diff --git a/packages/entityanalytics_okta/_dev/deploy/docker/files/config.yml b/packages/entityanalytics_okta/_dev/deploy/docker/files/config.yml
index d7655f4b32d..b25ffa2f0ad 100644
--- a/packages/entityanalytics_okta/_dev/deploy/docker/files/config.yml
+++ b/packages/entityanalytics_okta/_dev/deploy/docker/files/config.yml
@@ -102,6 +102,96 @@ rules: "href": "https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR" } } + }, + { + "id": "cr0Yq6IJxGIr0ouum0g3", + "role": "cr0Yq6IJxGIr0ouum0g3", + "label": "Custom role", + "type": "CUSTOM", + "status": "ACTIVE", + "created": "2024-01-15T10:00:00.000Z", + "lastUpdated": "2024-01-15T10:00:00.000Z", + "assignmentType": "USER", + "_links": { + "assignee": { + "href": "https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR" + } + } + } + ] + `}} + - path: /api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + methods: ["GET"] + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "permissions": [ + { + "label": "okta.users.read", + "created": "2024-01-15T10:00:00.000Z", + "lastUpdated": "2024-01-15T10:00:00.000Z" + }, + { + "label": "okta.apps.read", + "created": "2024-01-15T10:00:00.000Z", + "lastUpdated": "2024-01-15T10:00:00.000Z" + } + ] + } + `}} + - path: /api/v1/users/00ub0oNGTSWTBKOLGLNR/factors + methods: ["GET"] + responses: + - status_code: 200 + body: | + {{ minify_json ` + [ + { + "id": "ufs2bysphxKODSZKWVCT", + "factorType": "question", + "provider": "OKTA", + "vendorName": "OKTA", + "status": "ACTIVE", + "created": "2014-04-15T18:10:06.000Z", + "lastUpdated": "2014-04-15T18:10:06.000Z", + "profile": { + "question": "favorite_art_piece", + "questionText": "What is your favorite piece of art?" 
+ } + }, + { + "id": "sms2gt8gzgEBPUWBIFHN", + "factorType": "sms", + "provider": "OKTA", + "status": "ACTIVE", + "created": "2014-06-27T20:27:26.000Z", + "lastUpdated": "2014-06-27T20:27:26.000Z", + "profile": { + "phoneNumber": "+1-555-415-1337" + } + } + ] + `}} + - path: /api/v1/users/00ub0oNGTSWTBKOLGLNR/devices + methods: ["GET"] + responses: + - status_code: 200 + body: | + {{ minify_json ` + [ + { + "id": "guo4a5uyerdpvAiJT0h7", + "status": "ACTIVE", + "created": "2024-01-01T00:00:00.000Z", + "lastUpdated": "2024-01-01T00:00:00.000Z", + "profile": { + "displayName": "Dave's MacBook Pro", + "platform": "MACOS", + "osVersion": "14.2.1", + "serialNumber": "C02ZW1XKMD6T" + } } ] `}} diff --git a/packages/entityanalytics_okta/changelog.yml b/packages/entityanalytics_okta/changelog.yml index c06b90215a7..42e4e29c651 100644 --- a/packages/entityanalytics_okta/changelog.yml +++ b/packages/entityanalytics_okta/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.1.0" + changes: + - description: Add support for ECS entity fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/18525 - version: "3.0.0" changes: - description: | diff --git a/packages/entityanalytics_okta/data_stream/device/fields/ecs.yml b/packages/entityanalytics_okta/data_stream/device/fields/ecs.yml index 61b1130c100..04bd64be933 100644 --- a/packages/entityanalytics_okta/data_stream/device/fields/ecs.yml +++ b/packages/entityanalytics_okta/data_stream/device/fields/ecs.yml @@ -102,6 +102,17 @@ type: keyword - name: type type: keyword +- name: host + type: group + fields: + - name: entity + type: group + fields: + - name: attributes + type: group + fields: + - name: managed + type: boolean - name: device.serial_number type: keyword description: The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication. 
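Review bot: The custom-role mock answers with the same value `cr0Yq6IJxGIr0ouum0g3` for both `id` and `role`, so the pipeline tests fed by this fixture cannot tell whether `user.roles` and the permissions lookup path were built from the assignment id or from the role id; if those are distinct identifiers in real responses, as the two separate fields suggest, give `role` a clearly constructed distinct value so a wrong field pick fails the test. The `sms` factor entry also omits `vendorName` while the `question` entry in the same list carries it, which is harmless for the mock but makes the two records look like different schemas. The hunk is visible in full.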
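Review bot: The new `host.entity.attributes.managed` field has no `description`, unlike the neighbouring `device.serial_number`, so the exported field reference will show the name alone; the expected pipeline output in this change populates it from the device profile's `managed` flag, so `description: Whether Okta reports the device as managed, from the device profile.` would be accurate. As a matter of style, the eleven-line nested `type: group` chain could be the two-line dotted form this file already uses for `device.serial_number` (`- name: host.entity.attributes.managed` / `type: boolean`), which keeps the file flat and the diff small. The hunk is visible in full.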
diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json index 60a33b22f8e..47e13a5f8ee 100644 --- a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json +++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json @@ -109,6 +109,35 @@ "ecs": { "version": "8.0.0" } + }, + { + "@timestamp": "2022-05-14T13:37:20.000Z", + "okta": { + "id": "guo4a5uyerdpvAiJT0h7", + "status": "ACTIVE", + "profile": { + "displayName": "DESKTOP-XXXX", + "platform": "WINDOWS", + "manufacturer": "LENOVO", + "model": "20BH002DUS", + "osVersion": "10.0.19043", + "serialNumber": "1XXXX0X0X", + "registered": true, + "secureHardwarePresent": false, + "diskEncryptionType": "ALL_INTERNAL_VOLUMES", + "managed": true + } + }, + "okta_domain": "trial-xxxxxxx-admin.okta.com", + "device": { + "id": "guo4a5uyerdpvAiJT0h7" + }, + "input": { + "type": "entity-analytics" + }, + "ecs": { + "version": "8.0.0" + } } ] } \ No newline at end of file diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json-expected.json b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json-expected.json index b005137784b..2270e19aec9 100644 --- a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json-expected.json +++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-device.json-expected.json 
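Review bot: The only new device fixture sets `"managed": true`, so the mapping to `host.entity.attributes.managed` is never exercised for a `false` value or for a profile that lacks the key; a second record with `"managed": false`, and one without the key, would pin that `false` is emitted as `false` and that an absent flag stays absent rather than defaulting. Since this is the fixture that drives the new expected document, that is the cheapest place to cover both branches. The hunk is visible in full.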
@@ -97,6 +97,71 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "2022-05-14T13:37:20.000Z", + "asset": { + "category": "entity", + "id": "guo4a5uyerdpvAiJT0h7", + "name": "DESKTOP-XXXX", + "status": "ACTIVE", + "type": "okta_device" + }, + "data_stream": { + "dataset": "entityanalytics_okta.device", + "namespace": "default", + "type": "logs" + }, + "device": { + "id": "guo4a5uyerdpvAiJT0h7", + "serial_number": "1XXXX0X0X" + }, + "ecs": { + "version": "8.11.0" + }, + "entityanalytics_okta": { + "device": { + "id": "guo4a5uyerdpvAiJT0h7", + "profile": { + "disk_encryption_type": "ALL_INTERNAL_VOLUMES", + "display_name": "DESKTOP-XXXX", + "registered": true, + "secure_hardware_present": false + }, + "status": "ACTIVE" + } + }, + "event": { + "category": [ + "host" + ], + "kind": "asset", + "original": "{\"input\":{\"type\":\"entity-analytics\"},\"@timestamp\":\"2022-05-14T13:37:20.000Z\",\"ecs\":{\"version\":\"8.11.0\"},\"okta_domain\":\"trial-xxxxxxx-admin.okta.com\",\"event\":{\"kind\":\"asset\"},\"device\":{\"id\":\"guo4a5uyerdpvAiJT0h7\"},\"okta\":{\"profile\":{\"serialNumber\":\"1XXXX0X0X\",\"osVersion\":\"10.0.19043\",\"displayName\":\"DESKTOP-XXXX\",\"managed\":true,\"registered\":true,\"diskEncryptionType\":\"ALL_INTERNAL_VOLUMES\",\"model\":\"20BH002DUS\",\"secureHardwarePresent\":false,\"platform\":\"WINDOWS\",\"manufacturer\":\"LENOVO\"},\"id\":\"guo4a5uyerdpvAiJT0h7\",\"status\":\"ACTIVE\"},\"tags\":[\"preserve_original_event\",\"preserve_duplicate_custom_fields\"],\"_index\":\"logs-entityanalytics_okta.entity-default\",\"_id\":\"_id\",\"_version\":-3}", + "type": [ + "info" + ] + }, + "host": { + "entity": { + "attributes": { + "managed": true + } + }, + "name": "trial-xxxxxxx-admin.okta.com", + "os": { + "version": "10.0.19043" + } + }, + "input": { + "type": "entity-analytics" + }, + "os": { + "platform": "windows" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } 
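Review bot: In the new expected document `host.name` is the Okta tenant domain `trial-xxxxxxx-admin.okta.com` while `host.entity.attributes.managed` and `host.os.version` describe the device asset, so `host.*` now mixes the collector's tenant with the enrolled device; the user documents in this same change refer to the device as `"hostname": "Dave's MacBook Pro"` under `owns`, which suggests the device identity, not the tenant, is what `host.name` should carry alongside those attributes. Separately, `os.platform` is emitted at top level while the version sits under `host.os`, splitting one OS description across two places; this may be pre-existing pipeline behaviour rather than something this hunk introduces. The hunk is visible in full.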
diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json index 46b0fa3d116..1c8825ba4cc 100644 --- a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json +++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json @@ -24,7 +24,7 @@ "userType": "Employee", "organization": "Okta", "title": "Director", - "division": "R\u0026D", + "division": "R&D", "department": "Engineering", "costCenter": "10", "employeeNumber": "187", @@ -92,7 +92,7 @@ "userType": "Employee", "organization": "Okta", "title": "Director", - "division": "R\u0026D", + "division": "R&D", "department": "Engineering", "costCenter": "10", "employeeNumber": "187", 
@@ -177,6 +177,206 @@ "ecs": { "version": "8.0.0" } + }, + { + "@timestamp": "2023-06-13T07:12:17.341Z", + "okta": { + "id": "00ub0oNGTSWTBKOLGLNA", + "status": "ACTIVE", + "created": "2021-01-01T00:00:00.000Z", + "activated": "2021-01-01T00:00:01.000Z", + "statusChanged": "2021-01-01T00:00:01.000Z", + "lastLogin": "2023-06-01T10:00:00.000Z", + "lastUpdated": "2023-06-01T10:00:00.000Z", + "profile": { + "login": "bob.jones@example.com", + "firstName": "Bob", + "lastName": "Jones", + "email": "bob.jones@example.com" + }, + "credentials": { + "provider": { + "type": "OKTA", + "name": "OKTA" + }, + "recovery_question": {} + } + }, + "factors": [ + { + "id": "ufs2bysphxKODSZKWVCT", + "factorType": "token:software:totp", + "provider": "OKTA", + "vendorName": "OKTA", + "status": "ACTIVE", + "created": "2021-01-05T10:00:00.000Z", + "lastUpdated": "2021-01-05T10:00:00.000Z" + } + ], + "okta_domain": "trial-xxxxxxx-admin.okta.com", + "user": { + "id": "00ub0oNGTSWTBKOLGLNA" + }, + "input": { + "type": "entity-analytics" + }, + "ecs": { + "version": "8.0.0" + } + }, + { + "@timestamp": "2023-06-13T07:12:17.341Z", + "okta": { + "id": "00ub0oNGTSWTBKOLGLNZ", + "status": "ACTIVE", + "created": "2020-01-10T12:00:00.000Z", + "activated": "2020-01-10T12:00:01.000Z", + "statusChanged": "2020-01-10T12:00:01.000Z", + "lastLogin": "2023-06-10T09:00:00.000Z", + "lastUpdated": "2023-06-10T09:00:00.000Z", + "profile": { + "login": "alice.smith@example.com", + "firstName": "Alice", + "lastName": "Smith", + "email": "alice.smith@example.com", + "managerId": "00ub0oNGTSWTBKOLGLNR", + "manager": "Isaac Brock" + }, + "credentials": { + "provider": { + "type": "OKTA", + "name": "OKTA" + }, + "recovery_question": {} + } + }, + "okta_domain": "trial-xxxxxxx-admin.okta.com", + "user": { + "id": "00ub0oNGTSWTBKOLGLNZ" + }, + "input": { + "type": "entity-analytics" + }, + "ecs": { + "version": "8.0.0" + } + }, + { + "@timestamp": "2023-06-13T07:12:17.341Z", + "okta": { + "id": 
"00ub0oNGTSWTBKOLGLNB", + "status": "ACTIVE", + "created": "2021-03-01T00:00:00.000Z", + "activated": "2021-03-01T00:00:01.000Z", + "statusChanged": "2021-03-01T00:00:01.000Z", + "lastLogin": "2023-06-01T08:00:00.000Z", + "lastUpdated": "2023-06-01T08:00:00.000Z", + "profile": { + "login": "carol.admin@example.com", + "firstName": "Carol", + "lastName": "Admin", + "email": "carol.admin@example.com" + }, + "credentials": { + "provider": { + "type": "OKTA", + "name": "OKTA" + }, + "recovery_question": {} + } + }, + "roles": [ + { + "id": "cr0Yq6IJxGIr0ouum0g3", + "role": "cr0Yq6IJxGIr0ouum0g3", + "label": "Custom role", + "type": "CUSTOM", + "status": "ACTIVE", + "created": "2024-01-15T10:00:00.000Z", + "lastUpdated": "2024-01-15T10:00:00.000Z", + "assignmentType": "USER", + "permissions": [ + { + "label": "okta.users.read", + "created": "2024-01-15T10:00:00.000Z", + "lastUpdated": "2024-01-15T10:00:00.000Z" + }, + { + "label": "okta.apps.read", + "created": "2024-01-15T10:00:00.000Z", + "lastUpdated": "2024-01-15T10:00:00.000Z" + } + ] + } + ], + "okta_domain": "trial-xxxxxxx-admin.okta.com", + "user": { + "id": "00ub0oNGTSWTBKOLGLNB" + }, + "input": { + "type": "entity-analytics" + }, + "ecs": { + "version": "8.0.0" + } + }, + { + "@timestamp": "2024-01-01T00:00:00.000Z", + "event": { + "action": "user-discovered" + }, + "supervises": [ + { + "user_id": "00ub0oNGTSWTBKOLGLNA", + "email": "employee.one@example.com", + "username": "employee.one@example.com" + }, + { + "user_id": "00ub0oNGTSWTBKOLGLNB", + "email": "employee.two@example.com", + "username": "employee.two@example.com" + } + ], + "okta_domain": "trial-xxxxxxx-admin.okta.com", + "user": { + "id": "00ub0oNGTSWTBKOLGLNE" + }, + "input": { + "type": "entity-analytics" + }, + "ecs": { + "version": "8.0.0" + } + }, + { + "@timestamp": "2024-01-01T00:00:00.000Z", + "event": { + "action": "user-discovered" + }, + "devices": [ + { + "id": "guo4a5uyerdpvAiJT0h7", + "status": "ACTIVE", + "created": 
"2024-01-01T00:00:00.000Z", + "lastUpdated": "2024-01-01T00:00:00.000Z", + "profile": { + "displayName": "Dave's MacBook Pro", + "platform": "MACOS", + "osVersion": "14.2.1", + "serialNumber": "C02ZW1XKMD6T" + } + } + ], + "okta_domain": "trial-xxxxxxx-admin.okta.com", + "user": { + "id": "00ub0oNGTSWTBKOLGLND" + }, + "input": { + "type": "entity-analytics" + }, + "ecs": { + "version": "8.0.0" + } } ] } \ No newline at end of file diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json-expected.json b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json-expected.json index ff6d8c09164..5b49adafdeb 100644 --- a/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json-expected.json +++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/pipeline/test-user.json-expected.json @@ -127,6 +127,11 @@ } }, "email": "isaac.brock@example.com", + "entity": { + "lifecycle": { + "last_activity": "2013-06-24T17:39:19.000Z" + } + }, "full_name": "Isaac Brock", "geo": { "city_name": "San Francisco", @@ -327,6 +332,11 @@ } }, "email": "isaac.brock@example.com", + "entity": { + "lifecycle": { + "last_activity": "2013-06-24T17:39:19.000Z" + } + }, "full_name": "Isaac Brock", "geo": { "city_name": "San Francisco", 
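Review bot: The `supervises` record for user `00ub0oNGTSWTBKOLGLNE` lists `00ub0oNGTSWTBKOLGLNA` with `email`/`username` `employee.one@example.com`, but the same id is Bob Jones (`bob.jones@example.com`) three records earlier in this hunk, and `00ub0oNGTSWTBKOLGLNB` is likewise Carol (`carol.admin@example.com`) rather than `employee.two@example.com`. The mismatch does not fail the test, because the expected output echoes the fixture verbatim, but it makes the fixture misleading as a reference for how relationships resolve; using `bob.jones@example.com` and `carol.admin@example.com` keeps the ids consistent across the file. The hunk is visible in full.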
@@ -372,6 +382,527 @@ "API Access Management administrator" ] } + }, + { + "@timestamp": "2023-06-13T07:12:17.341Z", + "asset": { + "category": "entity", + "create_date": "2021-01-01T00:00:00.000Z", + "id": "00ub0oNGTSWTBKOLGLNA", + "last_seen": "2023-06-01T10:00:00.000Z", + "last_status_change_date": "2021-01-01T00:00:01.000Z", + "last_updated": "2023-06-01T10:00:00.000Z", + "status": "ACTIVE", + "type": "okta_user", + "vendor": "OKTA" + }, + "data_stream": { + "dataset": "entityanalytics_okta.user", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "entityanalytics_okta": { + "user": { + "activated": "2021-01-01T00:00:01.000Z", + "created": "2021-01-01T00:00:00.000Z", + "credentials": { + "provider": { + "name": "OKTA", + "type": "OKTA" + }, + "recovery_question": { + "is_set": true + } + }, + "factors": [ + { + "created": "2021-01-05T10:00:00.000Z", + "factorType": "token:software:totp", + "id": "ufs2bysphxKODSZKWVCT", + "lastUpdated": "2021-01-05T10:00:00.000Z", + "provider": "OKTA", + "status": "ACTIVE", + "vendorName": "OKTA" + } + ], + "id": "00ub0oNGTSWTBKOLGLNA", + "last_login": "2023-06-01T10:00:00.000Z", + "last_updated": "2023-06-01T10:00:00.000Z", + "profile": { + "email": "bob.jones@example.com", + "first_name": "Bob", + "last_name": "Jones", + "login": "bob.jones@example.com" + }, + "status": "ACTIVE", + "status_changed": "2021-01-01T00:00:01.000Z" + } + }, + "event": { + "category": [ + "iam" + ], + "kind": "asset", + "original": 
"{\"input\":{\"type\":\"entity-analytics\"},\"@timestamp\":\"2023-06-13T07:12:17.341Z\",\"ecs\":{\"version\":\"8.11.0\"},\"okta_domain\":\"trial-xxxxxxx-admin.okta.com\",\"event\":{\"kind\":\"asset\"},\"okta\":{\"lastLogin\":\"2023-06-01T10:00:00.000Z\",\"lastUpdated\":\"2023-06-01T10:00:00.000Z\",\"credentials\":{\"provider\":{\"name\":\"OKTA\",\"type\":\"OKTA\"},\"recovery_question\":{}},\"created\":\"2021-01-01T00:00:00.000Z\",\"profile\":{\"firstName\":\"Bob\",\"lastName\":\"Jones\",\"login\":\"bob.jones@example.com\",\"email\":\"bob.jones@example.com\"},\"statusChanged\":\"2021-01-01T00:00:01.000Z\",\"id\":\"00ub0oNGTSWTBKOLGLNA\",\"activated\":\"2021-01-01T00:00:01.000Z\",\"status\":\"ACTIVE\"},\"user\":{\"id\":\"00ub0oNGTSWTBKOLGLNA\"},\"factors\":[{\"lastUpdated\":\"2021-01-05T10:00:00.000Z\",\"provider\":\"OKTA\",\"created\":\"2021-01-05T10:00:00.000Z\",\"factorType\":\"token:software:totp\",\"id\":\"ufs2bysphxKODSZKWVCT\",\"vendorName\":\"OKTA\",\"status\":\"ACTIVE\"}],\"tags\":[\"preserve_original_event\",\"preserve_duplicate_custom_fields\"],\"_index\":\"logs-entityanalytics_okta.entity-default\",\"_id\":\"_id\",\"_version\":-3}", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "trial-xxxxxxx-admin.okta.com" + }, + "input": { + "type": "entity-analytics" + }, + "related": { + "user": [ + "00ub0oNGTSWTBKOLGLNA", + "bob.jones@example.com", + "Bob", + "Jones" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "account": { + "activated_date": "2021-01-01T00:00:01.000Z", + "change_date": "2021-01-01T00:00:01.000Z", + "create_date": "2021-01-01T00:00:00.000Z", + "status": { + "deprovisioned": false, + "locked_out": false, + "password_expired": false, + "recovery": false, + "suspended": false + } + }, + "email": "bob.jones@example.com", + "entity": { + "attributes": { + "mfa_enabled": true + }, + "lifecycle": { + "last_activity": "2023-06-01T10:00:00.000Z" + } + }, + "id": 
"00ub0oNGTSWTBKOLGLNA", + "name": "bob.jones@example.com", + "profile": { + "first_name": "Bob", + "last_name": "Jones", + "status": "ACTIVE" + } + } + }, + { + "@timestamp": "2023-06-13T07:12:17.341Z", + "asset": { + "category": "entity", + "create_date": "2020-01-10T12:00:00.000Z", + "id": "00ub0oNGTSWTBKOLGLNZ", + "last_seen": "2023-06-10T09:00:00.000Z", + "last_status_change_date": "2020-01-10T12:00:01.000Z", + "last_updated": "2023-06-10T09:00:00.000Z", + "status": "ACTIVE", + "type": "okta_user", + "vendor": "OKTA" + }, + "data_stream": { + "dataset": "entityanalytics_okta.user", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "entityanalytics_okta": { + "user": { + "activated": "2020-01-10T12:00:01.000Z", + "created": "2020-01-10T12:00:00.000Z", + "credentials": { + "provider": { + "name": "OKTA", + "type": "OKTA" + }, + "recovery_question": { + "is_set": true + } + }, + "id": "00ub0oNGTSWTBKOLGLNZ", + "last_login": "2023-06-10T09:00:00.000Z", + "last_updated": "2023-06-10T09:00:00.000Z", + "profile": { + "email": "alice.smith@example.com", + "first_name": "Alice", + "last_name": "Smith", + "login": "alice.smith@example.com", + "manager": { + "id": "00ub0oNGTSWTBKOLGLNR", + "name": "Isaac Brock" + } + }, + "status": "ACTIVE", + "status_changed": "2020-01-10T12:00:01.000Z" + } + }, + "event": { + "category": [ + "iam" + ], + "kind": "asset", + "original": "{\"input\":{\"type\":\"entity-analytics\"},\"@timestamp\":\"2023-06-13T07:12:17.341Z\",\"ecs\":{\"version\":\"8.11.0\"},\"okta_domain\":\"trial-xxxxxxx-admin.okta.com\",\"event\":{\"kind\":\"asset\"},\"okta\":{\"lastLogin\":\"2023-06-10T09:00:00.000Z\",\"lastUpdated\":\"2023-06-10T09:00:00.000Z\",\"credentials\":{\"provider\":{\"name\":\"OKTA\",\"type\":\"OKTA\"},\"recovery_question\":{}},\"created\":\"2020-01-10T12:00:00.000Z\",\"profile\":{\"firstName\":\"Alice\",\"lastName\":\"Smith\",\"manager\":\"Isaac 
Brock\",\"managerId\":\"00ub0oNGTSWTBKOLGLNR\",\"login\":\"alice.smith@example.com\",\"email\":\"alice.smith@example.com\"},\"statusChanged\":\"2020-01-10T12:00:01.000Z\",\"id\":\"00ub0oNGTSWTBKOLGLNZ\",\"activated\":\"2020-01-10T12:00:01.000Z\",\"status\":\"ACTIVE\"},\"user\":{\"id\":\"00ub0oNGTSWTBKOLGLNZ\"},\"tags\":[\"preserve_original_event\",\"preserve_duplicate_custom_fields\"],\"_index\":\"logs-entityanalytics_okta.entity-default\",\"_id\":\"_id\",\"_version\":-3}", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "trial-xxxxxxx-admin.okta.com" + }, + "input": { + "type": "entity-analytics" + }, + "related": { + "user": [ + "00ub0oNGTSWTBKOLGLNZ", + "alice.smith@example.com", + "Alice", + "Smith", + "00ub0oNGTSWTBKOLGLNR", + "Isaac Brock" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "account": { + "activated_date": "2020-01-10T12:00:01.000Z", + "change_date": "2020-01-10T12:00:01.000Z", + "create_date": "2020-01-10T12:00:00.000Z", + "status": { + "deprovisioned": false, + "locked_out": false, + "password_expired": false, + "recovery": false, + "suspended": false + } + }, + "email": "alice.smith@example.com", + "entity": { + "lifecycle": { + "last_activity": "2023-06-10T09:00:00.000Z" + }, + "relationships": { + "administered_by": { + "user_id": "00ub0oNGTSWTBKOLGLNR", + "username": "Isaac Brock" + } + } + }, + "id": "00ub0oNGTSWTBKOLGLNZ", + "name": "alice.smith@example.com", + "profile": { + "first_name": "Alice", + "last_name": "Smith", + "manager": "00ub0oNGTSWTBKOLGLNR", + "status": "ACTIVE" + } + } + }, + { + "@timestamp": "2023-06-13T07:12:17.341Z", + "asset": { + "category": "entity", + "create_date": "2021-03-01T00:00:00.000Z", + "id": "00ub0oNGTSWTBKOLGLNB", + "last_seen": "2023-06-01T08:00:00.000Z", + "last_status_change_date": "2021-03-01T00:00:01.000Z", + "last_updated": "2023-06-01T08:00:00.000Z", + "status": "ACTIVE", + "type": "okta_user", + "vendor": "OKTA" + }, + 
"data_stream": { + "dataset": "entityanalytics_okta.user", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "entityanalytics_okta": { + "roles": [ + { + "assignment_type": "USER", + "created": "2024-01-15T10:00:00.000Z", + "id": "cr0Yq6IJxGIr0ouum0g3", + "label": "Custom role", + "last_updated": "2024-01-15T10:00:00.000Z", + "permissions": [ + { + "created": "2024-01-15T10:00:00.000Z", + "label": "okta.users.read", + "last_updated": "2024-01-15T10:00:00.000Z" + }, + { + "created": "2024-01-15T10:00:00.000Z", + "label": "okta.apps.read", + "last_updated": "2024-01-15T10:00:00.000Z" + } + ], + "role": "cr0Yq6IJxGIr0ouum0g3", + "status": "ACTIVE", + "type": "CUSTOM" + } + ], + "user": { + "activated": "2021-03-01T00:00:01.000Z", + "created": "2021-03-01T00:00:00.000Z", + "credentials": { + "provider": { + "name": "OKTA", + "type": "OKTA" + }, + "recovery_question": { + "is_set": true + } + }, + "id": "00ub0oNGTSWTBKOLGLNB", + "last_login": "2023-06-01T08:00:00.000Z", + "last_updated": "2023-06-01T08:00:00.000Z", + "profile": { + "email": "carol.admin@example.com", + "first_name": "Carol", + "last_name": "Admin", + "login": "carol.admin@example.com" + }, + "status": "ACTIVE", + "status_changed": "2021-03-01T00:00:01.000Z" + } + }, + "event": { + "category": [ + "iam" + ], + "kind": "asset", + "original": "{\"input\":{\"type\":\"entity-analytics\"},\"@timestamp\":\"2023-06-13T07:12:17.341Z\",\"ecs\":{\"version\":\"8.11.0\"},\"roles\":[{\"lastUpdated\":\"2024-01-15T10:00:00.000Z\",\"role\":\"cr0Yq6IJxGIr0ouum0g3\",\"created\":\"2024-01-15T10:00:00.000Z\",\"permissions\":[{\"lastUpdated\":\"2024-01-15T10:00:00.000Z\",\"created\":\"2024-01-15T10:00:00.000Z\",\"label\":\"okta.users.read\"},{\"lastUpdated\":\"2024-01-15T10:00:00.000Z\",\"created\":\"2024-01-15T10:00:00.000Z\",\"label\":\"okta.apps.read\"}],\"id\":\"cr0Yq6IJxGIr0ouum0g3\",\"label\":\"Custom 
role\",\"type\":\"CUSTOM\",\"assignmentType\":\"USER\",\"status\":\"ACTIVE\"}],\"okta_domain\":\"trial-xxxxxxx-admin.okta.com\",\"event\":{\"kind\":\"asset\"},\"okta\":{\"lastLogin\":\"2023-06-01T08:00:00.000Z\",\"lastUpdated\":\"2023-06-01T08:00:00.000Z\",\"credentials\":{\"provider\":{\"name\":\"OKTA\",\"type\":\"OKTA\"},\"recovery_question\":{}},\"created\":\"2021-03-01T00:00:00.000Z\",\"profile\":{\"firstName\":\"Carol\",\"lastName\":\"Admin\",\"login\":\"carol.admin@example.com\",\"email\":\"carol.admin@example.com\"},\"statusChanged\":\"2021-03-01T00:00:01.000Z\",\"id\":\"00ub0oNGTSWTBKOLGLNB\",\"activated\":\"2021-03-01T00:00:01.000Z\",\"status\":\"ACTIVE\"},\"user\":{\"id\":\"00ub0oNGTSWTBKOLGLNB\"},\"tags\":[\"preserve_original_event\",\"preserve_duplicate_custom_fields\"],\"_index\":\"logs-entityanalytics_okta.entity-default\",\"_id\":\"_id\",\"_version\":-3}", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "trial-xxxxxxx-admin.okta.com" + }, + "input": { + "type": "entity-analytics" + }, + "related": { + "user": [ + "00ub0oNGTSWTBKOLGLNB", + "carol.admin@example.com", + "Carol", + "Admin" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "account": { + "activated_date": "2021-03-01T00:00:01.000Z", + "change_date": "2021-03-01T00:00:01.000Z", + "create_date": "2021-03-01T00:00:00.000Z", + "status": { + "deprovisioned": false, + "locked_out": false, + "password_expired": false, + "recovery": false, + "suspended": false + } + }, + "email": "carol.admin@example.com", + "entity": { + "attributes": { + "permissions": [ + "okta.users.read", + "okta.apps.read" + ] + }, + "lifecycle": { + "last_activity": "2023-06-01T08:00:00.000Z" + } + }, + "id": "00ub0oNGTSWTBKOLGLNB", + "name": "carol.admin@example.com", + "profile": { + "first_name": "Carol", + "last_name": "Admin", + "status": "ACTIVE" + }, + "roles": [ + "cr0Yq6IJxGIr0ouum0g3", + "Custom role" + ] + } + }, + { + "@timestamp": 
"2024-01-01T00:00:00.000Z", + "asset": { + "category": "entity", + "type": "okta_user" + }, + "data_stream": { + "dataset": "entityanalytics_okta.user", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "entityanalytics_okta": { + "user": { + "credentials": { + "recovery_question": { + "is_set": false + } + }, + "supervises": [ + { + "email": "employee.one@example.com", + "user_id": "00ub0oNGTSWTBKOLGLNA", + "username": "employee.one@example.com" + }, + { + "email": "employee.two@example.com", + "user_id": "00ub0oNGTSWTBKOLGLNB", + "username": "employee.two@example.com" + } + ] + } + }, + "event": { + "category": [ + "iam" + ], + "kind": "asset", + "original": "{\"input\":{\"type\":\"entity-analytics\"},\"@timestamp\":\"2024-01-01T00:00:00.000Z\",\"ecs\":{\"version\":\"8.11.0\"},\"supervises\":[{\"user_id\":\"00ub0oNGTSWTBKOLGLNA\",\"email\":\"employee.one@example.com\",\"username\":\"employee.one@example.com\"},{\"user_id\":\"00ub0oNGTSWTBKOLGLNB\",\"email\":\"employee.two@example.com\",\"username\":\"employee.two@example.com\"}],\"okta_domain\":\"trial-xxxxxxx-admin.okta.com\",\"event\":{\"kind\":\"asset\"},\"user\":{\"id\":\"00ub0oNGTSWTBKOLGLNE\"},\"tags\":[\"preserve_original_event\",\"preserve_duplicate_custom_fields\"],\"_index\":\"logs-entityanalytics_okta.entity-default\",\"_id\":\"_id\",\"_version\":-3}", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "trial-xxxxxxx-admin.okta.com" + }, + "input": { + "type": "entity-analytics" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "entity": { + "relationships": { + "supervises": [ + { + "email": "employee.one@example.com", + "user_id": "00ub0oNGTSWTBKOLGLNA", + "username": "employee.one@example.com" + }, + { + "email": "employee.two@example.com", + "user_id": "00ub0oNGTSWTBKOLGLNB", + "username": "employee.two@example.com" + } + ] + } + }, + "id": "00ub0oNGTSWTBKOLGLNE" + } + }, + { + "@timestamp": 
"2024-01-01T00:00:00.000Z", + "asset": { + "category": "entity", + "type": "okta_user" + }, + "data_stream": { + "dataset": "entityanalytics_okta.user", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "entityanalytics_okta": { + "user": { + "credentials": { + "recovery_question": { + "is_set": false + } + }, + "devices": [ + { + "created": "2024-01-01T00:00:00.000Z", + "id": "guo4a5uyerdpvAiJT0h7", + "lastUpdated": "2024-01-01T00:00:00.000Z", + "profile": { + "displayName": "Dave's MacBook Pro", + "osVersion": "14.2.1", + "platform": "MACOS", + "serialNumber": "C02ZW1XKMD6T" + }, + "status": "ACTIVE" + } + ] + } + }, + "event": { + "category": [ + "iam" + ], + "kind": "asset", + "original": "{\"input\":{\"type\":\"entity-analytics\"},\"@timestamp\":\"2024-01-01T00:00:00.000Z\",\"ecs\":{\"version\":\"8.11.0\"},\"devices\":[{\"lastUpdated\":\"2024-01-01T00:00:00.000Z\",\"created\":\"2024-01-01T00:00:00.000Z\",\"profile\":{\"serialNumber\":\"C02ZW1XKMD6T\",\"osVersion\":\"14.2.1\",\"displayName\":\"Dave's MacBook Pro\",\"platform\":\"MACOS\"},\"id\":\"guo4a5uyerdpvAiJT0h7\",\"status\":\"ACTIVE\"}],\"okta_domain\":\"trial-xxxxxxx-admin.okta.com\",\"event\":{\"kind\":\"asset\"},\"user\":{\"id\":\"00ub0oNGTSWTBKOLGLND\"},\"tags\":[\"preserve_original_event\",\"preserve_duplicate_custom_fields\"],\"_index\":\"logs-entityanalytics_okta.entity-default\",\"_id\":\"_id\",\"_version\":-3}", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "trial-xxxxxxx-admin.okta.com" + }, + "input": { + "type": "entity-analytics" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "entity": { + "relationships": { + "owns": [ + { + "host_id": "guo4a5uyerdpvAiJT0h7", + "hostname": "Dave's MacBook Pro" + } + ] + } + }, + "id": "00ub0oNGTSWTBKOLGLND" + } } ] } 
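Review bot: The two relationship-only documents (users `00ub0oNGTSWTBKOLGLNE` and `00ub0oNGTSWTBKOLGLND`) carry no `okta.credentials` in their input, yet the expected output asserts `entityanalytics_okta.user.credentials.recovery_question.is_set: false`, so "no credential data was collected" becomes indistinguishable from "recovery question confirmed not set"; unless that default is deliberate, the field should be absent when `okta.credentials` is absent, and these two expectations would then drop the `credentials` object. Separately, `user.entity.relationships.administered_by.username` is `Isaac Brock` (the manager's display name from `profile.manager`) while `supervises[].username` holds login-style values, so `username` has two meanings within one document. The hunk is visible in full.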
diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-devices-config.yml b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-devices-config.yml
new file mode 100644
index 00000000000..8848709924a
--- /dev/null
+++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-devices-config.yml
@@ -0,0 +1,47 @@ +input: entity-analytics +service: entityanalytics_okta +data_stream: + vars: + okta_domain: trial-xxxxxxx-admin.okta.com + okta_token: xxxx + dataset: users + enrich_user_devices: true + preserve_duplicate_custom_fields: true + preserve_original_event: true + enable_request_tracer: true + ssl: | + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIFszCCA5ugAwIBAgIUdyvMXQ1pOUhZnhb77AODd1TsD/AwDQYJKoZIhvcNAQEL + BQAwaTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE + CgwTRGVmYXVsdCBDb21wYW55IEx0ZDElMCMGA1UEAwwcdHJpYWwteHh4eHh4eC1h + ZG1pbi5va3RhLmNvbTAeFw0yNDA3MTcxMjE0MThaFw0zNDA3MTUxMjE0MThaMGkx + CzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0Rl + ZmF1bHQgQ29tcGFueSBMdGQxJTAjBgNVBAMMHHRyaWFsLXh4eHh4eHgtYWRtaW4u + b2t0YS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiDiTT7COr + 0m/pXxLKm6KmUlZJHhHep8Yo5wwoWuYnKCv07pwMQRY/Kk3ymk9cFGVu7sILZDP+ + rq2TJAi7nhuDabdbRyccdaZY8N8MAEvPkyC6KfIWw0Ge9vruoTqp0IUHw/9ZP19O + sogSLfTova3jHWhEiH335dUVcvnhgId9isx5ieB2RY9DiqTmsujGi37MadAKqm4q + /UJpn3Gd8uvs7/w4tb9HoknN8sVwaZSyO1y/7lUZk86ynHfdH1i0EUvwF7i9di3T + JPvHFp1dEWxtkQBBYBIU+l1bjD8nZ6uDqE7FSzxsbI3hn1aCvxrM1BrXhxIDdz/v + /IIXsQKh+wNmDlDOBrtZAmjP/PpWHJOOcwNycMyvO7Y2dO0AkvqXTHqDmmGd7hGK + yOi1tITeA+P9w4rJSIfkwOMvaYjpcnJ+fYaWG5QBf5xwkjChyjj/qyIVelR2QZxr + jzz+DL+0BxAAiotAvWEJDDwNHb1o/SnXj/s9kW4FEk/1N0MPgdzCQUvc4M1LXGwc + SOrbJ4HuNf7xRrSK+Wf+XO8Hskc9u8hoYXZztgRfJb4FIdYjC+CNj/t9o24YrUfk + H0zt6BKAFbvZAIkY/9iKHjp7OtEIwDeK7Zi66js1Gh5jSk1yyJFZCvQ1VW4MAuEX + /gaZt0g0n3maQxbS3kdSsRIxO7xwlgdanwIDAQABo1MwUTAdBgNVHQ4EFgQUitOr + 3aZ/qvZftQ7EWwfdXIQm8qYwHwYDVR0jBBgwFoAUitOr3aZ/qvZftQ7EWwfdXIQm + 8qYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEACkX+A593k7o8 + 5het6FY8Tc5fXVyOVII9NByxwdvpuOoqkMTlM+5Z0hFlmHz59qFeKxcpzXPMDztl + tTeaQFzfwBulXzLfBDgADDFPN71emjKc6v9QKhY+6LNddoMqymy5ow76NEsey2IN + a8cVXFms1Zp/6VPPOeJGbmuD8aI0WTsJKmCDdhGt2oso+lMDM4pfwAO7WKYdoLpq + 8RygiRRydiArOtwNNry2h+NTC/iHI00j5Ox+godZVf2/KZDLr273ma0/MOdjUTzV + 
V5qj1QzBQqSFiUcxaGCaeZ++BJrp6YP3QGz6NXnywmwtyDwpOeI6HQoJA3mBG6Da + AsEPqQEedSE2ZflQTrl6Kd+2xPKkz3zMpG+VumDrwPuVi5MdFfZ8KScaq9cIL+Lk + mHqNUeCHJyR9wbpvl9yuuTLYfL6zRqR7L/0gYHBnX1KEB9ESsaKFq5FtSNjZSUrs + V+X6vFzc5kHbucBix1bI2PgO7yx2XqfSPLf2GGch8k44VTLgn81yQfVCorWKXWcZ + fZnXgbQ+s8iVZaOXDU6PLljdhJK4JoxdLSCMnjufQZBRCNpHmQ8mx3uiv+LDg7sx + JE3WRcwNIONSRY/9seTyK6y9ed61m40Bx92kO2H0Ld+vKkYnFWAoZNYEM0WZ0zWz + 9EkWoxHOkvz1Pnp41Llpc7OPdbOQrx4= + -----END CERTIFICATE----- diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-factors-config.yml b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-factors-config.yml new file mode 100644 index 00000000000..4138210ecd6 --- /dev/null +++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-factors-config.yml 
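Review bot: The `ssl.certificate_authorities` block is the same test CA pasted verbatim into this file and into test-enrich-factors-config.yml (and, judging by its header, test-enrich-perms-config.yml, whose body is outside this view); when the mock's CA is regenerated every copy must change together, so a comment at the top of each such as `# Test CA for the mock Okta service; keep in sync with the other test-*-config.yml files` would make the coupling visible, or the test harness's shared fixture mechanism could be used if it has one. `enable_request_tracer: true` is also set in each of these configs; that is fine against the mock with the placeholder token `xxxx`, but a `# test-only` comment on it would help, since request traces may capture authorization headers if the option is copied into a real configuration. The hunk is visible in full.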
@@ -0,0 +1,47 @@ +input: entity-analytics +service: entityanalytics_okta +data_stream: + vars: + okta_domain: trial-xxxxxxx-admin.okta.com + okta_token: xxxx + dataset: users + enrich_user_factors: true + preserve_duplicate_custom_fields: true + preserve_original_event: true + enable_request_tracer: true + ssl: | + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIFszCCA5ugAwIBAgIUdyvMXQ1pOUhZnhb77AODd1TsD/AwDQYJKoZIhvcNAQEL + BQAwaTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE + CgwTRGVmYXVsdCBDb21wYW55IEx0ZDElMCMGA1UEAwwcdHJpYWwteHh4eHh4eC1h + ZG1pbi5va3RhLmNvbTAeFw0yNDA3MTcxMjE0MThaFw0zNDA3MTUxMjE0MThaMGkx + CzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0Rl + ZmF1bHQgQ29tcGFueSBMdGQxJTAjBgNVBAMMHHRyaWFsLXh4eHh4eHgtYWRtaW4u + b2t0YS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiDiTT7COr + 0m/pXxLKm6KmUlZJHhHep8Yo5wwoWuYnKCv07pwMQRY/Kk3ymk9cFGVu7sILZDP+ + rq2TJAi7nhuDabdbRyccdaZY8N8MAEvPkyC6KfIWw0Ge9vruoTqp0IUHw/9ZP19O + sogSLfTova3jHWhEiH335dUVcvnhgId9isx5ieB2RY9DiqTmsujGi37MadAKqm4q + /UJpn3Gd8uvs7/w4tb9HoknN8sVwaZSyO1y/7lUZk86ynHfdH1i0EUvwF7i9di3T + JPvHFp1dEWxtkQBBYBIU+l1bjD8nZ6uDqE7FSzxsbI3hn1aCvxrM1BrXhxIDdz/v + /IIXsQKh+wNmDlDOBrtZAmjP/PpWHJOOcwNycMyvO7Y2dO0AkvqXTHqDmmGd7hGK + yOi1tITeA+P9w4rJSIfkwOMvaYjpcnJ+fYaWG5QBf5xwkjChyjj/qyIVelR2QZxr + jzz+DL+0BxAAiotAvWEJDDwNHb1o/SnXj/s9kW4FEk/1N0MPgdzCQUvc4M1LXGwc + SOrbJ4HuNf7xRrSK+Wf+XO8Hskc9u8hoYXZztgRfJb4FIdYjC+CNj/t9o24YrUfk + H0zt6BKAFbvZAIkY/9iKHjp7OtEIwDeK7Zi66js1Gh5jSk1yyJFZCvQ1VW4MAuEX + /gaZt0g0n3maQxbS3kdSsRIxO7xwlgdanwIDAQABo1MwUTAdBgNVHQ4EFgQUitOr + 3aZ/qvZftQ7EWwfdXIQm8qYwHwYDVR0jBBgwFoAUitOr3aZ/qvZftQ7EWwfdXIQm + 8qYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEACkX+A593k7o8 + 5het6FY8Tc5fXVyOVII9NByxwdvpuOoqkMTlM+5Z0hFlmHz59qFeKxcpzXPMDztl + tTeaQFzfwBulXzLfBDgADDFPN71emjKc6v9QKhY+6LNddoMqymy5ow76NEsey2IN + a8cVXFms1Zp/6VPPOeJGbmuD8aI0WTsJKmCDdhGt2oso+lMDM4pfwAO7WKYdoLpq + 8RygiRRydiArOtwNNry2h+NTC/iHI00j5Ox+godZVf2/KZDLr273ma0/MOdjUTzV + 
V5qj1QzBQqSFiUcxaGCaeZ++BJrp6YP3QGz6NXnywmwtyDwpOeI6HQoJA3mBG6Da + AsEPqQEedSE2ZflQTrl6Kd+2xPKkz3zMpG+VumDrwPuVi5MdFfZ8KScaq9cIL+Lk + mHqNUeCHJyR9wbpvl9yuuTLYfL6zRqR7L/0gYHBnX1KEB9ESsaKFq5FtSNjZSUrs + V+X6vFzc5kHbucBix1bI2PgO7yx2XqfSPLf2GGch8k44VTLgn81yQfVCorWKXWcZ + fZnXgbQ+s8iVZaOXDU6PLljdhJK4JoxdLSCMnjufQZBRCNpHmQ8mx3uiv+LDg7sx + JE3WRcwNIONSRY/9seTyK6y9ed61m40Bx92kO2H0Ld+vKkYnFWAoZNYEM0WZ0zWz + 9EkWoxHOkvz1Pnp41Llpc7OPdbOQrx4= + -----END CERTIFICATE----- diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-perms-config.yml b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-perms-config.yml new file mode 100644 index 00000000000..25dd55ce7b6 --- /dev/null +++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-perms-config.yml 
@@ -0,0 +1,47 @@ +input: entity-analytics +service: entityanalytics_okta +data_stream: + vars: + okta_domain: trial-xxxxxxx-admin.okta.com + okta_token: xxxx + dataset: users + enrich_user_perms: true + preserve_duplicate_custom_fields: true + preserve_original_event: true + enable_request_tracer: true + ssl: | + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIFszCCA5ugAwIBAgIUdyvMXQ1pOUhZnhb77AODd1TsD/AwDQYJKoZIhvcNAQEL + BQAwaTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE + CgwTRGVmYXVsdCBDb21wYW55IEx0ZDElMCMGA1UEAwwcdHJpYWwteHh4eHh4eC1h + ZG1pbi5va3RhLmNvbTAeFw0yNDA3MTcxMjE0MThaFw0zNDA3MTUxMjE0MThaMGkx + CzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0Rl + ZmF1bHQgQ29tcGFueSBMdGQxJTAjBgNVBAMMHHRyaWFsLXh4eHh4eHgtYWRtaW4u + b2t0YS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiDiTT7COr + 0m/pXxLKm6KmUlZJHhHep8Yo5wwoWuYnKCv07pwMQRY/Kk3ymk9cFGVu7sILZDP+ + rq2TJAi7nhuDabdbRyccdaZY8N8MAEvPkyC6KfIWw0Ge9vruoTqp0IUHw/9ZP19O + sogSLfTova3jHWhEiH335dUVcvnhgId9isx5ieB2RY9DiqTmsujGi37MadAKqm4q + /UJpn3Gd8uvs7/w4tb9HoknN8sVwaZSyO1y/7lUZk86ynHfdH1i0EUvwF7i9di3T + JPvHFp1dEWxtkQBBYBIU+l1bjD8nZ6uDqE7FSzxsbI3hn1aCvxrM1BrXhxIDdz/v + /IIXsQKh+wNmDlDOBrtZAmjP/PpWHJOOcwNycMyvO7Y2dO0AkvqXTHqDmmGd7hGK + yOi1tITeA+P9w4rJSIfkwOMvaYjpcnJ+fYaWG5QBf5xwkjChyjj/qyIVelR2QZxr + jzz+DL+0BxAAiotAvWEJDDwNHb1o/SnXj/s9kW4FEk/1N0MPgdzCQUvc4M1LXGwc + SOrbJ4HuNf7xRrSK+Wf+XO8Hskc9u8hoYXZztgRfJb4FIdYjC+CNj/t9o24YrUfk + H0zt6BKAFbvZAIkY/9iKHjp7OtEIwDeK7Zi66js1Gh5jSk1yyJFZCvQ1VW4MAuEX + /gaZt0g0n3maQxbS3kdSsRIxO7xwlgdanwIDAQABo1MwUTAdBgNVHQ4EFgQUitOr + 3aZ/qvZftQ7EWwfdXIQm8qYwHwYDVR0jBBgwFoAUitOr3aZ/qvZftQ7EWwfdXIQm + 8qYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEACkX+A593k7o8 + 5het6FY8Tc5fXVyOVII9NByxwdvpuOoqkMTlM+5Z0hFlmHz59qFeKxcpzXPMDztl + tTeaQFzfwBulXzLfBDgADDFPN71emjKc6v9QKhY+6LNddoMqymy5ow76NEsey2IN + a8cVXFms1Zp/6VPPOeJGbmuD8aI0WTsJKmCDdhGt2oso+lMDM4pfwAO7WKYdoLpq + 8RygiRRydiArOtwNNry2h+NTC/iHI00j5Ox+godZVf2/KZDLr273ma0/MOdjUTzV + 
V5qj1QzBQqSFiUcxaGCaeZ++BJrp6YP3QGz6NXnywmwtyDwpOeI6HQoJA3mBG6Da + AsEPqQEedSE2ZflQTrl6Kd+2xPKkz3zMpG+VumDrwPuVi5MdFfZ8KScaq9cIL+Lk + mHqNUeCHJyR9wbpvl9yuuTLYfL6zRqR7L/0gYHBnX1KEB9ESsaKFq5FtSNjZSUrs + V+X6vFzc5kHbucBix1bI2PgO7yx2XqfSPLf2GGch8k44VTLgn81yQfVCorWKXWcZ + fZnXgbQ+s8iVZaOXDU6PLljdhJK4JoxdLSCMnjufQZBRCNpHmQ8mx3uiv+LDg7sx + JE3WRcwNIONSRY/9seTyK6y9ed61m40Bx92kO2H0Ld+vKkYnFWAoZNYEM0WZ0zWz + 9EkWoxHOkvz1Pnp41Llpc7OPdbOQrx4= + -----END CERTIFICATE----- diff --git a/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-supervises-config.yml b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-supervises-config.yml new file mode 100644 index 00000000000..a9f426187de --- /dev/null +++ b/packages/entityanalytics_okta/data_stream/entity/_dev/test/system/test-enrich-supervises-config.yml 
@@ -0,0 +1,47 @@ +input: entity-analytics +service: entityanalytics_okta +data_stream: + vars: + okta_domain: trial-xxxxxxx-admin.okta.com + okta_token: xxxx + dataset: users + enrich_user_supervises: true + preserve_duplicate_custom_fields: true + preserve_original_event: true + enable_request_tracer: true + ssl: | + certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIFszCCA5ugAwIBAgIUdyvMXQ1pOUhZnhb77AODd1TsD/AwDQYJKoZIhvcNAQEL + BQAwaTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE + CgwTRGVmYXVsdCBDb21wYW55IEx0ZDElMCMGA1UEAwwcdHJpYWwteHh4eHh4eC1h + ZG1pbi5va3RhLmNvbTAeFw0yNDA3MTcxMjE0MThaFw0zNDA3MTUxMjE0MThaMGkx + CzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0Rl + ZmF1bHQgQ29tcGFueSBMdGQxJTAjBgNVBAMMHHRyaWFsLXh4eHh4eHgtYWRtaW4u + b2t0YS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiDiTT7COr + 0m/pXxLKm6KmUlZJHhHep8Yo5wwoWuYnKCv07pwMQRY/Kk3ymk9cFGVu7sILZDP+ + rq2TJAi7nhuDabdbRyccdaZY8N8MAEvPkyC6KfIWw0Ge9vruoTqp0IUHw/9ZP19O + sogSLfTova3jHWhEiH335dUVcvnhgId9isx5ieB2RY9DiqTmsujGi37MadAKqm4q + /UJpn3Gd8uvs7/w4tb9HoknN8sVwaZSyO1y/7lUZk86ynHfdH1i0EUvwF7i9di3T + JPvHFp1dEWxtkQBBYBIU+l1bjD8nZ6uDqE7FSzxsbI3hn1aCvxrM1BrXhxIDdz/v + /IIXsQKh+wNmDlDOBrtZAmjP/PpWHJOOcwNycMyvO7Y2dO0AkvqXTHqDmmGd7hGK + yOi1tITeA+P9w4rJSIfkwOMvaYjpcnJ+fYaWG5QBf5xwkjChyjj/qyIVelR2QZxr + jzz+DL+0BxAAiotAvWEJDDwNHb1o/SnXj/s9kW4FEk/1N0MPgdzCQUvc4M1LXGwc + SOrbJ4HuNf7xRrSK+Wf+XO8Hskc9u8hoYXZztgRfJb4FIdYjC+CNj/t9o24YrUfk + H0zt6BKAFbvZAIkY/9iKHjp7OtEIwDeK7Zi66js1Gh5jSk1yyJFZCvQ1VW4MAuEX + /gaZt0g0n3maQxbS3kdSsRIxO7xwlgdanwIDAQABo1MwUTAdBgNVHQ4EFgQUitOr + 3aZ/qvZftQ7EWwfdXIQm8qYwHwYDVR0jBBgwFoAUitOr3aZ/qvZftQ7EWwfdXIQm + 8qYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEACkX+A593k7o8 + 5het6FY8Tc5fXVyOVII9NByxwdvpuOoqkMTlM+5Z0hFlmHz59qFeKxcpzXPMDztl + tTeaQFzfwBulXzLfBDgADDFPN71emjKc6v9QKhY+6LNddoMqymy5ow76NEsey2IN + a8cVXFms1Zp/6VPPOeJGbmuD8aI0WTsJKmCDdhGt2oso+lMDM4pfwAO7WKYdoLpq + 8RygiRRydiArOtwNNry2h+NTC/iHI00j5Ox+godZVf2/KZDLr273ma0/MOdjUTzV + 
V5qj1QzBQqSFiUcxaGCaeZ++BJrp6YP3QGz6NXnywmwtyDwpOeI6HQoJA3mBG6Da
+ AsEPqQEedSE2ZflQTrl6Kd+2xPKkz3zMpG+VumDrwPuVi5MdFfZ8KScaq9cIL+Lk
+ mHqNUeCHJyR9wbpvl9yuuTLYfL6zRqR7L/0gYHBnX1KEB9ESsaKFq5FtSNjZSUrs
+ V+X6vFzc5kHbucBix1bI2PgO7yx2XqfSPLf2GGch8k44VTLgn81yQfVCorWKXWcZ
+ fZnXgbQ+s8iVZaOXDU6PLljdhJK4JoxdLSCMnjufQZBRCNpHmQ8mx3uiv+LDg7sx
+ JE3WRcwNIONSRY/9seTyK6y9ed61m40Bx92kO2H0Ld+vKkYnFWAoZNYEM0WZ0zWz
+ 9EkWoxHOkvz1Pnp41Llpc7OPdbOQrx4=
+ -----END CERTIFICATE-----
diff --git a/packages/entityanalytics_okta/data_stream/entity/agent/stream/entity-analytics.yml.hbs b/packages/entityanalytics_okta/data_stream/entity/agent/stream/entity-analytics.yml.hbs
index 32e71f8dd64..eb9b2f26b9a 100644
--- a/packages/entityanalytics_okta/data_stream/entity/agent/stream/entity-analytics.yml.hbs
+++ b/packages/entityanalytics_okta/data_stream/entity/agent/stream/entity-analytics.yml.hbs
@@ -36,13 +36,23 @@ oauth2.jwk_pem: {{escape_string key_pem}}
okta_token: {{okta_token}}
{{/if}}
dataset: {{dataset}}
-{{#if enrich_user_roles}}
-{{! We include groups in the list when enriching roles, since the default input is to enrich with groups. }}
-{{! There is currently no way to disable groups enrichment, so we respect that behaviour. }}
enrich_with:
- groups
+{{#if enrich_user_roles}}
- roles
{{/if}}
+{{#if enrich_user_factors}}
+ - factors
+{{/if}}
+{{#if enrich_user_perms}}
+ - perms
+{{/if}}
+{{#if enrich_user_devices}}
+ - devices
+{{/if}}
+{{#if enrich_user_supervises}}
+ - supervises
+{{/if}}
{{#if proxy_url}}
request.proxy_url: {{proxy_url}}
{{/if}}
diff --git a/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/device.yml b/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/device.yml
index 71225cbbe44..942035da7f6 100644
--- a/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/device.yml
+++ b/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/device.yml
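Review bot: The two `{{! … }}` comments that explained why `- groups` is always in the list are dropped together with the `enrich_user_roles` guard, so the now-unconditional `- groups` sits with no rationale beside it; keep one line above `enrich_with:` such as `{{! groups is always enriched: the input offers no way to disable it. }}`. The `enrich_user_perms` branch emits only `- perms`, yet the option's manifest description says enabling it implicitly enables role enrichment; if that implication is handled inside the input rather than in this template, a one-line comment on the branch saying so would stop the next reader from looking for a missing `- roles`.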
@@ -184,6 +184,11 @@ processors:
target_field: entityanalytics_okta.device.profile.display_name
tag: rename_device_profile_display_name
ignore_missing: true
+ - rename:
+ field: okta.profile.osVersion
+ target_field: host.os.version
+ tag: rename_device_profile_os_version
+ ignore_missing: true
- rename:
field: okta.profile.sid
target_field: entityanalytics_okta.device.profile.sid
@@ -223,6 +228,18 @@ processors:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: okta.profile.managed
+ target_field: host.entity.attributes.managed
+ type: boolean
+ tag: convert_device_profile_managed
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: okta.profile.managed
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: asset.name
copy_from: entityanalytics_okta.device.profile.display_name
diff --git a/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/user.yml b/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/user.yml
index 944a70b2bec..672cc99f907 100644
--- a/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/user.yml
+++ b/packages/entityanalytics_okta/data_stream/entity/elasticsearch/ingest_pipeline/user.yml
@@ -179,6 +179,11 @@ processors:
copy_from: entityanalytics_okta.user.last_login
tag: set_asset_last_seen
ignore_empty_value: true
+ - set:
+ field: user.entity.lifecycle.last_activity
+ copy_from: entityanalytics_okta.user.last_login
+ tag: set_user_entity_lifecycle_last_activity
+ ignore_empty_value: true
- date:
field: okta.lastUpdated
target_field: entityanalytics_okta.user.last_updated
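Review bot: The new `rename` in the first `device.yml` hunk writes `okta.profile.osVersion` to `host.os.version`, but the only `host.*` mapping this diff adds is `host.entity.attributes.managed` (in the entity `ecs.yml` hunk further down), so unless `host.os.version` is already declared or imported from ECS elsewhere in the package the value is indexed unmapped; the rename should be accompanied by a `- name: host.os.version` / `type: keyword` entry in the same fields file. The sibling renames in this hunk keep the raw value under `entityanalytics_okta.device.profile.*`, so if `osVersion` is meant to remain available there too, a `set` with `copy_from` would preserve that symmetry. The `processors` list starts and ends outside both hunks.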
@@ -295,6 +300,105 @@ processors:
field: _ingest._value.last_updated
target_field: _ingest._value.lastUpdated
ignore_failure: true
+ - foreach:
+ field: entityanalytics_okta.roles
+ if: ctx.entityanalytics_okta?.roles instanceof List
+ processor:
+ foreach:
+ field: _ingest._value.permissions
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.lastUpdated
+ target_field: _ingest._value.last_updated
+ tag: rename_user_roles_permissions.lastUpdated
+ ignore_missing: true
+ - script:
+ lang: painless
+ tag: painless_extract_role_permissions
+ description: Extract permission labels from custom role permissions into user.entity.attributes.permissions.
+ if: ctx.entityanalytics_okta?.roles instanceof List
+ source: |
+ for (def role : ctx.entityanalytics_okta.roles) {
+ if (!(role?.permissions instanceof List)) continue;
+ for (def perm : role.permissions) {
+ def label = perm?.label;
+ if (label == null || label == '') continue;
+ if (ctx.user == null) ctx.user = new HashMap();
+ if (ctx.user.entity == null) ctx.user.entity = new HashMap();
+ if (ctx.user.entity.attributes == null) ctx.user.entity.attributes = new HashMap();
+ if (ctx.user.entity.attributes.permissions == null) ctx.user.entity.attributes.permissions = new ArrayList();
+ if (!ctx.user.entity.attributes.permissions.contains(label)) {
+ ctx.user.entity.attributes.permissions.add(label);
+ }
+ }
+ }
+ - rename:
+ field: factors
+ target_field: entityanalytics_okta.user.factors
+ tag: rename_user_factors
+ ignore_missing: true
+ - script:
+ lang: painless
+ tag: painless_set_mfa_enabled
+ description: Set user.entity.attributes.mfa_enabled based on active MFA factors.
+ if: ctx.entityanalytics_okta?.user?.factors instanceof List
+ source: |
+ for (def f : ctx.entityanalytics_okta.user.factors) {
+ if ("ACTIVE".equals(f?.status)) {
+ if (ctx.user == null) ctx.user = new HashMap();
+ if (ctx.user.entity == null) ctx.user.entity = new HashMap();
+ if (ctx.user.entity.attributes == null) ctx.user.entity.attributes = new HashMap();
+ ctx.user.entity.attributes.put("mfa_enabled", true);
+ return;
+ }
+ }
+ - rename:
+ field: devices
+ target_field: entityanalytics_okta.user.devices
+ tag: rename_user_devices
+ ignore_missing: true
+ - script:
+ lang: painless
+ tag: painless_set_user_entity_relationships_owns
+ description: Build user.entity.relationships.owns from enrolled device list.
+ if: ctx.entityanalytics_okta?.user?.devices instanceof List
+ source: |
+ def owns = new ArrayList();
+ for (def device : ctx.entityanalytics_okta.user.devices) {
+ def entry = new HashMap();
+ entry.put("host_id", device?.id);
+ def displayName = device?.profile?.displayName;
+ if (displayName != null) entry.put("hostname", displayName);
+ owns.add(entry);
+ }
+ if (ctx.user == null) ctx.user = new HashMap();
+ if (ctx.user.entity == null) ctx.user.entity = new HashMap();
+ if (ctx.user.entity.relationships == null) ctx.user.entity.relationships = new HashMap();
+ ctx.user.entity.relationships.put("owns", owns);
+ - rename:
+ field: supervises
+ target_field: entityanalytics_okta.user.supervises
+ tag: rename_user_supervises
+ ignore_missing: true
+ - script:
+ lang: painless
+ tag: painless_set_user_entity_relationships_supervises
+ description: Build user.entity.relationships.supervises from supervised user list.
+ if: ctx.entityanalytics_okta?.user?.supervises instanceof List
+ source: |
+ def supervises = new ArrayList();
+ for (def supervised : ctx.entityanalytics_okta.user.supervises) {
+ def entry = new HashMap();
+ if (supervised?.user_id != null) entry.put("user_id", supervised.user_id);
+ if (supervised?.email != null) entry.put("email", supervised.email);
+ if (supervised?.username != null) entry.put("username", supervised.username);
+ supervises.add(entry);
+ }
+ if (ctx.user == null) ctx.user = new HashMap();
+ if (ctx.user.entity == null) ctx.user.entity = new HashMap();
+ if (ctx.user.entity.relationships == null) ctx.user.entity.relationships = new HashMap();
+ ctx.user.entity.relationships.put("supervises", supervises);
- rename:
field: okta.transitioningToStatus
target_field: entityanalytics_okta.user.transitioning_to_status
@@ -630,6 +734,11 @@ processors:
copy_from: entityanalytics_okta.user.profile.manager.id
tag: set_user_profile_manager
ignore_empty_value: true
+ - set:
+ field: user.entity.relationships.administered_by.user_id
+ copy_from: entityanalytics_okta.user.profile.manager.id
+ tag: set_user_entity_relationships_administered_by_user_id
+ ignore_empty_value: true
- rename:
field: okta.profile.manager
target_field: entityanalytics_okta.user.profile.manager.name
@@ -641,6 +750,11 @@ processors:
tag: append_user_profile_manager_name_into_related_user
allow_duplicates: false
if: ctx.entityanalytics_okta?.user?.profile?.manager?.name != null
+ - set:
+ field: user.entity.relationships.administered_by.username
+ copy_from: entityanalytics_okta.user.profile.manager.name
+ tag: set_user_entity_relationships_administered_by_username
+ ignore_empty_value: true
- set:
field: okta.credentials.recovery_question.is_set
value: true
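Review bot: `painless_set_mfa_enabled` only ever writes `mfa_enabled: true`; when the factors list is present but holds no ACTIVE factor the attribute stays absent, so a consumer cannot tell "enrichment ran and found no active factor" from "enrichment not enabled", and a query for `user.entity.attributes.mfa_enabled: false` never matches. Computing a boolean in the loop and writing it unconditionally (the `if:` guard on the processor still limits this to documents that carry a factors list) gives an explicit false in that case, as below. The loop also counts any ACTIVE factor regardless of `factorType`, so a knowledge factor such as a security question would mark the user MFA-enabled; if that is intended, say so in the processor `description`, otherwise filter on `factorType`. `rename_user_roles_permissions.lastUpdated` is the only dotted tag in the hunk; `rename_user_roles_permissions_last_updated` matches the others. The enclosing `processors` list starts and ends outside the hunk.
```yaml
      # … unchanged: lang, tag, description, if …
      source: |
        boolean enabled = false;
        for (def f : ctx.entityanalytics_okta.user.factors) {
          if ("ACTIVE".equals(f?.status)) {
            enabled = true;
            break;
          }
        }
        if (ctx.user == null) ctx.user = new HashMap();
        if (ctx.user.entity == null) ctx.user.entity = new HashMap();
        if (ctx.user.entity.attributes == null) ctx.user.entity.attributes = new HashMap();
        ctx.user.entity.attributes.put("mfa_enabled", enabled);
```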
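Review bot: In the `@@ -641` hunk `user.entity.relationships.administered_by.username` is filled from `entityanalytics_okta.user.profile.manager.name`, which the context lines show is the renamed `okta.profile.manager` value — a manager display name, not a login — so the field will not line up with `user.name`/`username` values elsewhere in the stream the way `administered_by.user_id` (from `manager.id` in the `@@ -630` hunk) does. Unless the manager login is resolved somewhere outside this diff, either source the field from a login attribute or document on the processor that it carries the display name: `tag: set_user_entity_relationships_administered_by_username  # manager display name; Okta profile.manager is not a login`. The `supervises` script above builds `username` from `supervised.username`, so the two relationships currently disagree on what the key means.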
@@ -716,6 +830,7 @@ processors:
- entityanalytics_okta.user.profile.country_code
- entityanalytics_okta.user.profile.second_email
- entityanalytics_okta.user.profile.user_type
+ - entityanalytics_okta.user.factors
tag: remove_duplicate_custom_fields
ignore_missing: true
if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
diff --git a/packages/entityanalytics_okta/data_stream/entity/fields/ecs.yml b/packages/entityanalytics_okta/data_stream/entity/fields/ecs.yml
index 61b1130c100..a76479f2ab3 100644
--- a/packages/entityanalytics_okta/data_stream/entity/fields/ecs.yml
+++ b/packages/entityanalytics_okta/data_stream/entity/fields/ecs.yml
@@ -102,6 +102,58 @@
type: keyword
- name: type
type: keyword
+ - name: entity
+ type: group
+ fields:
+ - name: lifecycle
+ type: group
+ fields:
+ - name: last_activity
+ type: date
+ - name: relationships
+ type: group
+ fields:
+ - name: administered_by
+ type: group
+ fields:
+ - name: user_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: owns
+ type: group
+ fields:
+ - name: host_id
+ type: keyword
+ - name: hostname
+ type: keyword
+ - name: supervises
+ type: group
+ fields:
+ - name: user_id
+ type: keyword
+ - name: email
+ type: keyword
+ - name: username
+ type: keyword
+ - name: attributes
+ type: group
+ fields:
+ - name: mfa_enabled
+ type: boolean
+ - name: permissions
+ type: keyword
+- name: host
+ type: group
+ fields:
+ - name: entity
+ type: group
+ fields:
+ - name: attributes
+ type: group
+ fields:
+ - name: managed
+ type: boolean
- name: device.serial_number
type: keyword
description: The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication.
diff --git a/packages/entityanalytics_okta/data_stream/entity/fields/fields.yml b/packages/entityanalytics_okta/data_stream/entity/fields/fields.yml
index 90f3445e5d4..b180484935f 100644
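Review bot: Only `entityanalytics_okta.user.factors` is added to the `remove_duplicate_custom_fields` list, while `entityanalytics_okta.user.devices` and `entityanalytics_okta.user.supervises`, which the same pipeline creates by `rename` in the earlier hunk, do not appear in the visible part of the list; if they are meant to be kept regardless of the `preserve_duplicate_custom_fields` tag, a comment beside the list saying so would stop the next reader from treating it as an omission. Removing the raw factor records by default is the right call, since their flattened `profile` can carry enrollment details that are already summarised in `mfa_enabled`; a one-line comment such as `# factors are summarised into user.entity.attributes.mfa_enabled; raw records are kept only on request` would record that reasoning. The `field` list starts outside the hunk.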
--- a/packages/entityanalytics_okta/data_stream/entity/fields/fields.yml
+++ b/packages/entityanalytics_okta/data_stream/entity/fields/fields.yml
@@ -210,6 +210,50 @@
- name: type
type: flattened
description: user type that determines the schema for the user's profile.
+ - name: factors
+ type: group
+ description: MFA factors enrolled for the user.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID for the factor.
+ - name: factorType
+ type: keyword
+ description: Type of factor.
+ - name: provider
+ type: keyword
+ description: Factor provider.
+ - name: vendorName
+ type: keyword
+ description: Factor vendor name.
+ - name: status
+ type: keyword
+ description: Factor status.
+ - name: created
+ type: date
+ description: When the factor was created.
+ - name: lastUpdated
+ type: date
+ description: When the factor was last updated.
+ - name: profile
+ type: flattened
+ description: Factor profile details.
+ - name: devices
+ type: flattened
+ description: Devices enrolled for the user.
+ - name: supervises
+ type: group
+ description: Users supervised by (direct reports of) this user.
+ fields:
+ - name: user_id
+ type: keyword
+ description: The supervised user's ID.
+ - name: email
+ type: keyword
+ description: The supervised user's email address.
+ - name: username
+ type: keyword
+ description: The supervised user's login name.
- name: groups
type: group
fields:
@@ -245,3 +289,18 @@
- name: assignment_type
type: keyword
description: The Okta type the role is assigned to.
+ - name: role
+ type: keyword
+ description: The role definition ID for custom roles.
+ - name: permissions
+ type: group
+ fields:
+ - name: label
+ type: keyword
+ description: Permission label.
+ - name: created
+ type: date
+ description: When the permission was created.
+ - name: last_updated
+ type: date
+ description: When the permission was last updated.
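Review bot: The new `factors` group declares `factorType`, `vendorName` and `lastUpdated` in camelCase, whereas every other field in this file is snake_case (`assignment_type`, `last_updated`), and the `permissions` group added in the second hunk does get `last_updated` because the `user.yml` hunk renames it; the factor records get no such rename, so the raw Okta keys leak into the mapping. Either add `rename` processors for those three keys in `user.yml` and declare `factor_type`, `vendor_name`, `last_updated` here, or state in the `factors` description that the keys are kept exactly as Okta emits them. `devices` is `flattened` while `factors` and `supervises` are groups; a sentence in its description explaining why device sub-fields are deliberately not mapped would keep that from reading as an oversight.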
diff --git a/packages/entityanalytics_okta/data_stream/entity/manifest.yml b/packages/entityanalytics_okta/data_stream/entity/manifest.yml
index e8e1b71ac9b..0387da55410 100644
--- a/packages/entityanalytics_okta/data_stream/entity/manifest.yml
+++ b/packages/entityanalytics_okta/data_stream/entity/manifest.yml
@@ -130,6 +130,49 @@ streams:
users' actions. Enabling this setting increases the number of requests to the /api/v1/users endpoint, with one request per user, which counts toward your Okta rate limits.
+ - name: enrich_user_factors
+ type: bool
+ title: Enrich User Factors
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >-
+ Enrich user entities with their Okta MFA factor data to determine whether MFA is enabled.
+ Enabling this setting increases the number of requests to the /api/v1/users endpoint,
+ with one request per user, which counts toward your Okta rate limits.
+ - name: enrich_user_perms
+ type: bool
+ title: Enrich User Permissions
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >-
+ Enrich user entities with the permissions assigned to their custom Okta roles. Enabling
+ this option implicitly enables role enrichment. Requires the okta.roles.read OAuth2 scope
+ and introduces one additional API call per custom role per user.
+ - name: enrich_user_devices
+ type: bool
+ title: Enrich User Devices
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >-
+ Enrich user entities with the list of devices enrolled for each user. Enabling this
+ setting increases the number of requests to the Okta API, with one request per user,
+ which counts toward your Okta rate limits.
+ - name: enrich_user_supervises
+ type: bool
+ title: Enrich User Supervises
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: >-
+ Enrich user entities with the list of users they supervise (direct reports). This data
+ is derived from the managerId field and does not require additional API calls.
- name: sync_interval
type: text
title: Sync Interval
diff --git a/packages/entityanalytics_okta/data_stream/user/fields/ecs.yml b/packages/entityanalytics_okta/data_stream/user/fields/ecs.yml
index 7ab99caceaf..932471918a6 100644
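Review bot: The `enrich_user_factors` description says it adds requests to "the /api/v1/users endpoint, with one request per user", wording that matches the roles option above it; factor data comes from a per-user sub-resource of that endpoint, so naming it (or saying "one additional request per user to the user's factors resource") is more accurate for operators sizing their rate-limit budget. `enrich_user_perms` states the OAuth2 scope it needs (`okta.roles.read`) but `enrich_user_factors` and `enrich_user_devices` do not, and a missing scope only surfaces as a runtime API error; each description should name its required scope the same way. The enclosing `vars` list starts and ends outside the hunk.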
--- a/packages/entityanalytics_okta/data_stream/user/fields/ecs.yml
+++ b/packages/entityanalytics_okta/data_stream/user/fields/ecs.yml
@@ -102,3 +102,44 @@
type: keyword
- name: type
type: keyword
+ - name: entity
+ type: group
+ fields:
+ - name: lifecycle
+ type: group
+ fields:
+ - name: last_activity
+ type: date
+ - name: relationships
+ type: group
+ fields:
+ - name: administered_by
+ type: group
+ fields:
+ - name: user_id
+ type: keyword
+ - name: username
+ type: keyword
+ - name: owns
+ type: group
+ fields:
+ - name: host_id
+ type: keyword
+ - name: hostname
+ type: keyword
+ - name: supervises
+ type: group
+ fields:
+ - name: user_id
+ type: keyword
+ - name: email
+ type: keyword
+ - name: username
+ type: keyword
+ - name: attributes
+ type: group
+ fields:
+ - name: mfa_enabled
+ type: boolean
+ - name: permissions
+ type: keyword
diff --git a/packages/entityanalytics_okta/data_stream/user/fields/fields.yml b/packages/entityanalytics_okta/data_stream/user/fields/fields.yml
index 08d898acb54..e97b489d693 100644
--- a/packages/entityanalytics_okta/data_stream/user/fields/fields.yml
+++ b/packages/entityanalytics_okta/data_stream/user/fields/fields.yml
@@ -157,6 +157,22 @@
- name: type
type: flattened
description: user type that determines the schema for the user's profile.
+ - name: devices
+ type: flattened
+ description: Devices enrolled for the user.
+ - name: supervises
+ type: group
+ description: Users supervised by (direct reports of) this user.
+ fields:
+ - name: user_id
+ type: keyword
+ description: The supervised user's ID.
+ - name: email
+ type: keyword
+ description: The supervised user's email address.
+ - name: username
+ type: keyword
+ description: The supervised user's login name.
- name: groups
type: group
fields:
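Review bot: The `user` data stream's `fields.yml` hunk adds `devices` and `supervises` but not the `factors` group that the entity stream's `fields.yml` gains in this diff, even though the user stream's `ecs.yml` hunk just above does add `user.entity.attributes.mfa_enabled`; if the user stream receives the same raw `factors` records, their sub-fields will be unmapped there, and if it deliberately does not, a comment next to `devices` noting that factors are summarised only should make the asymmetry explicit. Keeping the two `fields.yml` files in step is what prevents mapping drift between the streams, so this is worth settling before release.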
@@ -192,3 +208,18 @@ - name: assignment_type type: keyword description: The Okta type the role is assigned to. + - name: role + type: keyword + description: The role definition ID for custom roles. + - name: permissions + type: group + fields: + - name: label + type: keyword + description: Permission label. + - name: created + type: date + description: When the permission was created. + - name: last_updated + type: date + description: When the permission was last updated. diff --git a/packages/entityanalytics_okta/docs/README.md b/packages/entityanalytics_okta/docs/README.md index 733db50d43c..691193127b2 100644 --- a/packages/entityanalytics_okta/docs/README.md +++ b/packages/entityanalytics_okta/docs/README.md @@ -294,6 +294,7 @@ This is the `Device` dataset. | entityanalytics_okta.device.users | Users associated with the device. | flattened | | event.dataset | Event dataset. | constant_keyword | | event.module | Event module. | constant_keyword | +| host.entity.attributes.managed | | boolean | | input.type | Type of filebeat input. | keyword | | labels.identity_source | | keyword | | log.offset | Log offset. | long | @@ -357,6 +358,10 @@ This is the `User` dataset. | entityanalytics_okta.roles.id | The ID for the role. | keyword | | entityanalytics_okta.roles.label | Name of the role. | keyword | | entityanalytics_okta.roles.last_updated | When the role was last updated. | date | +| entityanalytics_okta.roles.permissions.created | When the permission was created. | date | +| entityanalytics_okta.roles.permissions.label | Permission label. | keyword | +| entityanalytics_okta.roles.permissions.last_updated | When the permission was last updated. | date | +| entityanalytics_okta.roles.role | The role definition ID for custom roles. | keyword | | entityanalytics_okta.roles.status | Role status. | keyword | | entityanalytics_okta.roles.type | Okta role type. | keyword | | entityanalytics_okta.user._embedded | embedded resources related to the user. | flattened | 
@@ -366,6 +371,7 @@ This is the `User` dataset. | entityanalytics_okta.user.credentials.provider.name | | keyword | | entityanalytics_okta.user.credentials.provider.type | | keyword | | entityanalytics_okta.user.credentials.recovery_question.is_set | | boolean | +| entityanalytics_okta.user.devices | Devices enrolled for the user. | flattened | | entityanalytics_okta.user.id | unique key for user. | keyword | | entityanalytics_okta.user.last_login | timestamp of last login. | date | | entityanalytics_okta.user.last_updated | timestamp when user was last updated. | date | @@ -404,6 +410,9 @@ This is the `User` dataset. | entityanalytics_okta.user.profile.zip_code | ZIP code or postal code component of user's address (postalCode). | keyword | | entityanalytics_okta.user.status | current status of user. | keyword | | entityanalytics_okta.user.status_changed | timestamp when status last changed. | date | +| entityanalytics_okta.user.supervises.email | The supervised user's email address. | keyword | +| entityanalytics_okta.user.supervises.user_id | The supervised user's ID. | keyword | +| entityanalytics_okta.user.supervises.username | The supervised user's login name. | keyword | | entityanalytics_okta.user.transitioning_to_status | target status of an in-progress asynchronous status transition. | keyword | | entityanalytics_okta.user.type | user type that determines the schema for the user's profile. | flattened | | event.dataset | Event dataset. | constant_keyword | 
@@ -420,6 +429,16 @@ This is the `User` dataset. | user.account.status.password_expired | | boolean | | user.account.status.recovery | | boolean | | user.account.status.suspended | | boolean | +| user.entity.attributes.mfa_enabled | | boolean | +| user.entity.attributes.permissions | | keyword | +| user.entity.lifecycle.last_activity | | date | +| user.entity.relationships.administered_by.user_id | | keyword | +| user.entity.relationships.administered_by.username | | keyword | +| user.entity.relationships.owns.host_id | | keyword | +| user.entity.relationships.owns.hostname | | keyword | +| user.entity.relationships.supervises.email | | keyword | +| user.entity.relationships.supervises.user_id | | keyword | +| user.entity.relationships.supervises.username | | keyword | | user.geo.city_name | | keyword | | user.geo.country_iso_code | | keyword | | user.geo.name | | keyword | diff --git a/packages/entityanalytics_okta/manifest.yml b/packages/entityanalytics_okta/manifest.yml index 2c61240b3ed..eb4750372e5 100644 --- a/packages/entityanalytics_okta/manifest.yml +++ b/packages/entityanalytics_okta/manifest.yml @@ -1,14 +1,14 @@ format_version: "3.0.2" name: entityanalytics_okta title: Okta Entity Analytics -version: "3.0.0" +version: "3.1.0" description: "Collect Identities from Okta with Elastic Agent." type: integration categories: - security conditions: kibana: - version: "~9.2.6 || ^9.3.1" + version: "^9.4.0" elastic: subscription: "basic" screenshots:
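Review bot: The `kibana.version` constraint moves from `~9.2.6 || ^9.3.1` to `^9.4.0`, which drops installs on 9.2.x and 9.3.x; a minor bump to `3.1.0` labelled as an enhancement does not signal that to users, so the release note for this version should state the raised minimum Kibana version, or the constraint should stay as it was if the new ECS entity fields do not actually require 9.4. The rest of the `manifest.yml` hunk is a plain version bump.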