
Okta processing pipeline #49

Merged
merged 3 commits into from
Apr 21, 2023

Conversation

kelnage
Collaborator

@kelnage kelnage commented Apr 20, 2023

When Okta System Log data is ingested into Loki, it is generally ingested as raw JSON data, and appears within a top-level "event" object. In addition, the Sigma rules that target this log data use field names that are entirely lower-case, whilst Loki preserves the camelCase of them.

To resolve these discrepancies, this PR adds a new pipeline to the backend which sets the parser for the generated query appropriately, maps the affected field names into camelCase, and appends event_ to all field names.

Adds a new pipeline to handle the following details about the Okta
System Log events when imported into Loki:
- Use the `json` parser
- Convert lower-cased field names into camelCase
- Append `event_` to all field names

Includes a short test to validate expected behaviour.
Added an additional check for displayMessage, which is used in some
rules.
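The three steps described above (json parser, lower-case to camelCase, `event_` prefix) can be modelled end to end to see why a rule silently stops matching without them. The following is an added example written for this page, not code from the pySigma Loki backend or from this PR; the camelCase mapping table is a constructed subset (the PR's real table is not shown here), the sample log line is constructed, and the flattening mimics Loki's `json` parser joining nested object keys with `_` (only nested objects are modelled).

```python
"""Model of the Okta field-name translation the PR describes.

Added example, not the pySigma Loki backend's own pipeline code. The
mapping table is a constructed subset chosen for illustration.
"""
from typing import Any, Dict

# Constructed subset: lower-cased Sigma field name -> Okta System Log
# camelCase name as it appears in the raw JSON (assumed for illustration).
CAMEL_CASE_MAP: Dict[str, str] = {
    "eventtype": "eventType",
    "displaymessage": "displayMessage",
    "outcome.result": "outcome.result",
    "outcome.reason": "outcome.reason",
    "actor.alternateid": "actor.alternateId",
    "client.ipaddress": "client.ipAddress",
    "authenticationcontext.authenticationstep": "authenticationContext.authenticationStep",
}

# The top-level object that wraps every Okta event once it lands in Loki.
PREFIX = "event_"


def loki_label_for(sigma_field: str) -> str:
    """Translate a lower-cased Sigma field into the label Loki's `json`
    parser produces for the same value: restore camelCase, join nested
    path components with '_' and prepend the wrapping 'event_' object.
    Names missing from the table pass through unchanged, i.e. still
    lower-case, which is the silent-miss case worth watching for."""
    camel = CAMEL_CASE_MAP.get(sigma_field.lower(), sigma_field)
    return PREFIX + camel.replace(".", "_")


def flatten_json(obj: Any, parent: str = "") -> Dict[str, Any]:
    """Flatten nested JSON objects into '_'-joined label names, the way
    Loki's `json` parser exposes them to a LogQL label filter."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{parent}_{key}" if parent else key
            out.update(flatten_json(value, name))
    else:
        out[parent] = obj
    return out


# Constructed sample of one ingested Okta System Log record, not real data.
SAMPLE_LOKI_LINE: Dict[str, Any] = {
    "event": {
        "eventType": "user.session.start",
        "displayMessage": "User login to Okta",
        "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.10"},
        "authenticationContext": {"authenticationStep": 0},
    }
}


def detection_matches(detection: Dict[str, Any], loki_line: Dict[str, Any],
                      translate: bool = True) -> bool:
    """Evaluate a flat Sigma-style detection (field -> expected value)
    against a parsed Loki line. With translate=False the lower-case Sigma
    names are used verbatim, reproducing the pre-pipeline behaviour."""
    labels = flatten_json(loki_line)
    for field, expected in detection.items():
        label = loki_label_for(field) if translate else field
        if labels.get(label) != expected:
            return False
    return True


if __name__ == "__main__":
    failed_login = {"eventtype": "user.session.start", "outcome.result": "FAILURE"}
    for field in failed_login:
        print(f"{field:20s} -> {loki_label_for(field)}")
    print("with pipeline:   ", detection_matches(failed_login, SAMPLE_LOKI_LINE))
    print("without pipeline:", detection_matches(failed_login, SAMPLE_LOKI_LINE, translate=False))
```

The `translate=False` path is the failure mode the pipeline closes: the rule is syntactically valid, the query runs, and it simply never fires because `eventtype` is not a label Loki ever creates. The pass-through fallback in `loki_label_for` also shows why keeping the mapping table complete matters: any Okta field left out of it keeps its lower-case spelling and misses in exactly the same quiet way.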
@kelnage kelnage self-assigned this Apr 20, 2023
@kelnage kelnage requested a review from a team as a code owner April 20, 2023 16:07
@github-actions

github-actions bot commented Apr 20, 2023

Pull Request Test Coverage Report for Build 4762698865

  • 2 of 2 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.001%) to 99.773%

Totals Coverage Status
Change from base Build 4731464036: 0.001%
Covered Lines: 439
Relevant Lines: 440

💛 - Coveralls

@romain-gaillard
Contributor

LGTM!

I just wonder if authenticationContext_authenticationStep should be added anyway just to be "future proof", but it's a detail.

@kelnage kelnage merged commit 155bc4c into main Apr 21, 2023
8 checks passed
@kelnage kelnage deleted the okta-processing-pipeline branch April 21, 2023 08:01