Skip to content

[Okta] Add event categories and types #15860

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[Okta] Add event categories and types #15860

wants to merge 3 commits into from
+6,967 −148

Conversation

@moxarth-rathod
Copy link
Contributor

@moxarth-rathod moxarth-rathod commented Nov 4, 2025
edited
Loading

Proposed commit message

okta: add missing event categories

[git-generate]
MAPPINGS=https://gist.github.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4#file-okta_event_categories_with_ecs-json
SCRIPT=https://gist.github.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4#file-main-go
curl -o okta_event_categories_with_ecs.json $MAPPINGS
curl -o main.go $SCRIPT
go run main.go > /packages/okta/data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml
rm -i main.go okta_event_categories_with_ecs.json go.mod go.sum

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/okta directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

@moxarth-rathod moxarth-rathod self-assigned this Nov 4, 2025
@moxarth-rathod moxarth-rathod added the enhancement New feature or request label Nov 4, 2025
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner November 4, 2025 10:46
@moxarth-rathod moxarth-rathod added Integration:okta Okta Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Nov 4, 2025
@elasticmachine
Copy link

elasticmachine commented Nov 4, 2025

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Nov 4, 2025
ShourieG
ShourieG reviewed Nov 5, 2025
View reviewed changes
@ShourieG
Copy link
Contributor

ShourieG commented Nov 6, 2025
edited
Loading

@moxarth-rathod, looks good, majority of the pipeline was autogenerated so looks fine, please fix the PR no. and i'll approve.

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Nov 7, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

elasticmachine commented Nov 7, 2025

💚 Build Succeeded

History

cc @moxarth-rathod

@moxarth-rathod
Copy link
Contributor Author

moxarth-rathod commented Nov 7, 2025

@terrancedejesus @ShourieG @efd6 fyi, I had to adjust some of the suggested mappings because certain event categories contained invalid event types. For example, the access.request.cancel event category was set to iam with event types access and deletion, but iam only allows the following event types: admin, change, creation, deletion, group, info, and user. Therefore, I removed access to align with the allowed values.

@efd6
Copy link
Contributor

efd6 commented Nov 7, 2025
edited
Loading

Can you confirm that you have used the generator shown in #15235 (comment) with the definitions in #15235 (comment)?

@moxarth-rathod
Copy link
Contributor Author

moxarth-rathod commented Nov 7, 2025

Can you confirm that you have used the generator shown in #15235 (comment) with the definitions in #15235 (comment)?

Yes, but I made a few changes during testing, including adding null handling. Also, some event types were invalid for their respective categories, so I've updated those definitions accordingly.

andrewkroh
andrewkroh reviewed Nov 7, 2025
View reviewed changes
packages/okta/data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml
@@ -0,0 +1,6527 @@
---
description: |-
Code generated by dispear; DO NOT EDIT.
Copy link
Member

@andrewkroh andrewkroh Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please share the exact code used to produce this in a gist for me to replicate and validate .

Copy link
Contributor

@efd6 efd6 Nov 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My preferred approach would be to have something like (until we can commit this kind of data) (exact text depends on how the definition data is ingested by the generator and will require some additions to handle dep modules):

informative commit message title

[git-generate]
MAPPINGS=<link to git or other stable location for the JSON definitions>
curl -o okta_event_categories_with_ecs.json $MAPPINGS
cat >main.go <<END
package main
…
END
go run main.go > packages/okta/…
rm -i main.go okta_event_categories_with_ecs.json

Copy link
Contributor Author

@moxarth-rathod moxarth-rathod Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andrewkroh i've prepared a gist for the script to generate a pipeline. I'll also update the commit message with gist and proper steps to run it.

Copy link
Member

@andrewkroh andrewkroh Nov 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. And how is the Okta JSON file created? It looks like it is a conversion of the CSV given at the link below to JSON, and then some categories were assigned?

It would be good to be able to easily identify when our pipeline is no longer in sync with the Okta event types (i.e. there are new event types that need to be added and manually categorized). So it might be better if the inputs to the Go script were the raw CSV from okta.com plus a table of event types to ECS categories. And the script fails when there are uncategorized event types.

For an example, we already need to update that Okta JSON content because there are new events types in the 2025.10 okta release.

https://developer.okta.com/docs/reference/api/event-types/
https://developer.okta.com/docs/okta-event-types.csv

@terrancedejesus
Copy link
Contributor

terrancedejesus commented Nov 10, 2025
edited
Loading

@terrancedejesus @ShourieG @efd6 fyi, I had to adjust some of the suggested mappings because certain event categories contained invalid event types. For example, the access.request.cancel event category was set to iam with event types access and deletion, but iam only allows the following event types: admin, change, creation, deletion, group, info, and user. Therefore, I removed access to align with the allowed values.

Thank you for doing so and sharing why. I reviewed the docs briefly this morning. I am surprised iam does not allow at least allowed and denied event types? For example:

  • OAuth request for token (IAM) - access was allowed to this resource
  • SAML request for access (IAM) - access was denied to this resource

Especially when we consider IAM covering behavior such as token issuance. Are these boundaries set within the elasticsearch codebase or at an integration level? Understandably it is out-of-scope for this PR but I can carry the conversation forward to the appropriate team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh left review comments

@ShourieG ShourieG Awaiting requested review from ShourieG

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

@efd6 efd6 Awaiting requested review from efd6

At least 1 approving review is required to merge this pull request.

Assignees

@moxarth-rathod moxarth-rathod

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:okta Okta Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Okta] Add Missing Event Categories

6 participants

@moxarth-rathod @elasticmachine @ShourieG @efd6 @terrancedejesus @andrewkroh