Okta Integration

edit

Okta Integration

edit

Version

3.2.0 (View all)

Compatible Kibana version(s)

8.15.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Elastic

The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API.

Logs

edit
System
edit

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta.

Types Of Authentication

edit
API Key
edit

In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

Oauth2
edit

In this type of authentication, we require the following information:

  1. Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
  2. Your Okta service app Client ID.
  3. Your Okta service app JWK Private Key
  4. The Okta scope that is required for OAuth2. [ By default this is set to okta.logs.read which should suffice for most use cases ]

Steps to acquire Okta Oauth2 credentials:

  1. Acquire an Okta dev or user account with privileges to mint tokens with the okta.* scopes.
  2. Log into your Okta account, navigate to Applications on the left-hand side, click on the Create App Integration button and create an API Services application.
  3. Click on the created app, note down the Client ID and select the option for Public key/Private key.
  4. Generate your own Private/Public key pair in the JWK format (PEM is not supported at the moment) and save it in a credentials JSON file or copy it to use directly in the config.
Okta Integration Network (OIN)
edit

The Okta Integration Network provides a simple integration authentication based on OAuth2, but using an API key. In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

  1. Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
  2. Your Okta service app Client ID.
  3. Your Okta service app Client Secret.

Steps to configure Okta OIN authenticaton:

  1. Log into your Okta account, navigate to Applications on the left-hand side, click on the Browse App Catalog button and search for "Elastic".
  2. Click on the Elastic app card and then click Add Integration, and then Install & Authorize.
  3. Copy the Client Secret.
  4. Navigate to the Fleet integration configuration page for the integration.
  5. Set the "Okta System Log API URL" field from the value of the Okta app with the URL path "/api/v1/logs" added as shown in the UI documentation
  6. Set the "Okta Domain URL" field from the value of the Okta app
  7. Set the "Client ID" field with the Client ID provided by the Okta app
  8. Set the "API Key" field to the Client Secret provided by the Okta app
  9. Set the "Use OIN Authentication" toggle to true

NOTE: Tokens with okta.* Scopes are generally minted from the Okta Org Auth server and not the default/custom authorization server. The standard Okta Org Auth server endpoint to mint tokens is https://<your_okta_org>.okta.com/oauth2/v1/token

Example

An example event for system looks as following:

{
    "@timestamp": "2020-02-14T20:18:57.718Z",
    "agent": {
        "ephemeral_id": "6ac1caae-4aba-4b61-8408-14b46e15b668",
        "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "client": {
        "geo": {
            "city_name": "Dublin",
            "country_name": "United States",
            "location": {
                "lat": 37.7201,
                "lon": -121.919
            },
            "region_name": "California"
        },
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx"
        }
    },
    "data_stream": {
        "dataset": "okta.system",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "user.session.start",
        "agent_id_status": "verified",
        "category": [
            "authentication",
            "session"
        ],
        "created": "2024-05-17T05:51:14.737Z",
        "dataset": "okta.system",
        "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
        "ingested": "2024-05-17T05:51:24Z",
        "kind": "event",
        "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}",
        "outcome": "success",
        "type": [
            "start",
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "okta": {
        "actor": {
            "alternate_id": "xxxxxx@elastic.co",
            "display_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "type": "User"
        },
        "authentication_context": {
            "authentication_step": 0,
            "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ"
        },
        "client": {
            "device": "Computer",
            "ip": "108.255.197.247",
            "user_agent": {
                "browser": "FIREFOX",
                "os": "Mac OS X",
                "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
            },
            "zone": "null"
        },
        "debug_context": {
            "debug_data": {
                "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                "flattened": {
                    "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                    "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                    "requestUri": "/api/v1/authn",
                    "threatSuspected": "false",
                    "url": "/api/v1/authn?"
                },
                "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                "request_uri": "/api/v1/authn",
                "threat_suspected": "false",
                "url": "/api/v1/authn?"
            }
        },
        "display_message": "User login to Okta",
        "event_type": "user.session.start",
        "outcome": {
            "result": "SUCCESS"
        },
        "request": {
            "ip_chain": [
                {
                    "geographical_context": {
                        "city": "Dublin",
                        "country": "United States",
                        "geolocation": {
                            "lat": 37.7201,
                            "lon": -121.919
                        },
                        "postal_code": "94568",
                        "state": "California"
                    },
                    "ip": "108.255.197.247",
                    "version": "V4"
                }
            ]
        },
        "transaction": {
            "id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
            "type": "WEB"
        },
        "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546"
    },
    "related": {
        "ip": [
            "108.255.197.247"
        ],
        "user": [
            "xxxxxx"
        ]
    },
    "source": {
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "okta-system"
    ],
    "user": {
        "full_name": "xxxxxx",
        "name": "xxxxxx"
    },
    "user_agent": {
        "device": {
            "name": "Mac"
        },
        "name": "Firefox",
        "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
        "os": {
            "full": "Mac OS X 10.15",
            "name": "Mac OS X",
            "version": "10.15"
        },
        "version": "72.0."
    }
}
Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

cloud.image.id

Image ID for the cloud instance.

keyword

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

event.dataset

Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.

constant_keyword

event.module

Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.

constant_keyword

host.containerized

If the host is a container.

boolean

host.os.build

OS build information.

keyword

host.os.codename

OS codename, if any.

keyword

input.type

Type of Filebeat input.

keyword

log.flags

Flags for the log file.

keyword

log.offset

Offset of the entry in the log file.

long

okta.actor.alternate_id

Alternate identifier of the actor.

keyword

okta.actor.display_name

Display name of the actor.

keyword

okta.actor.id

Identifier of the actor.

keyword

okta.actor.type

Type of the actor.

keyword

okta.authentication_context.authentication_provider

The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.

keyword

okta.authentication_context.authentication_step

The authentication step.

integer

okta.authentication_context.credential_provider

The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.

keyword

okta.authentication_context.credential_type

The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.

keyword

okta.authentication_context.external_session_id

The session identifer of the external session if any.

keyword

okta.authentication_context.interface

The interface used. e.g., Outlook, Office365, wsTrust

keyword

okta.authentication_context.issuer.id

The identifier of the issuer.

keyword

okta.authentication_context.issuer.type

The type of the issuer.

keyword

okta.client.device

The information of the client device.

keyword

okta.client.id

The identifier of the client.

keyword

okta.client.ip

The IP address of the client.

ip

okta.client.user_agent.browser

The browser informaton of the client.

keyword

okta.client.user_agent.os

The OS informaton.

keyword

okta.client.user_agent.raw_user_agent

The raw informaton of the user agent.

keyword

okta.client.zone

The zone information of the client.

keyword

okta.debug_context.debug_data

object

okta.debug_context.debug_data.authnRequestId

The authorization request ID.

keyword

okta.debug_context.debug_data.behaviors

keyword

okta.debug_context.debug_data.behaviors.New_City

keyword

okta.debug_context.debug_data.behaviors.New_Country

keyword

okta.debug_context.debug_data.behaviors.New_Device

keyword

okta.debug_context.debug_data.behaviors.New_Geo_Location

keyword

okta.debug_context.debug_data.behaviors.New_IP

keyword

okta.debug_context.debug_data.behaviors.New_State

keyword

okta.debug_context.debug_data.behaviors.Velocity

keyword

okta.debug_context.debug_data.behaviors.Velocity_Behavior

keyword

okta.debug_context.debug_data.client_secret

keyword

okta.debug_context.debug_data.device_fingerprint

The fingerprint of the device.

keyword

okta.debug_context.debug_data.dt_hash

The device token hash

keyword

okta.debug_context.debug_data.factor

The factor used for authentication.

keyword

okta.debug_context.debug_data.flattened

The complete debug_data object.

flattened

okta.debug_context.debug_data.grant_type

keyword

okta.debug_context.debug_data.granted_scopes

keyword

okta.debug_context.debug_data.logOnlySecurityData

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_City

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Country

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Device

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Geo_Location

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_IP

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_State

keyword

okta.debug_context.debug_data.logOnlySecurityData.behaviors.Velocity

keyword

okta.debug_context.debug_data.logOnlySecurityData.risk

keyword

okta.debug_context.debug_data.logOnlySecurityData.risk.level

keyword

okta.debug_context.debug_data.logOnlySecurityData.risk.reasons

keyword

okta.debug_context.debug_data.originalPrincipal

keyword

okta.debug_context.debug_data.originalPrincipal.alternateId

keyword

okta.debug_context.debug_data.originalPrincipal.displayName

keyword

okta.debug_context.debug_data.originalPrincipal.id

keyword

okta.debug_context.debug_data.originalPrincipal.type

keyword

okta.debug_context.debug_data.promptingPolicyTypes

keyword

okta.debug_context.debug_data.request_id

The identifier of the request.

keyword

okta.debug_context.debug_data.request_uri

The request URI.

keyword

okta.debug_context.debug_data.requested_scopes

keyword

okta.debug_context.debug_data.risk

keyword

okta.debug_context.debug_data.risk.level

keyword

okta.debug_context.debug_data.risk.reasons

keyword

okta.debug_context.debug_data.risk_behaviors

The set of behaviors that contribute to a risk assessment.

keyword

okta.debug_context.debug_data.risk_level

The risk level assigned to the sign in attempt.

keyword

okta.debug_context.debug_data.risk_object

keyword

okta.debug_context.debug_data.risk_reasons

The reasons for the risk.

keyword

okta.debug_context.debug_data.threat_suspected

Threat suspected.

keyword

okta.debug_context.debug_data.tunnels

object

okta.debug_context.debug_data.url

The URL.

keyword

okta.device.device_integrator

flattened

okta.device.disk_encryption_type

The value of the device profile’s disk encryption type. One of "NONE", "FULL", "USER", "ALL_INTERNAL_VOLUMES" or "SYSTEM_VOLUME".

keyword

okta.device.id

Identifier of the device.

keyword

okta.device.managed

Whether the device is managed.

boolean

okta.device.name

The name of the device.

keyword

okta.device.os_platform

The OS of the device.

keyword

okta.device.os_version

The device’s OS version.

keyword

okta.device.registered

Whether the device is registered.

boolean

okta.device.screen_lock_type

The mechanism for locking the device’s screen. One of "NONE", "PASSCODE" or "BIOMETRIC".

keyword

okta.device.secure_hardware_present

Whether there is secure hardware present on the device. This is a checks for chip presence: trusted platform module (TPM) or secure enclave. It does not mark whether there are tokens on the secure hardware.

boolean

okta.display_message

The display message of the LogEvent.

keyword

okta.event_type

The type of the LogEvent.

keyword

okta.outcome.reason

The reason of the outcome.

keyword

okta.outcome.result

The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.

keyword

okta.request.ip_chain

flattened

okta.security_context.as.number

The AS number.

integer

okta.security_context.as.organization.name

The organization name.

keyword

okta.security_context.domain

The domain name.

keyword

okta.security_context.is_proxy

Whether it is a proxy or not.

boolean

okta.security_context.isp

The Internet Service Provider.

keyword

okta.severity

The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.

keyword

okta.target.alternate_id

The alternate ID of the target.

keyword

okta.target.changeDetails.from.*

object

okta.target.changeDetails.to.*

object

okta.target.detailEntry.*

object

okta.target.display_name

The display name of the target.

keyword

okta.target.id

The ID of the target.

keyword

okta.target.type

The type of target.

keyword

okta.transaction.detail.request_api_token_id

ID of the API token used in a request.

keyword

okta.transaction.id

Identifier of the transaction.

keyword

okta.transaction.type

The type of transaction. Must be one of "WEB", "JOB".

keyword

okta.uuid

The unique identifier of the Okta LogEvent.

keyword

okta.version

The version of the LogEvent.

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

3.2.0

Enhancement (View pull request)
Parse JSON string in okta.debug_context.debug_data.tunnels.

8.15.0 or higher

3.1.0

Enhancement (View pull request)
Add support for deleting request trace files.

8.15.0 or higher

3.0.0

Enhancement (View pull request)
Make okta.target use dynamic objects instead of flattened.

8.15.0 or higher

2.13.0

Enhancement (View pull request)
Include grantedScopes, grantType, clientSecret and requestedScopes fields from debug data.

8.15.0 or higher

2.12.2

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.15.0 or higher

2.12.1

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.15.0 or higher

2.12.0

Enhancement (View pull request)
Allow user configuration of debug_data flattened use.

8.15.0 or higher

2.11.0

Enhancement (View pull request)
Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.10.0

Enhancement (View pull request)
Support OIN service application authentication.

8.13.0 or higher

2.9.0

Enhancement (View pull request)
Allow private key to be supplied as a PEM block.

8.13.0 or higher

2.8.0

Enhancement (View pull request)
Set sensitive values as secret.

8.12.0 or higher

2.7.1

Enhancement (View pull request)
Changed owners

8.10.1 or higher

2.7.0

Enhancement (View pull request)
Add okta.transaction.detail.request_api_token_id field.

8.10.1 or higher

2.6.0

Enhancement (View pull request)
Limit request tracer log count to five.

8.10.1 or higher

2.5.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

8.10.1 or higher

2.4.0

Enhancement (View pull request)
Improve event.original check to avoid errors if set.

8.10.1 or higher

2.3.1-next

Bug fix (View pull request)
Fix mapping of group fields

2.3.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.10.1 or higher

2.2.0

Enhancement (View pull request)
Update the package format_version to 3.0.0.

8.10.1 or higher

2.1.0

Enhancement (View pull request)
Update package to ECS 8.10.0, align ECS categorization fields, and updated stack version to ^8.10.1 per security fix.

8.10.1 or higher

2.0.0

Enhancement (View pull request)
Added Okta Oauth2 support, refactored the UI accordingly & updated stack version to ^8.10.0.

8.10.0 or higher

1.28.0

Enhancement (View pull request)
Retain okta.debug_context.debug_data.dt_hash field.

8.7.1 or higher

1.27.0

Enhancement (View pull request)
Update package-spec 2.9.0.

8.7.1 or higher

1.26.0

Enhancement (View pull request)
Update package to ECS 8.9.0.

8.7.1 or higher

1.25.0

Enhancement (View pull request)
Document duration units.

8.7.1 or higher

1.24.0

Enhancement (View pull request)
Convert visualizations to lens.

8.7.1 or higher

1.23.0

Enhancement (View pull request)
Document valid duration units.

8.7.1 or higher

1.22.1

Bug fix (View pull request)
Fix a concurrent modification exception that occurred while modifying okta.target[].detailEntry.

8.7.1 or higher

1.22.0

Enhancement (View pull request)
Update package to ECS 8.8.0.

8.7.1 or higher

1.21.0

Enhancement (View pull request)
Add support for okta.device field group.

Enhancement (View pull request)
Retain okta.target.detailEntry.methodTypeUsed and okta.target.detailEntry.methodUsedVerifiedProperties.

8.7.1 or higher

1.20.0

Enhancement (View pull request)
Add a new flag to enable request tracing

8.7.1 or higher

1.19.1

Enhancement (View pull request)
Remove redundant rename processors.

8.6.0 or higher

1.19.0

Enhancement (View pull request)
Retain target information.

8.6.0 or higher

1.18.0

Enhancement (View pull request)
Update package to ECS 8.7.0.

8.6.0 or higher

1.17.0

Enhancement (View pull request)
Extract username from email

8.6.0 or higher

1.16.1

Enhancement (View pull request)
Added categories and/or subcategories.

8.6.0 or higher

1.16.0

Enhancement (View pull request)
Allow configuration of HTTP keep-alive to allow for connection reuse.

8.6.0 or higher

1.15.1

Bug fix (View pull request)
Fix documentation typo.

8.1.0 or higher

1.15.0

Enhancement (View pull request)
Make debug_data risk factors and behaviors visible to search.

8.1.0 or higher

1.14.0

Enhancement (View pull request)
Update package to ECS 8.6.0.

8.1.0 or higher

1.13.0

Enhancement (View pull request)
Make debug_data risk reasons visible to search.

8.1.0 or higher

1.12.1

Bug fix (View pull request)
Make extra efforts to extract risk information from debug_data.

8.1.0 or higher

1.12.0

Enhancement (View pull request)
Handle already set event.original more robustly.

8.1.0 or higher

1.11.2

Enhancement (View pull request)
Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load

8.1.0 or higher

1.11.1

Bug fix (View pull request)
Remove duplicate fields.

7.14.0 or higher
8.0.0 or higher

1.11.0

Enhancement (View pull request)
Update package to ECS 8.5.0.

7.14.0 or higher
8.0.0 or higher

1.10.3

Bug fix (View pull request)
Mark url config option as a required field

7.14.0 or higher
8.0.0 or higher

1.10.2

Enhancement (View pull request)
Use ECS geo.location definition.

7.14.0 or higher
8.0.0 or higher

1.10.1

Bug fix (View pull request)
Mark api_key config option as a required field

7.14.0 or higher
8.0.0 or higher

1.10.0

Enhancement (View pull request)
Update package to ECS 8.4.0

7.14.0 or higher
8.0.0 or higher

1.9.2

Bug fix (View pull request)
Fix proxy URL documentation rendering.

7.14.0 or higher
8.0.0 or higher

1.9.1

Enhancement (View pull request)
Update package name and description to align with standard wording

7.14.0 or higher
8.0.0 or higher

1.9.0

Enhancement (View pull request)
Update package to ECS 8.3.0.

7.14.0 or higher
8.0.0 or higher

1.8.0

Enhancement (View pull request)
Add okta.debug_context.debug_data.risk_level field

Enhancement (View pull request)
Add flattened okta.debug_context.debug_data.flattened.log_only_security_data.* fields

Bug fix (View pull request)
Fix mapping type for client.as.number

7.14.0 or higher
8.0.0 or higher

1.7.0

Enhancement (View pull request)
Add flattened okta.request.ip_chain.* fields

7.14.0 or higher
8.0.0 or higher

1.6.0

Enhancement (View pull request)
Update to ECS 8.2

7.14.0 or higher
8.0.0 or higher

1.5.2

Bug fix (View pull request)
Handle invalid values in client.ipAddress

7.14.0 or higher
8.0.0 or higher

1.5.1

Enhancement (View pull request)
Add documentation for multi-fields

7.14.0 or higher
8.0.0 or higher

1.5.0

Enhancement (View pull request)
Increase the limit for the number of results in an API response.

7.14.0 or higher
8.0.0 or higher

1.4.1

Enhancement (View pull request)
Add missing field mapping for event.created.

1.4.0

Enhancement (View pull request)
Update to ECS 8.0

7.14.0 or higher
8.0.0 or higher

1.3.2

Bug fix (View pull request)
Regenerate test files using the new GeoIP database

7.14.0 or higher
8.0.0 or higher

1.3.1

Bug fix (View pull request)
Change test public IPs to the supported subset

1.3.0

Enhancement (View pull request)
Add 8.0.0 version constraint

7.14.0 or higher
8.0.0 or higher

1.2.3

Enhancement (View pull request)
Uniform with guidelines

7.14.0 or higher

1.2.2

Enhancement (View pull request)
Update Title and Description.

1.2.1

Bug fix (View pull request)
Fix logic that checks for the forwarded tag

1.2.0

Enhancement (View pull request)
Update to ECS 1.12.0

7.14.0 or higher

1.1.3

Enhancement (View pull request)
Add proxy config

1.1.2

Enhancement (View pull request)
Convert to generated ECS fields

1.1.1

Enhancement (View pull request)
update to ECS 1.11.0

1.1.0

Enhancement (View pull request)
Update integration description

7.14.0 or higher

1.0.1

Bug fix (View pull request)
add missing initial_interval option to the manifest

1.0.0

Enhancement (View pull request)
make GA

Enhancement (View pull request)
Set "event.module" and "event.dataset"

7.14.0 or higher

0.6.0

Enhancement (View pull request)
Update to ECS 1.10.0 and add event.original options

0.5.2

Enhancement (View pull request)
Add httpjson system tests and remove log input.

0.5.1

Enhancement (View pull request)
Make event.original optional

0.5.0

Enhancement (View pull request)
change okta.target to flattened type

0.4.2

Bug fix (View pull request)
add fail_on_template_error on pagination

0.4.1

Enhancement (View pull request)
update to ECS 1.9.0

0.4.0

Enhancement (View pull request)
Moves edge processing to ingest pipeline

0.3.1

Bug fix (View pull request)
Change kibana.version constraint to be more conservative.

0.1.0

Enhancement (View pull request)
initial release