diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 86b3e3078f28..8794a9aed260 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -203,6 +203,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] - Allow user configuration of timezone offset in Cisco ASA and FTD modules. {pull}34436[34436] - Allow user configuration of timezone offset in Checkpoint module. {pull}34472[34472] - Add support for Okta debug attributes, `risk_reasons`, `risk_behaviors` and `factor`. {issue}33677[33677] {pull}34508[34508] +- Fill okta.request.ip_chain.* as a flattened object in Okta module. {pull}34621[34621] *Auditbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 4722bdc440ca..4472b0738540 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -112445,93 +112445,13 @@ Fields that let you store information about the request, in the form of list of -[float] -=== ip_chain - -List of ip_chain objects. - - - -*`okta.request.ip_chain.ip`*:: -+ --- -IP address. - - -type: ip - --- - -*`okta.request.ip_chain.version`*:: -+ --- -IP version. Must be one of V4, V6. - - -type: keyword - --- - -*`okta.request.ip_chain.source`*:: -+ --- -Source information. - - -type: keyword - --- - -[float] -=== geographical_context - -Geographical information. - - - -*`okta.request.ip_chain.geographical_context.city`*:: -+ --- -The city. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.state`*:: +*`okta.request.ip_chain`*:: + -- -The state. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.postal_code`*:: -+ --- -The postal code. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.country`*:: -+ --- -The country. - -type: keyword - --- - -*`okta.request.ip_chain.geographical_context.geolocation`*:: -+ --- -Geolocation information. +List of ip_chain objects. -type: geo_point +type: flattened -- 
diff --git a/x-pack/filebeat/module/okta/fields.go b/x-pack/filebeat/module/okta/fields.go index 6d531541d93d..43d7af8bdd80 100644 --- a/x-pack/filebeat/module/okta/fields.go +++ b/x-pack/filebeat/module/okta/fields.go @@ -19,5 +19,5 @@ func init() { // AssetOkta returns asset data. // This is the base64 encoded zlib format compressed contents of module/okta. func AssetOkta() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/okta/system/_meta/fields.yml b/x-pack/filebeat/module/okta/system/_meta/fields.yml index 19ab19d9aec8..1d57552e5e77 100644 --- a/x-pack/filebeat/module/okta/system/_meta/fields.yml +++ b/x-pack/filebeat/module/okta/system/_meta/fields.yml @@ -414,7 +414,7 @@ - name: ip_chain description: > List of ip_chain objects. - type: group + type: flattened fields: - name: ip diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml index 33b03597af1d..4dae3bc59c32 100644 --- a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml +++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml 
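Review bot: Switching `ip_chain` to `type: flattened` changes how its leaves are indexed, yet the hunk leaves the nested `fields:` list (`- name: ip` and the rest) in place even though a flattened mapping indexes every leaf as a keyword; the regenerated fields.asciidoc in this commit drops the `okta.request.ip_chain.ip` (`ip`) and `geolocation` (`geo_point`) entries for exactly that reason. Detection content that does CIDR or range matches on the chain addresses, or geo queries on the chain geolocation, is likely to stop matching silently rather than error. I would either remove the now-unused nested `fields:` or state the trade-off in the description, e.g. `description: > List of ip_chain objects. Indexed as a flattened object, so leaf values are keywords (no ip or geo_point typing).` The fields.go hunk on this line is generated output and needs no review.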
@@ -485,6 +485,29 @@ processors:
 target_field: okta.security_context.isp
 ignore_missing: true
 ignore_failure: true
+ - rename:
+ field: json.request.ipChain
+ target_field: okta.request.ip_chain
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: okta.request.ip_chain
+ processor:
+ rename:
+ field: _ingest._value.geographicalContext
+ target_field: _ingest._value.geographical_context
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ - foreach:
+ field: okta.request.ip_chain
+ processor:
+ rename:
+ field: _ingest._value.geographical_context.postalCode
+ target_field: _ingest._value.geographical_context.postal_code
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
 - convert:
 field: okta.client.user_agent.raw_user_agent
 target_field: user_agent.original
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
index a2d873f061bc..c497dc359281 100644
--- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
+++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
@@ -51,6 +51,22 @@
 "okta.display_message": "User logout from Okta",
 "okta.event_type": "user.session.end",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Dublin",
+ "country": "United States",
+ "geolocation": {
+ "lat": 37.7201,
+ "lon": -121.919
+ },
+ "postal_code": "94568",
+ "state": "California"
+ },
+ "ip": "67.43.156.12",
+ "version": "V4"
+ }
+ ],
 "okta.transaction.id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
 "okta.transaction.type": "WEB",
 "okta.uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd",
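Review bot: The two `foreach` processors added after the `okta.security_context.isp` rename set `ignore_missing: true` but not `ignore_failure`, so if `json.request.ipChain` arrives as a single object rather than a list the foreach itself fails (the inner rename's `ignore_failure` only covers the rename) and the document is handed to the pipeline's failure handling instead of being indexed with its other fields. Adding `ignore_failure: true` to each foreach, or guarding both with `if: ctx.okta?.request?.ip_chain instanceof List`, keeps a malformed chain from costing an otherwise valid authentication event. Whether an `on_failure` handler exists for this pipeline is outside the hunk.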
@@ -138,6 +154,22 @@
 "okta.display_message": "User login to Okta",
 "okta.event_type": "user.session.start",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Dublin",
+ "country": "United States",
+ "geolocation": {
+ "lat": 37.7201,
+ "lon": -121.919
+ },
+ "postal_code": "94568",
+ "state": "California"
+ },
+ "ip": "67.43.156.12",
+ "version": "V4"
+ }
+ ],
 "okta.transaction.id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
 "okta.transaction.type": "WEB",
 "okta.uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
@@ -223,6 +255,22 @@
 "okta.event_type": "policy.evaluate_sign_on",
 "okta.outcome.reason": "Sign-on policy evaluation resulted in ALLOW",
 "okta.outcome.result": "ALLOW",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Dublin",
+ "country": "United States",
+ "geolocation": {
+ "lat": 37.7201,
+ "lon": -121.919
+ },
+ "postal_code": "94568",
+ "state": "California"
+ },
+ "ip": "67.43.156.12",
+ "version": "V4"
+ }
+ ],
 "okta.target": [
 {
 "alternate_id": "unknown",
@@ -346,6 +394,22 @@
 "okta.event_type": "policy.evaluate_sign_on",
 "okta.outcome.reason": "Sign-on policy evaluation resulted in ALLOW",
 "okta.outcome.result": "ALLOW",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Dublin",
+ "country": "United States",
+ "geolocation": {
+ "lat": 37.7201,
+ "lon": -121.919
+ },
+ "postal_code": "94568",
+ "state": "California"
+ },
+ "ip": "67.43.156.12",
+ "version": "V4"
+ }
+ ],
 "okta.target": [
 {
 "alternate_id": "unknown",
@@ -459,6 +523,22 @@
 "okta.display_message": "User report suspicious activity",
 "okta.event_type": "user.account.report_suspicious_activity_by_enduser",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Dublin",
+ "country": "United States",
+ "geolocation": {
+ "lat": 37.7201,
+ "lon": -121.919
+ },
+ "postal_code": "94568",
+ "state": "California"
+ },
+ "ip": "67.43.156.12",
+ "version": "V4"
+ }
+ ],
 "okta.security_context.as.number": 7018,
 "okta.security_context.as.organization.name": "AT&T Services, Inc.",
 "okta.security_context.domain": "att.com",
@@ -576,6 +656,22 @@
 "okta.display_message": "User login to Okta",
 "okta.event_type": "user.session.start",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Ashburn",
+ "country": "United States",
+ "geolocation": {
+ "lat": 39.1469,
+ "lon": -77.5903
+ },
+ "postal_code": "20149",
+ "state": "Virginia"
+ },
+ "ip": "81.2.69.144",
+ "version": "V4"
+ }
+ ],
 "okta.security_context.as.number": 14618,
 "okta.security_context.as.organization.name": "amazon data services nova",
 "okta.security_context.domain": "amazonaws.com",
@@ -670,6 +766,22 @@
 "okta.display_message": "Verify user identity",
 "okta.event_type": "user.authentication.verify",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Purcellville",
+ "country": "United States",
+ "geolocation": {
+ "lat": 39.64,
+ "lon": -77.8346
+ },
+ "postal_code": "20132",
+ "state": "Virginia"
+ },
+ "ip": "67.43.156.14",
+ "version": "V4"
+ }
+ ],
 "okta.security_context.as.number": 7922,
 "okta.security_context.as.organization.name": "comcast",
 "okta.security_context.domain": "comcast.net",
@@ -776,6 +888,22 @@
 "okta.display_message": "Verify user identity",
 "okta.event_type": "user.authentication.verify",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "City",
+ "country": "Country",
+ "geolocation": {
+ "lat": 0,
+ "lon": 0
+ },
+ "postal_code": "00000",
+ "state": "State"
+ },
+ "ip": "81.2.69.144",
+ "version": "V4"
+ }
+ ],
 "okta.security_context.as.number": 1828,
 "okta.security_context.as.organization.name": "org",
 "okta.security_context.domain": "domain.com",
@@ -873,6 +1001,22 @@
 "okta.display_message": "Authentication of user via MFA",
 "okta.event_type": "user.authentication.auth_via_mfa",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Lucerne",
+ "country": "Switzerland",
+ "geolocation": {
+ "lat": 47.0511,
+ "lon": 8.3056
+ },
+ "postal_code": "6007",
+ "state": "Lucerne"
+ },
+ "ip": "127.0.0.1",
+ "version": "V4"
+ }
+ ],
 "okta.security_context.as.number": 3303,
 "okta.security_context.as.organization.name": "bluewin is an lir and isp in switzerland.",
 "okta.security_context.domain": "swisscom.ch",
@@ -981,6 +1125,22 @@
 "okta.display_message": "Authentication of user via MFA",
 "okta.event_type": "user.authentication.auth_via_mfa",
 "okta.outcome.result": "SUCCESS",
+ "okta.request.ip_chain": [
+ {
+ "geographical_context": {
+ "city": "Bredstedt",
+ "country": "Germany",
+ "geolocation": {
+ "lat": 54.6208,
+ "lon": 8.9631
+ },
+ "postal_code": "25821",
+ "state": "Schleswig-Holstein"
+ },
+ "ip": "127.0.0.1",
+ "version": "V4"
+ }
+ ],
 "okta.security_context.as.number": 62336,
 "okta.security_context.as.organization.name": "customer access",
 "okta.security_context.domain": "german-local.net",