[okta] Fix user.target.email never being set for target users #18528

Draft
seanrathier wants to merge 1 commit into main from fix/okta-user-target-email-field-name


@seanrathier
Contributor

Summary

user.target.email is never populated for Okta target user entities due to a field name mismatch in the ingest pipeline.

Root cause: The pipeline's Painless script (tag: okta-target-modifications) renames alternateId → alternate_id on every entry in okta.target. The first User-type entry is then stored as okta_target_user. However, the subsequent set processor references okta_target_user.login — a field that was never created — instead of okta_target_user.alternate_id.

# Before (broken): condition is always false, email never set
- set:
    field: user.target.email
    copy_from: okta_target_user.login        # ← field does not exist
    if: ctx.okta_target_user?.login != null

# After (fixed):
- set:
    field: user.target.email
    copy_from: okta_target_user.alternate_id  # ← field set by the Painless script
    if: ctx.okta_target_user?.alternate_id != null

Impact: Any feature that reads user.target.email from Okta system logs (e.g. Entity Analytics communicates_with relationship maintainer) receives no data from this index, even when hundreds of thousands of qualifying events are present.

Test plan

  • Ingest an Okta application.user_membership.add or similar event with a User-type target
  • Confirm user.target.email is now populated with the target user's login/email (previously null)
  • Confirm user.target.full_name and user.target.id are unaffected

The ingest pipeline Painless script renames okta.target[].alternateId
to alternate_id, but the subsequent `set` processor references the
non-existent field okta_target_user.login. Because the condition
`ctx.okta_target_user?.login != null` is always false, user.target.email
is never populated for target user entities.

Fix: copy from alternate_id (the renamed field) instead of login.
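
The mismatch described in this PR, modeled as an added Python example (not code from the PR or from the integration). `rename_targets` and `set_email` are hypothetical stand-ins for the Painless script and the `set` processor as the description characterizes them, and the event is constructed sample data.

```python
import copy

# Constructed Okta System Log event (sample data, not taken from the PR).
SAMPLE_EVENT = {
    "okta": {
        "event_type": "application.user_membership.add",
        "target": [
            {"type": "AppInstance", "alternateId": "Example App", "id": "0oa-constructed"},
            {"type": "User", "alternateId": "jane.doe@example.com", "id": "00u-constructed"},
        ],
    }
}


def rename_targets(ctx):
    """Assumed model of the script step: rename alternateId -> alternate_id on
    every okta.target entry, then keep the first User-type entry as
    okta_target_user."""
    for entry in ctx.get("okta", {}).get("target") or []:
        if "alternateId" in entry:
            entry["alternate_id"] = entry.pop("alternateId")
        if entry.get("type") == "User" and "okta_target_user" not in ctx:
            ctx["okta_target_user"] = entry
    return ctx


def set_email(ctx, source_key):
    """Assumed model of the `set` processor: copy okta_target_user.<source_key>
    into user.target.email only when that source field is not null."""
    value = (ctx.get("okta_target_user") or {}).get(source_key)
    if value is not None:
        ctx.setdefault("user", {}).setdefault("target", {})["email"] = value
    return ctx


def run_pipeline(event, source_key):
    """Run both steps on a copy of the event and return user.target.email."""
    ctx = rename_targets(copy.deepcopy(event))
    ctx = set_email(ctx, source_key)
    return ctx.get("user", {}).get("target", {}).get("email")


if __name__ == "__main__":
    # "login" is the field the broken processor reads; "alternate_id" is the fix.
    print("before (login):       ", run_pipeline(SAMPLE_EVENT, "login"))
    print("after  (alternate_id):", run_pipeline(SAMPLE_EVENT, "alternate_id"))
```

The same pair of calls works as a regression check for the test plan: the `login` variant must stay empty and the `alternate_id` variant must return the target user's address.
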
@seanrathier seanrathier requested a review from a team as a code owner April 20, 2026 17:03
@elasticmachine

elasticmachine commented Apr 20, 2026

💔 Build Failed

Failed CI Steps

History

@andrewkroh andrewkroh added Integration:okta Okta Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Apr 20, 2026
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@seanrathier seanrathier marked this pull request as draft April 20, 2026 21:51