From e2e9af17b93c66436797e92a3cc141b035fa1b79 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Thu, 31 Oct 2024 18:52:33 +1030
Subject: [PATCH] okta: make okta.target use dynamic objects instead of flattened (#11501)

ref: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SystemLog/#tag/SystemLog/operation/listLogEvents!c=200&path=target&t=response
---
 packages/okta/changelog.yml | 5 ++++
 .../elasticsearch/ingest_pipeline/default.yml | 21 +++++++++++++
 .../okta/data_stream/system/fields/fields.yml | 30 +++++++++++++++++--
 packages/okta/docs/README.md | 8 ++++-
 packages/okta/manifest.yml | 2 +-
 5 files changed, 61 insertions(+), 5 deletions(-)

diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index 22cd2cd44a7..daf0920c71b 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+ changes:
+ - description: Make `okta.target` use dynamic objects instead of flattened.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11501
 - version: "2.13.0"
 changes:
 - description: Include `grantedScopes`, `grantType`, `clientSecret` and `requestedScopes` fields from debug data.
diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml
index 67409187773..8df30d1fcc4 100644
--- a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml
@@ -448,6 +448,27 @@ processors:
 arr[i].remove("detailEntry");
 }
 }
+
+ // Ensure that all entries in changeDetails.{from,to}.* are strings.
+ def cd = arr[i].get("changeDetails");
+ if (cd != null) {
+ if (cd.from instanceof Map) {
+ for (def f: cd.from.entrySet()) {
+ def v = f.getValue();
+ if (v != null && (v instanceof String)) {
+ cd.from[f.getKey()] = v.toString()
+ }
+ }
+ }
+ if (cd.to instanceof Map) {
+ for (def t: cd.to.entrySet()) {
+ def v = t.getValue();
+ if (v != null && (v instanceof String)) {
+ cd.to[t.getKey()] = v.toString()
+ }
+ }
+ }
+ }
 }

 for (def i = 0; i < arr.length; i++) {
diff --git a/packages/okta/data_stream/system/fields/fields.yml b/packages/okta/data_stream/system/fields/fields.yml
index 6757acb56e3..92527374d13 100644
--- a/packages/okta/data_stream/system/fields/fields.yml
+++ b/packages/okta/data_stream/system/fields/fields.yml
@@ -126,9 +126,33 @@
 description: |
 The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
 - name: okta.target
- type: flattened
- description: |
- The list of targets.
+ description: The list of targets.
+ type: group
+ fields:
+ - name: alternate_id
+ type: keyword
+ description: The alternate ID of the target.
+ - name: changeDetails.from.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: changeDetails.to.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: detailEntry.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: display_name
+ type: keyword
+ description: The display name of the target.
+ - name: id
+ type: keyword
+ description: The ID of the target.
+ - name: type
+ type: keyword
+ description: The type of target.
 - name: okta.transaction
 type: group
 fields:
diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md
index 35f61eed7a2..39ebb6a184d 100644
--- a/packages/okta/docs/README.md
+++ b/packages/okta/docs/README.md
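Review bot: The string coercion in the new `changeDetails` block is a no-op: the guard `if (v != null && (v instanceof String))` only calls `toString()` on values that are already strings, so the non-string values the comment says it is ensuring (numbers, booleans, nested maps or lists) are left as they are. Because the new `changeDetails.from.*` and `changeDetails.to.*` mappings are dynamic `keyword` with `object_type_mapping_type: "*"`, a nested object or list value is likely to reach the keyword mapper unconverted and get the whole document rejected at index time, which is presumably what this block exists to prevent. The condition should be inverted in both the `from` and `to` loops, `if (v != null && !(v instanceof String)) {`, and `f.setValue(v.toString())` (resp. `t.setValue(...)`) would set the value through the entry rather than writing back into the map while its entry set is being iterated. The enclosing script and its `for` loop over `arr` start before this hunk.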
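Review bot: The three new wildcard entries `changeDetails.from.*`, `changeDetails.to.*` and `detailEntry.*` carry no `description`, which is why the generated README table in this same commit shows an empty description cell for them. Adding for example `description: Attribute values before the change, keyed by attribute name.` under `changeDetails.from.*`, the corresponding "after the change" wording under `changeDetails.to.*`, and a short line for `detailEntry.*` would tell users what these dynamic keyword fields hold. Since this changes the mapping type of an existing field from `flattened` to `object`, existing backing indices keep the old mapping until they are rolled over; the 3.0.0 changelog entry's `type: enhancement` arguably understates that, and a sentence noting the rollover would help operators upgrading.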
@@ -323,7 +323,13 @@ An example event for `system` looks as following:
 | okta.security_context.is_proxy | Whether it is a proxy or not. | boolean |
 | okta.security_context.isp | The Internet Service Provider. | keyword |
 | okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword |
-| okta.target | The list of targets. | flattened |
+| okta.target.alternate_id | The alternate ID of the target. | keyword |
+| okta.target.changeDetails.from.\* | | object |
+| okta.target.changeDetails.to.\* | | object |
+| okta.target.detailEntry.\* | | object |
+| okta.target.display_name | The display name of the target. | keyword |
+| okta.target.id | The ID of the target. | keyword |
+| okta.target.type | The type of target. | keyword |
 | okta.transaction.detail.request_api_token_id | ID of the API token used in a request. | keyword |
 | okta.transaction.id | Identifier of the transaction. | keyword |
 | okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword |
diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml
index b7758835ced..3ccd6e64335 100644
--- a/packages/okta/manifest.yml
+++ b/packages/okta/manifest.yml
@@ -1,6 +1,6 @@
 name: okta
 title: Okta
-version: "2.13.0"
+version: "3.0.0"
 description: Collect and parse event logs from Okta API with Elastic Agent.
 type: integration
 format_version: "3.1.0"