Change log for OKTA

Date Changes
2024-09-20 Enhancement:
- Added a Grok pattern to extract "userid" from "profile.login" and mapped it to "principal.user.userid".
- Mapped "profile.displayName" to "principal.user.user_display_name".
- Mapped "profile.email" to "principal.user.email_addresses".
2024-09-12 Enhancement:
- Added "gsub" to parse the unparsed logs.
2024-07-23 Enhancement:
- Removed mapping of "actor.displayname" from "principal.application".
- Added conditional check before setting event_type to "USER_DELETION".
2024-06-26 Enhancement:
- Added support to parse unparsed logs.
- Mapped the "securityContext.isProxy" field to "additional.fields".
2024-05-16 Enhancement:
- If "is_alert" is "true" and "is_significant" is "true", then set "security_result.alert_state" to "ALERTING".
2024-03-05 Enhancement:
- Updated "security_result.action" field to reflect whether the traffic was allowed or blocked.
2024-02-16 Bug-Fix:
- When "target.0.type" is "User" or "AppUser", map "target.0.alternateId" to "target.user.userid".
- When "target.1.type" is "User" or "AppUser", map "target.1.alternateId" to "target.user.userid".
2023-12-14 Enhancement:
- Mapped "securityContext.asNumber" to "security_result.detection_fields".
- Mapped "legacyEventType" to "security_result.detection_fields".
- Added "conditional_check" before setting "metadata.event_type".
2023-06-28 Enhancement:
- Mapped complete value of "debugContext.debugData.suspiciousActivityEventType" to "security_result.detection_fields".
- Mapped complete value of "debugContext.debugData.logOnlySecurityData.behaviors.New Device" to "security_result.detection_fields".
2023-06-09 Enhancement:
- The field "debugContext.debugData.deviceFingerprint" is mapped to "target.asset.asset_id".
- Mapped complete value of "debugContext.debugData.risk.reasons" to "security_result.detection_fields".
2023-05-17
- The field 'authenticationContext.externalSessionId' is mapped to 'network.parent_session_id'.
- The field 'debugContext.debugData.pushOnlyResponseType' is mapped to 'security_result.detection_fields.key/value'.
- The field 'debugContext.debugData.factor' is mapped to 'security_result.detection_fields.key/value'.
- The field 'debugContext.debugData.factorIntent' is mapped to 'security_result.detection_fields.key/value'.
- The field 'debugContext.debugData.pushWithNumberChallengeResponseType' is mapped to 'security_result.detection_fields.key/value'.
- The field 'debugContext.debugData.dtHash' is mapped to 'security_result.detection_fields.key/value'.
- The field 'client.userAgent.rawUserAgent' is mapped to 'network.http.user_agent'.
- Changed the mapping from 'ALLOW_WITH_MODIFICATION' to enum value 'CHALLENGE' under 'security_result.action'.
- For the eventType 'system.api_token.create', changed metadata.event_type from 'USER_UNCATEGORIZED' to 'RESOURCE_CREATION'.
2023-04-28 Bug-Fix:
- Modified mapping for "security_result.threat_status": set to "ACTIVE" when "debugContext.debugData.threatSuspected" is "true", otherwise set to "FALSE_POSITIVE".
2023-04-11 Enhancement:
- Remapped the fields previously mapped to "http.user_agent" to "http.parsed_user_agent".
- Mapped "target.displayName" to "target.resource_ancestors.name".
- Mapped "targetfield.detailEntry.methodTypeUsed" to "target.resource_ancestors.attribute.labels".
- Mapped "targetfield.detailEntry.methodUsedVerifiedProperties" to "target.resource_ancestors.attribute.labels".
2023-03-24 Enhancement:
- Mapped "logOnlySecurityData" fields to "security_result.detection_fields".
- Additionally, resolved a parsing error by adding "DEFERRED" to the action list.
2023-02-20 Enhancement:
- Changed "metadata.event_type" from "USER_LOGIN" to "STATUS_UPDATE" where "eventType" is "user.authentication.auth_via_AD_agent".
2022-12-14 Enhancement:
- Mapped "debugContext.debugData.changedAttributes" to "security_result.detection_fields".
- Added null check for "detail.actor.alternateId".
2022-11-17 Enhancement:
- The field "target[n].alternateId" is mapped to "target.resource.attribute.labels".
- The field "detail.target.0.alternateId" is mapped to "target.resource.attribute.labels".
2022-11-08 Bug-Fix:
- Added condition for proper email check for field "user_email".
- Added check for field "Action1" not in "RATE_LIMIT".
- Added null, unknown check for "actor.displayName".
2022-11-04 Enhancement:
- Added support for logs containing multiple events.
2022-10-15 Enhancement:
- "signOnModeType" mapped to "security_result.detection_fields".
- "authenticationProvider" mapped to "security_result.detection_fields".
- "credentialProvider" mapped to "security_result.detection_fields".
- "device" mapped to "additional.fields".
- "zone" mapped to "additional.fields".
- "type" mapped to "additional.fields".
2022-10-14 Bug-Fix:
- Added conditional check for 'principal.user.email_addresses' and 'target.user.email_addresses'.
- Added a Grok pattern to check that the field 'request.ipChain.0.ip' holds a valid IP address before mapping it to 'principal.ip'.
- Added on_error condition for the field 'debugContext.debugData.url' mapped to 'target.url'.
2022-10-03 Enhancement:
- Mapped "client.userAgent.os" to "principal.platform".
- Mapped "client.device" to "principal.asset.type".
- Mapped the hardcoded string "anonymized IP" to security_result.detection_fields.key, with the value of 'securityContext.isProxy' as the corresponding security_result.detection_fields.value.
2022-09-16 Enhancement:
- 'securityContext.asOrg' mapped to 'security_result.category_details'.
- 'securityContext.isProxy' mapped to 'security_result.detection_fields'.
- 'securityContext.domain' mapped to 'security_result.detection_fields'.
- 'securityContext.isp' mapped to 'security_result.detection_fields'.
- 'debugContext.debugData.risk.level' mapped to 'security_result.severity'.
- 'debugContext.debugData.risk.reasons' mapped to 'security_result.detection_fields'.
2022-08-12 Enhancement: The newly ingested logs have been parsed and mapped to the following fields:
- 'detail.uuid' mapped to 'metadata.product_log_id'.
- 'detail.eventType' mapped to 'metadata.product_event_type'.
- 'detail.actor.id' mapped to 'principal.user.product_object_id'.
- if 'detail.actor.alternateId' mapped to 'principal.user.userid' else 'detail.actor.alternateId' mapped to 'principal.user.email_addresses'.
- 'detail.actor.displayName' mapped to 'principal.user.user_display_name'.
- 'detail.actor.type' mapped to 'principal.user.attribute.roles'.
- 'detail.client.ipChain.0.ip' mapped to 'principal.ip'.
- 'detail.client.ipChain.0.geographicalContext.state' mapped to 'principal.location.state'.
- 'detail.client.ipChain.0.geographicalContext.city' mapped to 'principal.location.city'.
- 'detail.client.ipChain.0.geographicalContext.country' mapped to 'principal.location.country_or_region'.
- 'detail.debugContext.debugData.requestUri' mapped to 'target.url'.
- 'detail.target.0.type' mapped to 'target.resource.resource_subtype'.
- 'detail.target.0.id' mapped to 'target.resource.resource.product_object_id'.
- 'detail.target.0.displayName' mapped to 'target.resource.resource_subtype'.
- 'detail.target.0.detailEntry.policyType' mapped to 'target.resource_ancestors.attribute.labels'.
- 'detail.outcome.reason' mapped to 'security_result.category_details'.
- 'detail.debugContext.debugData.threatSuspected' mapped to 'security_result.detection_fields'.
- 'detail.displayMessage' mapped to 'security_result.summary'.
- 'detail.outcome.result' mapped to 'security_result.action'.
- 'detail.severity' mapped to 'security_result.severity'.
- 'detail.transaction.id' mapped to 'network.session_id'.
- 'detail.debugContext.debugData.requestUri' mapped to 'extensions.auth.auth_details'.
2022-07-08 Enhancement:
- Modified mapping for "actor.type" from "principal.user.role_name" to "principal.user.attribute.roles".
- Modified mapping for "target.0.type" from "target.user.role_name" to "target.user.attribute.roles".
- Modified mapping for "target.1.type" from "target.user.role_name" to "target.user.attribute.roles".
2022-06-15 Enhancement:
- For "target.0.type" == "Token", mapped "target.0.detailEntry.clientAppId" to "target.asset_id".
- Added conditional check for the field 'transaction.id' mapped to the UDM field 'network.session_id'.
2022-06-03 Enhancement:
- Additionally mapped debugContext.debugData.privilegeGranted to target.user.attribute.roles.name.
- Mapped debugContext.debugData.requestUri to extensions.auth.auth_details.
- Mapped debugContext.debugData.suspiciousActivityEventId, debugContext.debugData.threatDetections and debugContext.debugData.threatSuspected to security_result.detection_fields.
2022-03-22 Enhancement:
- debugContext.debugData.behaviors mapped to security_result.description.
- debugContext.debugData.threatSuspected mapped to security_result.threat_status.
- debugContext.debugData.risk mapped to security_result.severity.
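As an added worked example (not the parser's own configuration), the Python function below applies several of the rules recorded in this log, the 2024-09-20 userid Grok, the 2024-02-16 target type check, the 2024-05-16 alert_state logic, the 2023-04-28 threat_status fix and the 2022-09-16 risk.level mapping, to one constructed Okta event. The Grok equivalent (userid is the part of profile.login before "@") and the locations of "profile", "is_alert" and "is_significant" in the event are assumptions.

```python
import re

# Constructed sample Okta event (not from the page); the locations of
# "profile", "is_alert" and "is_significant" are assumptions.
SAMPLE_EVENT = {
    "eventType": "user.session.start",
    "profile": {"login": "jdoe@example.com", "displayName": "Jane Doe",
                "email": "jdoe@example.com"},
    "target": [{"type": "AppUser", "alternateId": "jdoe"},
               {"type": "AppInstance", "alternateId": "Example App"}],
    "debugContext": {"debugData": {"threatSuspected": "false",
                                   "risk": {"level": "LOW"}}},
    "is_alert": "true", "is_significant": "true",
}
# Assumed Grok equivalent: "userid" is the part of profile.login before "@".
LOGIN_RE = re.compile(r"^(?P<userid>[^@\s]+)(?:@\S+)?$")


def okta_to_udm(event: dict) -> dict:
    # Apply a subset of the change-log mapping rules to one event.
    udm = {"principal": {"user": {}}, "target": {"user": {}}, "security_result": {}}
    profile = event.get("profile", {})
    dd = event.get("debugContext", {}).get("debugData", {})
    # 2024-09-20: Grok userid out of profile.login; displayName and email.
    m = LOGIN_RE.match(profile.get("login", ""))
    if m:
        udm["principal"]["user"]["userid"] = m.group("userid")
    if profile.get("displayName"):
        udm["principal"]["user"]["user_display_name"] = profile["displayName"]
    if profile.get("email"):
        udm["principal"]["user"]["email_addresses"] = [profile["email"]]
    # 2024-02-16: target.0/target.1 alternateId -> target.user.userid only for User/AppUser.
    for t in event.get("target", [])[:2]:
        if t.get("type") in ("User", "AppUser") and t.get("alternateId"):
            udm["target"]["user"]["userid"] = t["alternateId"]
            break
    # 2024-05-16: both flags "true" -> alert_state ALERTING.
    if event.get("is_alert") == "true" and event.get("is_significant") == "true":
        udm["security_result"]["alert_state"] = "ALERTING"
    # 2023-04-28: threatSuspected "true" -> ACTIVE, anything else -> FALSE_POSITIVE.
    if "threatSuspected" in dd:
        suspected = str(dd["threatSuspected"]).lower() == "true"
        udm["security_result"]["threat_status"] = "ACTIVE" if suspected else "FALSE_POSITIVE"
    # 2022-09-16: debugContext.debugData.risk.level -> security_result.severity.
    level = dd.get("risk", {}).get("level")
    if level:
        udm["security_result"]["severity"] = str(level).upper()
    return udm
```

Running okta_to_udm(SAMPLE_EVENT) shows how a non-user target (the AppInstance entry) is skipped while the AppUser entry populates target.user.userid.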