elastic · efd6 · Jun 11, 2025 · May 1, 2025 · May 11, 2025 · May 27, 2025
@@ -54,6 +54,57 @@ rules:
               }
           ]
           `}}
+  - path: /api/v1/users/00ub0oNGTSWTBKOLGLNR/roles
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {{ minify_json `
+          [
+              {
+                  "id": "IFIFAX2BIRGUSTQ",
+                  "label": "Application administrator",
+                  "type": "APP_ADMIN",
+                  "status": "ACTIVE",
+                  "created": "2019-02-06T16:17:40.000Z",
+                  "lastUpdated": "2019-02-06T16:17:40.000Z",
+                  "assignmentType": "USER",
+                  "_links": {
+                      "assignee": {
+                          "href": "https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR"
+                      }
+                  }
+              },
+              {
+                  "id": "JBCUYUC7IRCVGS27IFCE2SKO",
+                  "label": "Help Desk administrator",
+                  "type": "HELP_DESK_ADMIN",
+                  "status": "ACTIVE",
+                  "created": "2019-02-06T16:17:40.000Z",
+                  "lastUpdated": "2019-02-06T16:17:40.000Z",
+                  "assignmentType": "USER",
+                  "_links": {
+                      "assignee": {
+                          "href": "https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR"
+                      }
+                  }
+              },
+              {
+                  "id": "ra125eqBFpETrMwu80g4",
+                  "label": "Organization administrator",
+                  "type": "ORG_ADMIN",
+                  "status": "ACTIVE",
+                  "created": "2019-02-06T16:17:40.000Z",
+                  "lastUpdated": "2019-02-06T16:17:40.000Z",
+                  "assignmentType": "USER",
+                  "_links": {
+                      "assignee": {
+                          "href": "https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR"
+                      }
+                  }
+              }
+          ]
+          `}}
   - path: /api/v1/devices
     methods: ["GET"]
     responses:

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.0"
+  changes:
+    - description: Add user roles collection feature.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13750
 - version: "2.4.0"
   changes:
     - description: Remove redundant installation instructions.

@@ -0,0 +1,47 @@
+input: entity-analytics
+service: entityanalytics_okta
+data_stream:
+  vars:
+    okta_domain: trial-xxxxxxx-admin.okta.com
+    okta_token: xxxx
+    dataset: all
+    enrich_user_roles: true
+    preserve_duplicate_custom_fields: true
+    preserve_original_event: true
+    enable_request_tracer: true
+    ssl: |
+      certificate_authorities:
+        - |
+          -----BEGIN CERTIFICATE-----
+          MIIFszCCA5ugAwIBAgIUdyvMXQ1pOUhZnhb77AODd1TsD/AwDQYJKoZIhvcNAQEL
+          BQAwaTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+          CgwTRGVmYXVsdCBDb21wYW55IEx0ZDElMCMGA1UEAwwcdHJpYWwteHh4eHh4eC1h
+          ZG1pbi5va3RhLmNvbTAeFw0yNDA3MTcxMjE0MThaFw0zNDA3MTUxMjE0MThaMGkx
+          CzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0Rl
+          ZmF1bHQgQ29tcGFueSBMdGQxJTAjBgNVBAMMHHRyaWFsLXh4eHh4eHgtYWRtaW4u
+          b2t0YS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiDiTT7COr
+          0m/pXxLKm6KmUlZJHhHep8Yo5wwoWuYnKCv07pwMQRY/Kk3ymk9cFGVu7sILZDP+
+          rq2TJAi7nhuDabdbRyccdaZY8N8MAEvPkyC6KfIWw0Ge9vruoTqp0IUHw/9ZP19O
+          sogSLfTova3jHWhEiH335dUVcvnhgId9isx5ieB2RY9DiqTmsujGi37MadAKqm4q
+          /UJpn3Gd8uvs7/w4tb9HoknN8sVwaZSyO1y/7lUZk86ynHfdH1i0EUvwF7i9di3T
+          JPvHFp1dEWxtkQBBYBIU+l1bjD8nZ6uDqE7FSzxsbI3hn1aCvxrM1BrXhxIDdz/v
+          /IIXsQKh+wNmDlDOBrtZAmjP/PpWHJOOcwNycMyvO7Y2dO0AkvqXTHqDmmGd7hGK
+          yOi1tITeA+P9w4rJSIfkwOMvaYjpcnJ+fYaWG5QBf5xwkjChyjj/qyIVelR2QZxr
+          jzz+DL+0BxAAiotAvWEJDDwNHb1o/SnXj/s9kW4FEk/1N0MPgdzCQUvc4M1LXGwc
+          SOrbJ4HuNf7xRrSK+Wf+XO8Hskc9u8hoYXZztgRfJb4FIdYjC+CNj/t9o24YrUfk
+          H0zt6BKAFbvZAIkY/9iKHjp7OtEIwDeK7Zi66js1Gh5jSk1yyJFZCvQ1VW4MAuEX
+          /gaZt0g0n3maQxbS3kdSsRIxO7xwlgdanwIDAQABo1MwUTAdBgNVHQ4EFgQUitOr
+          3aZ/qvZftQ7EWwfdXIQm8qYwHwYDVR0jBBgwFoAUitOr3aZ/qvZftQ7EWwfdXIQm
+          8qYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEACkX+A593k7o8
+          5het6FY8Tc5fXVyOVII9NByxwdvpuOoqkMTlM+5Z0hFlmHz59qFeKxcpzXPMDztl
+          tTeaQFzfwBulXzLfBDgADDFPN71emjKc6v9QKhY+6LNddoMqymy5ow76NEsey2IN
+          a8cVXFms1Zp/6VPPOeJGbmuD8aI0WTsJKmCDdhGt2oso+lMDM4pfwAO7WKYdoLpq
+          8RygiRRydiArOtwNNry2h+NTC/iHI00j5Ox+godZVf2/KZDLr273ma0/MOdjUTzV
+          V5qj1QzBQqSFiUcxaGCaeZ++BJrp6YP3QGz6NXnywmwtyDwpOeI6HQoJA3mBG6Da
+          AsEPqQEedSE2ZflQTrl6Kd+2xPKkz3zMpG+VumDrwPuVi5MdFfZ8KScaq9cIL+Lk
+          mHqNUeCHJyR9wbpvl9yuuTLYfL6zRqR7L/0gYHBnX1KEB9ESsaKFq5FtSNjZSUrs
+          V+X6vFzc5kHbucBix1bI2PgO7yx2XqfSPLf2GGch8k44VTLgn81yQfVCorWKXWcZ
+          fZnXgbQ+s8iVZaOXDU6PLljdhJK4JoxdLSCMnjufQZBRCNpHmQ8mx3uiv+LDg7sx
+          JE3WRcwNIONSRY/9seTyK6y9ed61m40Bx92kO2H0Ld+vKkYnFWAoZNYEM0WZ0zWz
+          9EkWoxHOkvz1Pnp41Llpc7OPdbOQrx4=
+          -----END CERTIFICATE-----
@@ -11,6 +11,13 @@ update_interval: {{update_interval}}
 okta_domain: {{okta_domain}}
 okta_token: {{okta_token}}
 dataset: {{dataset}}
+{{#if enrich_user_roles}}
+{{! We include groups in the list when enriching roles, since the default input is to enrich with groups. }}
+{{! There is currently no way to disable groups enrichment, so we respect that behaviour. }}
+enrich_with:
+  - groups
+  - roles
+{{/if}}
 {{#if proxy_url}}
 request.proxy_url: {{proxy_url}}
 {{/if}}

@@ -241,6 +241,11 @@ processors:
           field: user.group.name
           value: '{{{_ingest._value.profile.name}}}'
           allow_duplicates: false
+  - rename:
+      field: roles
+      target_field: entityanalytics_okta.roles
+      tag: rename_user_roles
+      ignore_missing: true
   - rename:
       field: okta.transitioningToStatus
       target_field: entityanalytics_okta.user.transitioning_to_status

@@ -33,6 +33,9 @@ streams:
           The dataset to collect from the API. Selecting all or devices requires that the devices
           API has been activated in Okta. Rate limit information for the user and devices endpoints
           is available [here](https://developer.okta.com/docs/reference/rl-global-mgmt/).
+          The user data set will be enriched with the users' group memberships via the API's /api/v1/users
+          endpoints, contributing to rate limit budget cost. One request will be made for each user to
+          obtain this enrichment data.
         options:
           - value: all
             text: all
@@ -41,6 +44,18 @@ streams:
           - value: devices
             text: devices
         default: users
+      - name: enrich_user_roles
+        type: bool
+        title: Enrich User Roles
+        multi: false
+        required: false
+        show_user: true
+        default: false
+        description: >-
+          Enrich user entities with their Okta role data. This allows monitoring of privileged
+          users' actions. Enabling this setting increases the number of requests to the
+          /api/v1/users endpoint, with one request per user, which counts toward your Okta rate
+          limits.
       - name: sync_interval
         type: text
         title: Sync Interval

@@ -1,14 +1,14 @@
 format_version: "3.0.2"
 name: entityanalytics_okta
 title: Okta Entity Analytics
-version: "2.4.0"
+version: "2.5.0"
 description: "Collect Identities from Okta with Elastic Agent."
 type: integration
 categories:
   - security
 conditions:
   kibana:
-    version: "^8.15.0 || ^9.0.0"
+    version: "^8.17.0 || ^9.0.0"
   elastic:
     subscription: "basic"
 screenshots: