[Okta] Add event categories and types #15860
Conversation
moxarth-rathod
added
Integration:okta
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
andrewkroh
added
the
documentation
|
@moxarth-rathod, looks good, majority of the pipeline was autogenerated so looks fine, please fix the PR no. and i'll approve. |
🚀 Benchmarks reportTo see the full report comment with |
|
@terrancedejesus @ShourieG @efd6 fyi, I had to adjust some of the suggested mappings because certain event categories contained invalid event types. For example, the |
|
Can you confirm that you have used the generator shown in #15235 (comment) with the definitions in #15235 (comment)? |
Yes, but I made a few changes during testing, including adding null handling. Also, some event types were invalid for their respective categories, so I've updated those definitions accordingly. |
| @@ -0,0 +1,6527 @@ | |||
| --- | |||
| description: |- | |||
| Code generated by dispear; DO NOT EDIT. | |||
There was a problem hiding this comment.
Can you please share the exact code used to produce this in a gist for me to replicate and validate .
There was a problem hiding this comment.
My preferred approach would be to have something like (until we can commit this kind of data) (exact text depends on how the definition data is ingested by the generator and will require some additions to handle dep modules):
informative commit message title
[git-generate]
MAPPINGS=<link to git or other stable location for the JSON definitions>
curl -o okta_event_categories_with_ecs.json $MAPPINGS
cat >main.go <<END
package main
…
END
go run main.go > packages/okta/…
rm -i main.go okta_event_categories_with_ecs.json
There was a problem hiding this comment.
@andrewkroh i've prepared a gist for the script to generate a pipeline. I'll also update the commit message with gist and proper steps to run it.
There was a problem hiding this comment.
Thanks. And how is the Okta JSON file created? It looks like it is a conversion of the CSV given at the link below to JSON, and then some categories were assigned?
It would be good to be able to easily identify when our pipeline is no longer in sync with the Okta event types (i.e. there are new event types that need to be added and manually categorized). So it might be better if the inputs to the Go script were the raw CSV from okta.com plus a table of event types to ECS categories. And the script fails when there are uncategorized event types.
For an example, we already need to update that Okta JSON content because there are new events types in the 2025.10 okta release.
https://developer.okta.com/docs/reference/api/event-types/
https://developer.okta.com/docs/okta-event-types.csv
There was a problem hiding this comment.
Thanks @andrewkroh for the suggestion! I've made the changes in pipeline. I've also updated the script in gist for your reference (please refer PR description for steps to run script).
There was a problem hiding this comment.
The CSV is not currently used. That will need to be fixed.
I've revised the commit message to confirm that it works; this required some work.
okta: add missing event categories
[git-generate]
MAPPINGS=https://gist.githubusercontent.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4/raw/d709c826a19b5f857ad29e0bc414815bfc90e709/okta_event_categories_with_ecs.json
SCRIPT=https://gist.githubusercontent.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4/raw/d709c826a19b5f857ad29e0bc414815bfc90e709/main.go
cd packages/okta
mkdir gen
(
cd gen
curl -O $MAPPINGS
curl -O $SCRIPT
curl -O https://developer.okta.com/docs/okta-event-types.csv
go mod init gen
go get github.com/efd6/dispear@v0.0.0-20251110014810-dfeb192cf303
go mod tidy
go run . > ../data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml
)
rm -rf gen
When using git-generate it's best to keep a linear history (no merging of main back into the change) and if you can, keeping all the changes in control of the script. This is harder when squashes are used, but it can be done if you add
elastic-package test pipeline -g
elastic-package test system -g
elastic-package build
elastic-package changelog add --description "Sets the ECS event categorization fields for system data stream." --type enhancement --next minor --link 15860
to the end of the script (along with a sed edit to inject the pipeline processor which is left as an exercise for the reader).
This all should be in the commit message of the commit that made the changes, not for a collection of commits that get squashed.
I'm a little uncomfortable with reaching out to a gist for the code, but I could not get local Go code from the commit message.
There was a problem hiding this comment.
@efd6 I've made the changes as you suggested.
Thank you for doing so and sharing why. I reviewed the docs briefly this morning. I am surprised
Especially when we consider IAM covering behavior such as token issuance. Are these boundaries set within the elasticsearch codebase or at an integration level? Understandably it is out-of-scope for this PR but I can carry the conversation forward to the appropriate team. |
[git-generate] MAPPINGS=https://gist.githubusercontent.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4/raw/40e2739b84912ea46b48d67b2639267ff8817d28/okta_event_categories_with_ecs.json SCRIPT=https://gist.githubusercontent.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4/raw/40e2739b84912ea46b48d67b2639267ff8817d28/main.go cd packages/okta mkdir gen ( cd gen curl -O $MAPPINGS curl -O $SCRIPT curl -O https://developer.okta.com/docs/okta-event-types.csv go mod init gen go get github.com/efd6/dispear@v0.0.0-20251110014810-dfeb192cf303 go mod tidy go run . > ../data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml ) sed -i '/if: '"'"'\["policy.evaluate_sign_on"].contains(ctx.okta?.event_type)/ { n a\ - pipeline:\ tag: pipeline_ecs_category_type\ name: '\''{{ IngestPipeline "ecs_category_type" }}'\'' }' data_stream/system/elasticsearch/ingest_pipeline/default.yml rm -rf gen elastic-package test pipeline -g elastic-package changelog add --description "Sets the ECS event categorization fields for system data stream." --type enhancement --next minor --link elastic#15860
moxarth-rathod
force-pushed
the
okta-add-event-category-and-type
branch
from
7af08ac to
793acf2
Compare
|
It looks like there are duplicate tags in the definitions. For example, We can make the generator remove these, or we can ask that the input be sanitised. I'm thinking a more robust generator is a safer options. diff --git a/main.go b/main.go
index 2cc3b44..c3a1e7b 100644
--- a/main.go
+++ b/main.go
@@ -7,6 +7,7 @@ import (
"log"
"os"
"path/filepath"
+ "sort"
"strings"
// For okta_event_categories_with_ecs.json.
@@ -79,13 +80,13 @@ func main() {
for _, m := range mapping {
d := make(map[string]any)
if len(m.Type) != 0 {
- d["type"] = m.Type
+ d["type"] = unique(m.Type)
}
if len(m.Category) != 0 {
d["category"] = []string{m.Category}
}
if len(m.Tags) != 0 {
- d["tags"] = m.Tags
+ d["tags"] = unique(m.Tags)
}
if len(d) == 0 {
continue
@@ -127,3 +128,21 @@ Okta event type mapping to ECS event type and category.`, filepath.Base(os.Args[
}
const errorFormat = "Processor '{{{ _ingest.on_failure_processor_type }}}' {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'"
+
+func unique(ss []string) []string {
+ if len(ss) < 2 {
+ return ss
+ }
+ sort.Strings(ss)
+ curr := 0
+ for i, s := range ss {
+ if s == ss[curr] {
+ continue
+ }
+ curr++
+ if curr < i {
+ ss[curr], ss[i] = ss[i], ""
+ }
+ }
+ return ss[:curr+1]
+} |
|
There is also this "event-hook-eligibleinline-hook" looks suspicious. @terrancedejesus Can you go over the JSON definitions and check that they are not corrupted? |
Yes my initial parsing of the tags was incorrect. I've fixed this and attached the updated file. The original CSV file for these from Okta is here --> https://developer.okta.com/docs/reference/api/event-types/ |
|
@moxarth-rathod Please update the generator and input JSON. |
[git-generate] MAPPINGS=https://gist.githubusercontent.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4/raw/91c0935490b409fb50f2e3065617cc01cf8f25cc/okta_event_categories_with_ecs.json SCRIPT=https://gist.githubusercontent.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4/raw/a70f0cfce18d05d12c0d9d579c87e456f81fa00d/main.go cd packages/okta mkdir gen ( cd gen curl -O $MAPPINGS curl -O $SCRIPT curl -O https://developer.okta.com/docs/okta-event-types.csv go mod init gen go get github.com/efd6/dispear@v0.0.0-20251110014810-dfeb192cf303 go mod tidy go run . > ../data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml ) sed -i '/if: '"'"'\["policy.evaluate_sign_on"].contains(ctx.okta?.event_type)/ { n a\ - pipeline:\ tag: pipeline_ecs_category_type\ name: '\''{{ IngestPipeline "ecs_category_type" }}'\'' }' data_stream/system/elasticsearch/ingest_pipeline/default.yml rm -rf gen elastic-package test pipeline -g elastic-package changelog add --description "Sets the ECS event categorization fields for system data stream." --type enhancement --next minor --link elastic#15860
moxarth-rathod
force-pushed
the
okta-add-event-category-and-type
branch
from
793acf2 to
fa53789
Compare
💚 Build Succeeded
History
|
@efd6 done, i've made the changes. |
efd6
left a comment
efd6
left a comment
There was a problem hiding this comment.
This LGTM, but I'll wait for @terrancedejesus to go over the behaviour before approving.
Is there a way to test the changes? Is there a data example we can generate to review? |
|
@terrancedejesus I would suggest just taking a look at the behaviour that is shown in the pipeline tests. |
@efd6 Apologies for the late response as I've been OOO. I reviewed the buildkite jobs / tasks. LGTM! |
|
Package okta - 3.12.0 containing this change is available at https://epr.elastic.co/package/okta/3.12.0/ |
6 participants
Proposed commit message
Checklist
changelog.ymlfile.How to test this PR locally
Related issues