elastic · efd6 · May 23, 2022 · May 19, 2022
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Fix handling of code_sign data in ThreatIntel Malwarebazaar. {issue}29972[29972] {pull}31552[31552]
 - Remove invalid term from event.outcome in the cisco asa and ftd modules. {pull}31628[31628]
 - Remove invalid "network_traffic" term from event.category. {pull}31674[31674]
+- Fix type mapping of client.as.number in okta module. {pull}31676[31676]
 
 *Heartbeat*
 - Fix unintentional use of no-op logger. {pull}31543[31543]
@@ -119,6 +120,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Default value of `filebeat.registry.flush` increased from 0s to 1s. CPU and disk I/O usage are reduced because the registry is not written to disk for each ingested log line. {issue}30279[30279]
 - Cisco ASA/FTD: Add support for messages 434001 and 434003. {pull}31533[31533]
 - Change threatintel module from beta to GA. {pull}31693[31693]
+- Add extended okta.debug_context.debug_data handling. {pull}31676[31676]
 
 *Auditbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -112011,6 +112011,16 @@ type: keyword
 Threat suspected.
 
 
+type: keyword
+
+--
+
+*`okta.debug_context.debug_data.risk_level`*::
++
+--
+The risk level assigned to the sign in attempt.
+
+
 type: keyword
 
 --
@@ -112025,6 +112035,16 @@ type: keyword
 
 --
 
+*`okta.debug_context.debug_data.flattened`*::
++
+--
+The complete debug_data object.
+
+
+type: flattened
+
+--
+
 [float]
 === suspicious_activity
 

@@ -208,11 +208,21 @@
       description: >
         Threat suspected.
 
+    - name: risk_level
+      type: keyword
+      description: >
+        The risk level assigned to the sign in attempt.
+
     - name: url
       type: keyword
       description: >
         The URL.
 
+    - name: flattened
+      type: flattened
+      description: >
+        The complete debug_data object.
+
     - name: suspicious_activity
       description: >
         The suspicious activity fields from the debug data.

@@ -223,6 +223,51 @@ processors:
       target_field: okta.transaction.type
       ignore_missing: true
       ignore_failure: true
+  - set:
+      field: okta.debug_context.debug_data.flattened
+      copy_from: json.debugContext.debugData
+      ignore_failure: true
+  - json:
+      field: okta.debug_context.debug_data.flattened.logOnlySecurityData
+      ignore_failure: true
+  - dissect:
+      field: okta.debug_context.debug_data.flattened.behaviors
+      pattern: "{%{okta.debug_context.debug_data.flattened.behaviors}}"
+      ignore_missing: true
+      ignore_failure: true
+  - kv:
+      field: okta.debug_context.debug_data.flattened.behaviors
+      field_split: ", "
+      value_split: "="
+      target_field: _behaviors_object
+      if: ctx.okta?.debug_context?.debug_data?.flattened?.behaviors != null
+  - remove:
+      field: okta.debug_context.debug_data.flattened.behaviors
+      if: ctx._behaviors_object != null
+  - rename:
+      field: _behaviors_object
+      target_field: okta.debug_context.debug_data.flattened.behaviors
+      ignore_missing: true
+      ignore_failure: true
+  - dissect:
+      field: okta.debug_context.debug_data.flattened.risk
+      pattern: "{%{okta.debug_context.debug_data.flattened.risk}}"
+      ignore_missing: true
+      ignore_failure: true
+  - kv:
+      field: okta.debug_context.debug_data.flattened.risk
+      field_split: ", "
+      value_split: "="
+      target_field: _risk_object
+      if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null
+  - remove:
+      field: okta.debug_context.debug_data.flattened.risk
+      if: ctx._risk_object != null
+  - rename:
+      field: _risk_object
+      target_field: okta.debug_context.debug_data.flattened.risk
+      ignore_missing: true
+      ignore_failure: true
   - rename:
       field: json.debugContext.debugData.deviceFingerprint
       target_field: okta.debug_context.debug_data.device_fingerprint
@@ -314,6 +359,14 @@ processors:
       formats:
         - ISO8601
       if: ctx?.json?.debugContext?.debugData?.suspiciousActivityTimestamp != null
+  - set:
+      field: okta.debug_context.debug_data.risk_level
+      value: "{{{okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.level}}}"
+      if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != ""'
+  - set:
+      field: okta.debug_context.debug_data.risk_level
+      value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}"
+      if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != ""'
   - rename:
       field: json.authenticationContext.authenticationProvider
       target_field: okta.authentication_context.authentication_provider
@@ -394,10 +447,9 @@ processors:
       target_field: event.action
       type: string
       ignore_failure: true
-  - convert:
-      field: okta.security_context.as.number
-      target_field: client.as.number
-      type: string
+  - set:
+      field: client.as.number
+      copy_from: okta.security_context.as.number
       ignore_failure: true
   - convert:
       field: okta.security_context.as.organization.name