okta: make okta.target use dynamic objects instead of flattened (elas…

…tic#11501)

ref: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SystemLog/#tag/SystemLog/operation/listLogEvents!c=200&path=target&t=response

packages/okta/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+  changes:
+    - description: Make `okta.target` use dynamic objects instead of flattened.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11501
 - version: "2.13.0"
   changes:
     - description: Include `grantedScopes`, `grantType`, `clientSecret` and `requestedScopes` fields from debug data.

packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml

@@ -448,6 +448,27 @@ processors:
                 arr[i].remove("detailEntry");
               }
             }
+
+            // Ensure that all entries in changeDetails.{from,to}.* are strings.
+            def cd = arr[i].get("changeDetails");
+            if (cd != null) {
+              if (cd.from instanceof Map) {
+                for (def f: cd.from.entrySet()) {
+                  def v = f.getValue();
+                  if (v != null && (v instanceof String)) {
+                    cd.from[f.getKey()] = v.toString()
+                  }
+                }
+              }
+              if (cd.to instanceof Map) {
+                for (def t: cd.to.entrySet()) {
+                  def v = t.getValue();
+                  if (v != null && (v instanceof String)) {
+                    cd.to[t.getKey()] = v.toString()
+                  }
+                }
+              }
+            }      
           }
 
           for (def i = 0; i < arr.length; i++) {

packages/okta/data_stream/system/fields/fields.yml

@@ -126,9 +126,33 @@
       description: |
         The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
 - name: okta.target
-  type: flattened
-  description: |
-    The list of targets.
+  description: The list of targets.
+  type: group
+  fields:
+    - name: alternate_id
+      type: keyword
+      description: The alternate ID of the target.
+    - name: changeDetails.from.*
+      type: object
+      object_type: keyword
+      object_type_mapping_type: "*"
+    - name: changeDetails.to.*
+      type: object
+      object_type: keyword
+      object_type_mapping_type: "*"
+    - name: detailEntry.*
+      type: object
+      object_type: keyword
+      object_type_mapping_type: "*"
+    - name: display_name
+      type: keyword
+      description: The display name of the target.
+    - name: id
+      type: keyword
+      description: The ID of the target.
+    - name: type
+      type: keyword
+      description: The type of target.
 - name: okta.transaction
   type: group
   fields:

packages/okta/docs/README.md

@@ -323,7 +323,13 @@ An example event for `system` looks as following:
 | okta.security_context.is_proxy | Whether it is a proxy or not. | boolean |
 | okta.security_context.isp | The Internet Service Provider. | keyword |
 | okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword |
-| okta.target | The list of targets. | flattened |
+| okta.target.alternate_id | The alternate ID of the target. | keyword |
+| okta.target.changeDetails.from.\* |  | object |
+| okta.target.changeDetails.to.\* |  | object |
+| okta.target.detailEntry.\* |  | object |
+| okta.target.display_name | The display name of the target. | keyword |
+| okta.target.id | The ID of the target. | keyword |
+| okta.target.type | The type of target. | keyword |
 | okta.transaction.detail.request_api_token_id | ID of the API token used in a request. | keyword |
 | okta.transaction.id | Identifier of the transaction. | keyword |
 | okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword |

packages/okta/manifest.yml

@@ -1,6 +1,6 @@
 name: okta
 title: Okta
-version: "2.13.0"
+version: "3.0.0"
 description: Collect and parse event logs from Okta API with Elastic Agent.
 type: integration
 format_version: "3.1.0"