elastic#25689: Parse additonal debug data fields for Okta module

x-pack/filebeat/module/okta/system/_meta/fields.yml

@@ -213,6 +213,73 @@
       description: >
         The URL.
 
+
+    - name: suspicious_activity
+      description: >
+        The suspicious activity fields from the debug data.
+      type: group
+      fields:
+
+        - name: browser
+          type: keyword
+          description: >
+            The URL.
+
+        - name: event_city
+          type: keyword
+          description: >
+            The URL.
+
+        - name: event_country
+          type: keyword
+          description: >
+            The URL.
+
+        - name: event_id
+          type: keyword
+          description: >
+            The URL.
+
+        - name: event_ip
+          type: ip
+          description: >
+            The URL.
+
+        - name: event_latitude
+          type: float
+          description: >
+            The URL.
+
+        - name: event_longitude
+          type: float
+          description: >
+            The URL.
+
+        - name: event_state
+          type: keyword
+          description: >
+            The URL.
+
+        - name: event_transaction_id
+          type: keyword
+          description: >
+            The URL.
+
+        - name: event_type
+          type: keyword
+          description: >
+            The URL.
+
+        - name: os
+          type: keyword
+          description: >
+            The URL.
+
+        - name: timestamp
+          type: date
+          description: >
+            The URL.
+
 - name: authentication_context
   title: Authentication Context
   short: Fields that let you store information about authentication context.

x-pack/filebeat/module/okta/system/ingest/pipeline.yml

@@ -265,6 +265,68 @@ processors:
       target_field: okta.debug_context.debug_data.url
       ignore_missing: true
       ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityBrowser
+      target_field: okta.debug_context.debug_data.suspicious_activity.browser
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      ignore_failure: true
+      field: json.debugContext.debugData.suspiciousActivityEventCity
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_city
+      ignore_missing: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventCountry
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_country
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventId
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_id
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventIp
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_ip
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventLatitude
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_latitude
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventLongitude
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_longitude
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventState
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_state
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventTransactionId
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_transaction_id
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityEventType
+      target_field: okta.debug_context.debug_data.suspicious_activity.event_type
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.debugContext.debugData.suspiciousActivityOs
+      target_field: okta.debug_context.debug_data.suspicious_activity.os
+      ignore_missing: true
+      ignore_failure: true
+  - date:
+      field: json.debugContext.debugData.suspiciousActivityTimestamp
+      target_field: okta.debug_context.debug_data.suspicious_activity.timestamp
+      ignore_failure: true
+      formats:
+        - ISO8601
+      if: ctx?.json?.debugContext?.debugData?.suspiciousActivityTimestamp != null
   - rename:
       field: json.authenticationContext.authenticationProvider
       target_field: okta.authentication_context.authentication_provider
@@ -452,6 +514,7 @@ processors:
       field:
         - okta_target_user
         - okta_target_group
+        - json
       ignore_missing: true
   - set:
       field: client.user.id
@@ -498,9 +561,6 @@ processors:
       value: "{{destination.ip}}"
       allow_duplicates: false
       if: ctx?.destination?.ip != null
-  - remove:
-      field: json
-      ignore_missing: true
   - user_agent:
       field: user_agent.original
       ignore_missing: true

x-pack/filebeat/module/okta/system/test/okta-system-test.json.log

@@ -1,3 +1,4 @@
 {"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"}
 {"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"}
 {"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"}
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"<random_id_string>","requestUri":"<uri_endpoint>","threatSuspected":"false","url":"<url>","suspiciousActivityBrowser":"browser","suspiciousActivityEventCity":"New York City","suspiciousActivityEventCountry":"United Sates","suspiciousActivityEventId":"1234567","suspiciousActivityEventIp":"10.50.14.5","suspiciousActivityEventLatitude":"40.744960","suspiciousActivityEventLongitude":"-73.988590","suspiciousActivityEventState":"New York","suspiciousActivityEventTransactionId":"12345678900","suspiciousActivityEventType":"system.email.new_device_notification.sent_message","suspiciousActivityOs":"Windows 10","suspiciousActivityTimestamp":"2021-05-08T21:50:16.594Z"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"}