json_objects_array}} +request.method: "GET" + +{{#if url}} +request.url: {{url}} {{/if}} -no_http_body: {{no_http_body}} -pagination: {{pagination}} -rate_limit: {{rate_limit}} {{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if url}} -url: {{url}} +request.ssl: {{ssl}} {{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} + +request.rate_limit: + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' +request.transforms: + - set: + target: header.Authorization + value: "SSWS {{api_key}}" + - set: + target: url.params.since + value: "[[.cursor.published]]" + default: '[[formatDate (now (parseDuration "-{{initial_interval}}")) "RFC3339"]]' +response.pagination: + - set: + target: url.value + value: '[[ getRFC5988Link "next" .last_response.header.Link ]]' + +cursor: + published: + value: "[[.last_event.published]]" + tags: {{#each tags as |tag i|}} - {{tag}} @@ -35,228 +41,13 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - script: - lang: javascript - id: okta_system_script - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - function OktaSystem(keep_original_message) { - var processor = require("processor"); - - var decodeJson = new processor.DecodeJSONFields({ - fields: ["message"], - target: "json", - }); - - var setId = function(evt) { - var oktaUuid = evt.Get("json.uuid"); - if (oktaUuid) { - evt.Put("@metadata._id", oktaUuid); - } - }; - - var parseTimestamp = new processor.Timestamp({ - field: "json.published", - timezone: "UTC", - layouts: ["2006-01-02T15:04:05.999Z"], - tests: ["2020-02-05T18:19:23.599Z"], - ignore_missing: true, - }); - - var saveOriginalMessage = function(evt) {}; - if (keep_original_message) { - saveOriginalMessage = new processor.Convert({ - fields: [ - {from: "message", to: "event.original"} - ], - mode: "rename" - }); - } - - var dropOriginalMessage = function(evt) { - evt.Delete("message"); - }; - - var categorizeEvent = new processor.AddFields({ - target: "event", - fields: { - category: ["authentication"], - kind: "event", - type: ["access"], - - }, - }); - - var convertFields = new processor.Convert({ - fields: [ - { from: "json.displayMessage", to: "okta.display_message" }, - { from: "json.eventType", to: "okta.event_type" }, - { from: "json.uuid", to: "okta.uuid" }, - { from: "json.actor.alternateId", to: "okta.actor.alternate_id" }, - { from: "json.actor.displayName", to: "okta.actor.display_name" }, - { from: "json.actor.id", to: "okta.actor.id" }, - { from: "json.actor.type", to: "okta.actor.type" }, - { from: "json.client.device", to: "okta.client.device" }, - { from: "json.client.geographicalContext.geolocation", to: "client.geo.location" }, - { from: "json.client.geographicalContext.city", to: "client.geo.city_name" }, - { from: "json.client.geographicalContext.state", to: "client.geo.region_name" }, - { from: "json.client.geographicalContext.country", to: "client.geo.country_name" }, - { from: "json.client.id", to: "okta.client.id" }, - { from: "json.client.ipAddress", to: "okta.client.ip" }, - { from: "json.client.userAgent.browser", to: "okta.client.user_agent.browser" }, - { from: "json.client.userAgent.os", to: "okta.client.user_agent.os" }, - { from: "json.client.userAgent.rawUserAgent", to: "okta.client.user_agent.raw_user_agent" }, - { from: "json.client.zone", to: "okta.client.zone" }, - { from: "json.outcome.reason", to: "okta.outcome.reason" }, - { from: "json.outcome.result", to: "okta.outcome.result" }, - { from: "json.target", to: "okta.target" }, - { from: "json.transaction.id", to: "okta.transaction.id" }, - { from: "json.transaction.type", to: "okta.transaction.type" }, - { from: "json.debugContext.debugData.deviceFingerprint", to: "okta.debug_context.debug_data.device_fingerprint" }, - { from: "json.debugContext.debugData.requestId", to: "okta.debug_context.debug_data.request_id" }, - { from: "json.debugContext.debugData.requestUri", to: "okta.debug_context.debug_data.request_uri" }, - { from: "json.debugContext.debugData.threatSuspected", to: "okta.debug_context.debug_data.threat_suspected" }, - { from: "json.debugContext.debugData.url", to: "okta.debug_context.debug_data.url" }, - { from: "json.authenticationContext.authenticationProvider", to: "okta.authentication_context.authentication_provider" }, - { from: "json.authenticationContext.authenticationStep", to: "okta.authentication_context.authentication_step" }, - { from: "json.authenticationContext.credentialProvider", to: "okta.authentication_context.credential_provider" }, - { from: "json.authenticationContext.credentialType", to: "okta.authentication_context.credential_type" }, - { from: "json.authenticationContext.externalSessionId", to: "okta.authentication_context.external_session_id" }, - { from: "json.authenticationContext.interface", to: "okta.authentication_context.authentication_provider" }, - { from: "json.authenticationContext.issuer", to: "okta.authentication_context.issuer" }, - { from: "json.securityContext.asNumber", to: "okta.security_context.as.number" }, - { from: "json.securityContext.asOrg", to: "okta.security_context.as.organization.name" }, - { from: "json.securityContext.domain", to: "okta.security_context.domain" }, - { from: "json.securityContext.isProxy", to: "okta.security_context.is_proxy" }, - { from: "json.securityContext.isp", to: "okta.security_context.isp" }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }); - - var copyFields = new processor.Convert({ - fields: [ - { from: "okta.client.user_agent.raw_user_agent", to: "user_agent.original" }, - { from: "okta.client.ip", to: "client.ip" }, - { from: "okta.client.ip", to: "source.ip" }, - { from: "okta.event_type", to: "event.action" }, - { from: "okta.security_context.as.number", to: "client.as.number" }, - { from: "okta.security_context.as.organization.name", to: "client.as.organization.name" }, - { from: "okta.security_context.domain", to: "client.domain" }, - { from: "okta.security_context.domain", to: "source.domain" }, - { from: "okta.uuid", to: "event.id" }, - ], - ignore_missing: true, - fail_on_error: false, - }); - - var setEventOutcome = function(evt) { - var outcome = evt.Get("okta.outcome.result"); - if (outcome) { - outcome = outcome.toLowerCase(); - if (outcome === "success" || outcome === "allow") { - evt.Put("event.outcome", "success"); - } else if (outcome === "failure" || outcome === "deny") { - evt.Put("event.outcome", "failure"); - } else { - evt.Put("event.outcome", "unknown"); - } - } - }; - - // Update nested fields - var renameNestedFields = function(evt) { - var arr = evt.Get("okta.target"); - if (arr) { - for (var i = 0; i < arr.length; i++) { - arr[i].alternate_id = arr[i].alternateId; - arr[i].display_name = arr[i].displayName; - delete arr[i].alternateId; - delete arr[i].displayName; - delete arr[i].detailEntry; - } - } - }; - - // Set user info if actor type is User - var setUserInfo = function(evt) { - if (evt.Get("okta.actor.type") === "User") { - evt.Put("client.user.full_name", evt.Get("okta.actor.display_name")); - evt.Put("source.user.full_name", evt.Get("okta.actor.display_name")); - evt.Put("related.user", evt.Get("okta.actor.display_name")); - evt.Put("client.user.id", evt.Get("okta.actor.id")); - evt.Put("source.user.id", evt.Get("okta.actor.id")); - } - }; - - // Set related.ip field - var setRelatedIP = function(event) { - var ip = event.Get("source.ip"); - if (ip) { - event.AppendTo("related.ip", ip); - } - ip = event.Get("destination.ip"); - if (ip) { - event.AppendTo("related.ip", ip); - } - }; - - // Drop extra fields - var dropExtraFields = function(evt) { - evt.Delete("json"); - }; - - // Remove null fields - var dropNullFields = function(evt) { - function dropNull(obj) { - Object.keys(obj).forEach(function(key) { - (obj[key] && typeof obj[key] === 'object') && dropNull(obj[key]) || - (obj[key] === null) && delete obj[key]; - }); - return obj; - } - dropNull(evt); - }; - - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(setId) - .Add(parseTimestamp) - .Add(saveOriginalMessage) - .Add(dropOriginalMessage) - .Add(categorizeEvent) - .Add(convertFields) - .Add(copyFields) - .Add(setEventOutcome) - .Add(renameNestedFields) - .Add(setUserInfo) - .Add(setRelatedIP) - .Add(dropExtraFields) - .Add(dropNullFields) - .Build(); - - return { - process: pipeline.Run, - }; - } - - var oktaSystem; - - // Register params from configuration. - function register(params) { - oktaSystem = new OktaSystem(params.keep_original_message); - } - - function process(evt) { - return oktaSystem.process(evt); - } - params: - keep_original_message: {{keep_original_message}} +{{#if keep_original_message}} + - copy_fields: + fields: + - from: message + to: event.original +{{/if}} - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/packages/okta/data_stream/system/agent/stream/log.yml.hbs b/packages/okta/data_stream/system/agent/stream/log.yml.hbs index 06467c3ff27..7aac5722d94 100644 --- a/packages/okta/data_stream/system/agent/stream/log.yml.hbs +++ b/packages/okta/data_stream/system/agent/stream/log.yml.hbs @@ -11,228 +11,9 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - script: - lang: javascript - id: okta_system_script - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - function OktaSystem(keep_original_message) { - var processor = require("processor"); - - var decodeJson = new processor.DecodeJSONFields({ - fields: ["message"], - target: "json", - }); - - var setId = function(evt) { - var oktaUuid = evt.Get("json.uuid"); - if (oktaUuid) { - evt.Put("@metadata._id", oktaUuid); - } - }; - - var parseTimestamp = new processor.Timestamp({ - field: "json.published", - timezone: "UTC", - layouts: ["2006-01-02T15:04:05.999Z"], - tests: ["2020-02-05T18:19:23.599Z"], - ignore_missing: true, - }); - - var saveOriginalMessage = function(evt) {}; - if (keep_original_message) { - saveOriginalMessage = new processor.Convert({ - fields: [ - {from: "message", to: "event.original"} - ], - mode: "rename" - }); - } - - var dropOriginalMessage = function(evt) { - evt.Delete("message"); - }; - - var categorizeEvent = new processor.AddFields({ - target: "event", - fields: { - category: ["authentication"], - kind: "event", - type: ["access"], - - }, - }); - - var convertFields = new processor.Convert({ - fields: [ - { from: "json.displayMessage", to: "okta.display_message" }, - { from: "json.eventType", to: "okta.event_type" }, - { from: "json.uuid", to: "okta.uuid" }, - { from: "json.actor.alternateId", to: "okta.actor.alternate_id" }, - { from: "json.actor.displayName", to: "okta.actor.display_name" }, - { from: "json.actor.id", to: "okta.actor.id" }, - { from: "json.actor.type", to: "okta.actor.type" }, - { from: "json.client.device", to: "okta.client.device" }, - { from: "json.client.geographicalContext.geolocation", to: "client.geo.location" }, - { from: "json.client.geographicalContext.city", to: "client.geo.city_name" }, - { from: "json.client.geographicalContext.state", to: "client.geo.region_name" }, - { from: "json.client.geographicalContext.country", to: "client.geo.country_name" }, - { from: "json.client.id", to: "okta.client.id" }, - { from: "json.client.ipAddress", to: "okta.client.ip" }, - { from: "json.client.userAgent.browser", to: "okta.client.user_agent.browser" }, - { from: "json.client.userAgent.os", to: "okta.client.user_agent.os" }, - { from: "json.client.userAgent.rawUserAgent", to: "okta.client.user_agent.raw_user_agent" }, - { from: "json.client.zone", to: "okta.client.zone" }, - { from: "json.outcome.reason", to: "okta.outcome.reason" }, - { from: "json.outcome.result", to: "okta.outcome.result" }, - { from: "json.target", to: "okta.target" }, - { from: "json.transaction.id", to: "okta.transaction.id" }, - { from: "json.transaction.type", to: "okta.transaction.type" }, - { from: "json.debugContext.debugData.deviceFingerprint", to: "okta.debug_context.debug_data.device_fingerprint" }, - { from: "json.debugContext.debugData.requestId", to: "okta.debug_context.debug_data.request_id" }, - { from: "json.debugContext.debugData.requestUri", to: "okta.debug_context.debug_data.request_uri" }, - { from: "json.debugContext.debugData.threatSuspected", to: "okta.debug_context.debug_data.threat_suspected" }, - { from: "json.debugContext.debugData.url", to: "okta.debug_context.debug_data.url" }, - { from: "json.authenticationContext.authenticationProvider", to: "okta.authentication_context.authentication_provider" }, - { from: "json.authenticationContext.authenticationStep", to: "okta.authentication_context.authentication_step" }, - { from: "json.authenticationContext.credentialProvider", to: "okta.authentication_context.credential_provider" }, - { from: "json.authenticationContext.credentialType", to: "okta.authentication_context.credential_type" }, - { from: "json.authenticationContext.externalSessionId", to: "okta.authentication_context.external_session_id" }, - { from: "json.authenticationContext.interface", to: "okta.authentication_context.authentication_provider" }, - { from: "json.authenticationContext.issuer", to: "okta.authentication_context.issuer" }, - { from: "json.securityContext.asNumber", to: "okta.security_context.as.number" }, - { from: "json.securityContext.asOrg", to: "okta.security_context.as.organization.name" }, - { from: "json.securityContext.domain", to: "okta.security_context.domain" }, - { from: "json.securityContext.isProxy", to: "okta.security_context.is_proxy" }, - { from: "json.securityContext.isp", to: "okta.security_context.isp" }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }); - - var copyFields = new processor.Convert({ - fields: [ - { from: "okta.client.user_agent.raw_user_agent", to: "user_agent.original" }, - { from: "okta.client.ip", to: "client.ip" }, - { from: "okta.client.ip", to: "source.ip" }, - { from: "okta.event_type", to: "event.action" }, - { from: "okta.security_context.as.number", to: "client.as.number" }, - { from: "okta.security_context.as.organization.name", to: "client.as.organization.name" }, - { from: "okta.security_context.domain", to: "client.domain" }, - { from: "okta.security_context.domain", to: "source.domain" }, - { from: "okta.uuid", to: "event.id" }, - ], - ignore_missing: true, - fail_on_error: false, - }); - - var setEventOutcome = function(evt) { - var outcome = evt.Get("okta.outcome.result"); - if (outcome) { - outcome = outcome.toLowerCase(); - if (outcome === "success" || outcome === "allow") { - evt.Put("event.outcome", "success"); - } else if (outcome === "failure" || outcome === "deny") { - evt.Put("event.outcome", "failure"); - } else { - evt.Put("event.outcome", "unknown"); - } - } - }; - - // Update nested fields - var renameNestedFields = function(evt) { - var arr = evt.Get("okta.target"); - if (arr) { - for (var i = 0; i < arr.length; i++) { - arr[i].alternate_id = arr[i].alternateId; - arr[i].display_name = arr[i].displayName; - delete arr[i].alternateId; - delete arr[i].displayName; - delete arr[i].detailEntry; - } - } - }; - - // Set user info if actor type is User - var setUserInfo = function(evt) { - if (evt.Get("okta.actor.type") === "User") { - evt.Put("client.user.full_name", evt.Get("okta.actor.display_name")); - evt.Put("source.user.full_name", evt.Get("okta.actor.display_name")); - evt.Put("related.user", evt.Get("okta.actor.display_name")); - evt.Put("client.user.id", evt.Get("okta.actor.id")); - evt.Put("source.user.id", evt.Get("okta.actor.id")); - } - }; - - // Set related.ip field - var setRelatedIP = function(event) { - var ip = event.Get("source.ip"); - if (ip) { - event.AppendTo("related.ip", ip); - } - ip = event.Get("destination.ip"); - if (ip) { - event.AppendTo("related.ip", ip); - } - }; - - // Drop extra fields - var dropExtraFields = function(evt) { - evt.Delete("json"); - }; - - // Remove null fields - var dropNullFields = function(evt) { - function dropNull(obj) { - Object.keys(obj).forEach(function(key) { - (obj[key] && typeof obj[key] === 'object') && dropNull(obj[key]) || - (obj[key] === null) && delete obj[key]; - }); - return obj; - } - dropNull(evt); - }; - - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(setId) - .Add(parseTimestamp) - .Add(saveOriginalMessage) - .Add(dropOriginalMessage) - .Add(categorizeEvent) - .Add(convertFields) - .Add(copyFields) - .Add(setEventOutcome) - .Add(renameNestedFields) - .Add(setUserInfo) - .Add(setRelatedIP) - .Add(dropExtraFields) - .Add(dropNullFields) - .Build(); - - return { - process: pipeline.Run, - }; - } - - var oktaSystem; - - // Register params from configuration. - function register(params) { - oktaSystem = new OktaSystem(params.keep_original_message); - } - - function process(evt) { - return oktaSystem.process(evt); - } - params: - keep_original_message: {{keep_original_message}} - - add_fields: - target: '' +{{#if keep_original_message}} + - copy_fields: fields: - ecs.version: 1.6.0 + - from: message + to: event.original +{{/if}} diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml index 7fd39ba62dc..bfd1b1d131a 100644 --- a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml @@ -1,55 +1,554 @@ --- description: Pipeline for Okta system logs. - processors: - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - user_agent: - field: user_agent.original - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - json: + field: message + target_field: json + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - remove: + field: message + ignore_missing: true + - convert: + field: json.uuid + target_field: _id + type: string + ignore_failure: true + if: ctx?.json?.uuid != null && ctx?.json?.uuid != "" + - date: + field: json.published + formats: + - ISO8601 + ignore_failure: true + - set: + field: event.kind + value: event + - rename: + field: json.displayMessage + target_field: okta.display_message + ignore_missing: true + ignore_failure: true + - rename: + field: json.eventType + target_field: okta.event_type + ignore_missing: true + ignore_failure: true + - append: + field: event.category + value: iam + if: | + ["group.user_membership.add","group.user_membership.remove", + "user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: configuration + if: | + ["policy.lifecycle.activate","policy.lifecycle.create", + "policy.lifecycle.deactivate","policy.lifecycle.delete", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.delete", + "application.lifecycle.create","application.lifecycle.delete", + "policy.rule.update","application.lifecycle.activate", + "application.lifecycle.deactivate","application.lifecycle.update"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: authentication + if: '["user.session.start","user.session.end","user.authentication.sso","policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - append: + field: event.category + value: session + if: '["user.session.start","user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: network + if: '["security.request.blocked"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: network + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation","security.request.blocked"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: start + if: '["user.session.start"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: end + if: '["user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: group + if: '["group.user_membership.add","group.user_membership.remove"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: user + if: | + ["user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend","user.authentication.sso", + "user.session.start","user.session.end","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: change + if: | + ["user.lifecycle.activate","user.lifecycle.deactivate", + "user.lifecycle.suspend","user.lifecycle.unsuspend", + "group.user_membership.add","group.user_membership.remove", + "policy.lifecycle.activate","policy.lifecycle.deactivate", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.update","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: creation + if: '["user.lifecycle.create","policy.lifecycle.create","application.lifecycle.create"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: deletion + if: '["policy.lifecycle.delete","application.lifecycle.delete"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: '["policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - rename: + field: json.uuid + target_field: okta.uuid + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.alternateId + target_field: okta.actor.alternate_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.displayName + target_field: okta.actor.display_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.id + target_field: okta.actor.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.type + target_field: okta.actor.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.device + target_field: okta.client.device + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.geolocation + target_field: client.geo.location + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.city + target_field: client.geo.city_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.state + target_field: client.geo.region_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.country + target_field: client.geo.country_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.id + target_field: okta.client.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.ipAddress + target_field: okta.client.ip + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.browser + target_field: okta.client.user_agent.browser + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.os + target_field: okta.client.user_agent.os + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.rawUserAgent + target_field: okta.client.user_agent.raw_user_agent + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.zone + target_field: okta.client.zone + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.reason + target_field: okta.outcome.reason + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.result + target_field: okta.outcome.result + ignore_missing: true + ignore_failure: true + - rename: + field: json.target + target_field: okta.target + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.id + target_field: okta.transaction.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.type + target_field: okta.transaction.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.deviceFingerprint + target_field: okta.debug_context.debug_data.device_fingerprint + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestId + target_field: okta.debug_context.debug_data.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestUri + target_field: okta.debug_context.debug_data.request_uri + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.threatSuspected + target_field: okta.debug_context.debug_data.threat_suspected + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.url + target_field: okta.debug_context.debug_data.url + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationProvider + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationStep + target_field: okta.authentication_context.authentication_step + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialProvider + target_field: okta.authentication_context.credential_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialType + target_field: okta.authentication_context.credential_type + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.externalSessionId + target_field: okta.authentication_context.external_session_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.interface + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.issuer + target_field: okta.authentication_context.issuer + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asNumber + target_field: okta.security_context.as.number + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asOrg + target_field: okta.security_context.as.organization.name + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.domain + target_field: okta.security_context.domain + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isProxy + target_field: okta.security_context.is_proxy + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isp + target_field: okta.security_context.isp + ignore_missing: true + ignore_failure: true + - convert: + field: okta.client.user_agent.raw_user_agent + target_field: user_agent.original + type: string + ignore_failure: true + - convert: + field: okta.client.ip + target_field: client.ip + type: string + ignore_failure: true + - convert: + field: okta.client.ip + target_field: source.ip + type: string + ignore_failure: true + - convert: + field: okta.event_type + target_field: event.action + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.number + target_field: client.as.number + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.organization.name + target_field: client.as.organization.name + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: client.domain + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: source.domain + type: string + ignore_failure: true + - convert: + field: okta.uuid + target_field: event.id + type: string + ignore_failure: true + - lowercase: + field: okta.outcome.result + target_field: okta.outcome.result_lower + ignore_missing: true + - set: + field: event.outcome + value: success + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "success" || ctx?.okta?.outcome?.result_lower == "allow") + - set: + field: event.outcome + value: failure + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "failure" || ctx?.okta?.outcome?.result_lower == "deny") + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - remove: + field: okta.outcome.result_lower + ignore_missing: true + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + arr[i]["alternate_id"] = arr[i]["alternateId"]; + arr[i].remove("alternateId"); + arr[i]["display_name"] = arr[i]["displayName"]; + arr[i].remove("displayName"); + arr[i].remove("detailEntry"); + } + } + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("user")) { + ctx["okta_target_user"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("user.") + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("group")) { + ctx["okta_target_group"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("group.") + - rename: + field: okta_target_user.display_name + target_field: user.target.full_name + ignore_missing: true + - rename: + field: okta_target_user.id + target_field: user.target.id + ignore_missing: true + - rename: + field: okta_target_user.login + target_field: user.target.email + ignore_missing: true + - rename: + field: okta_target_group.display_name + target_field: user.target.group.name + ignore_missing: true + - rename: + field: okta_target_group.id + target_field: user.target.group.id + ignore_missing: true + - remove: + field: + - okta_target_user + - okta_target_group + ignore_missing: true + - set: + field: client.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: source.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: client.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: source.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{okta.actor.display_name}}" + allow_duplicates: false + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{user.target.full_name}}" + allow_duplicates: false + if: ctx?.user?.target?.full_name != null + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null + - remove: + field: json + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/okta/data_stream/system/fields/ecs.yml b/packages/okta/data_stream/system/fields/ecs.yml index 695b8d874aa..94852d9c2a7 100644 --- a/packages/okta/data_stream/system/fields/ecs.yml +++ b/packages/okta/data_stream/system/fields/ecs.yml @@ -169,3 +169,85 @@ - name: tags type: keyword description: List of keywords used to tag each event. +- name: user + title: User + type: group + fields: + - name: domain + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of.' + - name: email + type: keyword + ignore_above: 1024 + description: User email address. + - name: id + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + - name: name + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + - name: full_name + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + default_field: false + - name: target.domain + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of.' + default_field: false + - name: target.email + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: target.full_name + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + default_field: false + - name: target.group.domain + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of.' + default_field: false + - name: target.group.id + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: target.group.name + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: target.id + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: target.name + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + default_field: false diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md index 62a06417f4f..42f32aef904 100644 --- a/packages/okta/docs/README.md +++ b/packages/okta/docs/README.md @@ -148,6 +148,19 @@ The Okta System Log records system events related to your organization in order | source.user.full_name | User’s full name, if available. | keyword | | source.user.id | Unique identifiers of the user. | keyword | | tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.target.domain | Name of the directory the user is a member of. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | | user_agent.device.name | Name of the device. | keyword | | user_agent.name | Name of the user agent. | keyword | | user_agent.original | Unparsed user_agent string. | keyword | diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml index b18bd97873b..8a212874710 100644 --- a/packages/okta/manifest.yml +++ b/packages/okta/manifest.yml @@ -1,6 +1,6 @@ name: okta title: Okta -version: 0.2.5 +version: 0.3.0 release: experimental description: Okta Integration type: integration @@ -32,37 +32,12 @@ policy_templates: multi: false required: false show_user: true - - name: authentication_scheme - type: text - title: Authentication Scheme - multi: false - required: true - show_user: false - default: SSWS - name: http_client_timeout type: text title: HTTP Client Timeout multi: false required: false show_user: true - - name: http_method - type: text - title: HTTP Method - multi: false - required: false - show_user: false - - name: http_headers - type: yaml - title: HTTP Headers - multi: false - required: false - show_user: false - - name: http_request_body - type: yaml - title: HTTP Request Body - multi: false - required: false - show_user: false - name: interval type: text title: Interval @@ -70,39 +45,6 @@ policy_templates: required: true show_user: true default: 60s - - name: json_objects_array - type: text - title: JSON Objects Array - multi: false - required: false - show_user: false - - name: no_http_body - type: bool - title: No HTTP Body - multi: false - required: true - show_user: false - default: true - - name: pagination - type: yaml - title: Pagination - multi: false - required: true - show_user: false - default: | - header: - field_name: Link - regex_pattern: <([^>]+)>; *rel="next"(?:,|$) - - name: rate_limit - type: yaml - title: Rate Limit - multi: false - required: true - show_user: false - default: | - limit: X-Rate-Limit-Limit - remaining: X-Rate-Limit-Remaining - reset: X-Rate-Limit-Reset - name: ssl type: yaml title: SSL