[Filebeat][Okta] Ingest Pipeline for Okta Module drops debug_context fields #25689
Comments
botelastic
bot
added
the
needs_team
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
Thanks for taking the time to adjust the pipeline @BenB196. Could you submit a PR and we can work through your additions there? |
|
@jamiehynds I can do this. @BenB196 can you provide some sample logs from Okta that contain these "new" fields. The sample data that is currently there doesn't have those fields to test. |
|
@legoguy1000 sorry just getting around to this now. Thanks for opening this PR. Do you still need an example, of the event? |
No problem. I created 1 event by just using the fields u provided so if u have some real ones that would be good just to make sure I didn't mess up. |
|
@legoguy1000 here is an example event, I obfuscated the data with the same info that was in the example you had where applicable to keep things consistent: {
"actor": {
"alternateId": "xxxxxx@elastic.co",
"detailEntry": null,
"displayName": "xxxxxx",
"id": "00u1abvz4pYqdM8ms4x6",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "102bZDNFfWaQSyEZQuDgWt-uQ",
"interface": null,
"issuer": null
},
"client": {
"device": "Computer",
"geographicalContext": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postalCode": "94568",
"state": "California"
},
"id": null,
"ipAddress": "108.255.197.247",
"userAgent": {
"browser": "FIREFOX",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestId": "<random_id_string>",
"requestUri": "<uri_endpoint>",
"suspiciousActivityBrowser": "browser",
"suspiciousActivityEventCity": "New York City",
"suspiciousActivityEventCountry": "United States",
"suspiciousActivityEventId": "1234567",
"suspiciousActivityEventIp": "10.50.14.5",
"suspiciousActivityEventLatitude": "40.744960",
"suspiciousActivityEventLongitude": "-73.988590",
"suspiciousActivityEventState": "New York",
"suspiciousActivityEventTransactionId": "12345678900",
"suspiciousActivityEventType": "system.email.new_device_notification.sent_message",
"suspiciousActivityOs": "Windows 10",
"suspiciousActivityTimestamp": "2021-05-08T21:50:16.594Z",
"url": "<url>"
}
},
"device": null,
"displayMessage": "User report suspicious activity",
"eventType": "user.account.report_suspicious_activity_by_enduser",
"legacyEventType": "core.user.account.report_suspicious_activity_by_enduser",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2020-02-14T20:18:57.762Z",
"request": {
"ipChain": [{
"geographicalContext": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postalCode": "94568",
"state": "California"
},
"ip": "108.255.197.247",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": 7018,
"asOrg": "AT&T Services, Inc.",
"domain": "att.com",
"isProxy": false,
"isp": "AT&T Corp."
},
"severity": "WARN",
"target": [{
"alternateId": "xxxxxx@elastic.co",
"detailEntry": null,
"displayName": "xxxxxx",
"id": "00u1abvz4pYqdM8ms4x6",
"type": "User"
}
],
"transaction": {
"detail": {},
"id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
"type": "WEB"
},
"uuid": "36a3b6b3-fcc0-47a0-96bd-95330cfdb658",
"version": "0"
}
|
|
I updated the sample data and all good. I also added a |
* #25689: Parse additonal debug data fields for Okta module * update generated data * update changelog * added additional test data & `uri_parts` processor * update fields * fix changelog * update fields Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
…#26487) * #25689: Parse additonal debug data fields for Okta module * update generated data * update changelog * added additional test data & `uri_parts` processor * update fields * fix changelog * update fields Co-authored-by: Marius Iversen <marius.iversen@elastic.co> (cherry picked from commit 4aff295) Co-authored-by: Alex Resnick <adr8292@gmail.com>
The following needs to be added to the Filebeat mapping:
The following processors need to be added to the ingest pipeline prior to json being dropped:
For confirmed bugs, please report:
The text was updated successfully, but these errors were encountered: