diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml index 43389ffd681..a0c4fbaa491 100644 --- a/packages/okta/changelog.yml +++ b/packages/okta/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.12.0" + changes: + - description: Sets the ECS event categorization fields for system data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/15860 - version: "3.11.0" changes: - description: Added support for rate_limit_early_limit configuration to start rate-limiting before reaching the API response limit. diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json index 80bbd060a51..2fe09d06959 100644 --- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json @@ -26,8 +26,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -136,6 +136,9 @@ "name": "username@elastic.co" } }, + "tags": [ + "event-hook-eligiblesessionuser" + ], "user": { "email": "username@elastic.co", "full_name": "xxxxxx", diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json index 35b89e2cde8..47bdd789d42 100644 --- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json 
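Review bot: The `tags` value added in the `@@ -136,6 +136,9 @@` hunk, `"event-hook-eligiblesessionuser"`, looks like several labels fused into one string. The same pattern recurs in the `.log-expected.json` hunks, for example `"end-user-visibleevent-hook-eligiblesessionuser"`, `"event-hook-eligiblemfa"` and `"device-identityevent-hook-eligibleoie-onlyuser"`. The pipeline change is not in view, so this is inferred, but it reads as if a multi-valued tag list is appended without being split on its delimiter. An exact-term filter such as `tags: "event-hook-eligible"` would then miss these documents, and the regenerated fixtures now pin the fused value as correct output. I would split the source value before appending, so the expectation becomes presumably `"tags": ["event-hook-eligible", "session", "user"]`, and then regenerate the expected files.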
@@ -26,8 +26,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -134,6 +134,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -181,8 +182,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -290,7 +291,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -459,7 +461,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -506,8 +509,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -614,6 +617,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -661,8 +665,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -770,7 +774,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -939,7 +944,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -986,8 +992,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", 
@@ -1094,6 +1100,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -1141,8 +1148,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -1250,7 +1257,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -1419,7 +1427,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -1465,8 +1474,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -1556,6 +1565,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -1602,8 +1612,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -1694,7 +1704,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -1845,7 +1856,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -1898,8 +1910,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -2045,7 +2057,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "test@test.com", 
@@ -2091,10 +2104,16 @@ }, "event": { "action": "user.authentication.verify", + "category": [ + "authentication" + ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2218,6 +2237,7 @@ } }, "tags": [ + "end-user-visibleuser", "preserve_original_event" ], "user": { 
@@ -2269,10 +2289,16 @@ }, "event": { "action": "user.authentication.verify", + "category": [ + "authentication" + ], "id": "c32ae8ec-7a68-11ed-b8a7-9134a086ef85", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"Snipped_User@domain.com\",\"detailEntry\":null,\"displayName\":\"Last_name, First_Name\",\"id\":\"user_id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102qmxOh1EdTHqn1_86CB9fzA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"unknown\",\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"unknown\",\"os\":\"unknown\",\"rawUserAgent\":\"unknown\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}\",\"dtHash\":\"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa\",\"requestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"requestUri\":\"/api/v1/authn\",\"risk\":\"{reasons=Anomalous Device, Anomalous Location, level=HIGH}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"Verify user 
identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-12-12T22:03:08.791Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":1828,\"asOrg\":\"org\",\"domain\":\"domain.com\",\"isProxy\":false,\"isp\":\"isp\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"type\":\"WEB\"},\"uuid\":\"c32ae8ec-7a68-11ed-b8a7-9134a086ef85\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2407,6 +2433,7 @@ } }, "tags": [ + "end-user-visibleuser", "preserve_original_event" ], "user": { 
@@ -2453,10 +2480,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"uuid\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown mobile\",\"rawUserAgent\":\"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"uuid\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"factor\":\"OKTA_VERIFY_PUSH\",\"requestId\":\"uuid\",\"requestUri\":\"/api/v1/authn/factors/id/transactions/id/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/id/transactions/id/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:56:36.909Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":3303,\"asOrg\":\"bluewin is an lir and isp in switzerland.\",\"domain\":\"swisscom.ch\",\"isProxy\":false,\"isp\":\"swisscom (schweiz) ag\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"uuid\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2579,6 +2612,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -2634,10 +2668,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2769,6 +2809,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -2823,10 +2864,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target_user@blah.co\",\"detailEntry\":null,\"displayName\":\"Test Target User\",\"id\":\"00udfsat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"software-users\",\"id\":\"00gofdasfdsat7\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2965,6 +3012,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -3031,8 +3079,10 @@ "original": "{\"actor\":{\"alternateId\":\"actor.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test Actor User\",\"id\":\"randomidhere\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"602deqxi8mycjkwk3sth4ci6cxxtr9rr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"192.168.7.19\",\"userAgent\":{\"browser\":\"CHROME\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"veqflnui3t7ql7k6v0nptw9lipilzybr\",\"requestId\":\"3bsdgs8tyatf74aufwsvkt7lv1i9x0o9\",\"requestUri\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser\",\"url\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?\"}},\"device\":null,\"displayMessage\":\"Add user to group membership\",\"eventType\":\"group.user_membership.add\",\"legacyEventType\":\"core.user_group_member.user_add\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-26T16:25:06.297Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"ip\":\"192.168.7.19\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":6461,\"asOrg\":\"elasticsearch inc\",\"domain\":\"thisisadomain.com\",\"isProxy\":false,\"isp\":\"bandwidth\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target.user@test.com\",\"detailEntry\":null,\"displayName\":\"Target User Test 
Name\",\"id\":\"7cexsxmg5m671po4lmyb29a0knaqpaqg\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"Sales\",\"id\":\"h23gdxfk7jc8kf5fb923xc1lt5ojey93\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"448ahm88tkkxo0npwiu28ws20oj38nya\",\"type\":\"WEB\"},\"uuid\":\"B96ED4D1-D013-4A13-AEFE-A67FA32C5747\",\"version\":\"0\"}", "outcome": "success", "type": [ - "group", - "change" + "change", + "user", + "creation", + "group" ] }, "okta": { @@ -3145,6 +3195,7 @@ } }, "tags": [ + "event-hook-eligiblegroup", "preserve_original_event" ], "user": { 
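Review bot: `event.type` for `group.user_membership.add` now carries `"user"` and `"creation"` next to `"change"` and `"group"`, which labels a group-membership change as an account creation. The two `device.user.add` hunks further down do the same, expecting `"type": ["user", "creation"]` under `"category": ["iam"]` for an "Add device to user" event. A search for new accounts built on `event.category: iam` with `event.type: creation` would return these events as well. The categorization mapping is outside this diff, so please confirm it is intended; otherwise `"type": ["group", "change"]` for the membership add and `"type": ["user", "change"]` for the device enrolment would describe the action more closely. This hunk starts inside the event object, so its `event.category` is not visible here.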
@@ -3189,10 +3240,16 @@ }, "event": { "action": "app.user_management", + "category": [ + "configuration" + ], "id": "23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"system@okta.com\",\"detailEntry\":null,\"displayName\":\"Okta System\",\"id\":\"spr294puarJOdUsWD1t7\",\"type\":\"SystemPrincipal\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"4ivdy6m56cqo8s6w57o6cvq5fbb409wr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":null,\"geographicalContext\":null,\"id\":null,\"ipAddress\":null,\"userAgent\":null,\"zone\":null},\"debugContext\":{\"debugData\":{}},\"device\":null,\"displayMessage\":\"Successfully imported new member to an app group\",\"eventType\":\"app.user_management\",\"legacyEventType\":\"app.user_management.app_group_member_import.insert_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-27T00:56:17.750Z\",\"request\":{\"ipChain\":[]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"domain.user@test.com\",\"id\":\"ew1qskfvt7mvqipcx6hxt3j95pqi01p8\",\"type\":\"AppUser\"},{\"alternateId\":\"group_email@test.com\",\"detailEntry\":null,\"displayName\":\"Payable\",\"id\":\"l2l6h6p946io0fwyd3jw7jzgy8sq6a61\",\"type\":\"AppGroup\"},{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"Domain User\",\"id\":\"9uuw5t9im68f03w5b9a3x72i18gugbqn\",\"type\":\"User\"},{\"alternateId\":\"G Suite\",\"detailEntry\":null,\"displayName\":\"Google 
Workspace\",\"id\":\"1a45g3hf19hvzgggw2ybn7e5q7xh0v4a\",\"type\":\"AppInstance\"}],\"transaction\":{\"detail\":{},\"id\":\"37r7dugr7fswsjdzv4r97layultdf19r\",\"type\":\"JOB\"},\"uuid\":\"23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -3258,7 +3315,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "app-user-management" ], "user": { "email": "system@okta.com", @@ -3394,6 +3452,7 @@ } }, "tags": [ + "event-hook-eligibleuser", "preserve_original_event" ], "user": { @@ -3530,6 +3589,7 @@ } }, "tags": [ + "event-hook-eligibleuser", "preserve_original_event" ], "user": { 
@@ -3569,10 +3629,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "150A5E5C-C236-426A-A0D1-B79F1E391A6B", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"idx123456asdsajA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"abc123456abc\",\"factor\":\"SIGNED_NONCE\",\"requestId\":\"123456abcdefghij\",\"requestUri\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify\",\"url\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-22T12:11:48.092Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":39544,\"asOrg\":\"vo energies catv customers - region of 
oron/vd\",\"domain\":\"voenergies.net\",\"isProxy\":false,\"isp\":\"vo energies multimedia sa\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":{\"methodTypeUsed\":\"Use Okta FastPass\",\"methodUsedVerifiedProperties\":\"[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]\"},\"displayName\":\"Okta Verify\",\"id\":\"00ua123456abcat7\",\"type\":\"AuthenticatorEnrollment\"}],\"transaction\":{\"detail\":{},\"id\":\"00ua123456abcat7\",\"type\":\"WEB\"},\"uuid\":\"150A5E5C-C236-426A-A0D1-B79F1E391A6B\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -3691,6 +3757,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -3741,10 +3808,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"XXXXXXXXXXXXXXXXXX\",\"requestUri\":\"/idp/authenticators\",\"url\":\"/idp/authenticators?\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -3850,6 +3924,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { 
@@ -3896,10 +3971,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null,\"rootSessionId\":\"xYz123\"},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"XXXXXXXXXXXXXXXXXX\",\"requestUri\":\"/idp/authenticators\",\"url\":\"/idp/authenticators?\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\",\"rootApiTokenId\":\"uIxB1234\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -4007,6 +4089,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { 
@@ -4053,10 +4136,16 @@ }, "event": { "action": "system.idp.lifecycle.update", + "category": [ + "configuration" + ], "id": "1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"bob@example.com\",\"detailEntry\":null,\"displayName\":\"Example Display Name\",\"id\":\"2h6z8d9g3c1h5q0u0h\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"PPnOj1MkDzz017IOa7ibM1fVF\",\"interface\":null,\"issuer\":null,\"rootSessionId\":\"trslP9xeLAISN2PxTGrXj33BA\"},\"client\":{\"device\":\"Unknown\",\"geographicalContext\":{\"city\":\"Council Bluffs\",\"country\":\"United States\",\"geolocation\":{\"lat\":41.2591,\"lon\":-95.8517},\"postalCode\":\"51502\",\"state\":\"Iowa\"},\"id\":null,\"ipAddress\":\"203.0.113.144\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown\",\"rawUserAgent\":\"pekko-http/1.2.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"8c2a5f7d1b3e9a4c6d09b6a1e32d847f9c5d1e2b6c0a5f8d2e9b01c3456789a\",\"protocol\":\"SAML 2.0\",\"requestId\":\"b2k8hJm5j17uL9W3S3ZfR9b2L2x\",\"requestUri\":\"/api/v1/idps/1i6q4p0j9g5zMv2g7a0x0y3\",\"url\":\"/api/v1/idps/1i6q4p0j9g5zMv2g7a0x0y3?\"}},\"device\":null,\"displayMessage\":\"Update an Identity Provider\",\"eventType\":\"system.idp.lifecycle.update\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2025-08-19T19: 49: 51.342Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":null,\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"},{\"geographicalContext\":{\"city\":\"Council Bluffs\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":41.2591,\"lon\":-95.8517},\"postalCode\":\"51502\",\"state\":\"Iowa\"},\"ip\":\"203.0.113.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":396982,\"asOrg\":\"google\",\"domain\":\"googleusercontent.com\",\"isProxy\":false,\"isp\":\"google\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"saml_idp\",\"changeDetails\":{\"from\":{\"policySubject\":{\"filter\":\"^$\",\"matchType\":\"USERNAME\",\"userNameTemplate\":{\"template\":\"idpuser.email\"}}},\"to\":{\"policySubject\":{\"filter\":\"^.+@(?i)(?:example\\\\.com)$\",\"matchType\":\"USERNAME\",\"userNameTemplate\":{\"template\":\"idpuser.email\"}}}},\"detailEntry\":null,\"displayName\":\"iam-service-tr-kl-9081549725-rgt-ad49c6\",\"id\":\"1i6q4p0j9g5zMv2g7a0x0y3\",\"type\":\"IdentityProvider\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"1t3u8Lxy5qA7kGj2F9d4\",\"rootApiTokenId\":\"1t3u8Lxy5qA7kGj2F9d4\"},\"id\":\"b2k8hJm5j17uL9W3S3ZfR9b2L2x\",\"type\":\"WEB\"},\"uuid\":\"1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "change" + ] }, "okta": { "actor": { @@ -4197,6 +4286,7 @@ } }, "tags": [ + "event-hook-eligible", "preserve_original_event" ], "user": { diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json index ac38a703c30..efc6c30d365 100644 --- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json @@ -26,8 +26,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", 
@@ -128,6 +128,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -175,8 +176,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -277,7 +278,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -439,7 +441,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -486,8 +489,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -588,6 +591,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -635,8 +639,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -737,7 +741,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -899,7 +904,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -946,8 +952,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -1048,6 +1054,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { 
@@ -1095,8 +1102,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -1197,7 +1204,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -1359,7 +1367,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -1405,8 +1414,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -1490,6 +1499,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -1536,8 +1546,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -1621,7 +1631,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -1765,7 +1776,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -1818,8 +1830,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -1959,7 +1971,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "test@test.com", 
@@ -2005,10 +2018,16 @@ }, "event": { "action": "user.authentication.verify", + "category": [ + "authentication" + ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2125,6 +2144,7 @@ } }, "tags": [ + "end-user-visibleuser", "preserve_original_event" ], "user": { 
@@ -2176,10 +2196,16 @@ }, "event": { "action": "user.authentication.verify", + "category": [ + "authentication" + ], "id": "c32ae8ec-7a68-11ed-b8a7-9134a086ef85", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"Snipped_User@domain.com\",\"detailEntry\":null,\"displayName\":\"Last_name, First_Name\",\"id\":\"user_id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102qmxOh1EdTHqn1_86CB9fzA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"unknown\",\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"unknown\",\"os\":\"unknown\",\"rawUserAgent\":\"unknown\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}\",\"dtHash\":\"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa\",\"requestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"requestUri\":\"/api/v1/authn\",\"risk\":\"{reasons=Anomalous Device, Anomalous Location, level=HIGH}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"Verify user 
identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-12-12T22:03:08.791Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":1828,\"asOrg\":\"org\",\"domain\":\"domain.com\",\"isProxy\":false,\"isp\":\"isp\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"type\":\"WEB\"},\"uuid\":\"c32ae8ec-7a68-11ed-b8a7-9134a086ef85\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2307,6 +2333,7 @@ } }, "tags": [ + "end-user-visibleuser", "preserve_original_event" ], "user": { 
@@ -2353,10 +2380,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"uuid\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown mobile\",\"rawUserAgent\":\"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"uuid\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"factor\":\"OKTA_VERIFY_PUSH\",\"requestId\":\"uuid\",\"requestUri\":\"/api/v1/authn/factors/id/transactions/id/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/id/transactions/id/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:56:36.909Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":3303,\"asOrg\":\"bluewin is an lir and isp in switzerland.\",\"domain\":\"swisscom.ch\",\"isProxy\":false,\"isp\":\"swisscom (schweiz) ag\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"uuid\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2472,6 +2505,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -2527,10 +2561,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2653,6 +2693,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -2707,10 +2748,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target_user@blah.co\",\"detailEntry\":null,\"displayName\":\"Test Target User\",\"id\":\"00udfsat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"software-users\",\"id\":\"00gofdasfdsat7\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2840,6 +2887,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -2906,8 +2954,10 @@ "original": "{\"actor\":{\"alternateId\":\"actor.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test Actor User\",\"id\":\"randomidhere\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"602deqxi8mycjkwk3sth4ci6cxxtr9rr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"192.168.7.19\",\"userAgent\":{\"browser\":\"CHROME\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"veqflnui3t7ql7k6v0nptw9lipilzybr\",\"requestId\":\"3bsdgs8tyatf74aufwsvkt7lv1i9x0o9\",\"requestUri\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser\",\"url\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?\"}},\"device\":null,\"displayMessage\":\"Add user to group membership\",\"eventType\":\"group.user_membership.add\",\"legacyEventType\":\"core.user_group_member.user_add\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-26T16:25:06.297Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"ip\":\"192.168.7.19\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":6461,\"asOrg\":\"elasticsearch inc\",\"domain\":\"thisisadomain.com\",\"isProxy\":false,\"isp\":\"bandwidth\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target.user@test.com\",\"detailEntry\":null,\"displayName\":\"Target User Test 
Name\",\"id\":\"7cexsxmg5m671po4lmyb29a0knaqpaqg\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"Sales\",\"id\":\"h23gdxfk7jc8kf5fb923xc1lt5ojey93\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"448ahm88tkkxo0npwiu28ws20oj38nya\",\"type\":\"WEB\"},\"uuid\":\"B96ED4D1-D013-4A13-AEFE-A67FA32C5747\",\"version\":\"0\"}", "outcome": "success", "type": [ - "group", - "change" + "change", + "user", + "creation", + "group" ] }, "okta": { @@ -3014,6 +3064,7 @@ } }, "tags": [ + "event-hook-eligiblegroup", "preserve_original_event" ], "user": { 
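Review bot: `event.type` for `group.user_membership.add` now carries `creation` and `user` next to `group` and `change`, although the event's displayMessage is "Add user to group membership" and no account or group appears to be created. The `device.user.add` hunks do the same with `iam` plus `"user", "creation"` for adding a device to an existing user. Rules that watch for new accounts with `event.category: iam and event.type: creation` would presumably start matching every membership add and device enrolment. I would keep the previous `"group", "change"` here and use `"user", "change"` for `device.user.add`. The category line for this event is outside the hunk, and the mapping itself lives in the pipeline, which these hunks do not show.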
@@ -3058,10 +3109,16 @@ }, "event": { "action": "app.user_management", + "category": [ + "configuration" + ], "id": "23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"system@okta.com\",\"detailEntry\":null,\"displayName\":\"Okta System\",\"id\":\"spr294puarJOdUsWD1t7\",\"type\":\"SystemPrincipal\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"4ivdy6m56cqo8s6w57o6cvq5fbb409wr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":null,\"geographicalContext\":null,\"id\":null,\"ipAddress\":null,\"userAgent\":null,\"zone\":null},\"debugContext\":{\"debugData\":{}},\"device\":null,\"displayMessage\":\"Successfully imported new member to an app group\",\"eventType\":\"app.user_management\",\"legacyEventType\":\"app.user_management.app_group_member_import.insert_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-27T00:56:17.750Z\",\"request\":{\"ipChain\":[]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"domain.user@test.com\",\"id\":\"ew1qskfvt7mvqipcx6hxt3j95pqi01p8\",\"type\":\"AppUser\"},{\"alternateId\":\"group_email@test.com\",\"detailEntry\":null,\"displayName\":\"Payable\",\"id\":\"l2l6h6p946io0fwyd3jw7jzgy8sq6a61\",\"type\":\"AppGroup\"},{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"Domain User\",\"id\":\"9uuw5t9im68f03w5b9a3x72i18gugbqn\",\"type\":\"User\"},{\"alternateId\":\"G Suite\",\"detailEntry\":null,\"displayName\":\"Google 
Workspace\",\"id\":\"1a45g3hf19hvzgggw2ybn7e5q7xh0v4a\",\"type\":\"AppInstance\"}],\"transaction\":{\"detail\":{},\"id\":\"37r7dugr7fswsjdzv4r97layultdf19r\",\"type\":\"JOB\"},\"uuid\":\"23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -3127,7 +3184,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "app-user-management" ], "user": { "email": "system@okta.com", @@ -3263,6 +3321,7 @@ } }, "tags": [ + "event-hook-eligibleuser", "preserve_original_event" ], "user": { @@ -3399,6 +3458,7 @@ } }, "tags": [ + "event-hook-eligibleuser", "preserve_original_event" ], "user": { 
@@ -3438,10 +3498,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "150A5E5C-C236-426A-A0D1-B79F1E391A6B", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"idx123456asdsajA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"abc123456abc\",\"factor\":\"SIGNED_NONCE\",\"requestId\":\"123456abcdefghij\",\"requestUri\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify\",\"url\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-22T12:11:48.092Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":39544,\"asOrg\":\"vo energies catv customers - region of 
oron/vd\",\"domain\":\"voenergies.net\",\"isProxy\":false,\"isp\":\"vo energies multimedia sa\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":{\"methodTypeUsed\":\"Use Okta FastPass\",\"methodUsedVerifiedProperties\":\"[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]\"},\"displayName\":\"Okta Verify\",\"id\":\"00ua123456abcat7\",\"type\":\"AuthenticatorEnrollment\"}],\"transaction\":{\"detail\":{},\"id\":\"00ua123456abcat7\",\"type\":\"WEB\"},\"uuid\":\"150A5E5C-C236-426A-A0D1-B79F1E391A6B\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -3553,6 +3619,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -3603,10 +3670,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"XXXXXXXXXXXXXXXXXX\",\"requestUri\":\"/idp/authenticators\",\"url\":\"/idp/authenticators?\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -3707,6 +3781,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { 
@@ -3753,10 +3828,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"clientAuthType\":\"client_secret_post\",\"grantedScopes\":\"okta.logs.read\",\"requestId\":\"76094a4ec67ae862a88c9d274b2353c9\",\"responseTime\":\"269\",\"dtHash\":\"redacted\",\"clientSecret\":\"E5NMtFDu1xVWq6Stx_AlRA\",\"requestUri\":\"/oauth2/v1/token\",\"requestedScopes\":\"okta.logs.read\",\"threatSuspected\":\"false\",\"grantType\":\"client_credentials\",\"url\":\"/oauth2/v1/token?\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -3865,6 +3947,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { 
@@ -3911,10 +3994,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"clientAuthType\":\"client_secret_post\",\"grantedScopes\":\"okta.logs.read\",\"requestId\":\"76094a4ec67ae862a88c9d274b2353c9\",\"responseTime\":\"269\",\"dtHash\":\"redacted\",\"clientSecret\":\"E5NMtFDu1xVWq6Stx_AlRA\",\"requestUri\":\"/oauth2/v1/token\",\"requestedScopes\":\"okta.logs.read\",\"threatSuspected\":\"false\",\"grantType\":\"client_credentials\",\"url\":\"/oauth2/v1/token?\",\"tunnels\":\"[{\\\"anonymous\\\":true,\\\"operator\\\":\\\"WARP_VPN\\\",\\\"type\\\":\\\"VPN\\\"}]\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -4030,6 +4120,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { 
@@ -4076,10 +4167,16 @@ }, "event": { "action": "system.idp.lifecycle.update", + "category": [ + "configuration" + ], "id": "1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"bob@example.com\",\"detailEntry\":null,\"displayName\":\"Example Display Name\",\"id\":\"2h6z8d9g3c1h5q0u0h\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"PPnOj1MkDzz017IOa7ibM1fVF\",\"interface\":null,\"issuer\":null,\"rootSessionId\":\"trslP9xeLAISN2PxTGrXj33BA\"},\"client\":{\"device\":\"Unknown\",\"geographicalContext\":{\"city\":\"Council Bluffs\",\"country\":\"United States\",\"geolocation\":{\"lat\":41.2591,\"lon\":-95.8517},\"postalCode\":\"51502\",\"state\":\"Iowa\"},\"id\":null,\"ipAddress\":\"203.0.113.144\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown\",\"rawUserAgent\":\"pekko-http/1.2.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"8c2a5f7d1b3e9a4c6d09b6a1e32d847f9c5d1e2b6c0a5f8d2e9b01c3456789a\",\"protocol\":\"SAML 2.0\",\"requestId\":\"b2k8hJm5j17uL9W3S3ZfR9b2L2x\",\"requestUri\":\"/api/v1/idps/1i6q4p0j9g5zMv2g7a0x0y3\",\"url\":\"/api/v1/idps/1i6q4p0j9g5zMv2g7a0x0y3?\"}},\"device\":null,\"displayMessage\":\"Update an Identity Provider\",\"eventType\":\"system.idp.lifecycle.update\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2025-08-19T19: 49: 51.342Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":null,\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"},{\"geographicalContext\":{\"city\":\"Council Bluffs\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":41.2591,\"lon\":-95.8517},\"postalCode\":\"51502\",\"state\":\"Iowa\"},\"ip\":\"203.0.113.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":396982,\"asOrg\":\"google\",\"domain\":\"googleusercontent.com\",\"isProxy\":false,\"isp\":\"google\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"saml_idp\",\"changeDetails\":{\"from\":{\"policySubject\":{\"filter\":\"^$\",\"matchType\":\"USERNAME\",\"userNameTemplate\":{\"template\":\"idpuser.email\"}}},\"to\":{\"policySubject\":{\"filter\":\"^.+@(?i)(?:example\\\\.com)$\",\"matchType\":\"USERNAME\",\"userNameTemplate\":{\"template\":\"idpuser.email\"}}}},\"detailEntry\":null,\"displayName\":\"iam-service-tr-kl-9081549725-rgt-ad49c6\",\"id\":\"1i6q4p0j9g5zMv2g7a0x0y3\",\"type\":\"IdentityProvider\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"1t3u8Lxy5qA7kGj2F9d4\",\"rootApiTokenId\":\"1t3u8Lxy5qA7kGj2F9d4\"},\"id\":\"b2k8hJm5j17uL9W3S3ZfR9b2L2x\",\"type\":\"WEB\"},\"uuid\":\"1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "change" + ] }, "okta": { "actor": { @@ -4214,6 +4311,7 @@ } }, "tags": [ + "event-hook-eligible", "preserve_original_event" ], "user": { diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json index 17838005f82..a90e8478fc0 100644 --- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json @@ -26,8 +26,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", 
@@ -134,6 +134,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -181,8 +182,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -290,7 +291,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -459,7 +461,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -506,8 +509,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -614,6 +617,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -661,8 +665,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -770,7 +774,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -939,7 +944,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -986,8 +992,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -1094,6 +1100,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { 
@@ -1141,8 +1148,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -1250,7 +1257,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -1419,7 +1427,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -1465,8 +1474,8 @@ "event": { "action": "user.session.end", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -1556,6 +1565,7 @@ } }, "tags": [ + "event-hook-eligiblesessionuser", "preserve_original_event" ], "user": { @@ -1602,8 +1612,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", @@ -1694,7 +1704,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", @@ -1845,7 +1856,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "policy" ], "user": { "email": "xxxxxx@elastic.co", @@ -1898,8 +1910,8 @@ "event": { "action": "user.session.start", "category": [ - "authentication", - "session" + "session", + "authentication" ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", @@ -2045,7 +2057,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "test@test.com", 
@@ -2091,10 +2104,16 @@ }, "event": { "action": "user.authentication.verify", + "category": [ + "authentication" + ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2218,6 +2237,7 @@ } }, "tags": [ + "end-user-visibleuser", "preserve_original_event" ], "user": { 
@@ -2269,10 +2289,16 @@ }, "event": { "action": "user.authentication.verify", + "category": [ + "authentication" + ], "id": "c32ae8ec-7a68-11ed-b8a7-9134a086ef85", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"Snipped_User@domain.com\",\"detailEntry\":null,\"displayName\":\"Last_name, First_Name\",\"id\":\"user_id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102qmxOh1EdTHqn1_86CB9fzA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"unknown\",\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"unknown\",\"os\":\"unknown\",\"rawUserAgent\":\"unknown\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}\",\"dtHash\":\"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa\",\"requestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"requestUri\":\"/api/v1/authn\",\"risk\":\"{reasons=Anomalous Device, Anomalous Location, level=HIGH}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"Verify user 
identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-12-12T22:03:08.791Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":1828,\"asOrg\":\"org\",\"domain\":\"domain.com\",\"isProxy\":false,\"isp\":\"isp\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"type\":\"WEB\"},\"uuid\":\"c32ae8ec-7a68-11ed-b8a7-9134a086ef85\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2407,6 +2433,7 @@ } }, "tags": [ + "end-user-visibleuser", "preserve_original_event" ], "user": { 
@@ -2453,10 +2480,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"uuid\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown mobile\",\"rawUserAgent\":\"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"uuid\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"factor\":\"OKTA_VERIFY_PUSH\",\"requestId\":\"uuid\",\"requestUri\":\"/api/v1/authn/factors/id/transactions/id/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/id/transactions/id/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:56:36.909Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":3303,\"asOrg\":\"bluewin is an lir and isp in switzerland.\",\"domain\":\"swisscom.ch\",\"isProxy\":false,\"isp\":\"swisscom (schweiz) ag\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"uuid\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2579,6 +2612,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -2634,10 +2668,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2769,6 +2809,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -2823,10 +2864,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "uuid", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target_user@blah.co\",\"detailEntry\":null,\"displayName\":\"Test Target User\",\"id\":\"00udfsat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"software-users\",\"id\":\"00gofdasfdsat7\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -2965,6 +3012,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -3031,8 +3079,10 @@ "original": "{\"actor\":{\"alternateId\":\"actor.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test Actor User\",\"id\":\"randomidhere\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"602deqxi8mycjkwk3sth4ci6cxxtr9rr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"192.168.7.19\",\"userAgent\":{\"browser\":\"CHROME\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"veqflnui3t7ql7k6v0nptw9lipilzybr\",\"requestId\":\"3bsdgs8tyatf74aufwsvkt7lv1i9x0o9\",\"requestUri\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser\",\"url\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?\"}},\"device\":null,\"displayMessage\":\"Add user to group membership\",\"eventType\":\"group.user_membership.add\",\"legacyEventType\":\"core.user_group_member.user_add\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-26T16:25:06.297Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"ip\":\"192.168.7.19\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":6461,\"asOrg\":\"elasticsearch inc\",\"domain\":\"thisisadomain.com\",\"isProxy\":false,\"isp\":\"bandwidth\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target.user@test.com\",\"detailEntry\":null,\"displayName\":\"Target User Test 
Name\",\"id\":\"7cexsxmg5m671po4lmyb29a0knaqpaqg\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"Sales\",\"id\":\"h23gdxfk7jc8kf5fb923xc1lt5ojey93\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"448ahm88tkkxo0npwiu28ws20oj38nya\",\"type\":\"WEB\"},\"uuid\":\"B96ED4D1-D013-4A13-AEFE-A67FA32C5747\",\"version\":\"0\"}", "outcome": "success", "type": [ - "group", - "change" + "change", + "user", + "creation", + "group" ] }, "okta": { @@ -3145,6 +3195,7 @@ } }, "tags": [ + "event-hook-eligiblegroup", "preserve_original_event" ], "user": { 
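Review bot: The `event.type` list for `group.user_membership.add` grows from `"group", "change"` to `"change", "user", "creation", "group"`, and `creation` next to `user` reads as an account being created, while the event's own displayMessage is "Add user to group membership". Anyone counting account creations with `event.type: creation` would pick up every membership add; `event.category` for this document lies outside the hunk, so the pairing cannot be confirmed from here. I would keep the type at `"group", "change"` (adding `"user"` if the target matters) and reserve `creation` for events that create an object.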
@@ -3189,10 +3240,16 @@ }, "event": { "action": "app.user_management", + "category": [ + "configuration" + ], "id": "23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"system@okta.com\",\"detailEntry\":null,\"displayName\":\"Okta System\",\"id\":\"spr294puarJOdUsWD1t7\",\"type\":\"SystemPrincipal\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"4ivdy6m56cqo8s6w57o6cvq5fbb409wr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":null,\"geographicalContext\":null,\"id\":null,\"ipAddress\":null,\"userAgent\":null,\"zone\":null},\"debugContext\":{\"debugData\":{}},\"device\":null,\"displayMessage\":\"Successfully imported new member to an app group\",\"eventType\":\"app.user_management\",\"legacyEventType\":\"app.user_management.app_group_member_import.insert_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-27T00:56:17.750Z\",\"request\":{\"ipChain\":[]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"domain.user@test.com\",\"id\":\"ew1qskfvt7mvqipcx6hxt3j95pqi01p8\",\"type\":\"AppUser\"},{\"alternateId\":\"group_email@test.com\",\"detailEntry\":null,\"displayName\":\"Payable\",\"id\":\"l2l6h6p946io0fwyd3jw7jzgy8sq6a61\",\"type\":\"AppGroup\"},{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"Domain User\",\"id\":\"9uuw5t9im68f03w5b9a3x72i18gugbqn\",\"type\":\"User\"},{\"alternateId\":\"G Suite\",\"detailEntry\":null,\"displayName\":\"Google 
Workspace\",\"id\":\"1a45g3hf19hvzgggw2ybn7e5q7xh0v4a\",\"type\":\"AppInstance\"}],\"transaction\":{\"detail\":{},\"id\":\"37r7dugr7fswsjdzv4r97layultdf19r\",\"type\":\"JOB\"},\"uuid\":\"23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -3258,7 +3315,8 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "app-user-management" ], "user": { "email": "system@okta.com", @@ -3394,6 +3452,7 @@ } }, "tags": [ + "event-hook-eligibleuser", "preserve_original_event" ], "user": { @@ -3530,6 +3589,7 @@ } }, "tags": [ + "event-hook-eligibleuser", "preserve_original_event" ], "user": { 
@@ -3569,10 +3629,16 @@ }, "event": { "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], "id": "150A5E5C-C236-426A-A0D1-B79F1E391A6B", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"idx123456asdsajA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"abc123456abc\",\"factor\":\"SIGNED_NONCE\",\"requestId\":\"123456abcdefghij\",\"requestUri\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify\",\"url\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-22T12:11:48.092Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":39544,\"asOrg\":\"vo energies catv customers - region of 
oron/vd\",\"domain\":\"voenergies.net\",\"isProxy\":false,\"isp\":\"vo energies multimedia sa\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":{\"methodTypeUsed\":\"Use Okta FastPass\",\"methodUsedVerifiedProperties\":\"[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]\"},\"displayName\":\"Okta Verify\",\"id\":\"00ua123456abcat7\",\"type\":\"AuthenticatorEnrollment\"}],\"transaction\":{\"detail\":{},\"id\":\"00ua123456abcat7\",\"type\":\"WEB\"},\"uuid\":\"150A5E5C-C236-426A-A0D1-B79F1E391A6B\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "info" + ] }, "okta": { "actor": { @@ -3691,6 +3757,7 @@ } }, "tags": [ + "event-hook-eligiblemfa", "preserve_original_event" ], "user": { 
@@ -3741,10 +3808,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"XXXXXXXXXXXXXXXXXX\",\"requestUri\":\"/idp/authenticators\",\"url\":\"/idp/authenticators?\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -3850,6 +3924,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { 
@@ -3896,10 +3971,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"clientAuthType\":\"client_secret_post\",\"grantedScopes\":\"okta.logs.read\",\"requestId\":\"76094a4ec67ae862a88c9d274b2353c9\",\"responseTime\":\"269\",\"dtHash\":\"redacted\",\"clientSecret\":\"E5NMtFDu1xVWq6Stx_AlRA\",\"requestUri\":\"/oauth2/v1/token\",\"requestedScopes\":\"okta.logs.read\",\"threatSuspected\":\"false\",\"grantType\":\"client_credentials\",\"url\":\"/oauth2/v1/token?\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -4019,6 +4101,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { 
@@ -4065,10 +4148,17 @@ }, "event": { "action": "device.user.add", + "category": [ + "iam" + ], "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"clientAuthType\":\"client_secret_post\",\"grantedScopes\":\"okta.logs.read\",\"requestId\":\"76094a4ec67ae862a88c9d274b2353c9\",\"responseTime\":\"269\",\"dtHash\":\"redacted\",\"clientSecret\":\"E5NMtFDu1xVWq6Stx_AlRA\",\"requestUri\":\"/oauth2/v1/token\",\"requestedScopes\":\"okta.logs.read\",\"threatSuspected\":\"false\",\"grantType\":\"client_credentials\",\"url\":\"/oauth2/v1/token?\",\"tunnels\":\"[{\\\"anonymous\\\":true,\\\"operator\\\":\\\"WARP_VPN\\\",\\\"type\\\":\\\"VPN\\\"}]\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", - "outcome": "success" + "outcome": "success", + "type": [ + "user", + "creation" + ] }, "okta": { "actor": { @@ -4195,6 +4285,7 @@ } }, "tags": [ + "device-identityevent-hook-eligibleoie-onlyuser", "preserve_original_event" ], "user": { diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml index 10705d42b9b..80e726962a7 100644 --- a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml @@ -177,6 +177,9 @@ processors: value: info if: '["policy.evaluate_sign_on"].contains(ctx.okta?.event_type)' allow_duplicates: false + - pipeline: + tag: pipeline_ecs_category_type + name: '{{ IngestPipeline "ecs_category_type" }}' - rename: field: json.uuid target_field: okta.uuid diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml new file mode 100644 index 00000000000..8d0eb43e3aa --- /dev/null 
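Review bot: The `pipeline` processor added here makes the generated `ecs_category_type` table a second source of `event.category` and `event.type` next to the hand-written `append` processors above it, and nothing in the hunk says how the two are combined when they disagree. The table as shown further down this page types the three visible `*.lifecycle.deactivate` OAuth2 events as both `end` and `start`, which looks like a substring match on `activate` in the generator input; once this call is live, queries and detections keyed on `event.type: start` would also match deactivations. I would add a comment above the call such as `# Generated Okta event-type table; its results are merged with the per-event appends above` (wording to be confirmed against the script body, which is outside this hunk) and correct the deactivate rows in the generator source rather than in the generated file. The `processors` list starts and ends outside the hunk.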
+++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml 
@@ -0,0 +1,6527 @@ +--- +description: |- + Code generated by dispear; DO NOT EDIT. + + Okta event type mapping to ECS event type and category. +processors: + - script: + description: Map Okta event types to event.type and event.category. + tag: script + if: ctx.okta?.event_type != null + params: + access.request.cancel: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - deletion + access.request.condition.activate: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - info + access.request.condition.create: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - creation + access.request.condition.deactivate: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - info + access.request.condition.delete: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - deletion + access.request.condition.invalidate: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - info + access.request.condition.update: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - change + access.request.create: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - creation + access.request.expire: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - info + access.request.reject: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - info + access.request.resolve: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - info + access.request.sequence.create: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - creation + access.request.sequence.delete: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - deletion + access.request.sequence.update: + category: + - iam + tags: + - access + - event-hook-eligible + type: + - change + access.request.settings.update: + category: + - iam + tags: + - access + - event-hook-eligible + type: + 
- change + access.review.action: + category: + - iam + tags: + - access-review + - event-hook-eligible + type: + - info + access.review.close: + category: + - iam + tags: + - access-review + - event-hook-eligible + type: + - info + access.review.create: + category: + - iam + tags: + - access-review + - event-hook-eligible + type: + - creation + access.review.remediate: + category: + - iam + tags: + - access-review + - event-hook-eligible + type: + - info + access.review.start: + category: + - iam + tags: + - access-review + - event-hook-eligible + type: + - info + access.review.update: + category: + - iam + tags: + - access-review + - event-hook-eligible + type: + - change + account.org.add: + category: + - configuration + tags: + - account-service + type: + - creation + account.org.delete.cancel: + category: + - configuration + tags: + - account-service + type: + - deletion + account.org.delete.request: + category: + - configuration + tags: + - account-service + type: + - deletion + account.org.product.update: + category: + - configuration + tags: + - account-service + type: + - change + account.org.status.update: + category: + - configuration + tags: + - account-service + type: + - change + - info + analytics.feedback.provide: + category: + - configuration + type: + - info + analytics.reports.export.download: + category: + - configuration + type: + - info + analytics.reports.export.generate: + category: + - configuration + type: + - creation + - info + analytics.reports.export.request: + category: + - configuration + type: + - info + app.access_request.approver.approve: + category: + - iam + tags: + - app-instance-request + - event-hook-eligible + type: + - admin + app.access_request.approver.deny: + category: + - iam + tags: + - app-instance-request + - event-hook-eligible + type: + - admin + app.access_request.delete: + category: + - iam + tags: + - app-instance-request + - event-hook-eligible + type: + - admin + - deletion + app.access_request.deny: + 
category: + - iam + tags: + - app-instance-request + - event-hook-eligible + type: + - info + app.access_request.expire: + category: + - iam + tags: + - app-instance-request + - event-hook-eligible + type: + - info + app.access_request.grant: + category: + - iam + tags: + - app-instance-request + - event-hook-eligible + type: + - info + app.access_request.request: + category: + - iam + tags: + - app-instance-request + - event-hook-eligible + type: + - info + app.ad.api.user_import.account_locked: + category: + - iam + tags: + - ad-app + type: + - user + app.ad.api.user_import.warn.skipped_contact.attribute_invalid_value: + category: + - iam + tags: + - ad-app + type: + - user + app.ad.api.user_import.warn.skipped_user.attribute_invalid_value: + category: + - iam + tags: + - ad-app + type: + - user + app.ad.api.user_import.warn.skipped_user.missing_required_attribute: + category: + - iam + tags: + - ad-app + type: + - user + app.app_instance.csr.generate: + category: + - configuration + tags: + - app + type: + - creation + app.app_instance.csr.publish: + category: + - configuration + tags: + - app + type: + - info + app.app_instance.csr.revoke: + category: + - configuration + tags: + - app + type: + - deletion + app.app_instance.provision_sync_job.completed: + category: + - iam + tags: + - adminappuser-provision + type: + - creation + app.app_instance.provision_sync_job.failed: + category: + - iam + tags: + - adminappuser-provision + type: + - creation + - info + app.app_instance.provision_sync_job.started: + category: + - iam + tags: + - adminappuser-provision + type: + - creation + app.audit_report.download: + category: + - configuration + tags: + - app + type: + - info + app.audit_report.download.local.active: + category: + - configuration + tags: + - app + type: + - info + app.audit_report.download.local.deprov: + category: + - configuration + tags: + - app + type: + - info + app.audit_report.download.rogue.report: + category: + - configuration + tags: + - app + 
type: + - info + app.generic.unauth_app_access_attempt: + category: + - authentication + tags: + - app + type: + - info + app.inbound_del_auth.login_success: + category: + - authentication + tags: + - delegated-auth + type: + - info + - start + app.kerberos_rich_client.account_not_found: + category: + - configuration + tags: + - appkerberos-rich-client + type: + - info + app.kerberos_rich_client.instance_not_found: + category: + - configuration + tags: + - appkerberos-rich-client + type: + - info + app.kerberos_rich_client.multiple_accounts_found: + category: + - configuration + tags: + - appkerberos-rich-client + type: + - info + app.kerberos_rich_client.user_authentication_successful: + category: + - authentication + tags: + - appkerberos-rich-client + type: + - info + app.keys.clone: + category: + - configuration + tags: + - app + type: + - info + app.keys.generate: + category: + - configuration + tags: + - app + type: + - creation + app.keys.rotate: + category: + - configuration + tags: + - app + type: + - change + app.ldap.password.change.failed: + category: + - authentication + tags: + - ldap-app + type: + - info + app.oauth2.admin.consent.grant: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.admin.consent.revoke: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.api_resource.create: + category: + - authentication + tags: + - oauth2oauth2-api-resource + type: + - info + app.oauth2.api_resource.delete: + category: + - authentication + tags: + - oauth2oauth2-api-resource + type: + - info + app.oauth2.api_resource.update: + category: + - authentication + tags: + - oauth2oauth2-api-resource + type: + - info + app.oauth2.as.authorize: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.authorize.code: + category: + - authentication + tags: + - 
oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.authorize.implicit.access_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.authorize.implicit.id_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.authorize.scope_denied: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.grant: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.revoke: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.revoke.implicit.as: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.revoke.implicit.client: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.revoke.implicit.scope: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.revoke.implicit.user: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.revoke.user: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.consent.revoke.user.client: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.evaluate.claim: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.interact.interaction_code: + category: + - authentication + tags: + - 
oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.interact.interaction_handle: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.key.rollover: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.resource_server.credentials.lifecycle.activate: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - start + app.oauth2.as.resource_server.credentials.lifecycle.create: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.resource_server.credentials.lifecycle.deactivate: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - end + - start + app.oauth2.as.resource_server.credentials.lifecycle.delete: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.token.detect_reuse: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.token.grant: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.token.grant.access_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.token.grant.device_secret: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.token.grant.id_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.token.grant.refresh_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.as.token.revoke: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.authorize: + category: + - 
authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.authorize.code: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.authorize.implicit.access_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.authorize.implicit.id_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.client.lifecycle.activate: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-lifecycle + type: + - start + app.oauth2.client.lifecycle.create: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-lifecycle + type: + - info + app.oauth2.client.lifecycle.deactivate: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-lifecycle + type: + - end + - start + app.oauth2.client.lifecycle.delete: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-lifecycle + type: + - info + app.oauth2.client.lifecycle.update: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-lifecycle + type: + - info + app.oauth2.client.privilege.grant: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-client + type: + - info + app.oauth2.client.privilege.revoke: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-client + type: + - info + app.oauth2.client.read_client_secret: + category: + - authentication + tags: + - oauth2oauth2-client + type: + - info + app.oauth2.client_id_rate_limit_warning: + category: + - authentication + tags: + - oauth2oauth2-client + type: + - info + app.oauth2.consent.grant: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.credentials.lifecycle.activate: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-credentials-lifecycle + 
type: + - start + app.oauth2.credentials.lifecycle.create: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-credentials-lifecycle + type: + - info + app.oauth2.credentials.lifecycle.deactivate: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-credentials-lifecycle + type: + - end + - start + app.oauth2.credentials.lifecycle.delete: + category: + - authentication + tags: + - oauth2oauth2-clientoauth2-client-credentials-lifecycle + type: + - info + app.oauth2.interact.interaction_code: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.interact.interaction_handle: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.invalid_client_credentials: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.key.rollover: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.signon: + category: + - authentication + tags: + - oauth2oauth2-client + type: + - info + app.oauth2.token.detect_reuse: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.grant: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.grant.access_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.grant.id_jag: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.grant.id_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.grant.refresh_token: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.revoke: + category: + - authentication + tags: + - 
oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.revoke.implicit.as: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.revoke.implicit.client: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.token.revoke.implicit.user: + category: + - authentication + tags: + - oauth2oauth2-as-runtimeoauth2-org-as + type: + - info + app.oauth2.trusted_server.add: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.oauth2.trusted_server.delete: + category: + - authentication + tags: + - event-hook-eligibleoauth2oauth2-as-runtimeoauth2-custom-as + type: + - info + app.office365.api.change.domain.federation.success: + category: + - iam + tags: + - appoffice365-app + type: + - change + app.office365.api.error.ad.user: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.api.error.check.user.exists: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.api.error.create.user: + category: + - iam + tags: + - appoffice365-app + type: + - creation + - user + app.office365.api.error.deactivate.user: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.api.error.download.custom.objects: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.download.groups: + category: + - iam + tags: + - appoffice365-app + type: + - group + app.office365.api.error.download.users: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.api.error.endpoint.unavailable: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.get.company.dirsync.failure: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.get.company.dirsync.status.failure: + category: + - iam + tags: + - 
appoffice365-app + type: + - info + app.office365.api.error.get.company.dirsync.status.pending: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.get.object.ids.by.group.id: + category: + - iam + tags: + - office365-app + type: + - group + app.office365.api.error.group.create.failure: + category: + - iam + tags: + - appoffice365-app + type: + - creation + - group + app.office365.api.error.group.create.failure.name.in.use: + category: + - iam + tags: + - appoffice365-app + type: + - creation + - group + app.office365.api.error.group.delete.failure: + category: + - iam + tags: + - appoffice365-app + type: + - deletion + - group + app.office365.api.error.group.membership.update.assignment.failure: + category: + - iam + tags: + - appoffice365-app + type: + - change + - group + app.office365.api.error.group.membership.update.failure: + category: + - iam + tags: + - appoffice365-app + type: + - change + - group + app.office365.api.error.group.membership.update.group.not.found.failure: + category: + - iam + tags: + - appoffice365-app + type: + - change + - group + app.office365.api.error.group.membership.update.removal.failure: + category: + - iam + tags: + - appoffice365-app + type: + - change + - group + app.office365.api.error.group.update.failure: + category: + - iam + tags: + - appoffice365-app + type: + - change + - group + app.office365.api.error.group.update.failure.not.found: + category: + - iam + tags: + - appoffice365-app + type: + - change + - group + app.office365.api.error.import.profile: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.no.endpoints.found: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.push.password: + category: + - authentication + tags: + - appoffice365-app + type: + - info + app.office365.api.error.push.profile: + category: + - iam + tags: + - appoffice365-app + type: + - info + 
app.office365.api.error.reactivate.user: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.api.error.remove.domain.federation.failure: + category: + - iam + tags: + - appoffice365-app + type: + - deletion + app.office365.api.error.remove.domain.federation.failure.access.denied: + category: + - iam + tags: + - appoffice365-app + type: + - deletion + app.office365.api.error.remove.domain.federation.failure.domain.not.found: + category: + - iam + tags: + - appoffice365-app + type: + - deletion + app.office365.api.error.revoke.refresh.token: + category: + - authentication + tags: + - appoffice365-app + type: + - info + app.office365.api.error.set.company.dirsync.failure: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.set.company.dirsync.status.failure: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.set.domain.federation.failure: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.set.domain.federation.failure.access.denied: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.set.domain.federation.failure.domain.default: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.set.domain.federation.failure.domain.not.found: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.sync.contact: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.sync.finalize: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.sync.group: + category: + - iam + tags: + - appoffice365-app + type: + - group + app.office365.api.error.sync.not.activated: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.sync.set.attribute: + category: + - iam + tags: + - appoffice365-app + type: + - info + 
app.office365.api.error.sync.user: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.api.error.unable.to.create.graph.client: + category: + - iam + tags: + - appoffice365-app + type: + - creation + app.office365.api.error.validate.admin.creds: + category: + - iam + tags: + - appoffice365-app + type: + - admin + app.office365.api.error.validate.creds: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.validate.creds.unknown.exception: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.error.x-ms-forwarded-client-ip-header.absent: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.remove.domain.federation.success: + category: + - iam + tags: + - appoffice365-app + type: + - deletion + app.office365.api.set.domain.federation.success: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.sync.complete: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.sync.heartbeat.sent: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.sync.job.complete: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.sync.job.complete.contact: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.api.sync.job.complete.group: + category: + - iam + tags: + - appoffice365-app + type: + - group + app.office365.api.sync.job.complete.user: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.clientplatform.conversion.job.processing.app.instance: + category: + - configuration + tags: + - appoffice365-app + type: + - info + app.office365.clientplatform.conversion.job.skipping.migration: + category: + - configuration + tags: + - appoffice365-app + type: + - info + app.office365.dirsync.skipping.conflict-object: + category: + - iam + tags: + - appoffice365-app + type: + - 
info + app.office365.dirsync.skipping.critical-system-object: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.dirsync.skipping.non-security-group-invalid-mail: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.dirsync.skipping.reserved-attribute-value: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.dirsync.skipping.systemmailbox: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.dirsync.skipping.without-name-and-displayname: + category: + - iam + tags: + - appoffice365-app + type: + - info + app.office365.error.importing.user: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.graph.api.error.no.mailbox.found: + category: + - configuration + tags: + - appoffice365-app + type: + - info + app.office365.graph.api.error.rate-limit.exceeded: + category: + - configuration + tags: + - appoffice365-app + type: + - info + app.office365.graph.api.error.service.principal.creation.failed: + category: + - configuration + tags: + - office365-app + type: + - info + app.office365.graph.api.error.service.principal.msgraph.authentication.failure: + category: + - authentication + tags: + - office365-app + type: + - info + app.office365.service.principal.cleanup.job.complete: + category: + - configuration + tags: + - appoffice365-app + type: + - info + app.office365.service.principal.cleanup.job.invalid.credentials: + category: + - authentication + tags: + - appoffice365-app + type: + - info + app.office365.service.principal.cleanup.job.processing: + category: + - configuration + tags: + - appoffice365-app + type: + - info + app.office365.service.principal.cleanup.job.skipping.missing.creds: + category: + - configuration + tags: + - appoffice365-app + type: + - info + app.office365.service.principal.cleanup.job.skipping.no.service.principal: + category: + - configuration + tags: + - appoffice365-app + type: + - info + 
app.office365.service.principal.cleanup.job.unable.to.delete.service.principal: + category: + - configuration + tags: + - appoffice365-app + type: + - deletion + app.office365.user.delete.success: + category: + - iam + tags: + - appoffice365-app + type: + - deletion + - user + app.office365.user.lifecycle.action.failed: + category: + - iam + tags: + - appoffice365-app + type: + - user + app.office365.user.remove.licenses.success: + category: + - iam + tags: + - appoffice365-app + type: + - deletion + - user + app.policy.sign_on.update: + category: + - configuration + tags: + - policy + type: + - change + app.radius.agent.listener.failed: + category: + - network + type: + - denied + - protocol + app.radius.agent.listener.succeeded: + category: + - network + type: + - protocol + app.radius.agent.port_inaccessible: + category: + - network + type: + - access + - protocol + app.radius.agent.port_reaccessible: + category: + - network + type: + - access + - protocol + app.radius.info_access.no_permission: + category: + - iam + type: + - info + app.radius.info_access.partial_permission: + category: + - iam + type: + - info + app.realtimesync.import.details.add_user: + category: + - configuration + tags: + - app + type: + - creation + app.realtimesync.import.details.delete_user: + category: + - configuration + tags: + - app + type: + - deletion + app.realtimesync.import.details.update_user: + category: + - configuration + tags: + - app + type: + - change + - info + app.request_new.notify: + category: + - configuration + type: + - info + app.rum.config.validation.error: + category: + - configuration + type: + - info + app.rum.is.api.account.error: + category: + - configuration + type: + - info + app.rum.package.thrown.error: + category: + - configuration + type: + - info + app.rum.validation.error: + category: + - configuration + type: + - info + app.saml.sensitive.attribute.update: + category: + - configuration + type: + - change + app.user_management: + category: + - 
configuration + tags: + - app-user-management + type: + - info + app.user_management.grouppush.mapping.created.from.rule: + category: + - configuration + tags: + - app + type: + - creation + app.user_management.grouppush.mapping.created.from.rule.error.duplicate: + category: + - configuration + tags: + - app + type: + - creation + app.user_management.grouppush.mapping.created.from.rule.error.validation: + category: + - configuration + tags: + - app + type: + - creation + app.user_management.grouppush.mapping.created.from.rule.errors: + category: + - configuration + tags: + - app + type: + - creation + app.user_management.grouppush.mapping.okta.users.ignored: + category: + - configuration + tags: + - appapp-user-management + type: + - info + app.user_management.import.csv.line.error: + category: + - configuration + tags: + - app + type: + - info + app.user_management.push_new_user_success: + category: + - configuration + tags: + - app + type: + - info + app.user_management.update_from_master_failed: + category: + - configuration + tags: + - app + type: + - change + app.user_management.user_group_import.create_failure: + category: + - configuration + tags: + - appapp-user-management + type: + - creation + app.user_management.user_group_import.delete_success: + category: + - configuration + tags: + - appapp-user-management + type: + - deletion + app.user_management.user_group_import.update_failure: + category: + - configuration + tags: + - appapp-user-management + type: + - change + app.user_management.user_group_import.upsert_fail: + category: + - configuration + tags: + - appapp-user-management + type: + - info + app.user_management.user_group_import.upsert_success: + category: + - configuration + tags: + - appapp-user-management + type: + - info + application.appuser.mapping.invalid.expression: + category: + - iam + tags: + - app + type: + - user + application.cache.invalidate: + category: + - configuration + tags: + - invalidate-app-list-cache + type: + - info + 
application.configuration.detect_error: + category: + - configuration + tags: + - app + type: + - info + application.configuration.disable_delauth_outbound: + category: + - authentication + tags: + - app + type: + - end + application.configuration.disable_fed_broker_mode: + category: + - configuration + tags: + - app + type: + - info + application.configuration.enable_delauth_outbound: + category: + - authentication + tags: + - app + type: + - start + application.configuration.enable_fed_broker_mode: + category: + - configuration + tags: + - app + type: + - info + application.configuration.import_schema: + category: + - configuration + tags: + - app-api + type: + - info + application.configuration.read_client_secret: + category: + - configuration + type: + - info + application.configuration.reset_logo: + category: + - configuration + tags: + - app + type: + - change + application.configuration.update: + category: + - configuration + tags: + - app-api + type: + - change + application.configuration.update_api_credentials_for_pass_change: + category: + - authentication + tags: + - app + type: + - info + application.configuration.update_logo: + category: + - configuration + tags: + - app + type: + - change + application.configuration.update_rate_limits: + category: + - configuration + tags: + - app + type: + - change + application.integration.api_query: + category: + - configuration + tags: + - app-api + type: + - info + application.integration.authentication_failure: + category: + - authentication + tags: + - app-api + type: + - info + application.integration.general_failure: + category: + - configuration + tags: + - app-api + type: + - info + application.integration.rate_limit_exceeded: + category: + - configuration + tags: + - app-api + type: + - info + application.integration.transfer_files: + category: + - configuration + tags: + - app-api + type: + - info + application.lifecycle.activate: + category: + - configuration + tags: + - app + - event-hook-eligible + 
type: + - info + application.lifecycle.create: + category: + - configuration + tags: + - app + - event-hook-eligible + type: + - creation + application.lifecycle.deactivate: + category: + - configuration + tags: + - app + - event-hook-eligible + type: + - info + application.lifecycle.delete: + category: + - configuration + tags: + - app + - event-hook-eligible + type: + - deletion + application.lifecycle.update: + category: + - configuration + tags: + - app + - event-hook-eligible + type: + - change + application.policy.sign_on.deny_access: + category: + - configuration + tags: + - app + - event-hook-eligible + type: + - access + - info + application.policy.sign_on.rule.create: + category: + - configuration + tags: + - app + type: + - creation + application.policy.sign_on.rule.delete: + category: + - configuration + tags: + - app + type: + - deletion + application.policy.sign_on.update: + category: + - configuration + tags: + - appchangeDetails + - changeDetails + type: + - change + application.provision.field_mapping_rule.change: + category: + - configuration + tags: + - field-mapping-rule-modification + type: + - change + - creation + application.provision.group.add: + category: + - iam + tags: + - app-api + type: + - creation + - group + application.provision.group.import: + category: + - iam + tags: + - app-api + type: + - creation + - group + application.provision.group.remove: + category: + - iam + tags: + - app-api + type: + - creation + - deletion + - group + application.provision.group.update: + category: + - iam + tags: + - app-api + type: + - change + - creation + - group + application.provision.group.verify_exists: + category: + - iam + tags: + - app-api + type: + - creation + - group + application.provision.group_membership.add: + category: + - iam + tags: + - app-api + type: + - creation + - group + application.provision.group_membership.import: + category: + - iam + tags: + - app-api + type: + - creation + - group + 
application.provision.group_membership.remove: + category: + - iam + tags: + - app-api + type: + - creation + - deletion + - group + application.provision.group_membership.update: + category: + - iam + tags: + - app-api + type: + - change + - creation + - group + application.provision.group_push.activate_mapping: + category: + - configuration + tags: + - app + type: + - creation + application.provision.group_push.deactivate_mapping: + category: + - configuration + tags: + - app + type: + - creation + application.provision.group_push.delete_appgroup: + category: + - configuration + tags: + - app + type: + - creation + - deletion + application.provision.group_push.mapping.and.groups.deleted.rule.deleted: + category: + - configuration + tags: + - app + type: + - creation + - deletion + application.provision.group_push.mapping.app.group.renamed: + category: + - iam + tags: + - app + type: + - creation + - group + application.provision.group_push.mapping.app.group.renamed.failed: + category: + - iam + tags: + - app + type: + - creation + - group + application.provision.group_push.mapping.created: + category: + - configuration + tags: + - app + type: + - creation + application.provision.group_push.mapping.created.from.rule.warning.duplicate.name: + category: + - configuration + tags: + - app + type: + - creation + application.provision.group_push.mapping.created.from.rule.warning.duplicate.name.tobecreated: + category: + - configuration + tags: + - app + type: + - creation + application.provision.group_push.mapping.created.from.rule.warning.upsertGroup.duplicate.name: + category: + - iam + tags: + - app + type: + - creation + - group + application.provision.group_push.mapping.deactivated.source.group.renamed: + category: + - iam + tags: + - app + type: + - creation + - group + application.provision.group_push.mapping.deactivated.source.group.renamed.failed: + category: + - iam + tags: + - app + type: + - creation + - group + 
application.provision.group_push.mapping.update.or.delete.failed: + category: + - configuration + tags: + - app + type: + - change + - creation + - deletion + application.provision.group_push.mapping.update.or.delete.failed.with.error: + category: + - configuration + tags: + - app + - event-hook-eligible + type: + - change + - creation + - deletion + application.provision.group_push.push_memberships: + category: + - iam + tags: + - app + type: + - creation + - group + application.provision.group_push.pushed: + category: + - configuration + tags: + - app + type: + - creation + application.provision.group_push.removed: + category: + - configuration + tags: + - app + type: + - creation + - deletion + application.provision.group_push.updated: + category: + - configuration + tags: + - app + type: + - change + - creation + application.provision.integration.call_api: + category: + - configuration + tags: + - app-api + type: + - creation + application.provision.user.activate: + category: + - iam + tags: + - app-api + type: + - creation + - user + application.provision.user.deactivate: + category: + - iam + tags: + - app-api + type: + - creation + - user + application.provision.user.deprovision: + category: + - iam + tags: + - app + type: + - creation + - deletion + - user + application.provision.user.import: + category: + - iam + tags: + - app-api + type: + - creation + - user + application.provision.user.import_profile: + category: + - iam + tags: + - app-api + type: + - creation + - user + application.provision.user.password: + category: + - authentication + tags: + - app-api + type: + - info + application.provision.user.push: + category: + - iam + tags: + - app-api + type: + - creation + - user + application.provision.user.push_okta_password: + category: + - authentication + tags: + - app + type: + - info + application.provision.user.push_password: + category: + - authentication + tags: + - app + type: + - info + application.provision.user.push_profile: + category: + - 
iam + tags: + - app-api + type: + - creation + - user + application.provision.user.reactivate: + category: + - iam + tags: + - app-api + type: + - creation + - user + application.provision.user.sync: + category: + - iam + tags: + - app + - event-hook-eligible + type: + - creation + - user + application.provision.user.verify_exists: + category: + - iam + tags: + - app-api + type: + - creation + - user + application.registration_policy.lifecycle.create: + category: + - configuration + tags: + - app + type: + - creation + application.registration_policy.lifecycle.update: + category: + - configuration + tags: + - app + type: + - change + application.user_membership.add: + category: + - iam + tags: + - event-hook-eligibleuser-provision + type: + - creation + - user + application.user_membership.approve: + category: + - iam + tags: + - user-provision + type: + - user + application.user_membership.change_password: + category: + - authentication + tags: + - app + - event-hook-eligible + type: + - info + application.user_membership.change_username: + category: + - iam + tags: + - app + type: + - change + - user + application.user_membership.deprovision: + category: + - iam + tags: + - user-provision + type: + - deletion + - user + application.user_membership.provision: + category: + - iam + tags: + - user-provision + type: + - creation + - user + application.user_membership.remove: + category: + - iam + tags: + - event-hook-eligibleuser-provision + type: + - deletion + - user + application.user_membership.restore: + category: + - iam + tags: + - app + type: + - user + application.user_membership.restore_password: + category: + - authentication + tags: + - app + type: + - info + application.user_membership.revoke: + category: + - iam + tags: + - user-provision + type: + - deletion + - user + application.user_membership.show_password: + category: + - authentication + tags: + - app + type: + - info + application.user_membership.update: + category: + - iam + tags: + - app + - 
event-hook-eligible + type: + - change + - user + certification.campaign.close: + category: + - configuration + tags: + - certification + - event-hook-eligible + type: + - info + certification.campaign.context.update: + category: + - configuration + tags: + - certification + - event-hook-eligible + type: + - change + certification.campaign.create: + category: + - configuration + type: + - creation + certification.campaign.delete: + category: + - configuration + type: + - deletion + certification.campaign.item.decide: + category: + - configuration + tags: + - certification + - event-hook-eligible + type: + - info + certification.campaign.item.remediate: + category: + - configuration + tags: + - certification + - event-hook-eligible + type: + - info + certification.campaign.launch: + category: + - configuration + tags: + - certification + - event-hook-eligible + type: + - info + certification.campaign.update: + category: + - configuration + type: + - change + certification.remediation.open: + category: + - configuration + type: + - info + core.concurrency.org.limit.violation: + category: + - configuration + tags: + - concurrency-limit + type: + - info + core.el.evaluate: + category: + - configuration + tags: + - okta-el + type: + - info + core.user_auth.idp.x509.crl_download_failure: + category: + - authentication + tags: + - x509-idp-auth + type: + - info + credential.register: + category: + - authentication + tags: + - user-factor + type: + - info + credential.revoke: + category: + - authentication + tags: + - user-factor + type: + - info + device.assurance.policy.add: + category: + - configuration + tags: + - device-identityoie-only + type: + - creation + device.assurance.policy.delete: + category: + - configuration + tags: + - device-identityoie-only + type: + - deletion + device.assurance.policy.update: + category: + - configuration + tags: + - device-identityoie-onlychangeDetails + - changeDetails + type: + - change + device.custom_push.send_notification: + 
category: + - authentication + tags: + - custom-push + type: + - info + device.desktop_mfa.configuration.update: + category: + - authentication + tags: + - device-mfaoie-onlychangeDetails + - changeDetails + type: + - info + device.desktop_mfa.device_logout.completed: + category: + - authentication + tags: + - device-mfaoie-only + type: + - end + device.desktop_mfa.device_logout.started: + category: + - authentication + tags: + - device-mfaoie-only + type: + - end + - start + device.desktop_mfa.enrollment.create: + category: + - authentication + tags: + - device-mfaoie-only + type: + - info + device.desktop_mfa.recovery_pin.generate: + category: + - authentication + tags: + - device-mfaoie-only + type: + - info + device.desktop_mfa.recovery_pin.rotate_secret: + category: + - authentication + tags: + - device-mfaoie-only + type: + - info + device.enrollment.create: + category: + - host + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - info + device.integration.endpoint_security.activate: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - info + device.integration.endpoint_security.deactivate: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - info + device.lifecycle.activate: + category: + - host + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - start + device.lifecycle.deactivate: + category: + - host + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - end + - start + device.lifecycle.delete: + category: + - host + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - info + device.lifecycle.suspend: + category: + - host + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - end + device.lifecycle.unsuspend: + category: + - host + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - end + device.local_account.create: + category: + - host + tags: + - device-ssooie-only + type: + - info + 
device.password_sync.authentication: + category: + - authentication + tags: + - device-ssooie-only + type: + - info + device.password_sync.enrollment.create: + category: + - authentication + tags: + - device-ssooie-only + type: + - info + device.platform.add: + category: + - host + tags: + - device-identityoie-onlyuser + type: + - info + device.platform.delete: + category: + - host + tags: + - device-identityoie-onlyuser + type: + - info + device.platform.renew: + category: + - host + tags: + - device-identityoie-only + type: + - info + device.platform.secret_key.reset: + category: + - host + tags: + - device-identityoie-onlyuser + type: + - change + device.platform.update: + category: + - host + tags: + - device-identityoie-onlyuser + type: + - change + device.platform_sso.keys.register: + category: + - authentication + tags: + - device-ssooie-only + type: + - info + device.posture.check.add: + category: + - host + tags: + - device-identityoie-only + type: + - info + device.posture.check.delete: + category: + - host + tags: + - device-identityoie-only + type: + - info + device.posture.check.update: + category: + - host + tags: + - device-identityoie-onlychangeDetails + - changeDetails + type: + - change + device.push.provider.create: + category: + - host + tags: + - oie-onlypush-provider + type: + - info + device.push.provider.delete: + category: + - host + tags: + - oie-onlypush-provider + type: + - info + device.push.provider.update: + category: + - host + tags: + - oie-onlypush-provider + type: + - change + device.signals.status.timeout: + category: + - host + tags: + - device-identityoie-only + type: + - info + device.token.enrollment.create: + category: + - authentication + tags: + - deviceoie-onlyuser + type: + - info + device.user.add: + category: + - iam + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - creation + - user + device.user.remove: + category: + - iam + tags: + - device-identityevent-hook-eligibleoie-onlyuser + type: + - 
deletion + - user + device.user_os_account.sync: + category: + - host + tags: + - device-mfadevice-ssooie-only + type: + - info + directory.app_user_profile.bootstrap: + category: + - iam + type: + - creation + - user + directory.app_user_profile.update: + category: + - iam + type: + - change + - user + directory.external.group.membership.add: + category: + - iam + tags: + - ad-agentgroupuser + type: + - creation + - group + directory.external.group.membership.remove: + category: + - iam + tags: + - ad-agentgroupuser + type: + - deletion + - group + directory.linked_object.create: + category: + - configuration + type: + - creation + directory.linked_object.delete: + category: + - configuration + type: + - deletion + directory.mapping.update: + category: + - configuration + type: + - change + directory.non_default_user_profile.create: + category: + - iam + type: + - creation + - user + directory.user_profile.bootstrap: + category: + - iam + type: + - creation + - user + directory.user_profile.update: + category: + - iam + tags: + - event-hook + - event-hook + - event-hook + - event-hook + - event-hook + - event-hook + - event-hook + type: + - change + - info + - user + group.application_assignment.add: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - creation + - group + group.application_assignment.remove: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - deletion + - group + group.application_assignment.skip_assignment_reconcile: + category: + - iam + type: + - group + group.application_assignment.update: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - change + - group + group.lifecycle.create: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - creation + - group + group.lifecycle.delete: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - deletion + - group + group.privilege.grant: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - group + - info + 
group.privilege.revoke: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - deletion + - group + group.profile.update: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - admin + - change + - group + group.user_membership.add: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - creation + - group + - user + group.user_membership.remove: + category: + - iam + tags: + - event-hook-eligiblegroup + type: + - deletion + - group + - user + group.user_membership.rule.add_exclusion: + category: + - iam + type: + - creation + - group + - user + group.user_membership.rule.deactivated: + category: + - iam + type: + - group + - user + group.user_membership.rule.error: + category: + - iam + type: + - group + - user + group.user_membership.rule.evaluation: + category: + - iam + type: + - group + - user + group.user_membership.rule.invalidate: + category: + - iam + type: + - group + - user + group.user_membership.rule.trigger: + category: + - iam + type: + - group + - user + iam.policy.configuration.update: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - change + - info + iam.resourceset.bindings.add: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - creation + - info + iam.resourceset.bindings.delete: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - deletion + - info + iam.resourceset.create: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - creation + - info + iam.resourceset.delete: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - deletion + - info + iam.resourceset.resources.add: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - creation + - info + iam.resourceset.resources.delete: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - deletion + - info + 
iam.resourceset.resources.update: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - change + - info + iam.resourceset.update: + category: + - configuration + tags: + - admin-role + - event-hook-eligible + type: + - change + - info + iam.role.create: + category: + - iam + tags: + - admin-role + - event-hook-eligible + type: + - creation + - info + iam.role.delete: + category: + - iam + tags: + - admin-role + - event-hook-eligible + type: + - deletion + - info + iam.role.permission.conditions.add: + category: + - iam + tags: + - admin-role + - event-hook-eligible + type: + - creation + iam.role.permission.conditions.delete: + category: + - iam + tags: + - admin-role + - event-hook-eligible + type: + - deletion + iam.role.permissions.add: + category: + - iam + tags: + - admin-role + - event-hook-eligible + type: + - creation + - info + iam.role.permissions.delete: + category: + - iam + tags: + - admin-role + - event-hook-eligible + type: + - deletion + - info + iam.role.update: + category: + - iam + tags: + - admin-role + - event-hook-eligible + - inline-hook + - inline-hook + - inline-hook + - inline-hook + - event-hook-eligibleinline-hook + - inline-hook + - inline-hook + - inline-hook + type: + - change + - info + integration.api_service.lifecycle.authorize: + category: + - authentication + type: + - info + integration.api_service.lifecycle.revoke: + category: + - configuration + type: + - deletion + mim.command.generic.acknowledged: + category: + - configuration + type: + - info + mim.command.generic.cancelled: + category: + - configuration + type: + - deletion + mim.command.generic.delegated: + category: + - configuration + type: + - info + mim.command.generic.error: + category: + - configuration + type: + - info + mim.command.generic.new: + category: + - configuration + type: + - info + mim.command.generic.notnow: + category: + - configuration + type: + - info + mim.command.ios.acknowledged: + category: + - configuration + 
type: + - info + mim.command.ios.cancelled: + category: + - configuration + type: + - deletion + mim.command.ios.error: + category: + - configuration + type: + - info + mim.command.ios.formaterror: + category: + - configuration + type: + - info + mim.command.ios.new: + category: + - configuration + type: + - info + mim.createEnrollment.ANDROID: + category: + - configuration + type: + - creation + mim.createEnrollment.IOS: + category: + - configuration + type: + - creation + mim.createEnrollment.OSX: + category: + - configuration + type: + - creation + mim.createEnrollment.UNKNOWN: + category: + - configuration + type: + - creation + mim.createEnrollment.WINDOWS: + category: + - configuration + type: + - creation + mim.streamDevicesCSVDownload: + category: + - configuration + tags: + - network-zone + - oauth2oauth2-as-lifecycle + - oauth2oauth2-as-lifecycle + - oauth2oauth2-as-lifecycle + - oauth2oauth2-as-lifecycle + - oauth2oauth2-as-lifecycle + - oauth2oauth2-claim + - oauth2oauth2-claim + - oauth2oauth2-claim + - oauth2oauth2-scope + - oauth2oauth2-scope + - oauth2oauth2-scope + type: + - info + org.not_configured_origin.redirection.usage: + category: + - configuration + type: + - info + pam.active_directory.account_discovery.complete: + category: + - configuration + type: + - info + pam.active_directory.account_rule.applied: + category: + - configuration + type: + - info + pam.active_directory.account_rule.update: + category: + - configuration + type: + - change + pam.active_directory.connection.update: + category: + - network + type: + - connection + pam.ad_connection.create: + category: + - network + type: + - connection + pam.ad_connection.delete: + category: + - network + type: + - connection + pam.ad_connection.update: + category: + - network + type: + - connection + pam.ad_task_settings.create: + category: + - configuration + type: + - creation + pam.ad_task_settings.delete: + category: + - configuration + type: + - deletion + pam.ad_task_settings.update: 
+ category: + - configuration + type: + - change + pam.ad_task_settings.update_schedule: + category: + - configuration + type: + - change + pam.ad_user_sync_task_settings.activate: + category: + - configuration + type: + - info + pam.ad_user_sync_task_settings.create: + category: + - configuration + type: + - creation + pam.ad_user_sync_task_settings.deactivate: + category: + - configuration + type: + - info + pam.ad_user_sync_task_settings.delete: + category: + - configuration + type: + - deletion + pam.ad_user_sync_task_settings.update: + category: + - configuration + type: + - change + pam.ad_user_sync_task_settings.update_schedule: + category: + - configuration + type: + - change + pam.apikey.delete: + category: + - configuration + type: + - deletion + pam.apikey.rotate: + category: + - configuration + type: + - change + pam.auth_token.issue: + category: + - authentication + type: + - info + pam.billing_contact.create: + category: + - configuration + type: + - creation + pam.client.assign: + category: + - configuration + type: + - info + pam.client.enroll: + category: + - configuration + type: + - creation + pam.client.remove: + category: + - configuration + type: + - deletion + pam.client.state.update: + category: + - configuration + type: + - change + pam.client_enrollment_policies.create: + category: + - configuration + type: + - creation + pam.client_enrollment_policies.delete: + category: + - configuration + type: + - deletion + pam.client_enrollment_policies.update: + category: + - configuration + type: + - change + pam.client_enrollment_policy_token.delete: + category: + - authentication + type: + - info + pam.client_enrollment_policy_token.rotate: + category: + - authentication + type: + - info + pam.cloud_account.create: + category: + - configuration + type: + - creation + pam.cloud_account.delete: + category: + - configuration + type: + - deletion + pam.cloud_account.update: + category: + - configuration + type: + - change + 
pam.entitlement_sudo.add_to_project: + category: + - configuration + type: + - creation + pam.entitlement_sudo.create: + category: + - configuration + type: + - creation + pam.entitlement_sudo.remove: + category: + - configuration + type: + - deletion + pam.entitlement_sudo.remove_from_project: + category: + - configuration + type: + - deletion + pam.entitlement_sudo.update: + category: + - configuration + type: + - change + pam.gateway.create: + category: + - configuration + type: + - creation + pam.gateway.delete: + category: + - configuration + type: + - deletion + pam.gateway.setup_token.create: + category: + - authentication + type: + - info + pam.gateway.setup_token.delete: + category: + - authentication + type: + - info + pam.gateway.setup_token.update: + category: + - authentication + type: + - info + pam.gateway.update: + category: + - configuration + type: + - change + pam.gateway_creds.issue: + category: + - configuration + type: + - info + pam.group.bulk_membership_change: + category: + - iam + type: + - group + pam.group.create: + category: + - iam + type: + - creation + - group + pam.group.delete: + category: + - iam + type: + - deletion + - group + pam.incoming_federation.approve: + category: + - configuration + type: + - info + pam.incoming_federation.request: + category: + - configuration + type: + - info + pam.member.add: + category: + - configuration + type: + - creation + pam.member.remove: + category: + - configuration + type: + - deletion + pam.offline_disabled_event: + category: + - configuration + type: + - info + pam.offline_enabled_event: + category: + - configuration + type: + - info + pam.offline_group.secrets.rotate: + category: + - iam + type: + - change + - group + pam.outgoing_federation.approve: + category: + - configuration + type: + - info + pam.password.change: + category: + - authentication + type: + - info + pam.password.reset: + category: + - authentication + type: + - info + pam.permission.change: + category: + - iam + type: 
+ - change + pam.preauthorization.create: + category: + - authentication + type: + - info + pam.preauthorization.update: + category: + - authentication + type: + - info + pam.project.add_group: + category: + - configuration + type: + - creation + pam.project.create: + category: + - configuration + type: + - creation + pam.project.delete: + category: + - configuration + type: + - deletion + pam.project.remove_group: + category: + - configuration + type: + - deletion + pam.project.update: + category: + - configuration + type: + - change + pam.project_group_selector.update: + category: + - configuration + type: + - change + pam.resource.checkin.end: + category: + - configuration + type: + - info + pam.resource.checkin.start: + category: + - configuration + type: + - info + pam.resource.checkout: + category: + - configuration + type: + - info + pam.resource_group.create: + category: + - iam + type: + - admin + - creation + - group + pam.resource_group.delete: + category: + - iam + type: + - admin + - deletion + - group + pam.resource_group.update: + category: + - iam + type: + - admin + - change + - group + pam.secret.create: + category: + - configuration + type: + - creation + pam.secret.delete: + category: + - configuration + type: + - deletion + pam.secret.reveal: + category: + - configuration + type: + - info + pam.secret.update: + category: + - configuration + type: + - change + pam.secret_folder.create: + category: + - configuration + type: + - creation + pam.secret_folder.delete: + category: + - configuration + type: + - deletion + pam.secret_folder.update: + category: + - configuration + type: + - change + pam.security_policy.create: + category: + - configuration + type: + - creation + pam.security_policy.delete: + category: + - configuration + type: + - deletion + pam.security_policy.evaluate: + category: + - configuration + type: + - info + pam.security_policy.update: + category: + - configuration + type: + - change + pam.server.enroll: + category: + - 
configuration + type: + - creation + pam.server.reassign: + category: + - configuration + type: + - info + pam.server.remove: + category: + - configuration + type: + - deletion + pam.server.ssh_login: + category: + - authentication + type: + - start + pam.server_account.discovered: + category: + - configuration + type: + - info + pam.server_account.password_change.initiated: + category: + - authentication + type: + - start + pam.server_account.password_change.out_of_band: + category: + - authentication + type: + - info + pam.server_account.password_change.update: + category: + - authentication + type: + - info + pam.server_account.update: + category: + - configuration + type: + - change + pam.server_labels.update: + category: + - configuration + type: + - change + pam.service.create: + category: + - configuration + type: + - creation + pam.service.remove: + category: + - configuration + type: + - deletion + pam.service_account.assign: + category: + - configuration + type: + - info + pam.service_account.create: + category: + - configuration + type: + - creation + pam.service_account.delete: + category: + - configuration + type: + - deletion + pam.service_account.password.reveal: + category: + - authentication + type: + - info + pam.service_account.password.update: + category: + - authentication + type: + - info + pam.service_account.password_rotation.end: + category: + - authentication + type: + - end + pam.service_account.password_rotation.start: + category: + - authentication + type: + - start + pam.service_account.update: + category: + - configuration + type: + - change + pam.sudo_command_bundle.create: + category: + - configuration + type: + - creation + pam.sudo_command_bundle.delete: + category: + - configuration + type: + - deletion + pam.sudo_command_bundle.update: + category: + - configuration + type: + - change + pam.team.create: + category: + - configuration + type: + - creation + pam.team_group_attribute.create: + category: + - configuration + type: + - 
creation + pam.team_group_attribute.delete: + category: + - configuration + type: + - deletion + pam.team_group_attribute.update: + category: + - configuration + type: + - change + pam.team_invitation.create: + category: + - configuration + type: + - creation + pam.team_project_group_attribute.create: + category: + - configuration + type: + - creation + pam.team_project_group_attribute.delete: + category: + - configuration + type: + - deletion + pam.team_project_group_attribute.update: + category: + - configuration + type: + - change + pam.team_project_user_attribute.create: + category: + - configuration + type: + - creation + pam.team_project_user_attribute.delete: + category: + - configuration + type: + - deletion + pam.team_project_user_attribute.update: + category: + - configuration + type: + - change + pam.team_settings.update: + category: + - configuration + type: + - change + pam.team_user_attribute.create: + category: + - configuration + type: + - creation + pam.team_user_attribute.delete: + category: + - configuration + type: + - deletion + pam.team_user_attribute.update: + category: + - configuration + type: + - change + pam.unbound_client.enroll: + category: + - configuration + type: + - creation + pam.unmanaged_server.create: + category: + - configuration + type: + - creation + pam.user.create: + category: + - iam + type: + - creation + - user + pam.user.remove: + category: + - iam + type: + - deletion + - user + pam.user.update: + category: + - iam + type: + - change + - user + pam.user_creds.issue: + category: + - configuration + type: + - info + personal.admin.configuration.update: + category: + - configuration + tags: + - okta-personal + type: + - change + personal.user.app_migration.export: + category: + - iam + tags: + - okta-personal + type: + - user + pki.ca.add: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - creation + pki.ca.delete: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: 
+ - deletion + pki.ca.renew: + category: + - configuration + tags: + - device-identityoie-only + type: + - info + pki.cert.bind: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - info + pki.cert.crl_download_failure: + category: + - configuration + tags: + - device-identityoie-only + type: + - info + pki.cert.issue: + category: + - configuration + tags: + - device-trust-cert-distribution-and-binding + type: + - info + pki.cert.lifecycle.activate: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - info + pki.cert.lifecycle.delete: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - deletion + pki.cert.lifecycle.hold: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - info + pki.cert.lifecycle.revoke: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - deletion + pki.cert.lifecycle.suspend: + category: + - configuration + tags: + - device-identityoie-onlyuser + type: + - info + pki.cert.renew: + category: + - configuration + tags: + - device-trust-cert-distribution-and-binding + type: + - info + pki.cert.revoke: + category: + - configuration + tags: + - device-trust-cert-distribution-and-binding + type: + - deletion + plugin.downloaded: + category: + - configuration + type: + - info + plugin.script_status: + category: + - configuration + type: + - info + policy.auth_reevaluate.action: + category: + - authentication + type: + - info + policy.auth_reevaluate.enforce: + category: + - authentication + type: + - info + policy.auth_reevaluate.fail: + category: + - authentication + tags: + - event-hook-eligiblepolicysecuritysession + type: + - info + policy.continuous_access.action: + category: + - configuration + type: + - access + policy.continuous_access.evaluate: + category: + - configuration + type: + - access + policy.entity_risk.action: + category: + - configuration + type: + - info + policy.entity_risk.evaluate: + 
category: + - configuration + type: + - info + policy.evaluate_sign_on: + category: + - authentication + tags: + - policy + type: + - info + policy.execute.user.start: + category: + - iam + tags: + - policy + type: + - user + policy.lifecycle.activate: + category: + - configuration + tags: + - event-hook-eligiblepolicy + type: + - info + policy.lifecycle.create: + category: + - configuration + tags: + - policy + type: + - creation + policy.lifecycle.deactivate: + category: + - configuration + tags: + - event-hook-eligiblepolicy + type: + - info + policy.lifecycle.delete: + category: + - configuration + tags: + - policy + type: + - deletion + policy.lifecycle.overwrite: + category: + - configuration + tags: + - policy + type: + - info + policy.lifecycle.update: + category: + - configuration + tags: + - event-hook-eligible + type: + - change + policy.mapping.create: + category: + - configuration + tags: + - policy + type: + - creation + policy.rule.action.execute: + category: + - configuration + tags: + - policy + type: + - info + policy.rule.activate: + category: + - configuration + tags: + - event-hook-eligiblepolicy + type: + - info + policy.rule.add: + category: + - configuration + tags: + - event-hook-eligiblepolicy + type: + - creation + policy.rule.deactivate: + category: + - configuration + tags: + - event-hook-eligiblepolicy + type: + - info + policy.rule.delete: + category: + - configuration + tags: + - event-hook-eligiblepolicy + type: + - deletion + policy.rule.invalidate: + category: + - configuration + tags: + - policy + type: + - info + policy.rule.update: + category: + - configuration + tags: + - event-hook-eligiblepolicy + type: + - change + policy.scheduled.execute: + category: + - configuration + tags: + - policy + type: + - info + security.attack.end: + category: + - threat + tags: + - threat-insight + type: + - indicator + security.attack.start: + category: + - threat + tags: + - threat-insight + type: + - indicator + 
security.attack_protection.settings.update: + category: + - configuration + tags: + - mfasecuritychangeDetails + - changeDetails + type: + - change + security.authenticator.lifecycle.activate: + category: + - authentication + tags: + - authenticatorevent-hook-eligibleoie-only + type: + - info + - start + security.authenticator.lifecycle.create: + category: + - authentication + tags: + - authenticatorevent-hook-eligibleoie-only + type: + - info + security.authenticator.lifecycle.deactivate: + category: + - authentication + tags: + - authenticatorevent-hook-eligibleoie-only + type: + - end + - info + - start + security.authenticator.lifecycle.update: + category: + - authentication + tags: + - authenticatorevent-hook-eligibleoie-only + type: + - info + security.behavior.settings.create: + category: + - configuration + tags: + - behavior-settings + type: + - creation + - info + security.behavior.settings.delete: + category: + - configuration + tags: + - behavior-settings + type: + - deletion + - info + security.behavior.settings.update: + category: + - configuration + tags: + - behavior-settings + type: + - change + - info + security.breached_credential.detected: + category: + - authentication + tags: + - accountevent-hook-eligiblesecurityuser + type: + - info + security.device.add_request_blacklist_policy: + category: + - threat + security.device.remove_request_blacklist_policy: + category: + - threat + security.device.temporarily_disable_blacklisting: + category: + - threat + security.events.provider.activate: + category: + - threat + tags: + - security + security.events.provider.create: + category: + - threat + tags: + - security + security.events.provider.deactivate: + category: + - threat + tags: + - security + security.events.provider.delete: + category: + - threat + tags: + - security + security.events.provider.receive_event: + category: + - threat + security.events.provider.update: + category: + - threat + tags: + - security + 
security.events.transmitter.create: + category: + - threat + tags: + - security + security.events.transmitter.delete: + category: + - threat + tags: + - security + security.events.transmitter.update: + category: + - threat + tags: + - security + security.request.blocked: + category: + - threat + tags: + - security + security.session.detect_client_roaming: + category: + - session + type: + - info + security.threat.configuration.update: + category: + - configuration + tags: + - threat-insight-configuration + type: + - change + - info + security.threat.detected: + category: + - threat + tags: + - securitythreat-insight + type: + - indicator + security.trusted_origin.activate: + category: + - threat + tags: + - event-hook-eligible + security.trusted_origin.create: + category: + - threat + tags: + - event-hook-eligibletrusted-origins + security.trusted_origin.deactivate: + category: + - threat + tags: + - event-hook-eligible + security.trusted_origin.delete: + category: + - threat + tags: + - event-hook-eligibletrusted-origins + security.trusted_origin.update: + category: + - threat + tags: + - event-hook-eligibletrusted-origins + security.voice.add_country_blacklist: + category: + - threat + security.voice.remove_country_blacklist: + category: + - threat + security.zone.make_blacklist: + category: + - configuration + tags: + - network-zonesecurity + type: + - info + security.zone.remove_blacklist: + category: + - configuration + tags: + - network-zonesecurity + - self-service + - self-service + type: + - deletion + support.org.update: + category: + - configuration + tags: + - support-audit + type: + - change + - info + support.org.view: + category: + - configuration + tags: + - support-audit + type: + - info + system.agent.ad.config_change_detected: + category: + - configuration + tags: + - ad-agentchangeDetails + - changeDetails + type: + - info + system.agent.ad.connect: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.create: + 
category: + - configuration + tags: + - ad-agent + type: + - creation + system.agent.ad.deactivate: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.delete: + category: + - configuration + tags: + - ad-agent + type: + - deletion + system.agent.ad.import_ou: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.import_user: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.invoke_dir: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.reactivate: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.read_config: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.read_dirsync: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.read_ldap: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.read_schema: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.read_topology: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.realtimesync: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.reset_user_password: + category: + - authentication + tags: + - ad-agent + type: + - info + system.agent.ad.start: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.unlock_user_account: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.update: + category: + - configuration + tags: + - ad-agent + type: + - change + system.agent.ad.update_user: + category: + - configuration + tags: + - ad-agent + type: + - change + system.agent.ad.upgrade: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.upload_iwa_log: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.ad.upload_log: + category: + 
- configuration + tags: + - ad-agent + type: + - info + system.agent.ad.write_ldap: + category: + - configuration + tags: + - ad-agent + type: + - info + system.agent.auto_update: + category: + - configuration + tags: + - ad-agentagent-pool + type: + - info + system.agent.connector.connect: + category: + - configuration + tags: + - connector-agent + type: + - info + system.agent.connector.deactivate: + category: + - configuration + tags: + - connector-agent + type: + - info + system.agent.connector.delete: + category: + - configuration + tags: + - connector-agent + type: + - deletion + system.agent.connector.reactivate: + category: + - configuration + tags: + - connector-agent + type: + - info + system.agent.ldap.change_user_password: + category: + - authentication + tags: + - ldap-app + type: + - info + system.agent.ldap.config_change_detected: + category: + - configuration + tags: + - ldap-appchangeDetails + - changeDetails + type: + - info + system.agent.ldap.create_user_JIT: + category: + - configuration + tags: + - ldap-app + type: + - creation + system.agent.ldap.disconnect: + category: + - configuration + tags: + - ldap-app + type: + - info + system.agent.ldap.realtimesync: + category: + - configuration + tags: + - ldap-app + type: + - info + system.agent.ldap.reconnect: + category: + - configuration + tags: + - ldap-app + type: + - info + system.agent.ldap.reset_user_password: + category: + - authentication + tags: + - ldap-app + type: + - info + system.agent.ldap.unlock_user_account: + category: + - configuration + tags: + - ldap-app + type: + - info + system.agent.ldap.update_user: + category: + - configuration + tags: + - ldap-app + type: + - change + system.agent.ldap.update_user_password: + category: + - authentication + tags: + - ldap-app + type: + - info + system.agent.register: + category: + - configuration + type: + - creation + - info + system.agent_pools.auto_update: + category: + - configuration + tags: + - ad-agentagent-pool + type: + - info + 
system.api_token.create: + category: + - authentication + tags: + - event-hook-eligibletoken + type: + - info + system.api_token.enable: + category: + - authentication + type: + - start + system.api_token.request_outside_allowed_range: + category: + - authentication + tags: + - event-hook-eligibletoken + type: + - info + system.api_token.revoke: + category: + - authentication + tags: + - event-hook-eligibletoken + type: + - info + system.api_token.update: + category: + - authentication + type: + - info + system.beta.feature.enable: + category: + - configuration + tags: + - adminself-service-feature-managementsystem + type: + - info + system.brand.create: + category: + - configuration + tags: + - admin + type: + - creation + - info + system.brand.delete: + category: + - configuration + tags: + - admin + type: + - deletion + - info + system.brand.update: + category: + - configuration + tags: + - admin + type: + - change + - info + system.captcha.create: + category: + - configuration + type: + - creation + system.captcha.delete: + category: + - configuration + type: + - deletion + system.captcha.update: + category: + - configuration + type: + - change + system.client.concurrency_rate_limit.notification: + category: + - configuration + tags: + - system + type: + - info + system.client.concurrency_rate_limit.violation: + category: + - configuration + tags: + - system + type: + - info + system.client.rate_limit.notification: + category: + - configuration + tags: + - system + type: + - info + system.client.rate_limit.violation: + category: + - configuration + tags: + - system + type: + - info + system.csv.import_user: + category: + - configuration + tags: + - system + type: + - info + system.custom_error.delete: + category: + - configuration + tags: + - admin + type: + - deletion + system.custom_error.update: + category: + - configuration + tags: + - admin + type: + - change + system.custom_signin.delete: + category: + - authentication + tags: + - admin + type: + - start 
+ system.custom_signin.update: + category: + - authentication + tags: + - admin + type: + - start + system.custom_signout.update: + category: + - authentication + tags: + - admin + type: + - end + system.custom_url_domain.cert_renew: + category: + - configuration + tags: + - system + type: + - info + system.custom_url_domain.cert_upload: + category: + - configuration + type: + - info + system.custom_url_domain.delete: + category: + - configuration + tags: + - admin + type: + - deletion + - info + system.custom_url_domain.initiate: + category: + - configuration + tags: + - admin + type: + - info + system.custom_url_domain.update: + category: + - configuration + tags: + - admin + type: + - change + - info + system.custom_url_domain.verify: + category: + - configuration + tags: + - admin + type: + - info + system.directory.debugger.extend: + category: + - configuration + type: + - info + system.directory.debugger.grant: + category: + - configuration + type: + - info + system.directory.debugger.query_executed: + category: + - configuration + type: + - info + system.directory.debugger.revoke: + category: + - configuration + type: + - deletion + - info + system.dr.failback: + category: + - configuration + type: + - info + system.dr.failover: + category: + - configuration + type: + - info + system.email.account_unlock.sent_message: + category: + - configuration + type: + - info + system.email.bounce.removal: + category: + - configuration + type: + - info + system.email.challenge_factor_redeemed: + category: + - authentication + type: + - info + system.email.delivery: + category: + - configuration + tags: + - email + - event-hook-eligible + type: + - info + system.email.mfa_enroll_notification.sent_message: + category: + - authentication + type: + - info + system.email.mfa_reset_notification.sent_message: + category: + - authentication + type: + - info + system.email.new_device_notification.sent_message: + category: + - configuration + type: + - info + 
system.email.password_reset.sent_message: + category: + - authentication + type: + - info + system.email.send_factor_verify_message: + category: + - authentication + type: + - info + system.email.template.create: + category: + - configuration + type: + - creation + system.email.template.delete: + category: + - configuration + type: + - deletion + system.email.template.settings_changed: + category: + - configuration + type: + - info + system.email.template.update: + category: + - configuration + type: + - change + system.email_domain.create: + category: + - configuration + tags: + - admin + type: + - creation + - info + system.email_domain.delete: + category: + - configuration + tags: + - admin + type: + - deletion + - info + system.email_domain.update: + category: + - configuration + tags: + - admin + type: + - change + - info + system.email_domain.verify: + category: + - configuration + tags: + - admin + type: + - info + system.feature.disable: + category: + - configuration + tags: + - adminself-service-feature-managementsystem + type: + - info + system.feature.ea_auto_enroll: + category: + - configuration + tags: + - adminself-service-feature-managementsystem + type: + - info + system.feature.enable: + category: + - configuration + tags: + - adminself-service-feature-managementsystem + type: + - info + system.hook.key.created: + category: + - configuration + tags: + - hook-key + type: + - creation + - info + system.hook.key.deleted: + category: + - configuration + tags: + - hook-key + type: + - deletion + - info + system.hook.key.updated: + category: + - configuration + tags: + - hook-key + type: + - change + - info + system.identity_sources.bulk_delete: + category: + - configuration + tags: + - identity-sources + type: + - info + system.identity_sources.bulk_group_delete: + category: + - configuration + tags: + - identity-sources + type: + - info + system.identity_sources.bulk_group_membership_delete: + category: + - iam + tags: + - identity-sources + type: + - 
group + system.identity_sources.bulk_group_membership_upsert: + category: + - iam + tags: + - identity-sources + type: + - group + system.identity_sources.bulk_group_upsert: + category: + - configuration + tags: + - identity-sources + type: + - info + system.identity_sources.bulk_upsert: + category: + - configuration + tags: + - identity-sources + type: + - info + system.idp.key.create: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - creation + system.idp.key.delete: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - deletion + system.idp.key.update: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - change + system.idp.lifecycle.activate: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - info + system.idp.lifecycle.create: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - creation + system.idp.lifecycle.deactivate: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - info + system.idp.lifecycle.delete: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - deletion + system.idp.lifecycle.read_client_secret: + category: + - configuration + tags: + - event-hook-eligibleidp + type: + - info + system.idp.lifecycle.update: + category: + - configuration + tags: + - event-hook-eligible + type: + - change + system.import.clear.unconfirmed.users.summary: + category: + - configuration + tags: + - app + type: + - info + system.import.complete: + category: + - configuration + tags: + - event-hook-eligibleimportsystem + type: + - info + system.import.complete_batch: + category: + - configuration + type: + - info + system.import.custom_object.complete: + category: + - configuration + type: + - info + system.import.custom_object.create: + category: + - configuration + type: + - creation + system.import.custom_object.delete: + category: + - configuration + type: + - deletion + 
system.import.custom_object.update: + category: + - configuration + type: + - change + system.import.download.complete: + category: + - configuration + type: + - info + system.import.download.start: + category: + - configuration + type: + - info + system.import.entitlement: + category: + - configuration + type: + - info + system.import.entitlement.mismatch: + category: + - configuration + type: + - info + system.import.group.complete: + category: + - iam + type: + - group + system.import.group.create: + category: + - iam + tags: + - event-hook-eligibleimportsystem + type: + - creation + - group + system.import.group.delete: + category: + - iam + tags: + - event-hook-eligibleimportsystem + type: + - deletion + - group + system.import.group.start: + category: + - iam + type: + - group + system.import.group.update: + category: + - iam + type: + - change + - group + system.import.group_membership.complete: + category: + - iam + type: + - group + system.import.implicit_deletion.complete: + category: + - configuration + type: + - info + system.import.implicit_deletion.start: + category: + - configuration + type: + - info + system.import.import_profile: + category: + - configuration + type: + - info + system.import.import_provisioning_info: + category: + - configuration + type: + - info + system.import.membership_processing.complete: + category: + - iam + type: + - info + system.import.membership_processing.start: + category: + - iam + type: + - info + system.import.object_creation.complete: + category: + - configuration + type: + - info + system.import.object_creation.start: + category: + - configuration + type: + - info + system.import.roadblock: + category: + - configuration + tags: + - event-hook-eligibleimportsystem + type: + - info + system.import.roadblock.reschedule_and_resume: + category: + - configuration + type: + - info + system.import.roadblock.resume: + category: + - configuration + type: + - info + system.import.roadblock.updated: + category: + - 
configuration + type: + - change + system.import.schedule: + category: + - configuration + tags: + - app + type: + - info + system.import.session.cancelled: + category: + - session + type: + - info + system.import.session.created: + category: + - session + type: + - info + system.import.session.expired: + category: + - session + type: + - end + system.import.session.triggered: + category: + - session + type: + - info + system.import.start: + category: + - configuration + tags: + - event-hook-eligibleimportsystem + type: + - info + system.import.user.complete: + category: + - iam + type: + - user + system.import.user.create: + category: + - iam + type: + - creation + - user + system.import.user.delete: + category: + - iam + type: + - deletion + - user + system.import.user.match: + category: + - iam + type: + - user + system.import.user.start: + category: + - iam + type: + - user + system.import.user.suspend: + category: + - iam + type: + - user + system.import.user.unsuspend: + category: + - iam + type: + - user + system.import.user.unsuspend_after_confirm: + category: + - iam + type: + - user + system.import.user.update: + category: + - iam + type: + - change + - user + system.import.user.update_user_lifecycle_from_master: + category: + - iam + type: + - change + - user + system.import.user_csv.complete: + category: + - configuration + tags: + - admincsv-uploaduser-import + type: + - info + system.import.user_csv.start: + category: + - configuration + tags: + - admincsv-uploaduser-import + type: + - info + system.import.user_match.confirm: + category: + - configuration + tags: + - app + type: + - info + system.import.user_match.unignore: + category: + - configuration + tags: + - app + type: + - info + system.import.user_match.update: + category: + - configuration + tags: + - app + type: + - change + system.import.user_matching.complete: + category: + - configuration + type: + - info + system.import.user_matching.start: + category: + - configuration + type: + - info 
+ system.iwa.create: + category: + - configuration + type: + - creation + system.iwa.go_offline: + category: + - configuration + type: + - info + system.iwa.go_online: + category: + - configuration + type: + - info + system.iwa.promote_primary: + category: + - configuration + type: + - info + system.iwa.remove: + category: + - configuration + type: + - deletion + system.iwa.update: + category: + - configuration + type: + - change + system.iwa.use_default: + category: + - configuration + type: + - info + system.iwa_agentless.auth: + category: + - authentication + type: + - info + system.iwa_agentless.auth_after_redirect: + category: + - authentication + type: + - info + system.iwa_agentless.redirect: + category: + - configuration + type: + - info + system.iwa_agentless.update: + category: + - configuration + type: + - change + system.iwa_agentless.user.not_found: + category: + - iam + type: + - info + - user + system.iwa_agentless_kerberos.update: + category: + - configuration + type: + - change + system.ldapi.admin_limit_exceeded: + category: + - configuration + type: + - info + system.ldapi.bind: + category: + - authentication + type: + - info + system.ldapi.search: + category: + - configuration + type: + - info + system.ldapi.unbind: + category: + - authentication + type: + - info + system.log_stream.lifecycle.activate: + category: + - configuration + tags: + - event-hook-eligiblelog-stream + type: + - info + system.log_stream.lifecycle.create: + category: + - configuration + tags: + - event-hook-eligiblelog-stream + type: + - creation + - info + system.log_stream.lifecycle.deactivate: + category: + - configuration + tags: + - event-hook-eligiblelog-stream + type: + - info + system.log_stream.lifecycle.delete: + category: + - configuration + tags: + - event-hook-eligiblelog-stream + type: + - deletion + - info + system.log_stream.lifecycle.update: + category: + - configuration + tags: + - event-hook-eligiblelog-stream + type: + - change + - info + 
system.mfa.factor.activate: + category: + - authentication + type: + - start + system.mfa.factor.deactivate: + category: + - authentication + type: + - end + system.oauth2.token.request_outside_allowed_range: + category: + - authentication + tags: + - event-hook-eligibleoauth2 + type: + - info + system.operation.concurrency_limit.violation: + category: + - configuration + tags: + - system + type: + - info + system.operation.rate_limit.violation: + category: + - configuration + tags: + - system + type: + - info + system.operation.rate_limit.warning: + category: + - configuration + tags: + - system + type: + - info + system.org.captcha.activate: + category: + - configuration + type: + - info + system.org.captcha.deactivate: + category: + - configuration + type: + - info + system.org.lifecycle.create: + category: + - configuration + tags: + - system + type: + - creation + system.org.rate_limit.burst: + category: + - configuration + tags: + - system + type: + - info + system.org.rate_limit.expiration.warning: + category: + - configuration + tags: + - system + type: + - info + system.org.rate_limit.violation: + category: + - configuration + tags: + - event-hook-eligiblesystem + type: + - info + system.org.rate_limit.warning: + category: + - configuration + tags: + - event-hook-eligiblesystem + type: + - info + system.org.task.remove: + category: + - configuration + tags: + - system + type: + - deletion + system.push.send_factor_verify_push: + category: + - authentication + type: + - info + system.rate_limit.configuration.update: + category: + - configuration + tags: + - system + type: + - change + system.self_service.configuration.update: + category: + - configuration + tags: + - self-servicechangeDetails + - changeDetails + type: + - change + system.sms.receive_status: + category: + - configuration + type: + - info + system.sms.send_account_unlock_message: + category: + - configuration + type: + - info + system.sms.send_factor_verify_message: + category: + - 
authentication + type: + - info + system.sms.send_okta_push_verify_message: + category: + - configuration + type: + - info + system.sms.send_password_reset_message: + category: + - authentication + type: + - info + system.sms.send_phone_verification_message: + category: + - authentication + tags: + - event-hook-eligiblesmssystem + type: + - info + system.theme.update: + category: + - configuration + tags: + - admin + type: + - change + system.voice.receive_status: + category: + - configuration + type: + - info + system.voice.send_account_unlock_call: + category: + - configuration + type: + - info + system.voice.send_call: + category: + - configuration + type: + - info + system.voice.send_mfa_challenge_call: + category: + - authentication + type: + - info + system.voice.send_password_reset_call: + category: + - authentication + type: + - info + system.voice.send_phone_verification_call: + category: + - authentication + tags: + - event-hook-eligiblevoice + type: + - info + system.well_known_uri.update: + category: + - configuration + tags: + - adminchangeDetails + - changeDetails + type: + - change + task.lifecycle.activate: + category: + - configuration + type: + - info + task.lifecycle.create: + category: + - configuration + type: + - creation + task.lifecycle.deactivate: + category: + - configuration + type: + - info + task.lifecycle.delete: + category: + - configuration + type: + - deletion + task.lifecycle.update: + category: + - configuration + type: + - change + user.account.expire_password: + category: + - authentication + type: + - end + - info + user.account.lock: + category: + - iam + tags: + - accountevent-hook-eligibleuser + type: + - user + user.account.lock.limit: + category: + - iam + type: + - user + user.account.preference_update: + category: + - iam + type: + - user + user.account.privilege.grant: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - info + - user + user.account.privilege.revoke: + category: + - iam + tags: + - 
event-hook-eligibleuser + type: + - deletion + - user + user.account.report_suspicious_activity_by_enduser: + category: + - iam + tags: + - event-based-trigger-eligibleevent-hook-eligibleuser + type: + - info + - user + user.account.reset_password: + category: + - authentication + tags: + - accountevent-hook-eligibleuser + type: + - info + user.account.unlock: + category: + - iam + tags: + - accountevent-hook-eligibleuser + type: + - user + user.account.unlock_by_admin: + category: + - iam + tags: + - accountevent-hook-eligibleuser + type: + - user + user.account.unlock_failure: + category: + - iam + type: + - user + user.account.unlock_token: + category: + - iam + type: + - user + user.account.update_password: + category: + - authentication + tags: + - accountend-user-visibleevent-hook-eligibleuser + type: + - info + user.account.update_primary_email: + category: + - iam + tags: + - accountend-user-visibleuseruser-config + type: + - change + - user + user.account.update_profile: + category: + - iam + tags: + - accountevent-hook-eligibleuseruser-config + type: + - change + - user + user.account.update_secondary_email: + category: + - iam + tags: + - accountend-user-visibleuseruser-config + type: + - change + - user + user.account.update_user_type: + category: + - iam + tags: + - accountuseruser-config + type: + - change + - user + user.account.use_token: + category: + - iam + type: + - user + user.authentication.auth: + category: + - authentication + tags: + - user + type: + - info + user.authentication.auth_unconfigured_identifier: + category: + - authentication + type: + - info + user.authentication.auth_via_AD_agent: + category: + - authentication + type: + - info + user.authentication.auth_via_IDP: + category: + - authentication + tags: + - event-hook-eligibleuser + type: + - info + user.authentication.auth_via_LDAP_agent: + category: + - authentication + type: + - info + user.authentication.auth_via_inbound_SAML: + category: + - authentication + tags: + - user 
+ type: + - info + user.authentication.auth_via_inbound_delauth: + category: + - authentication + tags: + - user + type: + - info + user.authentication.auth_via_iwa: + category: + - authentication + tags: + - user + type: + - info + user.authentication.auth_via_mfa: + category: + - authentication + tags: + - event-hook-eligiblemfa + type: + - info + user.authentication.auth_via_radius: + category: + - authentication + type: + - info + user.authentication.auth_via_richclient: + category: + - authentication + tags: + - user + type: + - info + user.authentication.auth_via_social: + category: + - authentication + tags: + - event-hook-eligibleuser + type: + - info + user.authentication.authenticate: + category: + - authentication + tags: + - device-trust-authenticationevent-hook-eligibleuser + type: + - info + user.authentication.dsso_via_non_priority_source: + category: + - authentication + type: + - info + user.authentication.slo: + category: + - authentication + tags: + - user + type: + - info + user.authentication.sso: + category: + - authentication + tags: + - event-hook-eligibleuser + type: + - info + user.authentication.universal_logout: + category: + - authentication + tags: + - event-hook-eligiblesessionuser + type: + - end + user.authentication.universal_logout.scheduled: + category: + - authentication + tags: + - event-hook-eligiblesessionuser + type: + - end + user.authentication.verify: + category: + - authentication + tags: + - end-user-visibleuser + type: + - info + user.behavior.profile.reset: + category: + - iam + tags: + - behavior-profile + - event-hook-eligible + type: + - admin + - change + - user + user.credential.enroll: + category: + - authentication + tags: + - device-trust-cert-distribution-and-bindingevent-hook-eligibleuser + type: + - info + user.identity_snapshot.attestation.create: + category: + - iam + type: + - admin + - creation + - user + user.identity_verification: + category: + - authentication + tags: + - 
event-hook-eligiblepolicysessionuser + type: + - info + user.identity_verification.start: + category: + - authentication + tags: + - event-hook-eligiblepolicysessionuser + type: + - start + user.import.password: + category: + - authentication + tags: + - credentialevent-hook-eligibleimportuser + type: + - info + user.lifecycle.activate: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - user + user.lifecycle.create: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - creation + - user + user.lifecycle.deactivate: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - user + user.lifecycle.delete.completed: + category: + - iam + tags: + - user + type: + - deletion + - user + user.lifecycle.delete.initiated: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - deletion + - user + user.lifecycle.jit.error.read_only: + category: + - iam + tags: + - user + type: + - user + user.lifecycle.password_mass_expiry: + category: + - authentication + tags: + - user + type: + - info + user.lifecycle.reactivate: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - user + user.lifecycle.suspend: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - user + user.lifecycle.unsuspend: + category: + - iam + tags: + - event-hook-eligibleuser + type: + - user + user.mfa.attempt_bypass: + category: + - authentication + type: + - info + user.mfa.factor.activate: + category: + - authentication + tags: + - end-user-visibleevent-hook-eligiblemfa + type: + - info + - start + user.mfa.factor.deactivate: + category: + - authentication + tags: + - end-user-visibleevent-hook-eligiblemfa + type: + - end + - info + user.mfa.factor.reset_all: + category: + - authentication + tags: + - event-hook-eligiblemfa + type: + - info + user.mfa.factor.suspend: + category: + - authentication + tags: + - event-hook-eligiblemfaoie-only + type: + - info + user.mfa.factor.unsuspend: + category: + - authentication + tags: + - 
event-hook-eligiblemfaoie-only + type: + - info + user.mfa.factor.update: + category: + - authentication + tags: + - event-hook-eligiblemfa + type: + - info + user.mfa.okta_verify: + category: + - authentication + type: + - info + user.mfa.okta_verify.deny_push: + category: + - authentication + type: + - info + user.mfa.okta_verify.deny_push_upgrade_needed: + category: + - authentication + type: + - info + user.risk.change: + category: + - iam + tags: + - event-hook-eligiblerisksecurity + type: + - change + - user + user.risk.detect: + category: + - iam + tags: + - event-hook-eligiblerisksecurity + type: + - user + user.session.access_admin_app: + category: + - session + type: + - info + user.session.clear: + category: + - session + tags: + - event-hook-eligiblesessionuser + type: + - info + user.session.context.change: + category: + - session + tags: + - event-hook-eligiblesessionuser + type: + - info + user.session.end: + category: + - session + tags: + - event-hook-eligiblesessionuser + type: + - end + user.session.expire: + category: + - session + type: + - end + user.session.impersonation.end: + category: + - session + type: + - end + user.session.impersonation.extend: + category: + - session + type: + - info + user.session.impersonation.grant: + category: + - session + type: + - info + user.session.impersonation.initiate: + category: + - session + type: + - start + user.session.impersonation.revoke: + category: + - session + type: + - info + user.session.start: + category: + - session + tags: + - end-user-visibleevent-hook-eligiblesessionuser + type: + - start + workflows.user.connection.create: + category: + - iam + type: + - creation + - info + - user + workflows.user.connection.delete: + category: + - iam + type: + - deletion + - info + - user + workflows.user.connection.reauthorize: + category: + - authentication + type: + - info + workflows.user.connection.revoke: + category: + - iam + type: + - deletion + - info + - user + 
workflows.user.delegatedflow.run: + category: + - iam + type: + - info + - user + workflows.user.execution_log_stream_connection.activate: + category: + - iam + type: + - user + workflows.user.execution_log_stream_connection.deactivate: + category: + - iam + type: + - user + workflows.user.execution_log_stream_connection.update: + category: + - iam + type: + - change + - user + workflows.user.flow.activate: + category: + - iam + type: + - user + workflows.user.flow.create: + category: + - iam + type: + - creation + - user + workflows.user.flow.deactivate: + category: + - iam + type: + - user + workflows.user.flow.delete: + category: + - iam + type: + - deletion + - user + workflows.user.flow.execution.cancel: + category: + - iam + type: + - deletion + - user + workflows.user.flow.execution_history.activate: + category: + - iam + type: + - user + workflows.user.flow.execution_history.deactivate: + category: + - iam + type: + - user + workflows.user.flow.execution_history.delete: + category: + - iam + type: + - deletion + - user + workflows.user.flow.execution_log_stream.activate: + category: + - iam + type: + - user + workflows.user.flow.execution_log_stream.deactivate: + category: + - iam + type: + - user + workflows.user.flow.export: + category: + - iam + type: + - user + workflows.user.flow.import: + category: + - iam + type: + - user + workflows.user.flow.move: + category: + - iam + type: + - info + - user + workflows.user.flow.save: + category: + - iam + type: + - user + workflows.user.folder.create: + category: + - iam + type: + - creation + - info + - user + workflows.user.folder.delete: + category: + - iam + type: + - deletion + - info + - user + workflows.user.folder.duplicate: + category: + - iam + type: + - user + workflows.user.folder.export: + category: + - iam + type: + - info + - user + workflows.user.folder.import: + category: + - iam + type: + - info + - user + workflows.user.folder.move: + category: + - iam + type: + - info + - user + 
workflows.user.folder.rename: + category: + - iam + type: + - info + - user + workflows.user.role.group.add: + category: + - iam + type: + - creation + - group + - info + - user + workflows.user.role.group.remove: + category: + - iam + type: + - deletion + - group + - info + - user + workflows.user.role.user.add: + category: + - iam + type: + - creation + - info + - user + workflows.user.role.user.remove: + category: + - iam + type: + - deletion + - info + - user + workflows.user.table.create: + category: + - iam + type: + - creation + - info + - user + workflows.user.table.delete: + category: + - iam + type: + - deletion + - info + - user + workflows.user.table.export: + category: + - iam + type: + - info + - user + workflows.user.table.import: + category: + - iam + type: + - info + - user + workflows.user.table.move: + category: + - iam + type: + - info + - user + workflows.user.table.schema.export: + category: + - iam + type: + - info + - user + workflows.user.table.schema.import: + category: + - iam + type: + - info + - user + workflows.user.table.update: + category: + - iam + type: + - change + - info + - user + workflows.user.table.view: + category: + - iam + type: + - info + - user + zone.activate: + category: + - configuration + tags: + - network-zone + type: + - info + zone.create: + category: + - configuration + tags: + - network-zone + type: + - creation + zone.deactivate: + category: + - configuration + tags: + - network-zone + type: + - info + zone.delete: + category: + - configuration + tags: + - network-zone + type: + - deletion + zone.make_blacklist: + category: + - configuration + tags: + - network-zone + type: + - info + zone.remove_blacklist: + category: + - configuration + tags: + - network-zone + type: + - deletion + zone.update: + category: + - configuration + tags: + - network-zone + type: + - change + source: |- + def addUnique(List dst, List src) { + src = src ?: []; + if (src.length == 0) { + return dst ?: []; + } + HashSet s = new 
HashSet(dst ?: []); + s.addAll(src); + return new ArrayList(s); + } + def p = params[ctx.okta.event_type]; + ctx.event.type = addUnique(ctx.event.type, p.type); + ctx.event.category = addUnique(ctx.event.category, p.category); + ctx.tags = addUnique(ctx.tags, p.tags); +on_failure: + - set: + tag: set_event_pipeline + field: event.pipeline + value: pipeline_error + - append: + tag: append_event_message + field: event.message + value: Processor '{{{ _ingest.on_failure_processor_type }}}' {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - append: + tag: append_tags + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/okta/data_stream/system/sample_event.json b/packages/okta/data_stream/system/sample_event.json index 3b46136b424..cb166200469 100644 --- a/packages/okta/data_stream/system/sample_event.json +++ b/packages/okta/data_stream/system/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-02-14T20:18:57.718Z", "agent": { - "ephemeral_id": "f0fa8393-26a1-453e-96fe-212743206a30", - "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085", - "name": "elastic-agent-91674", + "ephemeral_id": "17826ab1-c754-40b9-a2b1-1bbcb077f77d", + "id": "06c1e269-fbb9-440d-afe3-93a103f05588", + "name": "elastic-agent-69614", "type": "filebeat", - "version": "8.18.1" + "version": "8.18.0" }, "client": { "geo": { 
@@ -27,28 +27,28 @@ }, "data_stream": { "dataset": "okta.system", - "namespace": "58099", + "namespace": "15921", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085", + "id": "06c1e269-fbb9-440d-afe3-93a103f05588", "snapshot": false, - "version": "8.18.1" + "version": "8.18.0" }, "event": { "action": "user.session.start", "agent_id_status": "verified", "category": [ - "authentication", - "session" + "session", + "authentication" ], - "created": "2025-06-04T15:16:49.436Z", + "created": "2025-11-03T10:28:50.791Z", "dataset": "okta.system", "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2025-06-04T15:16:50Z", + "ingested": "2025-11-03T10:28:51Z", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", @@ -148,9 +148,10 @@ } }, "tags": [ + "okta-system", "preserve_original_event", "forwarded", - "okta-system" + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md index 63b0daaa3e3..c050efa4599 100644 --- a/packages/okta/docs/README.md +++ b/packages/okta/docs/README.md @@ -58,11 +58,11 @@ An example event for `system` looks as following: { "@timestamp": "2020-02-14T20:18:57.718Z", "agent": { - "ephemeral_id": "f0fa8393-26a1-453e-96fe-212743206a30", - "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085", - "name": "elastic-agent-91674", + "ephemeral_id": "17826ab1-c754-40b9-a2b1-1bbcb077f77d", + "id": "06c1e269-fbb9-440d-afe3-93a103f05588", + "name": "elastic-agent-69614", "type": "filebeat", - "version": "8.18.1" + "version": "8.18.0" }, "client": { "geo": { 
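Review bot: The flipped order of `event.category` in this hunk (`session` now before `authentication`) is a side effect of `addUnique` in the pipeline script, not a mapping decision. That function merges through a `HashSet` and returns `new ArrayList(s)`, so the order of `event.category`, `event.type` and `tags` follows hash iteration order rather than insertion order. Every expected fixture then depends on an implementation detail and can reshuffle whenever a value is added to the map. Building the set with `new LinkedHashSet(dst ?: [])` would keep the values already on the event first and append the new ones. The script sits in a hunk that starts outside this view.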
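Review bot: The added tag `end-user-visibleevent-hook-eligiblesessionuser` reads as four separate Okta tags fused without a separator. The same pattern runs through the pipeline's params map (`admincsv-uploaduser-import`, `event-hook-eligiblesessionuser`, `accountevent-hook-eligibleuser`), while `user.behavior.profile.reset` lists `behavior-profile` and `event-hook-eligible` as separate entries. As written, a query or detection rule filtering on `tags: session` or `tags: event-hook-eligible` will not match these events. Presumably the map was generated from a source that rendered tags side by side with no delimiter; each entry should be split, so that this array ends with `"end-user-visible", "event-hook-eligible", "session", "user"`. The README copy of this sample carries the same value.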
@@ -84,28 +84,28 @@ An example event for `system` looks as following: }, "data_stream": { "dataset": "okta.system", - "namespace": "58099", + "namespace": "15921", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "da1b4fd1-cf45-42bc-8036-09da5b16e085", + "id": "06c1e269-fbb9-440d-afe3-93a103f05588", "snapshot": false, - "version": "8.18.1" + "version": "8.18.0" }, "event": { "action": "user.session.start", "agent_id_status": "verified", "category": [ - "authentication", - "session" + "session", + "authentication" ], - "created": "2025-06-04T15:16:49.436Z", + "created": "2025-11-03T10:28:50.791Z", "dataset": "okta.system", "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2025-06-04T15:16:50Z", + "ingested": "2025-11-03T10:28:51Z", "kind": "event", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", @@ -205,9 +205,10 @@ An example event for `system` looks as following: } }, "tags": [ + "okta-system", "preserve_original_event", "forwarded", - "okta-system" + "end-user-visibleevent-hook-eligiblesessionuser" ], "user": { "email": "xxxxxx@elastic.co", diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml index 62144745750..b095e53d0c5 100644 --- a/packages/okta/manifest.yml +++ b/packages/okta/manifest.yml @@ -1,6 +1,6 @@ name: okta title: Okta -version: "3.11.0" +version: "3.12.0" description: Collect and parse event logs from Okta API with Elastic Agent. type: integration format_version: "3.2.3"