[Filebeat][Okta] Ingest Pipeline for Okta Module drops debug_context fields #25689
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Thanks for taking the time to adjust the pipeline @BenB196. Could you submit a PR and we can work through your additions there?
@jamiehynds I can do this. @BenB196 can you provide some sample logs from Okta that contain these "new" fields. The sample data that is currently there doesn't have those fields to test.
@legoguy1000 sorry just getting around to this now. Thanks for opening this PR. Do you still need an example of the event?
No problem. I created 1 event by just using the fields you provided so if you have some real ones that would be good just to make sure I didn't mess up.
@legoguy1000 here is an example event, I obfuscated the data with the same info that was in the example you had where applicable to keep things consistent:

```json
{
  "actor": {
    "alternateId": "[email protected]",
    "detailEntry": null,
    "displayName": "xxxxxx",
    "id": "00u1abvz4pYqdM8ms4x6",
    "type": "User"
  },
  "authenticationContext": {
    "authenticationProvider": null,
    "authenticationStep": 0,
    "credentialProvider": null,
    "credentialType": null,
    "externalSessionId": "102bZDNFfWaQSyEZQuDgWt-uQ",
    "interface": null,
    "issuer": null
  },
  "client": {
    "device": "Computer",
    "geographicalContext": {
      "city": "Dublin",
      "country": "United States",
      "geolocation": {
        "lat": 37.7201,
        "lon": -121.919
      },
      "postalCode": "94568",
      "state": "California"
    },
    "id": null,
    "ipAddress": "108.255.197.247",
    "userAgent": {
      "browser": "FIREFOX",
      "os": "Mac OS X",
      "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
    },
    "zone": "null"
  },
  "debugContext": {
    "debugData": {
      "requestId": "<random_id_string>",
      "requestUri": "<uri_endpoint>",
      "suspiciousActivityBrowser": "browser",
      "suspiciousActivityEventCity": "New York City",
      "suspiciousActivityEventCountry": "United States",
      "suspiciousActivityEventId": "1234567",
      "suspiciousActivityEventIp": "10.50.14.5",
      "suspiciousActivityEventLatitude": "40.744960",
      "suspiciousActivityEventLongitude": "-73.988590",
      "suspiciousActivityEventState": "New York",
      "suspiciousActivityEventTransactionId": "12345678900",
      "suspiciousActivityEventType": "system.email.new_device_notification.sent_message",
      "suspiciousActivityOs": "Windows 10",
      "suspiciousActivityTimestamp": "2021-05-08T21:50:16.594Z",
      "url": "<url>"
    }
  },
  "device": null,
  "displayMessage": "User report suspicious activity",
  "eventType": "user.account.report_suspicious_activity_by_enduser",
  "legacyEventType": "core.user.account.report_suspicious_activity_by_enduser",
  "outcome": {
    "reason": null,
    "result": "SUCCESS"
  },
  "published": "2020-02-14T20:18:57.762Z",
  "request": {
    "ipChain": [
      {
        "geographicalContext": {
          "city": "Dublin",
          "country": "United States",
          "geolocation": {
            "lat": 37.7201,
            "lon": -121.919
          },
          "postalCode": "94568",
          "state": "California"
        },
        "ip": "108.255.197.247",
        "source": null,
        "version": "V4"
      }
    ]
  },
  "securityContext": {
    "asNumber": 7018,
    "asOrg": "AT&T Services, Inc.",
    "domain": "att.com",
    "isProxy": false,
    "isp": "AT&T Corp."
  },
  "severity": "WARN",
  "target": [
    {
      "alternateId": "[email protected]",
      "detailEntry": null,
      "displayName": "xxxxxx",
      "id": "00u1abvz4pYqdM8ms4x6",
      "type": "User"
    }
  ],
  "transaction": {
    "detail": {},
    "id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
    "type": "WEB"
  },
  "uuid": "36a3b6b3-fcc0-47a0-96bd-95330cfdb658",
  "version": "0"
}
```
I updated the sample data and all good. I also added a
* #25689: Parse additional debug data fields for Okta module * update generated data * update changelog * added additional test data & `uri_parts` processor * update fields * fix changelog * update fields Co-authored-by: Marius Iversen <[email protected]>
* #25689: Parse additional debug data fields for Okta module * update generated data * update changelog * added additional test data & `uri_parts` processor * update fields * fix changelog * update fields Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 4aff295)
…#26487) * #25689: Parse additional debug data fields for Okta module * update generated data * update changelog * added additional test data & `uri_parts` processor * update fields * fix changelog * update fields Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 4aff295) Co-authored-by: Alex Resnick <[email protected]>
The following needs to be added to the Filebeat mapping:
The following processors need to be added to the ingest pipeline prior to json being dropped:
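The failure mode the issue describes, as an added example that is not the Filebeat module's own pipeline: the module decodes the raw event into a `json` field, runs its processors, then removes `json`, so any `debugContext.debugData` key that was never renamed out of `json` is silently lost at that last step. This Python model of the rename, `uri_parts` and remove steps lifts every `debugData` key before the drop; the `okta.debug_context.debug_data.*` target names and the `request_uri_parts` field are assumptions, and the sample event is constructed.

```python
import re
from urllib.parse import urlsplit


def to_snake(name: str) -> str:
    """requestUri -> request_uri, suspiciousActivityEventIp -> suspicious_activity_event_ip."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def get_path(doc, path: str):
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def set_path(doc: dict, path: str, value) -> None:
    keys = path.split(".")
    for key in keys[:-1]:
        doc = doc.setdefault(key, {})
    doc[keys[-1]] = value


def run_pipeline(raw_event: dict) -> dict:
    """Model of: rename each debugData key -> uri_parts on request_uri -> remove json.
    Only debugData is handled here; the real module renames many other fields first."""
    doc = {"json": raw_event}
    debug_data = get_path(doc, "json.debugContext.debugData") or {}
    # One rename processor per key (ignore_missing): move the value out of `json`.
    for key in list(debug_data):
        target = f"okta.debug_context.debug_data.{to_snake(key)}"  # assumed target field
        set_path(doc, target, debug_data.pop(key))
    # uri_parts processor (ignore_failure): split the request URI into path and query.
    uri = get_path(doc, "okta.debug_context.debug_data.request_uri")
    if isinstance(uri, str):
        parts = urlsplit(uri)
        set_path(doc, "okta.debug_context.debug_data.request_uri_parts",
                 {"path": parts.path, "query": parts.query})
    del doc["json"]  # the module's final step: whatever still sits under json is gone
    return doc


# Constructed sample carrying the kinds of keys shown in the issue's event.
SAMPLE = {"debugContext": {"debugData": {
    "requestId": "reqid-CONSTRUCTED",
    "requestUri": "/api/v1/users/me/suspicious-activity?example=1",
    "suspiciousActivityEventIp": "10.50.14.5",
    "suspiciousActivityEventType": "system.email.new_device_notification.sent_message",
}}}
```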