With the addition of the entity fieldset to ECS, the following fields need to be mapped for the Entity Analytics Okta integration:
host.os.version
Populate from profile.osVersion.
user.entity.lifecycle.last_activity
Populate from entityanalytics_okta.user.last_login. Only applies to users. No device activity timestamp exists.
user.entity.relationships.administered_by
Populate from entityanalytics_okta.user.profile.manager.*. For Okta, there is no API field on a user record identifying who their account administrator is beyond the manager relationships.
user.entity.attributes.mfa_enabled
Requires a new integration config option (Enrich User Factors) that makes the input issue an additional call per user. It should be disabled by default, as Enrich User Roles currently is.
host.entity.attributes.managed
The field is already returned by the API but currently ignored by the integration (DeviceProfile.managed). Requires changes in the integration to parse this field.
user.entity.attributes.permissions
Added a new input option called enrich_with: perms at elastic/beats#49805.
The integration needs to implement this new option and parse the new roles[].permissions field.
It also requires adding a new scope: okta.roles.read.
As this new feature was introduced in 9.4, the changes cannot be published until 9.4 is released, and 9.4 should be a constraint for the new integration's version.
user.entity.relationships.owns
Added a new input option called enrich_with: devices at elastic/beats#49813.
The integration needs to implement this new option and parse the new devices[] field.
As this new feature was introduced in 9.4, the changes cannot be published until 9.4 is released, and 9.4 should be a constraint for the new integration's version.
user.entity.relationships.supervises
Added a new input option called enrich_with: supervises at elastic/beats#49825.
The integration needs to implement this new option and parse the new supervises[] field. Each supervises entry is an object with the following three fields: id, email and username.
As this new feature was introduced in 9.4, the changes cannot be published until 9.4 is released, and 9.4 should be a constraint for the new integration's version.
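
The user-side mappings above, sketched as an added example (not the integration's pipeline or code from elastic/beats). Assumptions: roles[], devices[] and supervises[] sit under entityanalytics_okta.user, manager.* holds identifier strings, devices[] entries carry an id, and relationship fields hold ids; the sample document is constructed.

```python
# Added example; document layout and output value choices are assumptions.
SAMPLE = {  # constructed document
    "entityanalytics_okta": {"user": {
        "last_login": "2025-01-15T09:30:00.000Z",
        "profile": {"manager": {"id": "00u-manager-1"}},
        "roles": [{"permissions": ["okta.users.read", "okta.groups.read"]},
                  {"permissions": ["okta.users.read"]}],
        "devices": [],
        "supervises": [{"id": "00u-report-1", "email": "r1@example.com",
                        "username": "r1"}],
    }}
}


def _distinct(values):
    """Drop empty values and duplicates, preserving order."""
    out = []
    for v in values:
        if v and v not in out:
            out.append(v)
    return out


def map_user_entity(doc):
    """Return the user.entity.* fields that can be populated from doc."""
    user = doc.get("entityanalytics_okta", {}).get("user", {})
    entity, rel = {}, {}
    if user.get("last_login"):
        entity["lifecycle"] = {"last_activity": user["last_login"]}
    managers = _distinct((user.get("profile", {}).get("manager") or {}).values())
    if managers:
        rel["administered_by"] = managers
    # Assumption: a key is present only when its enrich_with option ran, so a
    # missing key means "not collected" (unset) while [] means "collected, none".
    if "devices" in user:
        rel["owns"] = _distinct(d.get("id") for d in user["devices"])
    if "supervises" in user:
        rel["supervises"] = _distinct(s.get("id") for s in user["supervises"])
    if rel:
        entity["relationships"] = rel
    roles = user.get("roles", [])
    if any("permissions" in r for r in roles):
        entity["attributes"] = {"permissions": _distinct(
            p for r in roles for p in r.get("permissions", []))}
    return {"user": {"entity": entity}} if entity else {}
```

Leaving a field unset when its enrichment was not requested keeps downstream rules from reading "not collected" as "no permissions" or "no devices".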