From da30bc6fbb6ac158a81182247666c711b08e27d4 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Fri, 30 Aug 2024 07:28:07 +0930 Subject: [PATCH] okta: allow user configuration of debug_data flattened use (#9868) --- packages/okta/changelog.yml | 5 + .../test-okta-system-no-flattened-events.log | 24 + ...-system-no-flattened-events.log-config.yml | 6 + ...stem-no-flattened-events.log-expected.json | 3645 ++++++++++++++++ .../test-okta-system-yes-flattened-events.log | 24 + ...system-yes-flattened-events.log-config.yml | 6 + ...tem-yes-flattened-events.log-expected.json | 3788 +++++++++++++++++ .../test-api-key-no-flattened-config.yml | 14 + .../_dev/test/system/test-oauth2-config.yml | 1 + .../system/agent/stream/httpjson.yml.hbs | 4 + .../elasticsearch/ingest_pipeline/default.yml | 149 +- .../no_use_flattened_debug.yml | 181 + .../ingest_pipeline/use_flattened_debug.yml | 153 + .../okta/data_stream/system/fields/agent.yml | 7 - .../data_stream/system/fields/base-fields.yml | 16 +- .../okta/data_stream/system/fields/fields.yml | 175 +- packages/okta/data_stream/system/manifest.yml | 8 + .../okta/data_stream/system/sample_event.json | 16 +- packages/okta/docs/README.md | 60 +- packages/okta/manifest.yml | 6 +- packages/okta/validation.yml | 1 + 21 files changed, 8047 insertions(+), 242 deletions(-) create mode 100644 packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log create mode 100644 packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-config.yml create mode 100644 packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json create mode 100644 packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log create mode 100644 packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-config.yml create mode 100644 packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json create mode 100644 
packages/okta/data_stream/system/_dev/test/system/test-api-key-no-flattened-config.yml
 create mode 100644 packages/okta/data_stream/system/elasticsearch/ingest_pipeline/no_use_flattened_debug.yml
 create mode 100644 packages/okta/data_stream/system/elasticsearch/ingest_pipeline/use_flattened_debug.yml
diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index 7fc0e0c447a..e113d1143a7 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.12.0"
+ changes:
+ - description: Allow user configuration of debug_data flattened use.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9868
 - version: "2.11.0"
 changes:
 - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log
new file mode 100644
index 00000000000..6dbd47a1088
--- /dev/null
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log
@@ -0,0 +1,24 @@ +{"actor":{"alternateId":"username@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"someusername@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"test@test.com","detailEntry":null,"displayName":"test@test.com","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"xxxxxx","interface":null,"issuer":null},"client":{"device":"Unknown","geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"UNKNOWN","os":"Unknown","rawUserAgent":"blah"},"zone":"null"},"debugContext":{"debugData":{"logOnlySecurityData":"{\"risk\":{\"reasons\":\"Anomalous Location, Anomalous Device\",\"level\":\"HIGH\"},\"behaviors\":{\"New Geo-Location\":\"POSITIVE\",\"New Device\":\"BAD_REQUEST\",\"New IP\":\"POSITIVE\",\"New State\":\"POSITIVE\",\"New Country\":\"POSITIVE\",\"Velocity\":\"NEGATIVE\",\"New City\":\"POSITIVE\"}}","originalPrincipal":{"alternateId":"test@test.com","detailEntry":null,"displayName":"Test","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:25:18.716Z","request":{"ipChain":[{"geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":14618,"asOrg":"amazon data services nova","domain":"amazonaws.com","isProxy":false,"isp":"amazon.com 
inc."},"severity":"INFO","target":null,"transaction":{"detail":{"requestApiTokenId":"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo="},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"}
+{"actor":{"alternateId":"test1@test.com","detailEntry":null,"displayName":"None","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Purcellville","country":"United States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"id":null,"ipAddress":"67.43.156.14","userAgent":{"browser":"SAFARI","os":"Mac OS X (iPhone)","rawUserAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false"}},"device":null,"displayMessage":"Verify user identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:27:08.708Z","request":{"ipChain":[{"geographicalContext":{"city":"Purcellville","country":"United 
States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"ip":"67.43.156.14","source":null,"version":"V4"}]},"securityContext":{"asNumber":7922,"asOrg":"comcast","domain":"comcast.net","isProxy":false,"isp":"comcast"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"}
+{"actor":{"alternateId":"Snipped_User@domain.com","detailEntry":null,"displayName":"Last_name, First_Name","id":"user_id","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102qmxOh1EdTHqn1_86CB9fzA","interface":null,"issuer":null},"client":{"device":"unknown","geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"unknown","os":"unknown","rawUserAgent":"unknown"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","behaviors":"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}","dtHash":"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa","requestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","requestUri":"/api/v1/authn","risk":"{reasons=Anomalous Device, Anomalous Location, level=HIGH}","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"Verify user 
identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-12-12T22:03:08.791Z","request":{"ipChain":[{"geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":1828,"asOrg":"org","domain":"domain.com","isProxy":false,"isp":"isp"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"Y5elHFMngoYoVKvakwnp2wAAAKo","type":"WEB"},"uuid":"c32ae8ec-7a68-11ed-b8a7-9134a086ef85","version":"0"}
+{"actor":{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":null,"externalSessionId":"uuid","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"UNKNOWN","os":"Unknown mobile","rawUserAgent":"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"uuid","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","factor":"OKTA_VERIFY_PUSH","requestId":"uuid","requestUri":"/api/v1/authn/factors/id/transactions/id/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/id/transactions/id/verify?"}},"device":null,"displayMessage":"Authentication of user via 
MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:56:36.909Z","request":{"ipChain":[{"geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":3303,"asOrg":"bluewin is an lir and isp in switzerland.","domain":"swisscom.ch","isProxy":false,"isp":"swisscom (schweiz) ag"},"severity":"INFO","target":[{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"uuid","type":"WEB"},"uuid":"uuid","version":"0"}
+{"actor":{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"id","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"FIREFOX","os":"Linux","rawUserAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"id","behaviors":"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New 
City=POSITIVE}","deviceFingerprint":"id","dtHash":"hash","factor":"FIDO_WEBAUTHN","promptingPolicyTypes":"[OKTA_SIGN_ON]","requestId":"id","requestUri":"/api/v1/authn/factors/webauthn/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/webauthn/verify?rememberDevice=false"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:58:37.110Z","request":{"ipChain":[{"geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":62336,"asOrg":"customer access","domain":"german-local.net","isProxy":false,"isp":"purtel.com gmbh"},"severity":"INFO","target":[{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"id","type":"WEB"},"uuid":"uuid","version":"0"} +{"actor":{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"id","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"FIREFOX","os":"Linux","rawUserAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"id","behaviors":"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New 
Country=NEGATIVE, New City=POSITIVE}","deviceFingerprint":"id","dtHash":"hash","factor":"FIDO_WEBAUTHN","promptingPolicyTypes":"[OKTA_SIGN_ON]","requestId":"id","requestUri":"/api/v1/authn/factors/webauthn/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/webauthn/verify?rememberDevice=false"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:58:37.110Z","request":{"ipChain":[{"geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":62336,"asOrg":"customer access","domain":"german-local.net","isProxy":false,"isp":"purtel.com gmbh"},"severity":"INFO","target":[{"alternateId":"target_user@blah.co","detailEntry":null,"displayName":"Test Target User","id":"00udfsat7","type":"User"},{"alternateId":"unknown","detailEntry":null,"displayName":"software-users","id":"00gofdasfdsat7","type":"UserGroup"}],"transaction":{"detail":{},"id":"id","type":"WEB"},"uuid":"uuid","version":"0"} +{"actor":{"alternateId":"actor.user@test.com","detailEntry":null,"displayName":"Test Actor User","id":"randomidhere","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"602deqxi8mycjkwk3sth4ci6cxxtr9rr","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"San Francisco","country":"United States","geolocation":{"lat":37.7642,"lon":-122.3993},"postalCode":"94107","state":"California"},"id":null,"ipAddress":"192.168.7.19","userAgent":{"browser":"CHROME","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/112.0.0.0 Safari/537.36"},"zone":"null"},"debugContext":{"debugData":{"dtHash":"veqflnui3t7ql7k6v0nptw9lipilzybr","requestId":"3bsdgs8tyatf74aufwsvkt7lv1i9x0o9","requestUri":"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser","url":"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?"}},"device":null,"displayMessage":"Add user to group membership","eventType":"group.user_membership.add","legacyEventType":"core.user_group_member.user_add","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-04-26T16:25:06.297Z","request":{"ipChain":[{"geographicalContext":{"city":"San Francisco","country":"United States","geolocation":{"lat":37.7642,"lon":-122.3993},"postalCode":"94107","state":"California"},"ip":"192.168.7.19","source":null,"version":"V4"}]},"securityContext":{"asNumber":6461,"asOrg":"elasticsearch inc","domain":"thisisadomain.com","isProxy":false,"isp":"bandwidth"},"severity":"INFO","target":[{"alternateId":"target.user@test.com","detailEntry":null,"displayName":"Target User Test Name","id":"7cexsxmg5m671po4lmyb29a0knaqpaqg","type":"User"},{"alternateId":"unknown","detailEntry":null,"displayName":"Sales","id":"h23gdxfk7jc8kf5fb923xc1lt5ojey93","type":"UserGroup"}],"transaction":{"detail":{},"id":"448ahm88tkkxo0npwiu28ws20oj38nya","type":"WEB"},"uuid":"B96ED4D1-D013-4A13-AEFE-A67FA32C5747","version":"0"} +{"actor":{"alternateId":"system@okta.com","detailEntry":null,"displayName":"Okta System","id":"spr294puarJOdUsWD1t7","type":"SystemPrincipal"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"4ivdy6m56cqo8s6w57o6cvq5fbb409wr","interface":null,"issuer":null},"client":{"device":null,"geographicalContext":null,"id":null,"ipAddress":null,"userAgent":null,"zone":null},"debugContext":{"debugData":{}},"device":null,"displayMessage":"Successfully imported new member to an app 
group","eventType":"app.user_management","legacyEventType":"app.user_management.app_group_member_import.insert_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-04-27T00:56:17.750Z","request":{"ipChain":[]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"domain.user@test.com","detailEntry":null,"displayName":"domain.user@test.com","id":"ew1qskfvt7mvqipcx6hxt3j95pqi01p8","type":"AppUser"},{"alternateId":"group_email@test.com","detailEntry":null,"displayName":"Payable","id":"l2l6h6p946io0fwyd3jw7jzgy8sq6a61","type":"AppGroup"},{"alternateId":"domain.user@test.com","detailEntry":null,"displayName":"Domain User","id":"9uuw5t9im68f03w5b9a3x72i18gugbqn","type":"User"},{"alternateId":"G Suite","detailEntry":null,"displayName":"Google Workspace","id":"1a45g3hf19hvzgggw2ybn7e5q7xh0v4a","type":"AppInstance"}],"transaction":{"detail":{},"id":"37r7dugr7fswsjdzv4r97layultdf19r","type":"JOB"},"uuid":"23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7","version":"0"} +{"actor":{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"00uk123456abct7","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"idxabcdefg123zA","interface":null,"issuer":null},"client":{},"debugContext":{},"device":{"device_integrator":null,"disk_encryption_type":"ALL_INTERNAL_VOLUMES","id":"abcdefghijklmnop","jailbreak":null,"managed":false,"name":"MacBookPro14,2","os_platform":"OSX","os_version":"12.6.6","registered":true,"screen_lock_type":"PASSCODE","secure_hardware_present":true},"displayMessage":"User single sign on to app","eventType":"user.authentication.sso","legacyEventType":"app.auth.sso","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-05-23T19:39:49.513Z","request":{"ipChain":[{"geographicalContext":{"city":"Lawn Park","country":"United 
States","geolocation":{"lat":47.8907,"lon":-87.7908},"postalCode":"999999","state":"California"},"ip":"192.168.1.10","source":null,"version":"V4"}]},"securityContext":{"asNumber":7018,"asOrg":"at&t corp.","domain":"sbcglobal.net","isProxy":false,"isp":"att services inc"},"severity":"INFO","target":[{"alternateId":"Wiki","detailEntry":{"signOnModeType":"SAML_2_0"},"displayName":"An App Server","id":"0o123456abcdef1t7","type":"AppInstance"},{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"0ustyhdhurhjtdrhh1t7","type":"AppUser"}],"transaction":{"detail":{},"id":"ZGmw","type":"WEB"},"uuid":"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C","version":"0"} +{"actor":{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"00uk123456abct7","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"idxabcdefg123zA","interface":null,"issuer":null},"client":{},"debugContext":{},"device":{"device_integrator":"{\"WSC\":{},\"CROWDSTRIKE\":{}}","disk_encryption_type":"ALL_INTERNAL_VOLUMES","id":"V9YPwc5tnhWcaLs3","jailbreak":null,"managed":false,"name":"MacBookPro18,2","os_platform":"OSX","os_version":"13.3.1","registered":true,"screen_lock_type":"BIOMETRIC","secure_hardware_present":true},"displayMessage":"User single sign on to app","eventType":"user.authentication.sso","legacyEventType":"app.auth.sso","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-05-23T19:39:49.513Z","request":{"ipChain":[{"geographicalContext":{"city":"Lawn Park","country":"United States","geolocation":{"lat":47.8907,"lon":-87.7908},"postalCode":"999999","state":"California"},"ip":"192.168.1.10","source":null,"version":"V4"}]},"securityContext":{"asNumber":7018,"asOrg":"at&t corp.","domain":"sbcglobal.net","isProxy":false,"isp":"att services 
inc"},"severity":"INFO","target":[{"alternateId":"Wiki","detailEntry":{"signOnModeType":"SAML_2_0"},"displayName":"An App Server","id":"0o123456abcdef1t7","type":"AppInstance"},{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"0ustyhdhurhjtdrhh1t7","type":"AppUser"}],"transaction":{"detail":{},"id":"ZGmw","type":"WEB"},"uuid":"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C","version":"0"} +{"actor":{"alternateId":"test.user@domain.com","detailEntry":null,"displayName":"Test User","id":"00ua123456abcat7","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":null,"externalSessionId":"idx123456asdsajA","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Palezieux","country":"Switzerland","geolocation":{"lat":46.5379,"lon":6.8409},"postalCode":"1607","state":"Vaud"},"id":null,"ipAddress":"192.168.1.10","userAgent":{"browser":"UNKNOWN","os":"Mac OS X","rawUserAgent":"B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123"},"zone":"null"},"debugContext":{"debugData":{"dtHash":"abc123456abc","factor":"SIGNED_NONCE","requestId":"123456abcdefghij","requestUri":"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify","url":"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-05-22T12:11:48.092Z","request":{"ipChain":[{"geographicalContext":{"city":"Palezieux","country":"Switzerland","geolocation":{"lat":46.5379,"lon":6.8409},"postalCode":"1607","state":"Vaud"},"ip":"192.168.1.10","source":null,"version":"V4"}]},"securityContext":{"asNumber":39544,"asOrg":"vo energies catv customers - 
region of oron/vd","domain":"voenergies.net","isProxy":false,"isp":"vo energies multimedia sa"},"severity":"INFO","target":[{"alternateId":"test.user@domain.com","detailEntry":null,"displayName":"Test User","id":"00ua123456abcat7","type":"User"},{"alternateId":"unknown","detailEntry":{"methodTypeUsed":"Use Okta FastPass","methodUsedVerifiedProperties":"[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]"},"displayName":"Okta Verify","id":"00ua123456abcat7","type":"AuthenticatorEnrollment"}],"transaction":{"detail":{},"id":"00ua123456abcat7","type":"WEB"},"uuid":"150A5E5C-C236-426A-A0D1-B79F1E391A6B","version":"0"} +{"actor":{"alternateId":"john.doe@elastic.co","detailEntry":null,"displayName":"John Doe","id":"00aabbccddeeffaaaaaa","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"abcdefghijklM-NopQrsTUvWx","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bay Shore","country":"United States","geolocation":{"lat":40.7051,"lon":-73.243},"postalCode":"11706","state":"New York"},"id":null,"ipAddress":"192.168.1.10","userAgent":{"browser":"UNKNOWN","os":"Mac OS X","rawUserAgent":"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XXXXXXXXXXXXXXXXXX","requestUri":"/idp/authenticators","url":"/idp/authenticators?"}},"device":null,"displayMessage":"Add device to user","eventType":"device.user.add","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-06-07T15:49:45.109Z","request":{"ipChain":[{"geographicalContext":{"city":"Bay Shore","country":"United States","geolocation":{"lat":40.7051,"lon":-73.243},"postalCode":"11706","state":"New 
York"},"ip":"175.16.199.18","source":null,"version":"V4"}]},"securityContext":{"asNumber":701,"asOrg":"verizon","domain":"verizon.net","isProxy":false,"isp":"verizon"},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"deviceStatus":"CREATED","managed":"false","oktaDeviceId":"xxxxxxxxxxxxxxxxx","osPlatform":"MACOS","osVersion":"13.4.0","serialNumber":"XXXXXXXX","tpmPresent":"false","uuid":"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB"},"displayName":"John's MacBook Pro","id":"fakefakefakefake","type":"UDDevice"}],"transaction":{"detail":{"requestApiTokenId":"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww"},"id":"ABCDEFCGALKDJDLK","type":"WEB"},"uuid":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","version":"0"} diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-config.yml b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-config.yml new file mode 100644 index 00000000000..8e6e5ee8ea5 --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-config.yml @@ -0,0 +1,6 @@ +fields: + "@timestamp": "2020-04-28T11:07:58.223Z" + tags: + - preserve_original_event + _conf: + remove_flattened_debug: true diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json new file mode 100644 index 00000000000..8eb787f40c1 --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json 
@@ -0,0 +1,3645 @@ +{ + "expected": [ + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"username@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "username@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": 
"175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx", + "username" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "username" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "username" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "someusername" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"someusername@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "someusername@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx", + "someusername" + ] + }, + "source": { + 
"geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "someusername" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "someusername" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + 
"device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": 
"Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS 
X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": 
"xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2022-05-11T09:25:18.716Z", + "client": { + "as": { + "organization": { + "name": "amazon data services nova" + } + }, + "domain": "amazonaws.com", + "geo": { + "city_name": "Ashburn", + "country_name": "United States", + "location": { + "lat": 39.1469, + "lon": -77.5903 + }, + "region_name": "Virginia" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"test@test.com\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"xxxxxx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Unknown\",\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown\",\"rawUserAgent\":\"blah\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"logOnlySecurityData\":\"{\\\"risk\\\":{\\\"reasons\\\":\\\"Anomalous Location, Anomalous Device\\\",\\\"level\\\":\\\"HIGH\\\"},\\\"behaviors\\\":{\\\"New Geo-Location\\\":\\\"POSITIVE\\\",\\\"New Device\\\":\\\"BAD_REQUEST\\\",\\\"New IP\\\":\\\"POSITIVE\\\",\\\"New State\\\":\\\"POSITIVE\\\",\\\"New Country\\\":\\\"POSITIVE\\\",\\\"Velocity\\\":\\\"NEGATIVE\\\",\\\"New 
City\\\":\\\"POSITIVE\\\"}}\",\"originalPrincipal\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"Test\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:25:18.716Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":14618,\"asOrg\":\"amazon data services nova\",\"domain\":\"amazonaws.com\",\"isProxy\":false,\"isp\":\"amazon.com inc.\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{\"requestApiTokenId\":\"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo=\"},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "test@test.com", + "display_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "xxxxxx" + }, + "client": { + "device": "Unknown", + "ip": "81.2.69.144", + "user_agent": { + "browser": "UNKNOWN", + "os": "Unknown", + "raw_user_agent": "blah" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "logOnlySecurityData": { + "behaviors": { + "New_City": "POSITIVE", + "New_Country": "POSITIVE", + "New_Device": "BAD_REQUEST", + "New_Geo_Location": "POSITIVE", + "New_IP": "POSITIVE", + "New_State": 
"POSITIVE", + "Velocity": "NEGATIVE" + }, + "risk": { + "level": "HIGH", + "reasons": "Anomalous Location, Anomalous Device" + } + }, + "originalPrincipal": { + "alternateId": "test@test.com", + "displayName": "Test", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/api/v1/authn", + "risk_level": "HIGH", + "risk_reasons": [ + "Anomalous Location", + "Anomalous Device" + ], + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Ashburn", + "country": "United States", + "geolocation": { + "lat": 39.1469, + "lon": -77.5903 + }, + "postal_code": "20149", + "state": "Virginia" + }, + "ip": "81.2.69.144", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 14618, + "organization": { + "name": "amazon data services nova" + } + }, + "domain": "amazonaws.com", + "is_proxy": false, + "isp": "amazon.com inc." 
+ }, + "transaction": { + "detail": { + "request_api_token_id": "MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo=" + }, + "id": "00u1abvz4pYqdM8ms4x6", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "test@test.com", + "test" + ] + }, + "source": { + "domain": "amazonaws.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "test@test.com", + "name": "test" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "blah" + } + }, + { + "@timestamp": "2022-05-11T09:27:08.708Z", + "client": { + "as": { + "organization": { + "name": "comcast" + } + }, + "domain": "comcast.net", + "geo": { + "city_name": "Purcellville", + "country_name": "United States", + "location": { + "lat": 39.64, + "lon": -77.8346 + }, + "region_name": "Virginia" + }, + "ip": "67.43.156.14", + "user": { + "full_name": "None", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test1" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.verify", + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": 
"{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "test1@test.com", + "display_name": "None", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Mobile", + "ip": "67.43.156.14", + "user_agent": { + "browser": "SAFARI", + "os": "Mac OS X (iPhone)", + "raw_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "behaviors": { + "New_City": "NEGATIVE", + "New_Country": "NEGATIVE", + "New_Device": "NEGATIVE", + "New_Geo_Location": "NEGATIVE", + "New_IP": "NEGATIVE", + "New_State": "NEGATIVE" + }, + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify", + "risk": { + "level": "LOW" + }, + "risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false&rememberDevice=false" + } + }, + "display_message": "Verify user identity", + "event_type": "user.authentication.verify", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Purcellville", + "country": "United States", + "geolocation": { + "lat": 39.64, + 
"lon": -77.8346 + }, + "postal_code": "20132", + "state": "Virginia" + }, + "ip": "67.43.156.14", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 7922, + "organization": { + "name": "comcast" + } + }, + "domain": "comcast.net", + "is_proxy": false, + "isp": "comcast" + }, + "transaction": { + "id": "00u1abvz4pYqdM8ms4x6", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "67.43.156.14" + ], + "user": [ + "None", + "test1" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "domain": "comcast.net", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "user": { + "full_name": "None", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test1" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "None", + "name": "test1" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari", + "os": { + "full": "iOS 15.4.1", + "name": "iOS", + "version": "15.4.1" + } + } + }, + { + "@timestamp": "2022-12-12T22:03:08.791Z", + "client": { + "as": { + "organization": { + "name": "org" + } + }, + "domain": "domain.com", + "geo": { + "city_name": "City", + "country_name": "Country", + "location": { + "lat": 0.0, + "lon": 0.0 + }, + "region_name": "State" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "Last_name, First_Name", + "id": "user_id", + "name": "Snipped_User" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.verify", + "id": "c32ae8ec-7a68-11ed-b8a7-9134a086ef85", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"Snipped_User@domain.com\",\"detailEntry\":null,\"displayName\":\"Last_name, 
First_Name\",\"id\":\"user_id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102qmxOh1EdTHqn1_86CB9fzA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"unknown\",\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"unknown\",\"os\":\"unknown\",\"rawUserAgent\":\"unknown\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}\",\"dtHash\":\"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa\",\"requestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"requestUri\":\"/api/v1/authn\",\"risk\":\"{reasons=Anomalous Device, Anomalous Location, level=HIGH}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-12-12T22:03:08.791Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":1828,\"asOrg\":\"org\",\"domain\":\"domain.com\",\"isProxy\":false,\"isp\":\"isp\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"type\":\"WEB\"},\"uuid\":\"c32ae8ec-7a68-11ed-b8a7-9134a086ef85\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + 
"alternate_id": "Snipped_User@domain.com", + "display_name": "Last_name, First_Name", + "id": "user_id", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102qmxOh1EdTHqn1_86CB9fzA" + }, + "client": { + "device": "unknown", + "ip": "81.2.69.144", + "user_agent": { + "browser": "unknown", + "os": "unknown", + "raw_user_agent": "unknown" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "Y5elHFMngoYoVKvakwnp2wAAAKo", + "behaviors": { + "New_City": "NEGATIVE", + "New_Country": "NEGATIVE", + "New_Device": "POSITIVE", + "New_Geo_Location": "NEGATIVE", + "New_IP": "NEGATIVE", + "New_State": "NEGATIVE", + "Velocity": "POSITIVE" + }, + "dt_hash": "751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa", + "request_id": "Y5elHFMngoYoVKvakwnp2wAAAKo", + "request_uri": "/api/v1/authn", + "risk": { + "level": "HIGH", + "reasons": "Anomalous Device, Anomalous Location" + }, + "risk_behaviors": [ + "New Device", + "Velocity" + ], + "risk_level": "HIGH", + "risk_object": "{reasons=Anomalous Device, Anomalous Location, level=HIGH}", + "risk_reasons": [ + "Anomalous Device", + "Anomalous Location" + ], + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Verify user identity", + "event_type": "user.authentication.verify", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "City", + "country": "Country", + "geolocation": { + "lat": 0.0, + "lon": 0.0 + }, + "postal_code": "00000", + "state": "State" + }, + "ip": "81.2.69.144", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 1828, + "organization": { + "name": "org" + } + }, + "domain": "domain.com", + "is_proxy": false, + "isp": "isp" + }, + "transaction": { + "id": "Y5elHFMngoYoVKvakwnp2wAAAKo", + "type": "WEB" + }, + "uuid": "c32ae8ec-7a68-11ed-b8a7-9134a086ef85" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "Last_name, First_Name", + "Snipped_User" + ] + }, + "source": { + "domain": "domain.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "Last_name, First_Name", + "id": "user_id", + "name": "Snipped_User" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Last_name, First_Name", + "name": "Snipped_User" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "unknown" + } + }, + { + "@timestamp": "2023-02-06T08:56:36.909Z", + "client": { + "as": { + "organization": { + "name": "bluewin is an lir and isp in switzerland." 
+ } + }, + "domain": "swisscom.ch", + "geo": { + "city_name": "Lucerne", + "country_name": "Switzerland", + "location": { + "lat": 47.0511, + "lon": 8.3056 + }, + "region_name": "Lucerne" + }, + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "uuid", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"uuid\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown mobile\",\"rawUserAgent\":\"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"uuid\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"factor\":\"OKTA_VERIFY_PUSH\",\"requestId\":\"uuid\",\"requestUri\":\"/api/v1/authn/factors/id/transactions/id/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/id/transactions/id/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:56:36.909Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":3303,\"asOrg\":\"bluewin is an lir and isp in switzerland.\",\"domain\":\"swisscom.ch\",\"isProxy\":false,\"isp\":\"swisscom (schweiz) ag\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"uuid\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "user@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "credential_provider": "OKTA_CREDENTIAL_PROVIDER", + "external_session_id": "uuid" + }, + "client": { + "device": "Mobile", + "ip": "127.0.0.1", + "user_agent": { + "browser": "UNKNOWN", + "os": "Unknown mobile", + "raw_user_agent": "B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "uuid", + "behaviors": { + "New_City": "NEGATIVE", + "New_Country": "NEGATIVE", + "New_Device": "NEGATIVE", + "New_Geo_Location": "NEGATIVE", + "New_IP": "NEGATIVE", + "New_State": "NEGATIVE", + "Velocity_Behavior": "NEGATIVE" + }, + "factor": "OKTA_VERIFY_PUSH", + "request_id": "uuid", + "request_uri": "/api/v1/authn/factors/id/transactions/id/verify", + "risk": { + "level": "LOW" + }, + 
"risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/id/transactions/id/verify?" + } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Lucerne", + "country": "Switzerland", + "geolocation": { + "lat": 47.0511, + "lon": 8.3056 + }, + "postal_code": "6007", + "state": "Lucerne" + }, + "ip": "127.0.0.1", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 3303, + "organization": { + "name": "bluewin is an lir and isp in switzerland." + } + }, + "domain": "swisscom.ch", + "is_proxy": false, + "isp": "swisscom (schweiz) ag" + }, + "target": [ + { + "alternate_id": "user@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + } + ], + "transaction": { + "id": "uuid", + "type": "WEB" + }, + "uuid": "uuid" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "first last", + "user" + ] + }, + "source": { + "domain": "swisscom.ch", + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "first last", + "name": "user", + "target": { + "full_name": "first last", + "id": "id" + } + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari UI/WKWebView", + "original": "B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF", + "os": { + "full": "iOS 16.1.2", + "name": "iOS", + "version": "16.1.2" + } + } + }, + { + "@timestamp": "2023-02-06T08:58:37.110Z", + "client": { + "as": { + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "geo": { + "city_name": "Bredstedt", + "country_name": "Germany", + "location": { + "lat": 54.6208, + "lon": 8.9631 + }, + "region_name": 
"Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "uuid", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "name@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "external_session_id": "id" + }, + "client": { + "device": "Computer", + "ip": "127.0.0.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Linux", + "raw_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "id", + "behaviors": { + "New_City": "POSITIVE", + "New_Country": "NEGATIVE", + "New_Device": "NEGATIVE", + "New_Geo_Location": "POSITIVE", + "New_IP": "POSITIVE", + "New_State": "NEGATIVE", + "Velocity_Behavior": "NEGATIVE" + }, + "device_fingerprint": "id", + "dt_hash": "hash", + "factor": "FIDO_WEBAUTHN", + "promptingPolicyTypes": "[OKTA_SIGN_ON]", + "request_id": "id", + "request_uri": "/api/v1/authn/factors/webauthn/verify", + "risk": { + "level": "LOW" + }, + "risk_behaviors": [ + "New Geo-Location", + "New 
IP", + "New City" + ], + "risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/webauthn/verify?rememberDevice=false" + } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Bredstedt", + "country": "Germany", + "geolocation": { + "lat": 54.6208, + "lon": 8.9631 + }, + "postal_code": "25821", + "state": "Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 62336, + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "is_proxy": false, + "isp": "purtel.com gmbh" + }, + "target": [ + { + "alternate_id": "name@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + } + ], + "transaction": { + "id": "id", + "type": "WEB" + }, + "uuid": "uuid" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "first last", + "name" + ] + }, + "source": { + "domain": "german-local.net", + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "first last", + "name": "name", + "target": { + "full_name": "first last", + "id": "id" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0", + "os": { + "name": "Linux" + }, + "version": "109.0." 
+ } + }, + { + "@timestamp": "2023-02-06T08:58:37.110Z", + "client": { + "as": { + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "geo": { + "city_name": "Bredstedt", + "country_name": "Germany", + "location": { + "lat": 54.6208, + "lon": 8.9631 + }, + "region_name": "Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "uuid", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target_user@blah.co\",\"detailEntry\":null,\"displayName\":\"Test Target User\",\"id\":\"00udfsat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"software-users\",\"id\":\"00gofdasfdsat7\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "name@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "external_session_id": "id" + }, + "client": { + "device": "Computer", + "ip": "127.0.0.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Linux", + "raw_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "authnRequestId": "id", + "behaviors": { + "New_City": "POSITIVE", + "New_Country": "NEGATIVE", + "New_Device": "NEGATIVE", + "New_Geo_Location": "POSITIVE", + "New_IP": "POSITIVE", + "New_State": "NEGATIVE", + "Velocity_Behavior": "NEGATIVE" + }, + "device_fingerprint": "id", + "dt_hash": "hash", + "factor": "FIDO_WEBAUTHN", + "promptingPolicyTypes": "[OKTA_SIGN_ON]", + 
"request_id": "id", + "request_uri": "/api/v1/authn/factors/webauthn/verify", + "risk": { + "level": "LOW" + }, + "risk_behaviors": [ + "New Geo-Location", + "New IP", + "New City" + ], + "risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/webauthn/verify?rememberDevice=false" + } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Bredstedt", + "country": "Germany", + "geolocation": { + "lat": 54.6208, + "lon": 8.9631 + }, + "postal_code": "25821", + "state": "Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 62336, + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "is_proxy": false, + "isp": "purtel.com gmbh" + }, + "target": [ + { + "alternate_id": "target_user@blah.co", + "display_name": "Test Target User", + "id": "00udfsat7", + "type": "User" + }, + { + "alternate_id": "unknown", + "display_name": "software-users", + "id": "00gofdasfdsat7", + "type": "UserGroup" + } + ], + "transaction": { + "id": "id", + "type": "WEB" + }, + "uuid": "uuid" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "first last", + "Test Target User", + "name" + ] + }, + "source": { + "domain": "german-local.net", + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "first last", + "name": "name", + "target": { + "full_name": "Test Target User", + "group": { + "id": "00gofdasfdsat7", + "name": "software-users" + }, + "id": "00udfsat7" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0", + "os": { + "name": "Linux" + }, + 
"version": "109.0." + } + }, + { + "@timestamp": "2023-04-26T16:25:06.297Z", + "client": { + "as": { + "organization": { + "name": "elasticsearch inc" + } + }, + "domain": "thisisadomain.com", + "geo": { + "city_name": "San Francisco", + "country_name": "United States", + "location": { + "lat": 37.7642, + "lon": -122.3993 + }, + "region_name": "California" + }, + "ip": "192.168.7.19", + "user": { + "full_name": "Test Actor User", + "id": "randomidhere", + "name": "actor.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "group.user_membership.add", + "category": [ + "iam" + ], + "id": "B96ED4D1-D013-4A13-AEFE-A67FA32C5747", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"actor.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test Actor User\",\"id\":\"randomidhere\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"602deqxi8mycjkwk3sth4ci6cxxtr9rr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"192.168.7.19\",\"userAgent\":{\"browser\":\"CHROME\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"veqflnui3t7ql7k6v0nptw9lipilzybr\",\"requestId\":\"3bsdgs8tyatf74aufwsvkt7lv1i9x0o9\",\"requestUri\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser\",\"url\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?\"}},\"device\":null,\"displayMessage\":\"Add user to group 
membership\",\"eventType\":\"group.user_membership.add\",\"legacyEventType\":\"core.user_group_member.user_add\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-26T16:25:06.297Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"ip\":\"192.168.7.19\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":6461,\"asOrg\":\"elasticsearch inc\",\"domain\":\"thisisadomain.com\",\"isProxy\":false,\"isp\":\"bandwidth\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target.user@test.com\",\"detailEntry\":null,\"displayName\":\"Target User Test Name\",\"id\":\"7cexsxmg5m671po4lmyb29a0knaqpaqg\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"Sales\",\"id\":\"h23gdxfk7jc8kf5fb923xc1lt5ojey93\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"448ahm88tkkxo0npwiu28ws20oj38nya\",\"type\":\"WEB\"},\"uuid\":\"B96ED4D1-D013-4A13-AEFE-A67FA32C5747\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "group", + "change" + ] + }, + "okta": { + "actor": { + "alternate_id": "actor.user@test.com", + "display_name": "Test Actor User", + "id": "randomidhere", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "602deqxi8mycjkwk3sth4ci6cxxtr9rr" + }, + "client": { + "device": "Computer", + "ip": "192.168.7.19", + "user_agent": { + "browser": "CHROME", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "dt_hash": "veqflnui3t7ql7k6v0nptw9lipilzybr", + "request_id": "3bsdgs8tyatf74aufwsvkt7lv1i9x0o9", + "request_uri": "/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser", + "url": 
"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?" + } + }, + "display_message": "Add user to group membership", + "event_type": "group.user_membership.add", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "San Francisco", + "country": "United States", + "geolocation": { + "lat": 37.7642, + "lon": -122.3993 + }, + "postal_code": "94107", + "state": "California" + }, + "ip": "192.168.7.19", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 6461, + "organization": { + "name": "elasticsearch inc" + } + }, + "domain": "thisisadomain.com", + "is_proxy": false, + "isp": "bandwidth" + }, + "target": [ + { + "alternate_id": "target.user@test.com", + "display_name": "Target User Test Name", + "id": "7cexsxmg5m671po4lmyb29a0knaqpaqg", + "type": "User" + }, + { + "alternate_id": "unknown", + "display_name": "Sales", + "id": "h23gdxfk7jc8kf5fb923xc1lt5ojey93", + "type": "UserGroup" + } + ], + "transaction": { + "id": "448ahm88tkkxo0npwiu28ws20oj38nya", + "type": "WEB" + }, + "uuid": "B96ED4D1-D013-4A13-AEFE-A67FA32C5747" + }, + "related": { + "ip": [ + "192.168.7.19" + ], + "user": [ + "Test Actor User", + "Target User Test Name", + "actor.user" + ] + }, + "source": { + "domain": "thisisadomain.com", + "ip": "192.168.7.19", + "user": { + "full_name": "Test Actor User", + "id": "randomidhere", + "name": "actor.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test Actor User", + "name": "actor.user", + "target": { + "full_name": "Target User Test Name", + "group": { + "id": "h23gdxfk7jc8kf5fb923xc1lt5ojey93", + "name": "Sales" + }, + "id": "7cexsxmg5m671po4lmyb29a0knaqpaqg" + } + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", + "os": { + "full": "Mac OS X 10.15.7", + "name": "Mac 
OS X", + "version": "10.15.7" + }, + "version": "112.0.0.0" + } + }, + { + "@timestamp": "2023-04-27T00:56:17.750Z", + "client": { + "user": { + "full_name": "Okta System", + "id": "spr294puarJOdUsWD1t7", + "name": "system" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "app.user_management", + "id": "23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"system@okta.com\",\"detailEntry\":null,\"displayName\":\"Okta System\",\"id\":\"spr294puarJOdUsWD1t7\",\"type\":\"SystemPrincipal\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"4ivdy6m56cqo8s6w57o6cvq5fbb409wr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":null,\"geographicalContext\":null,\"id\":null,\"ipAddress\":null,\"userAgent\":null,\"zone\":null},\"debugContext\":{\"debugData\":{}},\"device\":null,\"displayMessage\":\"Successfully imported new member to an app group\",\"eventType\":\"app.user_management\",\"legacyEventType\":\"app.user_management.app_group_member_import.insert_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-27T00:56:17.750Z\",\"request\":{\"ipChain\":[]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"domain.user@test.com\",\"id\":\"ew1qskfvt7mvqipcx6hxt3j95pqi01p8\",\"type\":\"AppUser\"},{\"alternateId\":\"group_email@test.com\",\"detailEntry\":null,\"displayName\":\"Payable\",\"id\":\"l2l6h6p946io0fwyd3jw7jzgy8sq6a61\",\"type\":\"AppGroup\"},{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"Domain User\",\"id\":\"9uuw5t9im68f03w5b9a3x72i18gugbqn\",\"type\":\"User\"},{\"alternateId\":\"G Suite\",\"detailEntry\":null,\"displayName\":\"Google 
Workspace\",\"id\":\"1a45g3hf19hvzgggw2ybn7e5q7xh0v4a\",\"type\":\"AppInstance\"}],\"transaction\":{\"detail\":{},\"id\":\"37r7dugr7fswsjdzv4r97layultdf19r\",\"type\":\"JOB\"},\"uuid\":\"23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "system@okta.com", + "display_name": "Okta System", + "id": "spr294puarJOdUsWD1t7", + "type": "SystemPrincipal" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "4ivdy6m56cqo8s6w57o6cvq5fbb409wr" + }, + "display_message": "Successfully imported new member to an app group", + "event_type": "app.user_management", + "outcome": { + "result": "SUCCESS" + }, + "target": [ + { + "alternate_id": "domain.user@test.com", + "display_name": "domain.user@test.com", + "id": "ew1qskfvt7mvqipcx6hxt3j95pqi01p8", + "type": "AppUser" + }, + { + "alternate_id": "group_email@test.com", + "display_name": "Payable", + "id": "l2l6h6p946io0fwyd3jw7jzgy8sq6a61", + "type": "AppGroup" + }, + { + "alternate_id": "domain.user@test.com", + "display_name": "Domain User", + "id": "9uuw5t9im68f03w5b9a3x72i18gugbqn", + "type": "User" + }, + { + "alternate_id": "G Suite", + "display_name": "Google Workspace", + "id": "1a45g3hf19hvzgggw2ybn7e5q7xh0v4a", + "type": "AppInstance" + } + ], + "transaction": { + "id": "37r7dugr7fswsjdzv4r97layultdf19r", + "type": "JOB" + }, + "uuid": "23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7" + }, + "related": { + "user": [ + "Okta System", + "Domain User", + "system" + ] + }, + "source": { + "user": { + "full_name": "Okta System", + "id": "spr294puarJOdUsWD1t7", + "name": "system" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Okta System", + "name": "system", + "target": { + "full_name": "Domain User", + "id": "9uuw5t9im68f03w5b9a3x72i18gugbqn" + } + } + }, + { + "@timestamp": "2023-05-23T19:39:49.513Z", + "client": { + "as": { + "organization": { + "name": "at&t corp." 
+ } + }, + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "id": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00uk123456abct7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"idxabcdefg123zA\",\"interface\":null,\"issuer\":null},\"client\":{},\"debugContext\":{},\"device\":{\"device_integrator\":null,\"disk_encryption_type\":\"ALL_INTERNAL_VOLUMES\",\"id\":\"abcdefghijklmnop\",\"jailbreak\":null,\"managed\":false,\"name\":\"MacBookPro14,2\",\"os_platform\":\"OSX\",\"os_version\":\"12.6.6\",\"registered\":true,\"screen_lock_type\":\"PASSCODE\",\"secure_hardware_present\":true},\"displayMessage\":\"User single sign on to app\",\"eventType\":\"user.authentication.sso\",\"legacyEventType\":\"app.auth.sso\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-23T19:39:49.513Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lawn Park\",\"country\":\"United States\",\"geolocation\":{\"lat\":47.8907,\"lon\":-87.7908},\"postalCode\":\"999999\",\"state\":\"California\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7018,\"asOrg\":\"at&t corp.\",\"domain\":\"sbcglobal.net\",\"isProxy\":false,\"isp\":\"att services inc\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"Wiki\",\"detailEntry\":{\"signOnModeType\":\"SAML_2_0\"},\"displayName\":\"An App Server\",\"id\":\"0o123456abcdef1t7\",\"type\":\"AppInstance\"},{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test 
User\",\"id\":\"0ustyhdhurhjtdrhh1t7\",\"type\":\"AppUser\"}],\"transaction\":{\"detail\":{},\"id\":\"ZGmw\",\"type\":\"WEB\"},\"uuid\":\"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "00uk123456abct7", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "idxabcdefg123zA" + }, + "device": { + "disk_encryption_type": "ALL_INTERNAL_VOLUMES", + "id": "abcdefghijklmnop", + "managed": false, + "name": "MacBookPro14,2", + "os_platform": "OSX", + "os_version": "12.6.6", + "registered": true, + "screen_lock_type": "PASSCODE", + "secure_hardware_present": true + }, + "display_message": "User single sign on to app", + "event_type": "user.authentication.sso", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Lawn Park", + "country": "United States", + "geolocation": { + "lat": 47.8907, + "lon": -87.7908 + }, + "postal_code": "999999", + "state": "California" + }, + "ip": "192.168.1.10", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 7018, + "organization": { + "name": "at&t corp." 
+ } + }, + "domain": "sbcglobal.net", + "is_proxy": false, + "isp": "att services inc" + }, + "target": [ + { + "alternate_id": "Wiki", + "display_name": "An App Server", + "id": "0o123456abcdef1t7", + "type": "AppInstance" + }, + { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "0ustyhdhurhjtdrhh1t7", + "type": "AppUser" + } + ], + "transaction": { + "id": "ZGmw", + "type": "WEB" + }, + "uuid": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C" + }, + "related": { + "user": [ + "Test User", + "test.user" + ] + }, + "source": { + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test User", + "name": "test.user" + } + }, + { + "@timestamp": "2023-05-23T19:39:49.513Z", + "client": { + "as": { + "organization": { + "name": "at&t corp." + } + }, + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "id": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test 
User\",\"id\":\"00uk123456abct7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"idxabcdefg123zA\",\"interface\":null,\"issuer\":null},\"client\":{},\"debugContext\":{},\"device\":{\"device_integrator\":\"{\\\"WSC\\\":{},\\\"CROWDSTRIKE\\\":{}}\",\"disk_encryption_type\":\"ALL_INTERNAL_VOLUMES\",\"id\":\"V9YPwc5tnhWcaLs3\",\"jailbreak\":null,\"managed\":false,\"name\":\"MacBookPro18,2\",\"os_platform\":\"OSX\",\"os_version\":\"13.3.1\",\"registered\":true,\"screen_lock_type\":\"BIOMETRIC\",\"secure_hardware_present\":true},\"displayMessage\":\"User single sign on to app\",\"eventType\":\"user.authentication.sso\",\"legacyEventType\":\"app.auth.sso\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-23T19:39:49.513Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lawn Park\",\"country\":\"United States\",\"geolocation\":{\"lat\":47.8907,\"lon\":-87.7908},\"postalCode\":\"999999\",\"state\":\"California\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7018,\"asOrg\":\"at&t corp.\",\"domain\":\"sbcglobal.net\",\"isProxy\":false,\"isp\":\"att services inc\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"Wiki\",\"detailEntry\":{\"signOnModeType\":\"SAML_2_0\"},\"displayName\":\"An App Server\",\"id\":\"0o123456abcdef1t7\",\"type\":\"AppInstance\"},{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"0ustyhdhurhjtdrhh1t7\",\"type\":\"AppUser\"}],\"transaction\":{\"detail\":{},\"id\":\"ZGmw\",\"type\":\"WEB\"},\"uuid\":\"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "00uk123456abct7", + "type": "User" + }, + 
"authentication_context": { + "authentication_step": 0, + "external_session_id": "idxabcdefg123zA" + }, + "device": { + "device_integrator": { + "CROWDSTRIKE": {}, + "WSC": {} + }, + "disk_encryption_type": "ALL_INTERNAL_VOLUMES", + "id": "V9YPwc5tnhWcaLs3", + "managed": false, + "name": "MacBookPro18,2", + "os_platform": "OSX", + "os_version": "13.3.1", + "registered": true, + "screen_lock_type": "BIOMETRIC", + "secure_hardware_present": true + }, + "display_message": "User single sign on to app", + "event_type": "user.authentication.sso", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Lawn Park", + "country": "United States", + "geolocation": { + "lat": 47.8907, + "lon": -87.7908 + }, + "postal_code": "999999", + "state": "California" + }, + "ip": "192.168.1.10", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 7018, + "organization": { + "name": "at&t corp." + } + }, + "domain": "sbcglobal.net", + "is_proxy": false, + "isp": "att services inc" + }, + "target": [ + { + "alternate_id": "Wiki", + "display_name": "An App Server", + "id": "0o123456abcdef1t7", + "type": "AppInstance" + }, + { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "0ustyhdhurhjtdrhh1t7", + "type": "AppUser" + } + ], + "transaction": { + "id": "ZGmw", + "type": "WEB" + }, + "uuid": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C" + }, + "related": { + "user": [ + "Test User", + "test.user" + ] + }, + "source": { + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test User", + "name": "test.user" + } + }, + { + "@timestamp": "2023-05-22T12:11:48.092Z", + "client": { + "as": { + "organization": { + "name": "vo energies catv customers - region of oron/vd" + } + }, + "domain": "voenergies.net", + "geo": { + "city_name": "Palezieux", + 
"country_name": "Switzerland", + "location": { + "lat": 46.5379, + "lon": 6.8409 + }, + "region_name": "Vaud" + }, + "ip": "192.168.1.10", + "user": { + "full_name": "Test User", + "id": "00ua123456abcat7", + "name": "test.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "150A5E5C-C236-426A-A0D1-B79F1E391A6B", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"idx123456asdsajA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"abc123456abc\",\"factor\":\"SIGNED_NONCE\",\"requestId\":\"123456abcdefghij\",\"requestUri\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify\",\"url\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-22T12:11:48.092Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":39544,\"asOrg\":\"vo energies catv customers - region of oron/vd\",\"domain\":\"voenergies.net\",\"isProxy\":false,\"isp\":\"vo energies multimedia sa\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":{\"methodTypeUsed\":\"Use Okta FastPass\",\"methodUsedVerifiedProperties\":\"[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]\"},\"displayName\":\"Okta Verify\",\"id\":\"00ua123456abcat7\",\"type\":\"AuthenticatorEnrollment\"}],\"transaction\":{\"detail\":{},\"id\":\"00ua123456abcat7\",\"type\":\"WEB\"},\"uuid\":\"150A5E5C-C236-426A-A0D1-B79F1E391A6B\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "test.user@domain.com", + "display_name": "Test User", + "id": "00ua123456abcat7", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "credential_provider": "OKTA_CREDENTIAL_PROVIDER", + "external_session_id": "idx123456asdsajA" + }, + "client": { + "device": "Computer", + "ip": "192.168.1.10", + "user_agent": { + "browser": "UNKNOWN", + "os": "Mac OS X", + "raw_user_agent": "B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "dt_hash": 
"abc123456abc", + "factor": "SIGNED_NONCE", + "request_id": "123456abcdefghij", + "request_uri": "/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify", + "url": "/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?" + } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Palezieux", + "country": "Switzerland", + "geolocation": { + "lat": 46.5379, + "lon": 6.8409 + }, + "postal_code": "1607", + "state": "Vaud" + }, + "ip": "192.168.1.10", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 39544, + "organization": { + "name": "vo energies catv customers - region of oron/vd" + } + }, + "domain": "voenergies.net", + "is_proxy": false, + "isp": "vo energies multimedia sa" + }, + "target": [ + { + "alternate_id": "test.user@domain.com", + "display_name": "Test User", + "id": "00ua123456abcat7", + "type": "User" + }, + { + "alternate_id": "unknown", + "detailEntry": { + "methodTypeUsed": "Use Okta FastPass", + "methodUsedVerifiedProperties": "[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]" + }, + "display_name": "Okta Verify", + "id": "00ua123456abcat7", + "type": "AuthenticatorEnrollment" + } + ], + "transaction": { + "id": "00ua123456abcat7", + "type": "WEB" + }, + "uuid": "150A5E5C-C236-426A-A0D1-B79F1E391A6B" + }, + "related": { + "ip": [ + "192.168.1.10" + ], + "user": [ + "Test User", + "test.user" + ] + }, + "source": { + "domain": "voenergies.net", + "ip": "192.168.1.10", + "user": { + "full_name": "Test User", + "id": "00ua123456abcat7", + "name": "test.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test User", + "name": "test.user", + "target": { + "full_name": "Test User", + "id": "00ua123456abcat7" + } + }, + "user_agent": { + "device": { + 
"name": "Other" + }, + "name": "Other", + "original": "B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123" + } + }, + { + "@timestamp": "2023-06-07T15:49:45.109Z", + "client": { + "as": { + "organization": { + "name": "verizon" + } + }, + "domain": "verizon.net", + "geo": { + "city_name": "Bay Shore", + "country_name": "United States", + "location": { + "lat": 40.7051, + "lon": -73.243 + }, + "region_name": "New York" + }, + "ip": "192.168.1.10", + "user": { + "full_name": "John Doe", + "id": "00aabbccddeeffaaaaaa", + "name": "john.doe" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "device.user.add", + "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"XXXXXXXXXXXXXXXXXX\",\"requestUri\":\"/idp/authenticators\",\"url\":\"/idp/authenticators?\"}},\"device\":null,\"displayMessage\":\"Add device to 
user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "john.doe@elastic.co", + "display_name": "John Doe", + "id": "00aabbccddeeffaaaaaa", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "abcdefghijklM-NopQrsTUvWx" + }, + "client": { + "device": "Computer", + "ip": "192.168.1.10", + "user_agent": { + "browser": "UNKNOWN", + "os": "Mac OS X", + "raw_user_agent": "FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "request_id": "XXXXXXXXXXXXXXXXXX", + "request_uri": "/idp/authenticators", + "url": "/idp/authenticators?" 
+ } + }, + "display_message": "Add device to user", + "event_type": "device.user.add", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Bay Shore", + "country": "United States", + "geolocation": { + "lat": 40.7051, + "lon": -73.243 + }, + "postal_code": "11706", + "state": "New York" + }, + "ip": "175.16.199.18", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 701, + "organization": { + "name": "verizon" + } + }, + "domain": "verizon.net", + "is_proxy": false, + "isp": "verizon" + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "John's MacBook Pro", + "id": "fakefakefakefake", + "type": "UDDevice" + } + ], + "transaction": { + "detail": { + "request_api_token_id": "aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww" + }, + "id": "ABCDEFCGALKDJDLK", + "type": "WEB" + }, + "uuid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + }, + "related": { + "ip": [ + "192.168.1.10" + ], + "user": [ + "John Doe", + "john.doe" + ] + }, + "source": { + "domain": "verizon.net", + "ip": "192.168.1.10", + "user": { + "full_name": "John Doe", + "id": "00aabbccddeeffaaaaaa", + "name": "john.doe" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "John Doe", + "name": "john.doe" + }, + "user_agent": { + "device": { + "name": "Generic Feature Phone" + }, + "name": "Other", + "original": "FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD" + } + } + ] +} \ No newline at end of file diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log new file mode 100644 index 00000000000..6dbd47a1088 --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log 
@@ -0,0 +1,24 @@ +{"actor":{"alternateId":"username@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"someusername@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"test@test.com","detailEntry":null,"displayName":"test@test.com","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"xxxxxx","interface":null,"issuer":null},"client":{"device":"Unknown","geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"UNKNOWN","os":"Unknown","rawUserAgent":"blah"},"zone":"null"},"debugContext":{"debugData":{"logOnlySecurityData":"{\"risk\":{\"reasons\":\"Anomalous Location, Anomalous Device\",\"level\":\"HIGH\"},\"behaviors\":{\"New Geo-Location\":\"POSITIVE\",\"New Device\":\"BAD_REQUEST\",\"New IP\":\"POSITIVE\",\"New State\":\"POSITIVE\",\"New Country\":\"POSITIVE\",\"Velocity\":\"NEGATIVE\",\"New City\":\"POSITIVE\"}}","originalPrincipal":{"alternateId":"test@test.com","detailEntry":null,"displayName":"Test","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:25:18.716Z","request":{"ipChain":[{"geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":14618,"asOrg":"amazon data services nova","domain":"amazonaws.com","isProxy":false,"isp":"amazon.com 
inc."},"severity":"INFO","target":null,"transaction":{"detail":{"requestApiTokenId":"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo="},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} +{"actor":{"alternateId":"test1@test.com","detailEntry":null,"displayName":"None","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Purcellville","country":"United States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"id":null,"ipAddress":"67.43.156.14","userAgent":{"browser":"SAFARI","os":"Mac OS X (iPhone)","rawUserAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false"}},"device":null,"displayMessage":"Verify user identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:27:08.708Z","request":{"ipChain":[{"geographicalContext":{"city":"Purcellville","country":"United 
States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"ip":"67.43.156.14","source":null,"version":"V4"}]},"securityContext":{"asNumber":7922,"asOrg":"comcast","domain":"comcast.net","isProxy":false,"isp":"comcast"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} +{"actor":{"alternateId":"Snipped_User@domain.com","detailEntry":null,"displayName":"Last_name, First_Name","id":"user_id","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102qmxOh1EdTHqn1_86CB9fzA","interface":null,"issuer":null},"client":{"device":"unknown","geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"unknown","os":"unknown","rawUserAgent":"unknown"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","behaviors":"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}","dtHash":"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa","requestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","requestUri":"/api/v1/authn","risk":"{reasons=Anomalous Device, Anomalous Location, level=HIGH}","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"Verify user 
identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-12-12T22:03:08.791Z","request":{"ipChain":[{"geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":1828,"asOrg":"org","domain":"domain.com","isProxy":false,"isp":"isp"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"Y5elHFMngoYoVKvakwnp2wAAAKo","type":"WEB"},"uuid":"c32ae8ec-7a68-11ed-b8a7-9134a086ef85","version":"0"} +{"actor":{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":null,"externalSessionId":"uuid","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"UNKNOWN","os":"Unknown mobile","rawUserAgent":"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"uuid","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","factor":"OKTA_VERIFY_PUSH","requestId":"uuid","requestUri":"/api/v1/authn/factors/id/transactions/id/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/id/transactions/id/verify?"}},"device":null,"displayMessage":"Authentication of user via 
MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:56:36.909Z","request":{"ipChain":[{"geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":3303,"asOrg":"bluewin is an lir and isp in switzerland.","domain":"swisscom.ch","isProxy":false,"isp":"swisscom (schweiz) ag"},"severity":"INFO","target":[{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"uuid","type":"WEB"},"uuid":"uuid","version":"0"} +{"actor":{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"id","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"FIREFOX","os":"Linux","rawUserAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"id","behaviors":"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New 
City=POSITIVE}","deviceFingerprint":"id","dtHash":"hash","factor":"FIDO_WEBAUTHN","promptingPolicyTypes":"[OKTA_SIGN_ON]","requestId":"id","requestUri":"/api/v1/authn/factors/webauthn/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/webauthn/verify?rememberDevice=false"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:58:37.110Z","request":{"ipChain":[{"geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":62336,"asOrg":"customer access","domain":"german-local.net","isProxy":false,"isp":"purtel.com gmbh"},"severity":"INFO","target":[{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"id","type":"WEB"},"uuid":"uuid","version":"0"} +{"actor":{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"id","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"FIREFOX","os":"Linux","rawUserAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"id","behaviors":"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New 
Country=NEGATIVE, New City=POSITIVE}","deviceFingerprint":"id","dtHash":"hash","factor":"FIDO_WEBAUTHN","promptingPolicyTypes":"[OKTA_SIGN_ON]","requestId":"id","requestUri":"/api/v1/authn/factors/webauthn/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/webauthn/verify?rememberDevice=false"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:58:37.110Z","request":{"ipChain":[{"geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":62336,"asOrg":"customer access","domain":"german-local.net","isProxy":false,"isp":"purtel.com gmbh"},"severity":"INFO","target":[{"alternateId":"target_user@blah.co","detailEntry":null,"displayName":"Test Target User","id":"00udfsat7","type":"User"},{"alternateId":"unknown","detailEntry":null,"displayName":"software-users","id":"00gofdasfdsat7","type":"UserGroup"}],"transaction":{"detail":{},"id":"id","type":"WEB"},"uuid":"uuid","version":"0"} +{"actor":{"alternateId":"actor.user@test.com","detailEntry":null,"displayName":"Test Actor User","id":"randomidhere","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"602deqxi8mycjkwk3sth4ci6cxxtr9rr","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"San Francisco","country":"United States","geolocation":{"lat":37.7642,"lon":-122.3993},"postalCode":"94107","state":"California"},"id":null,"ipAddress":"192.168.7.19","userAgent":{"browser":"CHROME","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/112.0.0.0 Safari/537.36"},"zone":"null"},"debugContext":{"debugData":{"dtHash":"veqflnui3t7ql7k6v0nptw9lipilzybr","requestId":"3bsdgs8tyatf74aufwsvkt7lv1i9x0o9","requestUri":"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser","url":"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?"}},"device":null,"displayMessage":"Add user to group membership","eventType":"group.user_membership.add","legacyEventType":"core.user_group_member.user_add","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-04-26T16:25:06.297Z","request":{"ipChain":[{"geographicalContext":{"city":"San Francisco","country":"United States","geolocation":{"lat":37.7642,"lon":-122.3993},"postalCode":"94107","state":"California"},"ip":"192.168.7.19","source":null,"version":"V4"}]},"securityContext":{"asNumber":6461,"asOrg":"elasticsearch inc","domain":"thisisadomain.com","isProxy":false,"isp":"bandwidth"},"severity":"INFO","target":[{"alternateId":"target.user@test.com","detailEntry":null,"displayName":"Target User Test Name","id":"7cexsxmg5m671po4lmyb29a0knaqpaqg","type":"User"},{"alternateId":"unknown","detailEntry":null,"displayName":"Sales","id":"h23gdxfk7jc8kf5fb923xc1lt5ojey93","type":"UserGroup"}],"transaction":{"detail":{},"id":"448ahm88tkkxo0npwiu28ws20oj38nya","type":"WEB"},"uuid":"B96ED4D1-D013-4A13-AEFE-A67FA32C5747","version":"0"} +{"actor":{"alternateId":"system@okta.com","detailEntry":null,"displayName":"Okta System","id":"spr294puarJOdUsWD1t7","type":"SystemPrincipal"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"4ivdy6m56cqo8s6w57o6cvq5fbb409wr","interface":null,"issuer":null},"client":{"device":null,"geographicalContext":null,"id":null,"ipAddress":null,"userAgent":null,"zone":null},"debugContext":{"debugData":{}},"device":null,"displayMessage":"Successfully imported new member to an app 
group","eventType":"app.user_management","legacyEventType":"app.user_management.app_group_member_import.insert_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-04-27T00:56:17.750Z","request":{"ipChain":[]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"domain.user@test.com","detailEntry":null,"displayName":"domain.user@test.com","id":"ew1qskfvt7mvqipcx6hxt3j95pqi01p8","type":"AppUser"},{"alternateId":"group_email@test.com","detailEntry":null,"displayName":"Payable","id":"l2l6h6p946io0fwyd3jw7jzgy8sq6a61","type":"AppGroup"},{"alternateId":"domain.user@test.com","detailEntry":null,"displayName":"Domain User","id":"9uuw5t9im68f03w5b9a3x72i18gugbqn","type":"User"},{"alternateId":"G Suite","detailEntry":null,"displayName":"Google Workspace","id":"1a45g3hf19hvzgggw2ybn7e5q7xh0v4a","type":"AppInstance"}],"transaction":{"detail":{},"id":"37r7dugr7fswsjdzv4r97layultdf19r","type":"JOB"},"uuid":"23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7","version":"0"} +{"actor":{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"00uk123456abct7","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"idxabcdefg123zA","interface":null,"issuer":null},"client":{},"debugContext":{},"device":{"device_integrator":null,"disk_encryption_type":"ALL_INTERNAL_VOLUMES","id":"abcdefghijklmnop","jailbreak":null,"managed":false,"name":"MacBookPro14,2","os_platform":"OSX","os_version":"12.6.6","registered":true,"screen_lock_type":"PASSCODE","secure_hardware_present":true},"displayMessage":"User single sign on to app","eventType":"user.authentication.sso","legacyEventType":"app.auth.sso","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-05-23T19:39:49.513Z","request":{"ipChain":[{"geographicalContext":{"city":"Lawn Park","country":"United 
States","geolocation":{"lat":47.8907,"lon":-87.7908},"postalCode":"999999","state":"California"},"ip":"192.168.1.10","source":null,"version":"V4"}]},"securityContext":{"asNumber":7018,"asOrg":"at&t corp.","domain":"sbcglobal.net","isProxy":false,"isp":"att services inc"},"severity":"INFO","target":[{"alternateId":"Wiki","detailEntry":{"signOnModeType":"SAML_2_0"},"displayName":"An App Server","id":"0o123456abcdef1t7","type":"AppInstance"},{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"0ustyhdhurhjtdrhh1t7","type":"AppUser"}],"transaction":{"detail":{},"id":"ZGmw","type":"WEB"},"uuid":"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C","version":"0"} +{"actor":{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"00uk123456abct7","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"idxabcdefg123zA","interface":null,"issuer":null},"client":{},"debugContext":{},"device":{"device_integrator":"{\"WSC\":{},\"CROWDSTRIKE\":{}}","disk_encryption_type":"ALL_INTERNAL_VOLUMES","id":"V9YPwc5tnhWcaLs3","jailbreak":null,"managed":false,"name":"MacBookPro18,2","os_platform":"OSX","os_version":"13.3.1","registered":true,"screen_lock_type":"BIOMETRIC","secure_hardware_present":true},"displayMessage":"User single sign on to app","eventType":"user.authentication.sso","legacyEventType":"app.auth.sso","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-05-23T19:39:49.513Z","request":{"ipChain":[{"geographicalContext":{"city":"Lawn Park","country":"United States","geolocation":{"lat":47.8907,"lon":-87.7908},"postalCode":"999999","state":"California"},"ip":"192.168.1.10","source":null,"version":"V4"}]},"securityContext":{"asNumber":7018,"asOrg":"at&t corp.","domain":"sbcglobal.net","isProxy":false,"isp":"att services 
inc"},"severity":"INFO","target":[{"alternateId":"Wiki","detailEntry":{"signOnModeType":"SAML_2_0"},"displayName":"An App Server","id":"0o123456abcdef1t7","type":"AppInstance"},{"alternateId":"test.user@test.com","detailEntry":null,"displayName":"Test User","id":"0ustyhdhurhjtdrhh1t7","type":"AppUser"}],"transaction":{"detail":{},"id":"ZGmw","type":"WEB"},"uuid":"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C","version":"0"} +{"actor":{"alternateId":"test.user@domain.com","detailEntry":null,"displayName":"Test User","id":"00ua123456abcat7","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":null,"externalSessionId":"idx123456asdsajA","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Palezieux","country":"Switzerland","geolocation":{"lat":46.5379,"lon":6.8409},"postalCode":"1607","state":"Vaud"},"id":null,"ipAddress":"192.168.1.10","userAgent":{"browser":"UNKNOWN","os":"Mac OS X","rawUserAgent":"B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123"},"zone":"null"},"debugContext":{"debugData":{"dtHash":"abc123456abc","factor":"SIGNED_NONCE","requestId":"123456abcdefghij","requestUri":"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify","url":"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-05-22T12:11:48.092Z","request":{"ipChain":[{"geographicalContext":{"city":"Palezieux","country":"Switzerland","geolocation":{"lat":46.5379,"lon":6.8409},"postalCode":"1607","state":"Vaud"},"ip":"192.168.1.10","source":null,"version":"V4"}]},"securityContext":{"asNumber":39544,"asOrg":"vo energies catv customers - 
region of oron/vd","domain":"voenergies.net","isProxy":false,"isp":"vo energies multimedia sa"},"severity":"INFO","target":[{"alternateId":"test.user@domain.com","detailEntry":null,"displayName":"Test User","id":"00ua123456abcat7","type":"User"},{"alternateId":"unknown","detailEntry":{"methodTypeUsed":"Use Okta FastPass","methodUsedVerifiedProperties":"[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]"},"displayName":"Okta Verify","id":"00ua123456abcat7","type":"AuthenticatorEnrollment"}],"transaction":{"detail":{},"id":"00ua123456abcat7","type":"WEB"},"uuid":"150A5E5C-C236-426A-A0D1-B79F1E391A6B","version":"0"} +{"actor":{"alternateId":"john.doe@elastic.co","detailEntry":null,"displayName":"John Doe","id":"00aabbccddeeffaaaaaa","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"abcdefghijklM-NopQrsTUvWx","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bay Shore","country":"United States","geolocation":{"lat":40.7051,"lon":-73.243},"postalCode":"11706","state":"New York"},"id":null,"ipAddress":"192.168.1.10","userAgent":{"browser":"UNKNOWN","os":"Mac OS X","rawUserAgent":"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XXXXXXXXXXXXXXXXXX","requestUri":"/idp/authenticators","url":"/idp/authenticators?"}},"device":null,"displayMessage":"Add device to user","eventType":"device.user.add","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-06-07T15:49:45.109Z","request":{"ipChain":[{"geographicalContext":{"city":"Bay Shore","country":"United States","geolocation":{"lat":40.7051,"lon":-73.243},"postalCode":"11706","state":"New 
York"},"ip":"175.16.199.18","source":null,"version":"V4"}]},"securityContext":{"asNumber":701,"asOrg":"verizon","domain":"verizon.net","isProxy":false,"isp":"verizon"},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"deviceStatus":"CREATED","managed":"false","oktaDeviceId":"xxxxxxxxxxxxxxxxx","osPlatform":"MACOS","osVersion":"13.4.0","serialNumber":"XXXXXXXX","tpmPresent":"false","uuid":"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB"},"displayName":"John's MacBook Pro","id":"fakefakefakefake","type":"UDDevice"}],"transaction":{"detail":{"requestApiTokenId":"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww"},"id":"ABCDEFCGALKDJDLK","type":"WEB"},"uuid":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","version":"0"}
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-config.yml b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-config.yml
new file mode 100644
index 00000000000..69707da1d60
--- /dev/null
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-config.yml
@@ -0,0 +1,6 @@
+fields:
+ "@timestamp": "2020-04-28T11:07:58.223Z"
+ tags:
+ - preserve_original_event
+ _conf:
+ remove_flattened_debug: false
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json
new file mode 100644
index 00000000000..b60c9461228
--- /dev/null
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json
@@ -0,0 +1,3788 @@ +{ + "expected": [ + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"username@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "username@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + 
"geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx", + "username" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "username" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "username" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "someusername" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"someusername@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "someusername@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": 
"XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx", + "someusername" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "someusername" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "someusername" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": 
"{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": 
"00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { 
+ "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on 
policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" 
+ }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": 
"XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + 
"device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": 
"WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" 
+ }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2022-05-11T09:25:18.716Z", + "client": { + "as": { + "organization": { + "name": "amazon data services nova" + } + }, + "domain": "amazonaws.com", + "geo": { + "city_name": "Ashburn", + "country_name": "United States", + "location": { + "lat": 39.1469, + "lon": -77.5903 + }, + "region_name": "Virginia" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"test@test.com\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"xxxxxx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Unknown\",\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown\",\"rawUserAgent\":\"blah\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"logOnlySecurityData\":\"{\\\"risk\\\":{\\\"reasons\\\":\\\"Anomalous Location, Anomalous Device\\\",\\\"level\\\":\\\"HIGH\\\"},\\\"behaviors\\\":{\\\"New Geo-Location\\\":\\\"POSITIVE\\\",\\\"New Device\\\":\\\"BAD_REQUEST\\\",\\\"New IP\\\":\\\"POSITIVE\\\",\\\"New State\\\":\\\"POSITIVE\\\",\\\"New Country\\\":\\\"POSITIVE\\\",\\\"Velocity\\\":\\\"NEGATIVE\\\",\\\"New 
City\\\":\\\"POSITIVE\\\"}}\",\"originalPrincipal\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"Test\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:25:18.716Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":14618,\"asOrg\":\"amazon data services nova\",\"domain\":\"amazonaws.com\",\"isProxy\":false,\"isp\":\"amazon.com inc.\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{\"requestApiTokenId\":\"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo=\"},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "test@test.com", + "display_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "xxxxxx" + }, + "client": { + "device": "Unknown", + "ip": "81.2.69.144", + "user_agent": { + "browser": "UNKNOWN", + "os": "Unknown", + "raw_user_agent": "blah" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "logOnlySecurityData": { + "behaviors": { + "New City": "POSITIVE", + "New Country": "POSITIVE", + "New Device": "BAD_REQUEST", + "New Geo-Location": "POSITIVE", + "New IP": "POSITIVE", + "New 
State": "POSITIVE", + "Velocity": "NEGATIVE" + }, + "risk": { + "level": "HIGH", + "reasons": "Anomalous Location, Anomalous Device" + } + }, + "originalPrincipal": { + "alternateId": "test@test.com", + "displayName": "Test", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/api/v1/authn", + "risk_level": "HIGH", + "risk_reasons": [ + "Anomalous Location", + "Anomalous Device" + ], + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Ashburn", + "country": "United States", + "geolocation": { + "lat": 39.1469, + "lon": -77.5903 + }, + "postal_code": "20149", + "state": "Virginia" + }, + "ip": "81.2.69.144", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 14618, + "organization": { + "name": "amazon data services nova" + } + }, + "domain": "amazonaws.com", + "is_proxy": false, + "isp": "amazon.com inc." 
+ }, + "transaction": { + "detail": { + "request_api_token_id": "MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo=" + }, + "id": "00u1abvz4pYqdM8ms4x6", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "test@test.com", + "test" + ] + }, + "source": { + "domain": "amazonaws.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "test@test.com", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "test@test.com", + "name": "test" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "blah" + } + }, + { + "@timestamp": "2022-05-11T09:27:08.708Z", + "client": { + "as": { + "organization": { + "name": "comcast" + } + }, + "domain": "comcast.net", + "geo": { + "city_name": "Purcellville", + "country_name": "United States", + "location": { + "lat": 39.64, + "lon": -77.8346 + }, + "region_name": "Virginia" + }, + "ip": "67.43.156.14", + "user": { + "full_name": "None", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test1" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.verify", + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": 
"{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "test1@test.com", + "display_name": "None", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Mobile", + "ip": "67.43.156.14", + "user_agent": { + "browser": "SAFARI", + "os": "Mac OS X (iPhone)", + "raw_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "behaviors": { + "New City": "NEGATIVE", + "New Country": "NEGATIVE", + "New Device": "NEGATIVE", + "New Geo-Location": "NEGATIVE", + "New IP": "NEGATIVE", + "New State": "NEGATIVE" + }, + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify", + "risk": { + "level": "LOW" + }, + "threatSuspected": "false", + "url": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false&rememberDevice=false" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify", + "risk_level": "LOW", + "threat_suspected": "false", + "url": 
"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false&rememberDevice=false" + } + }, + "display_message": "Verify user identity", + "event_type": "user.authentication.verify", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Purcellville", + "country": "United States", + "geolocation": { + "lat": 39.64, + "lon": -77.8346 + }, + "postal_code": "20132", + "state": "Virginia" + }, + "ip": "67.43.156.14", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 7922, + "organization": { + "name": "comcast" + } + }, + "domain": "comcast.net", + "is_proxy": false, + "isp": "comcast" + }, + "transaction": { + "id": "00u1abvz4pYqdM8ms4x6", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "67.43.156.14" + ], + "user": [ + "None", + "test1" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "domain": "comcast.net", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "user": { + "full_name": "None", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "test1" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "None", + "name": "test1" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari", + "os": { + "full": "iOS 15.4.1", + "name": "iOS", + "version": "15.4.1" + } + } + }, + { + "@timestamp": "2022-12-12T22:03:08.791Z", + "client": { + "as": { + "organization": { + "name": "org" + } + }, + "domain": "domain.com", + "geo": { + "city_name": "City", + "country_name": "Country", + "location": { + "lat": 0.0, + "lon": 0.0 + }, + "region_name": "State" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "Last_name, 
First_Name", + "id": "user_id", + "name": "Snipped_User" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.verify", + "id": "c32ae8ec-7a68-11ed-b8a7-9134a086ef85", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"Snipped_User@domain.com\",\"detailEntry\":null,\"displayName\":\"Last_name, First_Name\",\"id\":\"user_id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102qmxOh1EdTHqn1_86CB9fzA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"unknown\",\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"unknown\",\"os\":\"unknown\",\"rawUserAgent\":\"unknown\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}\",\"dtHash\":\"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa\",\"requestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"requestUri\":\"/api/v1/authn\",\"risk\":\"{reasons=Anomalous Device, Anomalous Location, level=HIGH}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"Verify user 
identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-12-12T22:03:08.791Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":1828,\"asOrg\":\"org\",\"domain\":\"domain.com\",\"isProxy\":false,\"isp\":\"isp\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"type\":\"WEB\"},\"uuid\":\"c32ae8ec-7a68-11ed-b8a7-9134a086ef85\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "Snipped_User@domain.com", + "display_name": "Last_name, First_Name", + "id": "user_id", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102qmxOh1EdTHqn1_86CB9fzA" + }, + "client": { + "device": "unknown", + "ip": "81.2.69.144", + "user_agent": { + "browser": "unknown", + "os": "unknown", + "raw_user_agent": "unknown" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "dt_hash": "751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa", + "flattened": { + "authnRequestId": "Y5elHFMngoYoVKvakwnp2wAAAKo", + "behaviors": { + "New City": "NEGATIVE", + "New Country": "NEGATIVE", + "New Device": "POSITIVE", + "New Geo-Location": "NEGATIVE", + "New IP": "NEGATIVE", + "New State": "NEGATIVE", + "Velocity": "POSITIVE" + }, + "dtHash": "751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa", + "requestId": "Y5elHFMngoYoVKvakwnp2wAAAKo", + "requestUri": "/api/v1/authn", + "risk": { + "level": "HIGH", + "reasons": "Anomalous Device, Anomalous Location" + }, + "risk_object": "{reasons=Anomalous Device, Anomalous Location, level=HIGH}", + "threatSuspected": "false", + "url": "/api/v1/authn?" 
+ }, + "request_id": "Y5elHFMngoYoVKvakwnp2wAAAKo", + "request_uri": "/api/v1/authn", + "risk_behaviors": [ + "New Device", + "Velocity" + ], + "risk_level": "HIGH", + "risk_reasons": [ + "Anomalous Device", + "Anomalous Location" + ], + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "Verify user identity", + "event_type": "user.authentication.verify", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "City", + "country": "Country", + "geolocation": { + "lat": 0.0, + "lon": 0.0 + }, + "postal_code": "00000", + "state": "State" + }, + "ip": "81.2.69.144", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 1828, + "organization": { + "name": "org" + } + }, + "domain": "domain.com", + "is_proxy": false, + "isp": "isp" + }, + "transaction": { + "id": "Y5elHFMngoYoVKvakwnp2wAAAKo", + "type": "WEB" + }, + "uuid": "c32ae8ec-7a68-11ed-b8a7-9134a086ef85" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "Last_name, First_Name", + "Snipped_User" + ] + }, + "source": { + "domain": "domain.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "user": { + "full_name": "Last_name, First_Name", + "id": "user_id", + "name": "Snipped_User" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Last_name, First_Name", + "name": "Snipped_User" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "unknown" + } + }, + { + "@timestamp": "2023-02-06T08:56:36.909Z", + "client": { + "as": { + "organization": { + "name": "bluewin is an lir and isp in switzerland." 
+ } + }, + "domain": "swisscom.ch", + "geo": { + "city_name": "Lucerne", + "country_name": "Switzerland", + "location": { + "lat": 47.0511, + "lon": 8.3056 + }, + "region_name": "Lucerne" + }, + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "uuid", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"uuid\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown mobile\",\"rawUserAgent\":\"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"uuid\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"factor\":\"OKTA_VERIFY_PUSH\",\"requestId\":\"uuid\",\"requestUri\":\"/api/v1/authn/factors/id/transactions/id/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/id/transactions/id/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:56:36.909Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":3303,\"asOrg\":\"bluewin is an lir and isp in switzerland.\",\"domain\":\"swisscom.ch\",\"isProxy\":false,\"isp\":\"swisscom (schweiz) ag\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"uuid\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "user@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "credential_provider": "OKTA_CREDENTIAL_PROVIDER", + "external_session_id": "uuid" + }, + "client": { + "device": "Mobile", + "ip": "127.0.0.1", + "user_agent": { + "browser": "UNKNOWN", + "os": "Unknown mobile", + "raw_user_agent": "B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "factor": "OKTA_VERIFY_PUSH", + "flattened": { + "authnRequestId": "uuid", + "behaviors": { + "New City": "NEGATIVE", + "New Country": "NEGATIVE", + "New Device": "NEGATIVE", + "New Geo-Location": "NEGATIVE", + "New IP": "NEGATIVE", + "New State": "NEGATIVE", + "Velocity Behavior": "NEGATIVE" + }, + "factor": "OKTA_VERIFY_PUSH", + "requestId": "uuid", + "requestUri": 
"/api/v1/authn/factors/id/transactions/id/verify", + "risk": { + "level": "LOW" + }, + "threatSuspected": "false", + "url": "/api/v1/authn/factors/id/transactions/id/verify?" + }, + "request_id": "uuid", + "request_uri": "/api/v1/authn/factors/id/transactions/id/verify", + "risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/id/transactions/id/verify?" + } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Lucerne", + "country": "Switzerland", + "geolocation": { + "lat": 47.0511, + "lon": 8.3056 + }, + "postal_code": "6007", + "state": "Lucerne" + }, + "ip": "127.0.0.1", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 3303, + "organization": { + "name": "bluewin is an lir and isp in switzerland." + } + }, + "domain": "swisscom.ch", + "is_proxy": false, + "isp": "swisscom (schweiz) ag" + }, + "target": [ + { + "alternate_id": "user@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + } + ], + "transaction": { + "id": "uuid", + "type": "WEB" + }, + "uuid": "uuid" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "first last", + "user" + ] + }, + "source": { + "domain": "swisscom.ch", + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "first last", + "name": "user", + "target": { + "full_name": "first last", + "id": "id" + } + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari UI/WKWebView", + "original": "B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF", + "os": { + "full": "iOS 16.1.2", + "name": "iOS", + "version": "16.1.2" + } + } + }, + { + "@timestamp": 
"2023-02-06T08:58:37.110Z", + "client": { + "as": { + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "geo": { + "city_name": "Bredstedt", + "country_name": "Germany", + "location": { + "lat": 54.6208, + "lon": 8.9631 + }, + "region_name": "Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "uuid", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "name@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "external_session_id": "id" + }, + "client": { + "device": "Computer", + "ip": "127.0.0.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Linux", + "raw_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "id", + "dt_hash": "hash", + "factor": "FIDO_WEBAUTHN", + "flattened": { + "authnRequestId": "id", + "behaviors": { + "New City": "POSITIVE", + "New Country": "NEGATIVE", + "New Device": "NEGATIVE", + "New Geo-Location": "POSITIVE", + "New IP": "POSITIVE", + "New State": "NEGATIVE", + "Velocity Behavior": "NEGATIVE" + }, + "deviceFingerprint": "id", + "dtHash": "hash", + "factor": "FIDO_WEBAUTHN", + "promptingPolicyTypes": "[OKTA_SIGN_ON]", + "requestId": "id", + "requestUri": 
"/api/v1/authn/factors/webauthn/verify", + "risk": { + "level": "LOW" + }, + "threatSuspected": "false", + "url": "/api/v1/authn/factors/webauthn/verify?rememberDevice=false" + }, + "request_id": "id", + "request_uri": "/api/v1/authn/factors/webauthn/verify", + "risk_behaviors": [ + "New Geo-Location", + "New IP", + "New City" + ], + "risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/webauthn/verify?rememberDevice=false" + } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Bredstedt", + "country": "Germany", + "geolocation": { + "lat": 54.6208, + "lon": 8.9631 + }, + "postal_code": "25821", + "state": "Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 62336, + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "is_proxy": false, + "isp": "purtel.com gmbh" + }, + "target": [ + { + "alternate_id": "name@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + } + ], + "transaction": { + "id": "id", + "type": "WEB" + }, + "uuid": "uuid" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "first last", + "name" + ] + }, + "source": { + "domain": "german-local.net", + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "first last", + "name": "name", + "target": { + "full_name": "first last", + "id": "id" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0", + "os": { + "name": "Linux" + }, + "version": "109.0." 
+ } + }, + { + "@timestamp": "2023-02-06T08:58:37.110Z", + "client": { + "as": { + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "geo": { + "city_name": "Bredstedt", + "country_name": "Germany", + "location": { + "lat": 54.6208, + "lon": 8.9631 + }, + "region_name": "Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "uuid", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target_user@blah.co\",\"detailEntry\":null,\"displayName\":\"Test Target User\",\"id\":\"00udfsat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"software-users\",\"id\":\"00gofdasfdsat7\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "name@domain.com", + "display_name": "first last", + "id": "id", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "external_session_id": "id" + }, + "client": { + "device": "Computer", + "ip": "127.0.0.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Linux", + "raw_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "id", + "dt_hash": "hash", + "factor": "FIDO_WEBAUTHN", + "flattened": { + "authnRequestId": "id", + "behaviors": { + "New City": "POSITIVE", + "New Country": "NEGATIVE", + "New Device": "NEGATIVE", + "New Geo-Location": "POSITIVE", + "New IP": "POSITIVE", + "New State": "NEGATIVE", + "Velocity Behavior": "NEGATIVE" + }, + "deviceFingerprint": "id", + "dtHash": 
"hash", + "factor": "FIDO_WEBAUTHN", + "promptingPolicyTypes": "[OKTA_SIGN_ON]", + "requestId": "id", + "requestUri": "/api/v1/authn/factors/webauthn/verify", + "risk": { + "level": "LOW" + }, + "threatSuspected": "false", + "url": "/api/v1/authn/factors/webauthn/verify?rememberDevice=false" + }, + "request_id": "id", + "request_uri": "/api/v1/authn/factors/webauthn/verify", + "risk_behaviors": [ + "New Geo-Location", + "New IP", + "New City" + ], + "risk_level": "LOW", + "threat_suspected": "false", + "url": "/api/v1/authn/factors/webauthn/verify?rememberDevice=false" + } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Bredstedt", + "country": "Germany", + "geolocation": { + "lat": 54.6208, + "lon": 8.9631 + }, + "postal_code": "25821", + "state": "Schleswig-Holstein" + }, + "ip": "127.0.0.1", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 62336, + "organization": { + "name": "customer access" + } + }, + "domain": "german-local.net", + "is_proxy": false, + "isp": "purtel.com gmbh" + }, + "target": [ + { + "alternate_id": "target_user@blah.co", + "display_name": "Test Target User", + "id": "00udfsat7", + "type": "User" + }, + { + "alternate_id": "unknown", + "display_name": "software-users", + "id": "00gofdasfdsat7", + "type": "UserGroup" + } + ], + "transaction": { + "id": "id", + "type": "WEB" + }, + "uuid": "uuid" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "first last", + "Test Target User", + "name" + ] + }, + "source": { + "domain": "german-local.net", + "ip": "127.0.0.1", + "user": { + "full_name": "first last", + "id": "id", + "name": "name" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "first last", + "name": "name", + "target": { + "full_name": "Test Target User", + "group": { + "id": 
"00gofdasfdsat7", + "name": "software-users" + }, + "id": "00udfsat7" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0", + "os": { + "name": "Linux" + }, + "version": "109.0." + } + }, + { + "@timestamp": "2023-04-26T16:25:06.297Z", + "client": { + "as": { + "organization": { + "name": "elasticsearch inc" + } + }, + "domain": "thisisadomain.com", + "geo": { + "city_name": "San Francisco", + "country_name": "United States", + "location": { + "lat": 37.7642, + "lon": -122.3993 + }, + "region_name": "California" + }, + "ip": "192.168.7.19", + "user": { + "full_name": "Test Actor User", + "id": "randomidhere", + "name": "actor.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "group.user_membership.add", + "category": [ + "iam" + ], + "id": "B96ED4D1-D013-4A13-AEFE-A67FA32C5747", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"actor.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test Actor User\",\"id\":\"randomidhere\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"602deqxi8mycjkwk3sth4ci6cxxtr9rr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"192.168.7.19\",\"userAgent\":{\"browser\":\"CHROME\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 
Safari/537.36\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"veqflnui3t7ql7k6v0nptw9lipilzybr\",\"requestId\":\"3bsdgs8tyatf74aufwsvkt7lv1i9x0o9\",\"requestUri\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser\",\"url\":\"/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?\"}},\"device\":null,\"displayMessage\":\"Add user to group membership\",\"eventType\":\"group.user_membership.add\",\"legacyEventType\":\"core.user_group_member.user_add\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-26T16:25:06.297Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"San Francisco\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7642,\"lon\":-122.3993},\"postalCode\":\"94107\",\"state\":\"California\"},\"ip\":\"192.168.7.19\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":6461,\"asOrg\":\"elasticsearch inc\",\"domain\":\"thisisadomain.com\",\"isProxy\":false,\"isp\":\"bandwidth\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"target.user@test.com\",\"detailEntry\":null,\"displayName\":\"Target User Test Name\",\"id\":\"7cexsxmg5m671po4lmyb29a0knaqpaqg\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"Sales\",\"id\":\"h23gdxfk7jc8kf5fb923xc1lt5ojey93\",\"type\":\"UserGroup\"}],\"transaction\":{\"detail\":{},\"id\":\"448ahm88tkkxo0npwiu28ws20oj38nya\",\"type\":\"WEB\"},\"uuid\":\"B96ED4D1-D013-4A13-AEFE-A67FA32C5747\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "group", + "change" + ] + }, + "okta": { + "actor": { + "alternate_id": "actor.user@test.com", + "display_name": "Test Actor User", + "id": "randomidhere", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "602deqxi8mycjkwk3sth4ci6cxxtr9rr" + }, + "client": { + "device": "Computer", + "ip": "192.168.7.19", + "user_agent": { + "browser": "CHROME", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "dt_hash": "veqflnui3t7ql7k6v0nptw9lipilzybr", + "flattened": { + "dtHash": "veqflnui3t7ql7k6v0nptw9lipilzybr", + "requestId": "3bsdgs8tyatf74aufwsvkt7lv1i9x0o9", + "requestUri": "/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser", + "url": "/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?" + }, + "request_id": "3bsdgs8tyatf74aufwsvkt7lv1i9x0o9", + "request_uri": "/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser", + "url": "/admin/group/h23gdxfk7jc8kf5fb923xc1lt5ojey93/addUser?" + } + }, + "display_message": "Add user to group membership", + "event_type": "group.user_membership.add", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "San Francisco", + "country": "United States", + "geolocation": { + "lat": 37.7642, + "lon": -122.3993 + }, + "postal_code": "94107", + "state": "California" + }, + "ip": "192.168.7.19", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 6461, + "organization": { + "name": "elasticsearch inc" + } + }, + "domain": "thisisadomain.com", + "is_proxy": false, + "isp": "bandwidth" + }, + "target": [ + { + "alternate_id": "target.user@test.com", + "display_name": "Target User Test Name", + "id": "7cexsxmg5m671po4lmyb29a0knaqpaqg", + "type": "User" + }, + { + "alternate_id": "unknown", + "display_name": "Sales", + "id": "h23gdxfk7jc8kf5fb923xc1lt5ojey93", + "type": "UserGroup" + } + ], + "transaction": { + "id": "448ahm88tkkxo0npwiu28ws20oj38nya", + "type": "WEB" + }, + "uuid": "B96ED4D1-D013-4A13-AEFE-A67FA32C5747" + }, + "related": { + "ip": [ + "192.168.7.19" + ], + "user": [ + "Test Actor User", + "Target User Test Name", + "actor.user" + ] + }, + "source": { + "domain": "thisisadomain.com", + "ip": "192.168.7.19", + "user": { + "full_name": "Test Actor User", + 
"id": "randomidhere", + "name": "actor.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test Actor User", + "name": "actor.user", + "target": { + "full_name": "Target User Test Name", + "group": { + "id": "h23gdxfk7jc8kf5fb923xc1lt5ojey93", + "name": "Sales" + }, + "id": "7cexsxmg5m671po4lmyb29a0knaqpaqg" + } + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", + "os": { + "full": "Mac OS X 10.15.7", + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "112.0.0.0" + } + }, + { + "@timestamp": "2023-04-27T00:56:17.750Z", + "client": { + "user": { + "full_name": "Okta System", + "id": "spr294puarJOdUsWD1t7", + "name": "system" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "app.user_management", + "id": "23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"system@okta.com\",\"detailEntry\":null,\"displayName\":\"Okta System\",\"id\":\"spr294puarJOdUsWD1t7\",\"type\":\"SystemPrincipal\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"4ivdy6m56cqo8s6w57o6cvq5fbb409wr\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":null,\"geographicalContext\":null,\"id\":null,\"ipAddress\":null,\"userAgent\":null,\"zone\":null},\"debugContext\":{\"debugData\":{}},\"device\":null,\"displayMessage\":\"Successfully imported new member to an app 
group\",\"eventType\":\"app.user_management\",\"legacyEventType\":\"app.user_management.app_group_member_import.insert_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-04-27T00:56:17.750Z\",\"request\":{\"ipChain\":[]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"domain.user@test.com\",\"id\":\"ew1qskfvt7mvqipcx6hxt3j95pqi01p8\",\"type\":\"AppUser\"},{\"alternateId\":\"group_email@test.com\",\"detailEntry\":null,\"displayName\":\"Payable\",\"id\":\"l2l6h6p946io0fwyd3jw7jzgy8sq6a61\",\"type\":\"AppGroup\"},{\"alternateId\":\"domain.user@test.com\",\"detailEntry\":null,\"displayName\":\"Domain User\",\"id\":\"9uuw5t9im68f03w5b9a3x72i18gugbqn\",\"type\":\"User\"},{\"alternateId\":\"G Suite\",\"detailEntry\":null,\"displayName\":\"Google Workspace\",\"id\":\"1a45g3hf19hvzgggw2ybn7e5q7xh0v4a\",\"type\":\"AppInstance\"}],\"transaction\":{\"detail\":{},\"id\":\"37r7dugr7fswsjdzv4r97layultdf19r\",\"type\":\"JOB\"},\"uuid\":\"23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "system@okta.com", + "display_name": "Okta System", + "id": "spr294puarJOdUsWD1t7", + "type": "SystemPrincipal" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "4ivdy6m56cqo8s6w57o6cvq5fbb409wr" + }, + "display_message": "Successfully imported new member to an app group", + "event_type": "app.user_management", + "outcome": { + "result": "SUCCESS" + }, + "target": [ + { + "alternate_id": "domain.user@test.com", + "display_name": "domain.user@test.com", + "id": "ew1qskfvt7mvqipcx6hxt3j95pqi01p8", + "type": "AppUser" + }, + { + "alternate_id": "group_email@test.com", + "display_name": "Payable", + "id": "l2l6h6p946io0fwyd3jw7jzgy8sq6a61", + "type": "AppGroup" + }, + { + "alternate_id": 
"domain.user@test.com", + "display_name": "Domain User", + "id": "9uuw5t9im68f03w5b9a3x72i18gugbqn", + "type": "User" + }, + { + "alternate_id": "G Suite", + "display_name": "Google Workspace", + "id": "1a45g3hf19hvzgggw2ybn7e5q7xh0v4a", + "type": "AppInstance" + } + ], + "transaction": { + "id": "37r7dugr7fswsjdzv4r97layultdf19r", + "type": "JOB" + }, + "uuid": "23A8F6AA-0E52-45F7-A2FB-FEF6E0B38FC7" + }, + "related": { + "user": [ + "Okta System", + "Domain User", + "system" + ] + }, + "source": { + "user": { + "full_name": "Okta System", + "id": "spr294puarJOdUsWD1t7", + "name": "system" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Okta System", + "name": "system", + "target": { + "full_name": "Domain User", + "id": "9uuw5t9im68f03w5b9a3x72i18gugbqn" + } + } + }, + { + "@timestamp": "2023-05-23T19:39:49.513Z", + "client": { + "as": { + "organization": { + "name": "at&t corp." + } + }, + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "id": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test 
User\",\"id\":\"00uk123456abct7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"idxabcdefg123zA\",\"interface\":null,\"issuer\":null},\"client\":{},\"debugContext\":{},\"device\":{\"device_integrator\":null,\"disk_encryption_type\":\"ALL_INTERNAL_VOLUMES\",\"id\":\"abcdefghijklmnop\",\"jailbreak\":null,\"managed\":false,\"name\":\"MacBookPro14,2\",\"os_platform\":\"OSX\",\"os_version\":\"12.6.6\",\"registered\":true,\"screen_lock_type\":\"PASSCODE\",\"secure_hardware_present\":true},\"displayMessage\":\"User single sign on to app\",\"eventType\":\"user.authentication.sso\",\"legacyEventType\":\"app.auth.sso\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-23T19:39:49.513Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lawn Park\",\"country\":\"United States\",\"geolocation\":{\"lat\":47.8907,\"lon\":-87.7908},\"postalCode\":\"999999\",\"state\":\"California\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7018,\"asOrg\":\"at&t corp.\",\"domain\":\"sbcglobal.net\",\"isProxy\":false,\"isp\":\"att services inc\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"Wiki\",\"detailEntry\":{\"signOnModeType\":\"SAML_2_0\"},\"displayName\":\"An App Server\",\"id\":\"0o123456abcdef1t7\",\"type\":\"AppInstance\"},{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"0ustyhdhurhjtdrhh1t7\",\"type\":\"AppUser\"}],\"transaction\":{\"detail\":{},\"id\":\"ZGmw\",\"type\":\"WEB\"},\"uuid\":\"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "00uk123456abct7", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + 
"external_session_id": "idxabcdefg123zA" + }, + "device": { + "disk_encryption_type": "ALL_INTERNAL_VOLUMES", + "id": "abcdefghijklmnop", + "managed": false, + "name": "MacBookPro14,2", + "os_platform": "OSX", + "os_version": "12.6.6", + "registered": true, + "screen_lock_type": "PASSCODE", + "secure_hardware_present": true + }, + "display_message": "User single sign on to app", + "event_type": "user.authentication.sso", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Lawn Park", + "country": "United States", + "geolocation": { + "lat": 47.8907, + "lon": -87.7908 + }, + "postal_code": "999999", + "state": "California" + }, + "ip": "192.168.1.10", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 7018, + "organization": { + "name": "at&t corp." + } + }, + "domain": "sbcglobal.net", + "is_proxy": false, + "isp": "att services inc" + }, + "target": [ + { + "alternate_id": "Wiki", + "display_name": "An App Server", + "id": "0o123456abcdef1t7", + "type": "AppInstance" + }, + { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "0ustyhdhurhjtdrhh1t7", + "type": "AppUser" + } + ], + "transaction": { + "id": "ZGmw", + "type": "WEB" + }, + "uuid": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C" + }, + "related": { + "user": [ + "Test User", + "test.user" + ] + }, + "source": { + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test User", + "name": "test.user" + } + }, + { + "@timestamp": "2023-05-23T19:39:49.513Z", + "client": { + "as": { + "organization": { + "name": "at&t corp." 
+ } + }, + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "id": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"00uk123456abct7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"idxabcdefg123zA\",\"interface\":null,\"issuer\":null},\"client\":{},\"debugContext\":{},\"device\":{\"device_integrator\":\"{\\\"WSC\\\":{},\\\"CROWDSTRIKE\\\":{}}\",\"disk_encryption_type\":\"ALL_INTERNAL_VOLUMES\",\"id\":\"V9YPwc5tnhWcaLs3\",\"jailbreak\":null,\"managed\":false,\"name\":\"MacBookPro18,2\",\"os_platform\":\"OSX\",\"os_version\":\"13.3.1\",\"registered\":true,\"screen_lock_type\":\"BIOMETRIC\",\"secure_hardware_present\":true},\"displayMessage\":\"User single sign on to app\",\"eventType\":\"user.authentication.sso\",\"legacyEventType\":\"app.auth.sso\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-23T19:39:49.513Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lawn Park\",\"country\":\"United States\",\"geolocation\":{\"lat\":47.8907,\"lon\":-87.7908},\"postalCode\":\"999999\",\"state\":\"California\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7018,\"asOrg\":\"at&t corp.\",\"domain\":\"sbcglobal.net\",\"isProxy\":false,\"isp\":\"att services inc\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"Wiki\",\"detailEntry\":{\"signOnModeType\":\"SAML_2_0\"},\"displayName\":\"An App 
Server\",\"id\":\"0o123456abcdef1t7\",\"type\":\"AppInstance\"},{\"alternateId\":\"test.user@test.com\",\"detailEntry\":null,\"displayName\":\"Test User\",\"id\":\"0ustyhdhurhjtdrhh1t7\",\"type\":\"AppUser\"}],\"transaction\":{\"detail\":{},\"id\":\"ZGmw\",\"type\":\"WEB\"},\"uuid\":\"2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "00uk123456abct7", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "idxabcdefg123zA" + }, + "device": { + "device_integrator": { + "CROWDSTRIKE": {}, + "WSC": {} + }, + "disk_encryption_type": "ALL_INTERNAL_VOLUMES", + "id": "V9YPwc5tnhWcaLs3", + "managed": false, + "name": "MacBookPro18,2", + "os_platform": "OSX", + "os_version": "13.3.1", + "registered": true, + "screen_lock_type": "BIOMETRIC", + "secure_hardware_present": true + }, + "display_message": "User single sign on to app", + "event_type": "user.authentication.sso", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Lawn Park", + "country": "United States", + "geolocation": { + "lat": 47.8907, + "lon": -87.7908 + }, + "postal_code": "999999", + "state": "California" + }, + "ip": "192.168.1.10", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 7018, + "organization": { + "name": "at&t corp." 
+ } + }, + "domain": "sbcglobal.net", + "is_proxy": false, + "isp": "att services inc" + }, + "target": [ + { + "alternate_id": "Wiki", + "display_name": "An App Server", + "id": "0o123456abcdef1t7", + "type": "AppInstance" + }, + { + "alternate_id": "test.user@test.com", + "display_name": "Test User", + "id": "0ustyhdhurhjtdrhh1t7", + "type": "AppUser" + } + ], + "transaction": { + "id": "ZGmw", + "type": "WEB" + }, + "uuid": "2D6FC3CC-3BFB-4AC1-8259-016CF6A5976C" + }, + "related": { + "user": [ + "Test User", + "test.user" + ] + }, + "source": { + "domain": "sbcglobal.net", + "user": { + "full_name": "Test User", + "id": "00uk123456abct7", + "name": "test.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test User", + "name": "test.user" + } + }, + { + "@timestamp": "2023-05-22T12:11:48.092Z", + "client": { + "as": { + "organization": { + "name": "vo energies catv customers - region of oron/vd" + } + }, + "domain": "voenergies.net", + "geo": { + "city_name": "Palezieux", + "country_name": "Switzerland", + "location": { + "lat": 46.5379, + "lon": 6.8409 + }, + "region_name": "Vaud" + }, + "ip": "192.168.1.10", + "user": { + "full_name": "Test User", + "id": "00ua123456abcat7", + "name": "test.user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user.authentication.auth_via_mfa", + "id": "150A5E5C-C236-426A-A0D1-B79F1E391A6B", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test 
User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"idx123456asdsajA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"dtHash\":\"abc123456abc\",\"factor\":\"SIGNED_NONCE\",\"requestId\":\"123456abcdefghij\",\"requestUri\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify\",\"url\":\"/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-05-22T12:11:48.092Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Palezieux\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":46.5379,\"lon\":6.8409},\"postalCode\":\"1607\",\"state\":\"Vaud\"},\"ip\":\"192.168.1.10\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":39544,\"asOrg\":\"vo energies catv customers - region of oron/vd\",\"domain\":\"voenergies.net\",\"isProxy\":false,\"isp\":\"vo energies multimedia sa\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"test.user@domain.com\",\"detailEntry\":null,\"displayName\":\"Test 
User\",\"id\":\"00ua123456abcat7\",\"type\":\"User\"},{\"alternateId\":\"unknown\",\"detailEntry\":{\"methodTypeUsed\":\"Use Okta FastPass\",\"methodUsedVerifiedProperties\":\"[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]\"},\"displayName\":\"Okta Verify\",\"id\":\"00ua123456abcat7\",\"type\":\"AuthenticatorEnrollment\"}],\"transaction\":{\"detail\":{},\"id\":\"00ua123456abcat7\",\"type\":\"WEB\"},\"uuid\":\"150A5E5C-C236-426A-A0D1-B79F1E391A6B\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "test.user@domain.com", + "display_name": "Test User", + "id": "00ua123456abcat7", + "type": "User" + }, + "authentication_context": { + "authentication_provider": "FACTOR_PROVIDER", + "authentication_step": 0, + "credential_provider": "OKTA_CREDENTIAL_PROVIDER", + "external_session_id": "idx123456asdsajA" + }, + "client": { + "device": "Computer", + "ip": "192.168.1.10", + "user_agent": { + "browser": "UNKNOWN", + "os": "Mac OS X", + "raw_user_agent": "B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "dt_hash": "abc123456abc", + "factor": "SIGNED_NONCE", + "flattened": { + "dtHash": "abc123456abc", + "factor": "SIGNED_NONCE", + "requestId": "123456abcdefghij", + "requestUri": "/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify", + "url": "/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?" + }, + "request_id": "123456abcdefghij", + "request_uri": "/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify", + "url": "/idp/authenticators/123456abcdefghij/transactions/123456abcdefghij/verify?" 
+ } + }, + "display_message": "Authentication of user via MFA", + "event_type": "user.authentication.auth_via_mfa", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Palezieux", + "country": "Switzerland", + "geolocation": { + "lat": 46.5379, + "lon": 6.8409 + }, + "postal_code": "1607", + "state": "Vaud" + }, + "ip": "192.168.1.10", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 39544, + "organization": { + "name": "vo energies catv customers - region of oron/vd" + } + }, + "domain": "voenergies.net", + "is_proxy": false, + "isp": "vo energies multimedia sa" + }, + "target": [ + { + "alternate_id": "test.user@domain.com", + "display_name": "Test User", + "id": "00ua123456abcat7", + "type": "User" + }, + { + "alternate_id": "unknown", + "detailEntry": { + "methodTypeUsed": "Use Okta FastPass", + "methodUsedVerifiedProperties": "[DEVICE_BOUND, PHISHING_RESISTANT, USER_VERIFYING, USER_PRESENCE, HARDWARE_PROTECTED]" + }, + "display_name": "Okta Verify", + "id": "00ua123456abcat7", + "type": "AuthenticatorEnrollment" + } + ], + "transaction": { + "id": "00ua123456abcat7", + "type": "WEB" + }, + "uuid": "150A5E5C-C236-426A-A0D1-B79F1E391A6B" + }, + "related": { + "ip": [ + "192.168.1.10" + ], + "user": [ + "Test User", + "test.user" + ] + }, + "source": { + "domain": "voenergies.net", + "ip": "192.168.1.10", + "user": { + "full_name": "Test User", + "id": "00ua123456abcat7", + "name": "test.user" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Test User", + "name": "test.user", + "target": { + "full_name": "Test User", + "id": "00ua123456abcat7" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "B7F62B65BN.com.okta.mobile/3.13.4 OktaDeviceSDK/0.0.1 macOS/13.3.1 Apple/MacBookPro18,2 UUID123" + } + }, + { + "@timestamp": "2023-06-07T15:49:45.109Z", + "client": { + "as": { + "organization": { + 
"name": "verizon" + } + }, + "domain": "verizon.net", + "geo": { + "city_name": "Bay Shore", + "country_name": "United States", + "location": { + "lat": 40.7051, + "lon": -73.243 + }, + "region_name": "New York" + }, + "ip": "192.168.1.10", + "user": { + "full_name": "John Doe", + "id": "00aabbccddeeffaaaaaa", + "name": "john.doe" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "device.user.add", + "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"john.doe@elastic.co\",\"detailEntry\":null,\"displayName\":\"John Doe\",\"id\":\"00aabbccddeeffaaaaaa\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"abcdefghijklM-NopQrsTUvWx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New York\"},\"id\":null,\"ipAddress\":\"192.168.1.10\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"XXXXXXXXXXXXXXXXXX\",\"requestUri\":\"/idp/authenticators\",\"url\":\"/idp/authenticators?\"}},\"device\":null,\"displayMessage\":\"Add device to user\",\"eventType\":\"device.user.add\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-06-07T15:49:45.109Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bay Shore\",\"country\":\"United States\",\"geolocation\":{\"lat\":40.7051,\"lon\":-73.243},\"postalCode\":\"11706\",\"state\":\"New 
York\"},\"ip\":\"175.16.199.18\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"verizon\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"deviceStatus\":\"CREATED\",\"managed\":\"false\",\"oktaDeviceId\":\"xxxxxxxxxxxxxxxxx\",\"osPlatform\":\"MACOS\",\"osVersion\":\"13.4.0\",\"serialNumber\":\"XXXXXXXX\",\"tpmPresent\":\"false\",\"uuid\":\"AAAAAAAA-CCCC-DDDD-EEEE-BBBBBBBBBBBB\"},\"displayName\":\"John's MacBook Pro\",\"id\":\"fakefakefakefake\",\"type\":\"UDDevice\"}],\"transaction\":{\"detail\":{\"requestApiTokenId\":\"aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww\"},\"id\":\"ABCDEFCGALKDJDLK\",\"type\":\"WEB\"},\"uuid\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"version\":\"0\"}", + "outcome": "success" + }, + "okta": { + "actor": { + "alternate_id": "john.doe@elastic.co", + "display_name": "John Doe", + "id": "00aabbccddeeffaaaaaa", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "abcdefghijklM-NopQrsTUvWx" + }, + "client": { + "device": "Computer", + "ip": "192.168.1.10", + "user_agent": { + "browser": "UNKNOWN", + "os": "Mac OS X", + "raw_user_agent": "FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "requestId": "XXXXXXXXXXXXXXXXXX", + "requestUri": "/idp/authenticators", + "url": "/idp/authenticators?" + }, + "request_id": "XXXXXXXXXXXXXXXXXX", + "request_uri": "/idp/authenticators", + "url": "/idp/authenticators?" 
+ } + }, + "display_message": "Add device to user", + "event_type": "device.user.add", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Bay Shore", + "country": "United States", + "geolocation": { + "lat": 40.7051, + "lon": -73.243 + }, + "postal_code": "11706", + "state": "New York" + }, + "ip": "175.16.199.18", + "version": "V4" + } + ] + }, + "security_context": { + "as": { + "number": 701, + "organization": { + "name": "verizon" + } + }, + "domain": "verizon.net", + "is_proxy": false, + "isp": "verizon" + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "John's MacBook Pro", + "id": "fakefakefakefake", + "type": "UDDevice" + } + ], + "transaction": { + "detail": { + "request_api_token_id": "aa.aa.bbbbbbbbbbbbbbbbbbbbbbb_wwwwwwwwwwwwwwww" + }, + "id": "ABCDEFCGALKDJDLK", + "type": "WEB" + }, + "uuid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + }, + "related": { + "ip": [ + "192.168.1.10" + ], + "user": [ + "John Doe", + "john.doe" + ] + }, + "source": { + "domain": "verizon.net", + "ip": "192.168.1.10", + "user": { + "full_name": "John Doe", + "id": "00aabbccddeeffaaaaaa", + "name": "john.doe" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "John Doe", + "name": "john.doe" + }, + "user_agent": { + "device": { + "name": "Generic Feature Phone" + }, + "name": "Other", + "original": "FAKEFAKEFAKE.com.okta.mobile/8.1.1 OktaDeviceSDK/0.0.1 macOS/13.4.0 Apple/MacBookPro16,2 RANDOM-AAAA-BBBB-CCCC-DDDDDDDDDDDD" + } + } + ] +} \ No newline at end of file diff --git a/packages/okta/data_stream/system/_dev/test/system/test-api-key-no-flattened-config.yml b/packages/okta/data_stream/system/_dev/test/system/test-api-key-no-flattened-config.yml new file mode 100644 index 00000000000..49e549fcf96 --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/system/test-api-key-no-flattened-config.yml 
@@ -0,0 +1,14 @@
+input: httpjson
+service: okta
+vars:
+ url: http://{{Hostname}}:{{Port}}/api/v1/logs
+ interval: 10s
+ api_key: testing
+ enable_request_tracer: true
+policy_template: okta
+data_stream:
+ vars:
+ preserve_original_event: true
+ remove_flattened_debug: true
+assert:
+ hit_count: 4
diff --git a/packages/okta/data_stream/system/_dev/test/system/test-oauth2-config.yml b/packages/okta/data_stream/system/_dev/test/system/test-oauth2-config.yml
index cd8dc954383..73e30f19dd5 100644
--- a/packages/okta/data_stream/system/_dev/test/system/test-oauth2-config.yml
+++ b/packages/okta/data_stream/system/_dev/test/system/test-oauth2-config.yml
@@ -13,5 +13,6 @@ policy_template: okta
 data_stream:
 vars:
 preserve_original_event: true
+ remove_flattened_debug: false
 assert:
 hit_count: 4
diff --git a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs
index 78f1a378d6e..ac6ee4ffe97 100644
--- a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs
+++ b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs
@@ -105,6 +105,10 @@ tags:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
+fields_under_root: true
+fields:
+ _conf:
+ remove_flattened_debug: {{remove_flattened_debug}}
 {{#if processors}}
 processors:
 {{processors}}
diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml
index 864b1dd1d83..5a925fbf23e 100644
--- a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml
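Review bot: The `_conf` block added under `fields` in httpjson.yml.hbs is an internal control value for the ingest pipeline, yet nothing in the template says so, and `fields_under_root: true` makes it read like data meant for the indexed document. A comment above `fields_under_root` would stop a later cleanup from silently breaking the pipeline switch, e.g. `# _conf steers the ingest pipeline (debug_data layout) and is removed there; it is not event data.` The value is rendered unquoted, so a policy that does not define the variable yields a null `remove_flattened_debug`, which the pipeline's `!= true` test maps to the pre-existing flattened layout; that default is worth stating in the same comment.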
@@ -282,145 +282,12 @@ processors: target_field: okta.transaction.detail.request_api_token_id ignore_missing: true ignore_failure: true - - set: - field: okta.debug_context.debug_data.flattened - copy_from: json.debugContext.debugData - ignore_failure: true - - json: - field: okta.debug_context.debug_data.flattened.logOnlySecurityData - ignore_failure: true - - dissect: - field: okta.debug_context.debug_data.flattened.behaviors - pattern: "{%{okta.debug_context.debug_data.flattened.behaviors}}" - ignore_missing: true - ignore_failure: true - - kv: - field: okta.debug_context.debug_data.flattened.behaviors - field_split: ", " - value_split: "=" - target_field: _behaviors_object - if: ctx.okta?.debug_context?.debug_data?.flattened?.behaviors != null - - remove: - field: okta.debug_context.debug_data.flattened.behaviors - if: ctx._behaviors_object != null - - rename: - field: _behaviors_object - target_field: okta.debug_context.debug_data.flattened.behaviors - ignore_missing: true - ignore_failure: true - - set: - field: okta.debug_context.debug_data.flattened.risk_object - copy_from: okta.debug_context.debug_data.flattened.risk - if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null - - dissect: - field: okta.debug_context.debug_data.flattened.risk - pattern: "{%{okta.debug_context.debug_data.flattened.risk}}" - ignore_missing: true - ignore_failure: true - - kv: - field: okta.debug_context.debug_data.flattened.risk - field_split: ", " - value_split: "=" - target_field: _risk_object - if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null - on_failure: - - remove: - field: _risk_object - - remove: - field: okta.debug_context.debug_data.flattened.risk_object - if: ctx._risk_object != null - # Make heroic efforts to capture risk level and reason if kv could not get them. 
- - grok: - field: okta.debug_context.debug_data.flattened.risk - patterns: - - level=%{NOTSPACE:_risk_object.level} - if: ctx.okta?.debug_context?.debug_data?.flattened?.risk_object != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null - ignore_failure: true - - grok: - field: okta.debug_context.debug_data.flattened.risk - patterns: - - reasons=%{DATA:_risk_object.reasons}, %{KEY} - - reasons=%{DATA:_risk_object.reasons}$ - pattern_definitions: - KEY: '%{NOTSPACE}=' - if: ctx.okta?.debug_context?.debug_data?.flattened?.risk_object != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null - ignore_failure: true - - remove: - field: okta.debug_context.debug_data.flattened.risk - if: ctx._risk_object != null - - rename: - field: _risk_object - target_field: okta.debug_context.debug_data.flattened.risk - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.deviceFingerprint - target_field: okta.debug_context.debug_data.device_fingerprint - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.requestId - target_field: okta.debug_context.debug_data.request_id - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.requestUri - target_field: okta.debug_context.debug_data.request_uri - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.threatSuspected - target_field: okta.debug_context.debug_data.threat_suspected - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.url - target_field: okta.debug_context.debug_data.url - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.dtHash - target_field: okta.debug_context.debug_data.dt_hash - ignore_missing: true - ignore_failure: true - - set: - field: okta.debug_context.debug_data.risk_level - value: 
"{{{okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.level}}}" - if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != ""' - - split: - field: okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.reasons - target_field: okta.debug_context.debug_data.risk_reasons - separator: ',\s*' - if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.reasons != ""' - - set: - field: okta.debug_context.debug_data.risk_level - value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}" - if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.level != ""' - - set: - field: okta.debug_context.debug_data.factor - value: "{{{okta.debug_context.debug_data.flattened.factor}}}" - if: 'ctx.okta?.debug_context?.debug_data?.factor == null && ctx.okta?.debug_context?.debug_data?.flattened?.factor != null && ctx.okta?.debug_context?.debug_data?.flattened?.factor != ""' - - split: - field: okta.debug_context.debug_data.flattened.risk.reasons - target_field: okta.debug_context.debug_data.risk_reasons - separator: ',\s*' - if: 'ctx.okta?.debug_context?.debug_data?.risk_reasons == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.reasons != ""' - - script: - lang: painless - source: | - def src = ctx.okta?.debug_context?.debug_data?.flattened?.behaviors; - if (src == null) { - return; - } - def dst = new ArrayList(); - for (e in src.entrySet()) { - if (e != null && e.getValue() == "POSITIVE") { - dst.add(e.getKey()); - } - } - if (dst.length != 0) { - ctx.okta.debug_context.debug_data['risk_behaviors'] = 
dst; - } + - pipeline: + if: ctx._conf?.remove_flattened_debug != true + name: '{{ IngestPipeline "use_flattened_debug" }}' + - pipeline: + if: ctx._conf?.remove_flattened_debug == true + name: '{{ IngestPipeline "no_use_flattened_debug" }}' - rename: field: json.authenticationContext.authenticationProvider target_field: okta.authentication_context.authentication_provider @@ -723,6 +590,10 @@ processors: if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_failure: true ignore_missing: true + - remove: + field: _conf + ignore_missing: true + ignore_failure: true on_failure: - set: field: event.kind diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/no_use_flattened_debug.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/no_use_flattened_debug.yml new file mode 100644 index 00000000000..61899fc53ab --- /dev/null +++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/no_use_flattened_debug.yml 
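Review bot: Neither new `pipeline` processor carries a `tag`, so if a sub-pipeline cannot be resolved or fails outside its own `on_failure`, the parent handler's message names only `Processor 'pipeline'` and an operator cannot tell which layout path was taken; add `tag: use_flattened_debug` and `tag: no_use_flattened_debug` respectively. The dispatch also deserves a comment, because the first condition (`!= true`) routes every event without `_conf` — one arriving from a path other than the updated httpjson template, or, should the value ever be rendered as a string, `"true"` — to the flattened layout; `# Absent/non-boolean _conf (other inputs, older policies) keeps the pre-existing flattened layout.` makes that deliberate rather than accidental. The `processors` list continues outside the hunk.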
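Review bot: The new `remove` of `_conf` only runs when every preceding processor succeeds; when a processor without its own handler fails, Elasticsearch skips the rest of the list and runs the pipeline-level `on_failure` that follows, so `pipeline_error` documents are indexed with `_conf.remove_flattened_debug` still present. Adding the same four-line `remove` processor (`field: _conf`, `ignore_missing: true`, `ignore_failure: true`) as the first entry of the `on_failure` list closes that gap. `_conf` is not declared in any field definition visible in this diff, so presumably it would be stored unmapped or, under a strict mapping, cause the document to be rejected — confirm against the data stream's mapping settings.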
@@ -0,0 +1,181 @@ +--- +description: Pipeline for Okta debug data not using flattened. +processors: + - rename: + field: json.debugContext.debugData + target_field: okta.debug_context.debug_data + ignore_failure: true + - json: + field: okta.debug_context.debug_data.logOnlySecurityData + ignore_failure: true + - dissect: + field: okta.debug_context.debug_data.behaviors + pattern: "{%{okta.debug_context.debug_data.behaviors}}" + ignore_missing: true + ignore_failure: true + - kv: + field: okta.debug_context.debug_data.behaviors + field_split: ", " + value_split: "=" + target_field: _behaviors_object + if: ctx.okta?.debug_context?.debug_data?.behaviors != null + - remove: + field: okta.debug_context.debug_data.behaviors + if: ctx._behaviors_object != null + - rename: + field: _behaviors_object + target_field: okta.debug_context.debug_data.behaviors + ignore_missing: true + ignore_failure: true + - set: + field: okta.debug_context.debug_data.risk_object + copy_from: okta.debug_context.debug_data.risk + if: ctx.okta?.debug_context?.debug_data?.risk != null + - dissect: + field: okta.debug_context.debug_data.risk + pattern: "{%{okta.debug_context.debug_data.risk}}" + ignore_missing: true + ignore_failure: true + - kv: + field: okta.debug_context.debug_data.risk + field_split: ", " + value_split: "=" + target_field: _risk_object + if: ctx.okta?.debug_context?.debug_data?.risk != null + on_failure: + - remove: + field: _risk_object + - remove: + field: okta.debug_context.debug_data.risk_object + if: ctx._risk_object != null + # Make heroic efforts to capture risk level and reason if kv could not get them. 
+ - grok: + field: okta.debug_context.debug_data.risk + patterns: + - level=%{NOTSPACE:_risk_object.level} + if: ctx.okta?.debug_context?.debug_data?.risk_object != null && ctx.okta?.debug_context?.debug_data?.risk != null + ignore_failure: true + - grok: + field: okta.debug_context.debug_data.risk + patterns: + - reasons=%{DATA:_risk_object.reasons}, %{KEY} + - reasons=%{DATA:_risk_object.reasons}$ + pattern_definitions: + KEY: '%{NOTSPACE}=' + if: ctx.okta?.debug_context?.debug_data?.risk_object != null && ctx.okta?.debug_context?.debug_data?.risk != null + ignore_failure: true + - remove: + field: okta.debug_context.debug_data.risk + if: ctx._risk_object != null + - rename: + field: _risk_object + target_field: okta.debug_context.debug_data.risk + ignore_missing: true + ignore_failure: true + - set: + field: okta.debug_context.debug_data.risk_level + value: "{{{okta.debug_context.debug_data.logOnlySecurityData.risk.level}}}" + if: 'ctx.okta?.debug_context?.debug_data?.logOnlySecurityData?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.logOnlySecurityData?.risk?.level != ""' + - split: + field: okta.debug_context.debug_data.logOnlySecurityData.risk.reasons + target_field: okta.debug_context.debug_data.risk_reasons + separator: ',\s*' + if: 'ctx.okta?.debug_context?.debug_data?.logOnlySecurityData?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.logOnlySecurityData?.risk?.reasons != ""' + - set: + field: okta.debug_context.debug_data.risk_level + value: "{{{okta.debug_context.debug_data.risk.level}}}" + if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.risk?.level != ""' + - set: + field: okta.debug_context.debug_data.factor + value: "{{{okta.debug_context.debug_data.factor}}}" + if: 'ctx.okta?.debug_context?.debug_data?.factor == null && ctx.okta?.debug_context?.debug_data?.factor != null && 
ctx.okta?.debug_context?.debug_data?.factor != ""' + - split: + field: okta.debug_context.debug_data.risk.reasons + target_field: okta.debug_context.debug_data.risk_reasons + separator: ',\s*' + if: 'ctx.okta?.debug_context?.debug_data?.risk_reasons == null && ctx.okta?.debug_context?.debug_data?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.risk?.reasons != ""' + - script: + lang: painless + source: | + def src = ctx.okta?.debug_context?.debug_data?.behaviors; + if (src == null) { + return; + } + def dst = new ArrayList(); + for (e in src.entrySet()) { + if (e != null && e.getValue() == "POSITIVE") { + dst.add(e.getKey()); + } + } + if (dst.length != 0) { + ctx.okta.debug_context.debug_data['risk_behaviors'] = dst; + } + + # Special cases for fields that were previously extracted from flattened. + - rename: + field: okta.debug_context.debug_data.deviceFingerprint + target_field: okta.debug_context.debug_data.device_fingerprint + ignore_missing: true + ignore_failure: true + - rename: + field: okta.debug_context.debug_data.dtHash + target_field: okta.debug_context.debug_data.dt_hash + ignore_missing: true + ignore_failure: true + - rename: + field: okta.debug_context.debug_data.requestId + target_field: okta.debug_context.debug_data.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: okta.debug_context.debug_data.requestUri + target_field: okta.debug_context.debug_data.request_uri + ignore_missing: true + ignore_failure: true + - rename: + field: okta.debug_context.debug_data.threatSuspected + target_field: okta.debug_context.debug_data.threat_suspected + ignore_missing: true + ignore_failure: true + - script: + lang: painless + description: Replace spaces and dashes in field names under okta.debug_context.debug_data. 
+ tag: painless_purge_spaces_and_dashes + if: ctx.okta?.debug_context?.debug_data != null + source: | + String underscore(String s) { + return /[ -]/.matcher(s).replaceAll('_'); + } + def renameKeys(Map src) { + def dst = new HashMap(); + for (def entry: src.entrySet()) { + def key = entry.getKey(); + def value = entry.getValue(); + if (value instanceof Map) { + dst[underscore(key)] = renameKeys(value); + } else if (value instanceof List) { + for (int i = 0; i < value.length; i++) { + if (value[i] instanceof Map) { + value[i] = renameKeys(value[i]); + } + } + dst[underscore(key)] = value; + } else { + dst[underscore(key)] = value; + } + } + return dst; + } + ctx.okta.debug_context.debug_data = renameKeys(ctx.okta.debug_context.debug_data) + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: >- + Processor '{{ _ingest.on_failure_processor_type }}' + {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}' + diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/use_flattened_debug.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/use_flattened_debug.yml new file mode 100644 index 00000000000..bc6a330bc5b --- /dev/null +++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/use_flattened_debug.yml 
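Review bot: The `set` for `okta.debug_context.debug_data.factor` is dead code: its condition requires `ctx.okta?.debug_context?.debug_data?.factor == null` and `... != null` at the same time, which can never hold, because the flattened variant's copy from `flattened.factor` was transcribed without a distinct source field. In this layout `factor` is already in place after the opening `rename` of `json.debugContext.debugData`, so the processor should simply be deleted. The key-normalising script only rewrites spaces and dashes (`/[ -]/`); should Okta ever emit a debugData key containing a dot, Elasticsearch would expand it into a nested object at index time and it could collide with an existing sub-object such as `risk` or `behaviors` — widening the pattern to `/[ .-]/` is cheap insurance, though I have not verified that such keys occur. The behaviors `script` processor should also carry a `tag` like its sibling `painless_purge_spaces_and_dashes`, so the `on_failure` message can identify it.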
@@ -0,0 +1,153 @@ +--- +description: Pipeline for Okta debug data using flattened. +processors: + - set: + field: okta.debug_context.debug_data.flattened + copy_from: json.debugContext.debugData + ignore_failure: true + - json: + field: okta.debug_context.debug_data.flattened.logOnlySecurityData + ignore_failure: true + - dissect: + field: okta.debug_context.debug_data.flattened.behaviors + pattern: "{%{okta.debug_context.debug_data.flattened.behaviors}}" + ignore_missing: true + ignore_failure: true + - kv: + field: okta.debug_context.debug_data.flattened.behaviors + field_split: ", " + value_split: "=" + target_field: _behaviors_object + if: ctx.okta?.debug_context?.debug_data?.flattened?.behaviors != null + - remove: + field: okta.debug_context.debug_data.flattened.behaviors + if: ctx._behaviors_object != null + - rename: + field: _behaviors_object + target_field: okta.debug_context.debug_data.flattened.behaviors + ignore_missing: true + ignore_failure: true + - set: + field: okta.debug_context.debug_data.flattened.risk_object + copy_from: okta.debug_context.debug_data.flattened.risk + if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null + - dissect: + field: okta.debug_context.debug_data.flattened.risk + pattern: "{%{okta.debug_context.debug_data.flattened.risk}}" + ignore_missing: true + ignore_failure: true + - kv: + field: okta.debug_context.debug_data.flattened.risk + field_split: ", " + value_split: "=" + target_field: _risk_object + if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null + on_failure: + - remove: + field: _risk_object + - remove: + field: okta.debug_context.debug_data.flattened.risk_object + if: ctx._risk_object != null + # Make heroic efforts to capture risk level and reason if kv could not get them. 
+ - grok: + field: okta.debug_context.debug_data.flattened.risk + patterns: + - level=%{NOTSPACE:_risk_object.level} + if: ctx.okta?.debug_context?.debug_data?.flattened?.risk_object != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null + ignore_failure: true + - grok: + field: okta.debug_context.debug_data.flattened.risk + patterns: + - reasons=%{DATA:_risk_object.reasons}, %{KEY} + - reasons=%{DATA:_risk_object.reasons}$ + pattern_definitions: + KEY: '%{NOTSPACE}=' + if: ctx.okta?.debug_context?.debug_data?.flattened?.risk_object != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null + ignore_failure: true + - remove: + field: okta.debug_context.debug_data.flattened.risk + if: ctx._risk_object != null + - rename: + field: _risk_object + target_field: okta.debug_context.debug_data.flattened.risk + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.deviceFingerprint + target_field: okta.debug_context.debug_data.device_fingerprint + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestId + target_field: okta.debug_context.debug_data.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestUri + target_field: okta.debug_context.debug_data.request_uri + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.threatSuspected + target_field: okta.debug_context.debug_data.threat_suspected + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.url + target_field: okta.debug_context.debug_data.url + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.dtHash + target_field: okta.debug_context.debug_data.dt_hash + ignore_missing: true + ignore_failure: true + - set: + field: okta.debug_context.debug_data.risk_level + value: 
"{{{okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.level}}}" + if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != ""' + - split: + field: okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.reasons + target_field: okta.debug_context.debug_data.risk_reasons + separator: ',\s*' + if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.reasons != ""' + - set: + field: okta.debug_context.debug_data.risk_level + value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}" + if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.level != ""' + - set: + field: okta.debug_context.debug_data.factor + value: "{{{okta.debug_context.debug_data.flattened.factor}}}" + if: 'ctx.okta?.debug_context?.debug_data?.factor == null && ctx.okta?.debug_context?.debug_data?.flattened?.factor != null && ctx.okta?.debug_context?.debug_data?.flattened?.factor != ""' + - split: + field: okta.debug_context.debug_data.flattened.risk.reasons + target_field: okta.debug_context.debug_data.risk_reasons + separator: ',\s*' + if: 'ctx.okta?.debug_context?.debug_data?.risk_reasons == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.reasons != ""' + - script: + lang: painless + source: | + def src = ctx.okta?.debug_context?.debug_data?.flattened?.behaviors; + if (src == null) { + return; + } + def dst = new ArrayList(); + for (e in src.entrySet()) { + if (e != null && e.getValue() == "POSITIVE") { + dst.add(e.getKey()); + } + } + if (dst.length != 0) { + ctx.okta.debug_context.debug_data['risk_behaviors'] = 
dst; + } +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: >- + Processor '{{ _ingest.on_failure_processor_type }}' + {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}' + diff --git a/packages/okta/data_stream/system/fields/agent.yml b/packages/okta/data_stream/system/fields/agent.yml index 2bc58530bac..17556ecdf13 100644 --- a/packages/okta/data_stream/system/fields/agent.yml +++ b/packages/okta/data_stream/system/fields/agent.yml @@ -1,17 +1,10 @@ - name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - name: image.id type: keyword description: Image ID for the cloud instance. - name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - name: containerized diff --git a/packages/okta/data_stream/system/fields/base-fields.yml b/packages/okta/data_stream/system/fields/base-fields.yml index 915728ae0c3..0e886dfafa3 100644 --- a/packages/okta/data_stream/system/fields/base-fields.yml +++ b/packages/okta/data_stream/system/fields/base-fields.yml 
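Review bot: Nothing in this file records that it is a line-for-line parallel of `no_use_flattened_debug.yml` differing only in the `.flattened` segment of each field path, nor what selects it; a header comment such as `# Selected by default.yml when _conf.remove_flattened_debug is not true; mirror any change in no_use_flattened_debug.yml.` would limit drift between the two. The behaviors `script` processor has no `tag` or `description`, so a failure in it is reported only as `Processor 'script'` by the `on_failure` handler; `tag: painless_risk_behaviors` plus a one-line `description` would fix that.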
@@ -1,20 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module type: constant_keyword - description: Event module + external: ecs value: okta - name: event.dataset type: constant_keyword - description: Event dataset + external: ecs value: okta.system - name: "@timestamp" - type: date - description: Event timestamp. + external: ecs diff --git a/packages/okta/data_stream/system/fields/fields.yml b/packages/okta/data_stream/system/fields/fields.yml index 65ce4499c33..38171d28e04 100644 --- a/packages/okta/data_stream/system/fields/fields.yml +++ b/packages/okta/data_stream/system/fields/fields.yml @@ -1,30 +1,24 @@ - name: okta.uuid - title: UUID type: keyword description: | The unique identifier of the Okta LogEvent. - name: okta.event_type - title: Event Type type: keyword description: | The type of the LogEvent. - name: okta.version - title: Version type: keyword description: | The version of the LogEvent. - name: okta.severity - title: Severity type: keyword description: | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. - name: okta.display_message - title: Display Message type: keyword description: | The display message of the LogEvent. - name: okta.actor - title: Actor type: group fields: - name: id @@ -44,7 +38,6 @@ description: | Display name of the actor. - name: okta.client - title: Client type: group fields: - name: ip @@ -79,7 +72,6 @@ description: | The identifier of the client. - name: okta.device - title: Client type: group fields: - name: device_integrator 
@@ -123,7 +115,6 @@ trusted platform module (TPM) or secure enclave. It does not mark whether there are tokens on the secure hardware. - name: okta.outcome - title: Outcome of the LogEvent. type: group fields: - name: reason @@ -135,12 +126,10 @@ description: | The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. - name: okta.target - title: Target type: flattened description: | The list of targets. - name: okta.transaction - title: Transaction type: group fields: - name: id 
@@ -155,58 +144,124 @@ type: keyword description: ID of the API token used in a request. - name: okta.debug_context - title: Debug Context type: group fields: - name: debug_data - type: group - fields: - - name: device_fingerprint - type: keyword - description: | - The fingerprint of the device. - - name: dt_hash - type: keyword - description: | - The device token hash - - name: factor - type: keyword - description: | - The factor used for authentication. - - name: request_id - type: keyword - description: | - The identifier of the request. - - name: request_uri - type: keyword - description: | - The request URI. - - name: threat_suspected - type: keyword - description: | - Threat suspected. - - name: risk_behaviors - type: keyword - description: | - The set of behaviors that contribute to a risk assessment. - - name: risk_level - type: keyword - description: | - The risk level assigned to the sign in attempt. - - name: risk_reasons - type: keyword - description: | - The reasons for the risk. - - name: url - type: keyword - description: | - The URL. - - name: flattened - type: flattened - description: | - The complete debug_data object. + type: object + object_type: keyword + object_type_mapping_type: "*" + subobjects: false + - name: debug_data.authnRequestId + type: keyword + description: | + The authorization request ID. + - name: debug_data.device_fingerprint + type: keyword + description: | + The fingerprint of the device. + - name: debug_data.dt_hash + type: keyword + description: | + The device token hash + - name: debug_data.factor + type: keyword + description: | + The factor used for authentication. + - name: debug_data.request_id + type: keyword + description: | + The identifier of the request. + - name: debug_data.request_uri + type: keyword + description: | + The request URI. + - name: debug_data.threat_suspected + type: keyword + description: | + Threat suspected. 
+ - name: debug_data.risk_behaviors + type: keyword + description: | + The set of behaviors that contribute to a risk assessment. + - name: debug_data.risk_level + type: keyword + description: | + The risk level assigned to the sign in attempt. + - name: debug_data.risk_reasons + type: keyword + description: | + The reasons for the risk. + - name: debug_data.url + type: keyword + description: | + The URL. + - name: debug_data.flattened + type: flattened + description: | + The complete debug_data object. + - name: debug_data.behaviors + type: keyword + - name: debug_data.behaviors.New_City + type: keyword + - name: debug_data.behaviors.New_Country + type: keyword + - name: debug_data.behaviors.New_Device + type: keyword + - name: debug_data.behaviors.New_Geo_Location + type: keyword + - name: debug_data.behaviors.New_IP + type: keyword + - name: debug_data.behaviors.New_State + type: keyword + - name: debug_data.behaviors.Velocity + type: keyword + - name: debug_data.behaviors.Velocity_Behavior + type: keyword + - name: debug_data.logOnlySecurityData + type: keyword + - name: debug_data.logOnlySecurityData.behaviors + type: keyword + - name: debug_data.logOnlySecurityData.behaviors.New_City + type: keyword + - name: debug_data.logOnlySecurityData.behaviors.New_Country + type: keyword + - name: debug_data.logOnlySecurityData.behaviors.New_Device + type: keyword + - name: debug_data.logOnlySecurityData.behaviors.New_Geo_Location + type: keyword + - name: debug_data.logOnlySecurityData.behaviors.New_IP + type: keyword + - name: debug_data.logOnlySecurityData.behaviors.New_State + type: keyword + - name: debug_data.logOnlySecurityData.behaviors.Velocity + type: keyword + - name: debug_data.logOnlySecurityData.risk + type: keyword + - name: debug_data.logOnlySecurityData.risk.level + type: keyword + - name: debug_data.logOnlySecurityData.risk.reasons + type: keyword + - name: debug_data.originalPrincipal + type: keyword + - name: debug_data.originalPrincipal.alternateId 
+ type: keyword + - name: debug_data.originalPrincipal.displayName + type: keyword + - name: debug_data.originalPrincipal.id + type: keyword + - name: debug_data.originalPrincipal.type + type: keyword + - name: debug_data.promptingPolicyTypes + type: keyword + - name: debug_data.risk + type: keyword + - name: debug_data.risk.level + type: keyword + - name: debug_data.risk.reasons + type: keyword + - name: debug_data.risk_object + type: keyword - name: okta.authentication_context - title: Authentication Context type: group fields: - name: authentication_provider @@ -247,7 +302,6 @@ description: | The interface used. e.g., Outlook, Office365, wsTrust - name: okta.security_context - title: Security Context type: group fields: - name: as @@ -277,7 +331,6 @@ description: | Whether it is a proxy or not. - name: okta.request - title: Request type: group fields: - name: ip_chain diff --git a/packages/okta/data_stream/system/manifest.yml b/packages/okta/data_stream/system/manifest.yml index b30d547cb9e..404b18cfae0 100644 --- a/packages/okta/data_stream/system/manifest.yml +++ b/packages/okta/data_stream/system/manifest.yml @@ -20,6 +20,14 @@ streams: type: bool multi: false default: false + - name: remove_flattened_debug + type: bool + title: Remove flattened debug data + description: >- + When set to false, the original `debugContext.debugData` object will be kept in `okta.debug_context.debug_data.flattened`. We recommend turning this on for new installations where nothing depends on `okta.debug_context.debug_data.flattened`. + multi: false + required: false + show_user: false - name: disable_keep_alive required: true show_user: false diff --git a/packages/okta/data_stream/system/sample_event.json b/packages/okta/data_stream/system/sample_event.json index 67fe0628295..1077be7e800 100644 --- a/packages/okta/data_stream/system/sample_event.json +++ b/packages/okta/data_stream/system/sample_event.json 
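Review bot: The `debug_data` definition at the top of this hunk (`type: object`, `object_type: keyword`, `object_type_mapping_type: "*"`, `subobjects: false`) maps every key Okta emits under `debugContext.debugData` as its own keyword field, and the long list of explicit entries that follows shows that key set is wide and open-ended; a tenant that receives many distinct keys could, as far as I can tell, push the data stream toward `index.mapping.total_fields.limit` and have audit events rejected at ingest, so the trade-off deserves a comment on the `debug_data` entry and a sentence on what the explicit entries add beyond the wildcard. Most of the new entries (`debug_data.behaviors`, `debug_data.logOnlySecurityData*`, `debug_data.originalPrincipal*`, `debug_data.promptingPolicyTypes`, `debug_data.risk*`, `debug_data.risk_object`) carry no `description:`, which the README hunk in this commit renders as empty table cells; for example `debug_data.behaviors` could read `description: Per-behavior evaluation results reported by Okta; entries whose value is POSITIVE are collected into risk_behaviors.`, which mirrors the `risk_behaviors` script earlier in this diff. The object also mixes snake_case names kept from the old group (`request_id`, `risk_level`) with camelCase names taken verbatim from Okta (`authnRequestId`, `originalPrincipal`); if retaining the raw key names is intentional, say so in a one-line comment next to the `debug_data` entry so the next maintainer does not "normalise" them.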
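Review bot: The new `remove_flattened_debug` option declares no `default:`, while the sibling `bool` option just above it in the hunk does (`default: false`), and its description defines behaviour only "when set to false"; with `required: false` and `show_user: false` the unset case is decided by the stream template, which is not in this hunk, so the documented default should be explicit with `default: false` after `type: bool`. It would also help to state the true case in the description, e.g. append `When set to true, okta.debug_context.debug_data.flattened is not populated.`, adjusting the wording if the template does something narrower.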
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-02-14T20:18:57.718Z",
 "agent": {
- "ephemeral_id": "3b6c86fa-7cc1-4bd2-8064-b2f3c8c38bef",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "ephemeral_id": "6ac1caae-4aba-4b61-8408-14b46e15b668",
+ "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "client": {
 "geo": {
@@ -33,9 +33,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "event": {
 "action": "user.session.start",
@@ -44,10 +44,10 @@
 "authentication",
 "session"
 ],
- "created": "2023-09-22T17:12:24.505Z",
+ "created": "2024-05-17T05:51:14.737Z",
 "dataset": "okta.system",
 "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
- "ingested": "2023-09-22T17:12:25Z",
+ "ingested": "2024-05-17T05:51:24Z",
 "kind": "event",
 "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}",
 "outcome": "success",
@@ -163,4 +163,4 @@
 },
 "version": "72.0."
 }
-}
+}
\ No newline at end of file
diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md
index 4920e98dbbc..32eefbe42c3 100644
--- a/packages/okta/docs/README.md
+++ b/packages/okta/docs/README.md
@@ -53,11 +53,11 @@ An example event for `system` looks as following:
 {
 "@timestamp": "2020-02-14T20:18:57.718Z",
 "agent": {
- "ephemeral_id": "3b6c86fa-7cc1-4bd2-8064-b2f3c8c38bef",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "ephemeral_id": "6ac1caae-4aba-4b61-8408-14b46e15b668",
+ "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "client": {
 "geo": {
@@ -85,9 +85,9 @@ An example event for `system` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "event": {
 "action": "user.session.start",
@@ -96,10 +96,10 @@ An example event for `system` looks as following:
 "authentication",
 "session"
 ],
- "created": "2023-09-22T17:12:24.505Z",
+ "created": "2024-05-17T05:51:14.737Z",
 "dataset": "okta.system",
 "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
- "ingested": "2023-09-22T17:12:25Z",
+ "ingested": "2024-05-17T05:51:24Z",
 "kind": "event",
 "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}",
 "outcome": "success",
@@ -216,20 +216,19 @@ An example event for `system` looks as following: "version": "72.0." } } - ``` **Exported fields** | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cloud.image.id | Image ID for the cloud instance. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. 
Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | | host.containerized | If the host is a container. | boolean | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | 
@@ -255,14 +254,47 @@ An example event for `system` looks as following:
 | okta.client.user_agent.os | The OS informaton. | keyword |
 | okta.client.user_agent.raw_user_agent | The raw informaton of the user agent. | keyword |
 | okta.client.zone | The zone information of the client. | keyword |
+| okta.debug_context.debug_data | | object |
+| okta.debug_context.debug_data.authnRequestId | The authorization request ID. | keyword |
+| okta.debug_context.debug_data.behaviors | | keyword |
+| okta.debug_context.debug_data.behaviors.New_City | | keyword |
+| okta.debug_context.debug_data.behaviors.New_Country | | keyword |
+| okta.debug_context.debug_data.behaviors.New_Device | | keyword |
+| okta.debug_context.debug_data.behaviors.New_Geo_Location | | keyword |
+| okta.debug_context.debug_data.behaviors.New_IP | | keyword |
+| okta.debug_context.debug_data.behaviors.New_State | | keyword |
+| okta.debug_context.debug_data.behaviors.Velocity | | keyword |
+| okta.debug_context.debug_data.behaviors.Velocity_Behavior | | keyword |
 | okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword |
 | okta.debug_context.debug_data.dt_hash | The device token hash | keyword |
 | okta.debug_context.debug_data.factor | The factor used for authentication. | keyword |
 | okta.debug_context.debug_data.flattened | The complete debug_data object. | flattened |
+| okta.debug_context.debug_data.logOnlySecurityData | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_City | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Country | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Device | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Geo_Location | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_IP | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_State | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.behaviors.Velocity | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.risk | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.risk.level | | keyword |
+| okta.debug_context.debug_data.logOnlySecurityData.risk.reasons | | keyword |
+| okta.debug_context.debug_data.originalPrincipal | | keyword |
+| okta.debug_context.debug_data.originalPrincipal.alternateId | | keyword |
+| okta.debug_context.debug_data.originalPrincipal.displayName | | keyword |
+| okta.debug_context.debug_data.originalPrincipal.id | | keyword |
+| okta.debug_context.debug_data.originalPrincipal.type | | keyword |
+| okta.debug_context.debug_data.promptingPolicyTypes | | keyword |
 | okta.debug_context.debug_data.request_id | The identifier of the request. | keyword |
 | okta.debug_context.debug_data.request_uri | The request URI. | keyword |
+| okta.debug_context.debug_data.risk | | keyword |
+| okta.debug_context.debug_data.risk.level | | keyword |
+| okta.debug_context.debug_data.risk.reasons | | keyword |
 | okta.debug_context.debug_data.risk_behaviors | The set of behaviors that contribute to a risk assessment. | keyword |
 | okta.debug_context.debug_data.risk_level | The risk level assigned to the sign in attempt. | keyword |
+| okta.debug_context.debug_data.risk_object | | keyword |
 | okta.debug_context.debug_data.risk_reasons | The reasons for the risk. | keyword |
 | okta.debug_context.debug_data.threat_suspected | Threat suspected. | keyword |
 | okta.debug_context.debug_data.url | The URL. | keyword |
diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml
index 8c21b151717..2f8dfd80f75 100644
--- a/packages/okta/manifest.yml
+++ b/packages/okta/manifest.yml
@@ -1,13 +1,13 @@
 name: okta
 title: Okta
-version: "2.11.0"
+version: "2.12.0"
 description: Collect and parse event logs from Okta API with Elastic Agent.
 type: integration
-format_version: "3.0.2"
+format_version: "3.1.0"
 categories: [security, iam]
 conditions:
 kibana:
- version: ^8.13.0
+ version: ^8.15.0
 icons:
 - src: /img/okta-logo.svg
 title: Okta
diff --git a/packages/okta/validation.yml b/packages/okta/validation.yml
index 1189aa63c89..9cbfeb3bdcf 100644
--- a/packages/okta/validation.yml
+++ b/packages/okta/validation.yml
@@ -1,3 +1,4 @@
 errors:
 exclude_checks:
 - SVR00004 # References in dashboards.
+ - JSE00001
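Review bot: The new `JSE00001` exclusion carries no comment, whereas the existing `SVR00004` entry records why it is excluded (`# References in dashboards.`); suppressing a validation check without a stated reason makes it hard to tell later whether the exclusion is still needed or is masking a real problem. Add the reason inline, `- JSE00001 # <why this check is excluded for this package>`, replacing the placeholder with the actual cause from the validation run.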