x-pack/filebeat/module/okta: fill okta.request.ip_chain.* as a flattened object (#34621)

Added to reflect addition in okta integration: elastic/integrations#3326
efd6 committed Feb 22, 2023
1 parent 3de0d50 commit 1f1868d
Showing 6 changed files with 189 additions and 85 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -212,6 +212,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
- Allow user configuration of timezone offset in Cisco ASA and FTD modules. {pull}34436[34436]
- Allow user configuration of timezone offset in Checkpoint module. {pull}34472[34472]
- Add support for Okta debug attributes, `risk_reasons`, `risk_behaviors` and `factor`. {issue}33677[33677] {pull}34508[34508]
- Fill okta.request.ip_chain.* as a flattened object in Okta module. {pull}34621[34621]

*Auditbeat*

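Review bot: the entry understates the impact of the change. The fields.yml and fields.asciidoc hunks in this same commit turn `okta.request.ip_chain` from a `group` with typed children (`ip`, `keyword`, `geo_point`) into a single `flattened` field, so CIDR-style queries on `okta.request.ip_chain.ip` and geo queries on `okta.request.ip_chain.geographical_context.geolocation` stop working after the upgrade, which matters for anyone with saved searches or detection rules on those keys. Suggest saying so in the entry, e.g. `- Fill okta.request.ip_chain.* as a flattened object in Okta module; the previously typed sub-fields (including the geo_point geolocation) are replaced by keyword values. {pull}34621[34621]`.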
86 changes: 3 additions & 83 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -112445,93 +112445,13 @@ Fields that let you store information about the request, in the form of list of



[float]
=== ip_chain

List of ip_chain objects.



*`okta.request.ip_chain.ip`*::
+
--
IP address.


type: ip

--

*`okta.request.ip_chain.version`*::
+
--
IP version. Must be one of V4, V6.


type: keyword

--

*`okta.request.ip_chain.source`*::
+
--
Source information.


type: keyword

--

[float]
=== geographical_context

Geographical information.



*`okta.request.ip_chain.geographical_context.city`*::
+
--
The city.

type: keyword

--

*`okta.request.ip_chain.geographical_context.state`*::
*`okta.request.ip_chain`*::
+
--
The state.

type: keyword

--

*`okta.request.ip_chain.geographical_context.postal_code`*::
+
--
The postal code.

type: keyword

--

*`okta.request.ip_chain.geographical_context.country`*::
+
--
The country.

type: keyword

--

*`okta.request.ip_chain.geographical_context.geolocation`*::
+
--
Geolocation information.
List of ip_chain objects.


type: geo_point
type: flattened

--

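Review bot: with every child entry removed, the only documentation left for the field is "List of ip_chain objects.", which no longer tells a reader which keys to expect inside the flattened value or that `geolocation` is no longer a `geo_point`. This file is generated, so the fix belongs in the description in `x-pack/filebeat/module/okta/system/_meta/fields.yml`: suggest listing the keys the pipeline produces (`ip`, `version`, `source`, `geographical_context.city`, `.state`, `.postal_code`, `.country`, `.geolocation` with `lat`/`lon`) and stating that all of them are indexed as keyword values under the flattened mapping.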
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/okta/fields.go


2 changes: 1 addition & 1 deletion x-pack/filebeat/module/okta/system/_meta/fields.yml
Expand Up @@ -414,7 +414,7 @@
- name: ip_chain
description: >
List of ip_chain objects.
type: group
type: flattened
fields:

- name: ip
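Review bot: the `fields:` block and the child definitions starting at `- name: ip` are left in place under what is now a `flattened` field. Elasticsearch's `flattened` type is a leaf mapping that takes no sub-field definitions, and the regenerated fields.asciidoc in this commit already drops every child, so the entries below are dead. Suggest deleting them, or, if they are being kept on purpose as documentation of the object's shape, adding a comment saying so; otherwise the next reader will assume `ip` is still mapped with type `ip`.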
23 changes: 23 additions & 0 deletions x-pack/filebeat/module/okta/system/ingest/pipeline.yml
Expand Up @@ -485,6 +485,29 @@ processors:
target_field: okta.security_context.isp
ignore_missing: true
ignore_failure: true
- rename:
field: json.request.ipChain
target_field: okta.request.ip_chain
ignore_missing: true
ignore_failure: true
- foreach:
field: okta.request.ip_chain
processor:
rename:
field: _ingest._value.geographicalContext
target_field: _ingest._value.geographical_context
ignore_missing: true
ignore_failure: true
ignore_missing: true
- foreach:
field: okta.request.ip_chain
processor:
rename:
field: _ingest._value.geographical_context.postalCode
target_field: _ingest._value.geographical_context.postal_code
ignore_missing: true
ignore_failure: true
ignore_missing: true
- convert:
field: okta.client.user_agent.raw_user_agent
target_field: user_agent.original
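Review bot: the second `foreach` depends on the first having renamed `geographicalContext` to `geographical_context` in every element, but the inner rename of the first `foreach` carries `ignore_failure: true`, so an element where that rename fails keeps its camelCase key and the `postalCode` rename then silently finds nothing (`ignore_missing: true`), leaving a mixed-case object in the flattened field with no error recorded. Suggest doing both renames in one `foreach` (a single `script` processor over `_ingest._value`), or dropping `ignore_failure` from the inner renames so a malformed element fails the document instead of passing through unnoticed. Separately, consider appending each element's `ip` to ECS `related.ip`, since under the flattened mapping the chain addresses are only keyword values and are otherwise not reachable through the usual `related.ip` pivot.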
Expand Up @@ -51,6 +51,22 @@
"okta.display_message": "User logout from Okta",
"okta.event_type": "user.session.end",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "67.43.156.12",
"version": "V4"
}
],
"okta.transaction.id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
"okta.transaction.type": "WEB",
"okta.uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd",
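Review bot: every fixture visible in these hunks shows a single-element chain with a complete `geographical_context`, so the `ignore_missing` and `ignore_failure` paths of the new `foreach` processors are never exercised. Suggest adding one event with a multi-hop chain (for example a client behind a proxy) and one whose element lacks `geographicalContext`, so the snake_case renames and the flattened output are checked for both shapes. The expected `geolocation` is now a plain object with `lat` and `lon` keys inside the flattened value rather than a `geo_point`, which is consistent with the fields.yml change in this commit.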
Expand Down Expand Up @@ -138,6 +154,22 @@
"okta.display_message": "User login to Okta",
"okta.event_type": "user.session.start",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "67.43.156.12",
"version": "V4"
}
],
"okta.transaction.id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
"okta.transaction.type": "WEB",
"okta.uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
Expand Down Expand Up @@ -223,6 +255,22 @@
"okta.event_type": "policy.evaluate_sign_on",
"okta.outcome.reason": "Sign-on policy evaluation resulted in ALLOW",
"okta.outcome.result": "ALLOW",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "67.43.156.12",
"version": "V4"
}
],
"okta.target": [
{
"alternate_id": "unknown",
Expand Down Expand Up @@ -346,6 +394,22 @@
"okta.event_type": "policy.evaluate_sign_on",
"okta.outcome.reason": "Sign-on policy evaluation resulted in ALLOW",
"okta.outcome.result": "ALLOW",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "67.43.156.12",
"version": "V4"
}
],
"okta.target": [
{
"alternate_id": "unknown",
Expand Down Expand Up @@ -459,6 +523,22 @@
"okta.display_message": "User report suspicious activity",
"okta.event_type": "user.account.report_suspicious_activity_by_enduser",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Dublin",
"country": "United States",
"geolocation": {
"lat": 37.7201,
"lon": -121.919
},
"postal_code": "94568",
"state": "California"
},
"ip": "67.43.156.12",
"version": "V4"
}
],
"okta.security_context.as.number": 7018,
"okta.security_context.as.organization.name": "AT&T Services, Inc.",
"okta.security_context.domain": "att.com",
Expand Down Expand Up @@ -576,6 +656,22 @@
"okta.display_message": "User login to Okta",
"okta.event_type": "user.session.start",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Ashburn",
"country": "United States",
"geolocation": {
"lat": 39.1469,
"lon": -77.5903
},
"postal_code": "20149",
"state": "Virginia"
},
"ip": "81.2.69.144",
"version": "V4"
}
],
"okta.security_context.as.number": 14618,
"okta.security_context.as.organization.name": "amazon data services nova",
"okta.security_context.domain": "amazonaws.com",
Expand Down Expand Up @@ -670,6 +766,22 @@
"okta.display_message": "Verify user identity",
"okta.event_type": "user.authentication.verify",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Purcellville",
"country": "United States",
"geolocation": {
"lat": 39.64,
"lon": -77.8346
},
"postal_code": "20132",
"state": "Virginia"
},
"ip": "67.43.156.14",
"version": "V4"
}
],
"okta.security_context.as.number": 7922,
"okta.security_context.as.organization.name": "comcast",
"okta.security_context.domain": "comcast.net",
Expand Down Expand Up @@ -776,6 +888,22 @@
"okta.display_message": "Verify user identity",
"okta.event_type": "user.authentication.verify",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "City",
"country": "Country",
"geolocation": {
"lat": 0,
"lon": 0
},
"postal_code": "00000",
"state": "State"
},
"ip": "81.2.69.144",
"version": "V4"
}
],
"okta.security_context.as.number": 1828,
"okta.security_context.as.organization.name": "org",
"okta.security_context.domain": "domain.com",
Expand Down Expand Up @@ -873,6 +1001,22 @@
"okta.display_message": "Authentication of user via MFA",
"okta.event_type": "user.authentication.auth_via_mfa",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Lucerne",
"country": "Switzerland",
"geolocation": {
"lat": 47.0511,
"lon": 8.3056
},
"postal_code": "6007",
"state": "Lucerne"
},
"ip": "127.0.0.1",
"version": "V4"
}
],
"okta.security_context.as.number": 3303,
"okta.security_context.as.organization.name": "bluewin is an lir and isp in switzerland.",
"okta.security_context.domain": "swisscom.ch",
Expand Down Expand Up @@ -981,6 +1125,22 @@
"okta.display_message": "Authentication of user via MFA",
"okta.event_type": "user.authentication.auth_via_mfa",
"okta.outcome.result": "SUCCESS",
"okta.request.ip_chain": [
{
"geographical_context": {
"city": "Bredstedt",
"country": "Germany",
"geolocation": {
"lat": 54.6208,
"lon": 8.9631
},
"postal_code": "25821",
"state": "Schleswig-Holstein"
},
"ip": "127.0.0.1",
"version": "V4"
}
],
"okta.security_context.as.number": 62336,
"okta.security_context.as.organization.name": "customer access",
"okta.security_context.domain": "german-local.net",

0 comments on commit 1f1868d
