Change log for OKTA
| Date | Changes |
|---|---|
| 2022-11-17 | Enhancement:
- The field "target[n].alternateId" is mapped to "target.resource.attribute.labels". - The field "detail.target.0.alternateId" is mapped to "target.resource.attribute.labels". |
| 2022-11-08 | Bug-fix:
- Added condition for proper email check for field "user_email". - Added check for field "Action1" not in "RATE_LIMIT". - Added null, unknown check for "actor.displayName". |
| 2022-11-04 | Enhancement:
Added support for logs having multiple events. |
| 2022-10-15 | Enhancement:
- "signOnModeType" mapped to "security_result.detection_fields". - "authenticationProvider" mapped to "security_result.detection_fields". - "credentialProvider" mapped to "security_result.detection_fields". - "device" mapped to "additional.fields". - "zone" mapped to "additional.fields". - "type" mapped to "additional.fields". |
| 2022-10-14 | Bug-fix:
- Added conditional check for 'principal.user.email_addresses' and 'target.user.email_addresses'. - Added grok to check for valid ip_address for the field 'request.ipChain.0.ip' mapped to 'principal.ip'. - Added on_error condition for the field 'debugContext.debugData.url' mapped to 'target.url'. |
| 2022-10-03 | Enhancement:
- Mapped "client.userAgent.os" to "principal.platform". - Mapped "client.device" to "principal.asset.type". - Mapped "anonymized IP" (hardcoded string) to security_result.detection_fields.key where `securityContext.isProxy` value to corresponding security_result.detection_fields.value. |
| 2022-09-16 | Enhancement:
- 'securityContext.asOrg' mapped to 'security_result.category_details'. - 'securityContext.isProxy' mapped to 'security_result.detection_fields'. - 'securityContext.domain' mapped to 'security_result.detection_fields'. - 'securityContext.isp' mapped to 'security_result.detection_fields'. - 'debugContext.debugData.risk.level' mapped to 'security_result.severity'. - 'debugContext.debugData.risk.reasons' mapped to 'security_result.detection_fields'. |
| 2022-08-12 | Enhancement: The newly ingested logs have been parsed and mapped to following fields:
- 'detail.uuid' mapped to 'metadata.product_log_id'. - 'detail.eventType' mapped to 'metadata.product_event_type' - 'detail.actor.id' mapped to 'principal.user.product_object_id'. - if 'detail.actor.alternateId' mapped to 'principal.user.userid' else 'detail.actor.alternateId' mapped to 'principal.user.email_addresses'. - 'detail.actor.displayName' mapped to 'principal.user.user_display_name'. - 'detail.actor.type' mapped to '.principal.user.attribute.roles'. - 'detail.client.ipChain.0.ip' mapped to 'principal.ip'. - 'detail.client.ipChain.0.geographicalContext.state' mapped to 'principal.location.state'. - 'detail.client.ipChain.0.geographicalContext.city' mapped to 'principal.location.city'. - 'detail.client.ipChain.0.geographicalContext.country' mapped to 'principal.location.country_or_region'. - 'detail.debugContext.debugData.requestUri' mapped to 'target.url'. - 'detail.target.0.type' mapped to 'target.resource.resource_subtype'. - 'detail.target.0.id' mapped to 'target.resource.resource.product_object_id'. - 'detail.target.0.displayName' mapped to 'target.resource.resource_subtype'. - 'detail.target.0.detailEntry.policyType' mapped to 'target.resource_ancestors.attribute.labels'. - 'detail.outcome.reason' mapped to 'security_result.category_details'. - 'detail.debugContext.debugData.threatSuspected' mapped to 'security_result.detection_fields'. - 'detail.displayMessage' mapped to 'security_result.summary'. - 'detail.outcome.result' mapped to 'security_result.action'. - 'detail.severity' mapped to 'security_result.severity'. - 'detail.transaction.id' mapped to 'network.session_id'. - 'detail.debugContext.debugData.requestUri' mapped to 'extensions.auth.auth_details'. |
| 2022-07-08 | Enhancement:
- Modified mapping for "actor.type" from "principal.user.role_name" to "principal.user.attribute.roles". - Modified mapping for "target.0.type" from "target.user.role_name" to "target.user.attribute.roles". - Modified mapping for "target.1.type" from "target.user.role_name" to "target.user.attribute.roles". |
| 2022-06-15 | Enhancement-
- for "target.0.type" == "Token". - Mapped "target.0.detailEntry.clientAppId" to "target.asset_id". - Added conditional check for the field 'transaction.id' mapped to the UDM field 'network.session_id'. |
| 2022-06-03 | Enhancement-
Mapped debugContext.debugData.privilegeGranted to target.user.attribute.roles.name additionally. Mapped debugContext.debugData.requestUri to extensions.auth.auth_details. Mapped debugContext.debugData.suspiciousActivityEventId, debugContext.debugData.threatDetections, debugContext.debugData.threatSuspected to security_result.detection_fields. |
| 2022-03-22 | Enhancement-
debugContext.debugData.behaviors mapped to security_result.description. debugContext.debugData.threatSuspected mapped to security_result.threat_status. debugContext.debugData.risk mapped to security_result.severity. |