Okta fields

edit

Module for handling system logs from Okta.

okta

edit

Fields from Okta.

okta.uuid

The unique identifier of the Okta LogEvent.

type: keyword

okta.event_type

The type of the LogEvent.

type: keyword

okta.version

The version of the LogEvent.

type: keyword

okta.severity

The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.

type: keyword

okta.display_message

The display message of the LogEvent.

type: keyword

actor

edit

Fields that let you store information of the actor for the LogEvent.

okta.actor.id

Identifier of the actor.

type: keyword

okta.actor.type

Type of the actor.

type: keyword

okta.actor.alternate_id

Alternate identifier of the actor.

type: keyword

okta.actor.display_name

Display name of the actor.

type: keyword

client

edit

Fields that let you store information about the client of the actor.

okta.client.ip

The IP address of the client.

type: ip

user_agent

edit

Fields about the user agent information of the client.

okta.client.user_agent.raw_user_agent

The raw informaton of the user agent.

type: keyword

okta.client.user_agent.os

The OS informaton.

type: keyword

okta.client.user_agent.browser

The browser informaton of the client.

type: keyword

okta.client.zone

The zone information of the client.

type: keyword

okta.client.device

The information of the client device.

type: keyword

okta.client.id

The identifier of the client.

type: keyword

outcome

edit

Fields that let you store information about the outcome.

okta.outcome.reason

The reason of the outcome.

type: keyword

okta.outcome.result

The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.

type: keyword

okta.target

The list of targets.

type: flattened

transaction

edit

Fields that let you store information about related transaction.

okta.transaction.id

Identifier of the transaction.

type: keyword

okta.transaction.type

The type of transaction. Must be one of "WEB", "JOB".

type: keyword

debug_context

edit

Fields that let you store information about the debug context.

debug_data

edit

The debug data.

okta.debug_context.debug_data.device_fingerprint

The fingerprint of the device.

type: keyword

okta.debug_context.debug_data.request_id

The identifier of the request.

type: keyword

okta.debug_context.debug_data.request_uri

The request URI.

type: keyword

okta.debug_context.debug_data.threat_suspected

Threat suspected.

type: keyword

okta.debug_context.debug_data.url

The URL.

type: keyword

suspicious_activity

edit

The suspicious activity fields from the debug data.

okta.debug_context.debug_data.suspicious_activity.browser

The browser used.

type: keyword

okta.debug_context.debug_data.suspicious_activity.event_city

The city where the suspicious activity took place.

type: keyword

okta.debug_context.debug_data.suspicious_activity.event_country

The country where the suspicious activity took place.

type: keyword

okta.debug_context.debug_data.suspicious_activity.event_id

The event ID.

type: keyword

okta.debug_context.debug_data.suspicious_activity.event_ip

The IP of the suspicious event.

type: ip

okta.debug_context.debug_data.suspicious_activity.event_latitude

The latitude where the suspicious activity took place.

type: float

okta.debug_context.debug_data.suspicious_activity.event_longitude

The longitude where the suspicious activity took place.

type: float

okta.debug_context.debug_data.suspicious_activity.event_state

The state where the suspicious activity took place.

type: keyword

okta.debug_context.debug_data.suspicious_activity.event_transaction_id

The event transaction ID.

type: keyword

okta.debug_context.debug_data.suspicious_activity.event_type

The event type.

type: keyword

okta.debug_context.debug_data.suspicious_activity.os

The OS of the system from where the suspicious activity occured.

type: keyword

okta.debug_context.debug_data.suspicious_activity.timestamp

The timestamp of when the activity occurred.

type: date

authentication_context

edit

Fields that let you store information about authentication context.

okta.authentication_context.authentication_provider

The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.

type: keyword

okta.authentication_context.authentication_step

The authentication step.

type: integer

okta.authentication_context.credential_provider

The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.

type: keyword

okta.authentication_context.credential_type

The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.

type: keyword

okta.authentication_context.issuer

The information about the issuer.

type: array

okta.authentication_context.external_session_id

The session identifer of the external session if any.

type: keyword

okta.authentication_context.interface

The interface used. e.g., Outlook, Office365, wsTrust

type: keyword

security_context

edit

Fields that let you store information about security context.

The autonomous system.

okta.security_context.as.number

The AS number.

type: integer

organization

edit

The organization that owns the AS number.

okta.security_context.as.organization.name

The organization name.

type: keyword

okta.security_context.isp

The Internet Service Provider.

type: keyword

okta.security_context.domain

The domain name.

type: keyword

okta.security_context.is_proxy

Whether it is a proxy or not.

type: boolean

request

edit

Fields that let you store information about the request, in the form of list of ip_chain.

ip_chain

edit

List of ip_chain objects.

okta.request.ip_chain.ip

IP address.

type: ip

okta.request.ip_chain.version

IP version. Must be one of V4, V6.

type: keyword

okta.request.ip_chain.source

Source information.

type: keyword

geographical_context

edit

Geographical information.

okta.request.ip_chain.geographical_context.city

The city.

type: keyword

okta.request.ip_chain.geographical_context.state

The state.

type: keyword

okta.request.ip_chain.geographical_context.postal_code

The postal code.

type: keyword

okta.request.ip_chain.geographical_context.country

The country.

type: keyword

okta.request.ip_chain.geographical_context.geolocation

Geolocation information.

type: geo_point