x-pack/filebeat/module/okta: add support for debug attributes, risk_r…

…easons, risk_behaviors and factor (#34508)

CHANGELOG.next.asciidoc

@@ -200,6 +200,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Add support for new Rabbitmq timestamp format for logs {pull}34211[34211]
 - Allow user configuration of timezone offset in Cisco ASA and FTD modules. {pull}34436[34436]
 - Allow user configuration of timezone offset in Checkpoint module. {pull}34472[34472]
+- Add support for Okta debug attributes, `risk_reasons`, `risk_behaviors` and `factor`. {issue}33677[33677] {pull}34508[34508]
 
 *Auditbeat*
 

filebeat/docs/fields.asciidoc

@@ -112069,6 +112069,16 @@ The debug data.
 The fingerprint of the device.
 
 
+type: keyword
+
+--
+
+*`okta.debug_context.debug_data.factor`*::
++
+--
+The factor used for authentication.
+
+
 type: keyword
 
 --
@@ -112099,6 +112109,16 @@ type: keyword
 Threat suspected.
 
 
+type: keyword
+
+--
+
+*`okta.debug_context.debug_data.risk_behaviors`*::
++
+--
+The set of behaviors that contribute to a risk assessment.
+
+
 type: keyword
 
 --
@@ -112109,6 +112129,16 @@ type: keyword
 The risk level assigned to the sign in attempt.
 
 
+type: keyword
+
+--
+
+*`okta.debug_context.debug_data.risk_reasons`*::
++
+--
+The reasons for the risk.
+
+
 type: keyword
 
 --

x-pack/filebeat/module/okta/system/_meta/fields.yml

@@ -193,6 +193,11 @@
       description: >
         The fingerprint of the device.
 
+    - name: factor
+      type: keyword
+      description: >
+        The factor used for authentication.
+
     - name: request_id
       type: keyword
       description: >
@@ -208,11 +213,21 @@
       description: >
         Threat suspected.
 
+    - name: risk_behaviors
+      type: keyword
+      description: >
+        The set of behaviors that contribute to a risk assessment.
+
     - name: risk_level
       type: keyword
       description: >
         The risk level assigned to the sign in attempt.
 
+    - name: risk_reasons
+      type: keyword
+      description: >
+        The reasons for the risk.
+
     - name: url
       type: keyword
       description: >

x-pack/filebeat/module/okta/system/ingest/pipeline.yml

@@ -395,6 +395,36 @@ processors:
       field: okta.debug_context.debug_data.risk_level
       value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}"
       if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != ""'
+  - set:
+      field: okta.debug_context.debug_data.factor
+      value: "{{{okta.debug_context.debug_data.flattened.factor}}}"
+      if: 'ctx.okta?.debug_context?.debug_data?.factor == null && ctx.okta?.debug_context?.debug_data?.flattened?.factor != null && ctx.okta?.debug_context?.debug_data?.flattened?.factor != ""'
+  - split:
+      field: okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.reasons
+      target_field: okta.debug_context.debug_data.risk_reasons
+      separator: ',\s*'
+      if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.reasons != ""'
+  - split:
+      field: okta.debug_context.debug_data.flattened.risk.reasons
+      target_field: okta.debug_context.debug_data.risk_reasons
+      separator: ',\s*'
+      if: 'ctx.okta?.debug_context?.debug_data?.risk_reasons == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.reasons != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk?.reasons != ""'
+  - script:
+      lang: painless
+      source: |
+        def src = ctx.okta?.debug_context?.debug_data?.flattened?.behaviors;
+        if (src == null) {
+          return;
+        }
+        def dst = new ArrayList();
+        for (e in src.entrySet()) {
+          if (e != null && e.getValue() == "POSITIVE") {
+            dst.add(e.getKey());
+          }
+        }
+        if (dst.length != 0) {
+          ctx.okta.debug_context.debug_data['risk_behaviors'] = dst;
+        }
   - rename:
       field: json.authenticationContext.authenticationProvider
       target_field: okta.authentication_context.authentication_provider

x-pack/filebeat/module/okta/system/test/okta-system-test.json.log

@@ -6,3 +6,5 @@
 {"actor":{"alternateId":"test@test.com","detailEntry":null,"displayName":"test@test.com","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"xxxxxx","interface":null,"issuer":null},"client":{"device":"Unknown","geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"UNKNOWN","os":"Unknown","rawUserAgent":"blah"},"zone":"null"},"debugContext":{"debugData":{"logOnlySecurityData":"{\"risk\":{\"reasons\":\"Anomalous Location, Anomalous Device\",\"level\":\"HIGH\"},\"behaviors\":{\"New Geo-Location\":\"POSITIVE\",\"New Device\":\"BAD_REQUEST\",\"New IP\":\"POSITIVE\",\"New State\":\"POSITIVE\",\"New Country\":\"POSITIVE\",\"Velocity\":\"NEGATIVE\",\"New City\":\"POSITIVE\"}}","originalPrincipal":{"alternateId":"test@test.com","detailEntry":null,"displayName":"Test","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:25:18.716Z","request":{"ipChain":[{"geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":14618,"asOrg":"amazon data services nova","domain":"amazonaws.com","isProxy":false,"isp":"amazon.com  inc."},"severity":"INFO","target":null,"transaction":{"detail":{"requestApiTokenId":"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo="},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"8ceedc94-d725-11ec-9d64-0242ac120002","version":"0"}
 {"actor":{"alternateId":"test1@test.com","detailEntry":null,"displayName":"None","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Purcellville","country":"United States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"id":null,"ipAddress":"67.43.156.14","userAgent":{"browser":"SAFARI","os":"Mac OS X (iPhone)","rawUserAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false&rememberDevice=false"}},"device":null,"displayMessage":"Verify user identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:27:08.708Z","request":{"ipChain":[{"geographicalContext":{"city":"Purcellville","country":"United States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"ip":"67.43.156.14","source":null,"version":"V4"}]},"securityContext":{"asNumber":7922,"asOrg":"comcast","domain":"comcast.net","isProxy":false,"isp":"comcast"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"7e15e406-d725-11ec-9d64-0242ac120002","version":"0"}
 {"actor":{"alternateId":"Snipped_User@domain.com","detailEntry":null,"displayName":"Last_name, First_Name","id":"user_id","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102qmxOh1EdTHqn1_86CB9fzA","interface":null,"issuer":null},"client":{"device":"unknown","geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"unknown","os":"unknown","rawUserAgent":"unknown"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","behaviors":"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}","dtHash":"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa","requestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","requestUri":"/api/v1/authn","risk":"{reasons=Anomalous Device, Anomalous Location, level=HIGH}","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"Verify user identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-12-12T22:03:08.791Z","request":{"ipChain":[{"geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":1828,"asOrg":"org","domain":"domain.com","isProxy":false,"isp":"isp"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"Y5elHFMngoYoVKvakwnp2wAAAKo","type":"WEB"},"uuid":"c32ae8ec-7a68-11ed-b8a7-9134a086ef85","version":"0"}
+{"actor":{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":null,"externalSessionId":"uuid","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"UNKNOWN","os":"Unknown mobile","rawUserAgent":"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"uuid","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","factor":"OKTA_VERIFY_PUSH","requestId":"uuid","requestUri":"/api/v1/authn/factors/id/transactions/id/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/id/transactions/id/verify?"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:56:36.909Z","request":{"ipChain":[{"geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":3303,"asOrg":"bluewin is an lir and isp in switzerland.","domain":"swisscom.ch","isProxy":false,"isp":"swisscom (schweiz) ag"},"severity":"INFO","target":[{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"uuid","type":"WEB"},"uuid":"BFA22AB8-898D-46A4-A9DF-097BF8C8B74D","version":"0"}
+{"actor":{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"id","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"FIREFOX","os":"Linux","rawUserAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"id","behaviors":"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}","deviceFingerprint":"id","dtHash":"hash","factor":"FIDO_WEBAUTHN","promptingPolicyTypes":"[OKTA_SIGN_ON]","requestId":"id","requestUri":"/api/v1/authn/factors/webauthn/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/webauthn/verify?rememberDevice=false"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:58:37.110Z","request":{"ipChain":[{"geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":62336,"asOrg":"customer access","domain":"german-local.net","isProxy":false,"isp":"purtel.com gmbh"},"severity":"INFO","target":[{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"id","type":"WEB"},"uuid":"98C61C24-FDBC-479B-8329-CD73775A71ED","version":"0"}