Okta

Collect and parse event logs from Okta API with Elastic Agent.

Version
3.0.0 (View all)
Compatible Kibana version(s)
8.15.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API.

Logs

System

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta.

Types Of Authentication

API Key

In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

Oauth2

In this type of authentication, we require the following information:

  1. Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
  2. Your Okta service app Client ID.
  3. Your Okta service app JWK Private Key
  4. The Okta scope that is required for OAuth2. [ By default this is set to okta.logs.read which should suffice for most use cases ]

Steps to acquire Okta Oauth2 credentials:

  1. Acquire an Okta dev or user account with privileges to mint tokens with the okta.* scopes.
  2. Log into your Okta account, navigate to Applications on the left-hand side, click on the Create App Integration button and create an API Services application.
  3. Click on the created app, note down the Client ID and select the option for Public key/Private key.
  4. Generate your own Private/Public key pair in the JWK format (PEM is not supported at the moment) and save it in a credentials JSON file or copy it to use directly in the config.

Okta Integration Network (OIN)

The Okta Integration Network provides a simple integration authentication based on OAuth2, but using an API key. In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

  1. Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
  2. Your Okta service app Client ID.
  3. Your Okta service app Client Secret.

Steps to configure Okta OIN authenticaton:

  1. Log into your Okta account, navigate to Applications on the left-hand side, click on the Browse App Catalog button and search for "Elastic".
  2. Click on the Elastic app card and then click Add Integration, and then Install & Authorize.
  3. Copy the Client Secret.
  4. Navigate to the Fleet integration configuration page for the integration.
  5. Set the "Okta System Log API URL" field from the value of the Okta app with the URL path "/api/v1/logs" added as shown in the UI documentation
  6. Set the "Okta Domain URL" field from the value of the Okta app
  7. Set the "Client ID" field with the Client ID provided by the Okta app
  8. Set the "API Key" field to the Client Secret provided by the Okta app
  9. Set the "Use OIN Authentication" toggle to true

NOTE: Tokens with okta.* Scopes are generally minted from the Okta Org Auth server and not the default/custom authorization server. The standard Okta Org Auth server endpoint to mint tokens is https://<your_okta_org>.okta.com/oauth2/v1/token

An example event for system looks as following:

{
    "@timestamp": "2020-02-14T20:18:57.718Z",
    "agent": {
        "ephemeral_id": "6ac1caae-4aba-4b61-8408-14b46e15b668",
        "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "client": {
        "geo": {
            "city_name": "Dublin",
            "country_name": "United States",
            "location": {
                "lat": 37.7201,
                "lon": -121.919
            },
            "region_name": "California"
        },
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx"
        }
    },
    "data_stream": {
        "dataset": "okta.system",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "user.session.start",
        "agent_id_status": "verified",
        "category": [
            "authentication",
            "session"
        ],
        "created": "2024-05-17T05:51:14.737Z",
        "dataset": "okta.system",
        "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
        "ingested": "2024-05-17T05:51:24Z",
        "kind": "event",
        "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}",
        "outcome": "success",
        "type": [
            "start",
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "okta": {
        "actor": {
            "alternate_id": "xxxxxx@elastic.co",
            "display_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "type": "User"
        },
        "authentication_context": {
            "authentication_step": 0,
            "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ"
        },
        "client": {
            "device": "Computer",
            "ip": "108.255.197.247",
            "user_agent": {
                "browser": "FIREFOX",
                "os": "Mac OS X",
                "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
            },
            "zone": "null"
        },
        "debug_context": {
            "debug_data": {
                "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                "flattened": {
                    "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                    "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                    "requestUri": "/api/v1/authn",
                    "threatSuspected": "false",
                    "url": "/api/v1/authn?"
                },
                "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                "request_uri": "/api/v1/authn",
                "threat_suspected": "false",
                "url": "/api/v1/authn?"
            }
        },
        "display_message": "User login to Okta",
        "event_type": "user.session.start",
        "outcome": {
            "result": "SUCCESS"
        },
        "request": {
            "ip_chain": [
                {
                    "geographical_context": {
                        "city": "Dublin",
                        "country": "United States",
                        "geolocation": {
                            "lat": 37.7201,
                            "lon": -121.919
                        },
                        "postal_code": "94568",
                        "state": "California"
                    },
                    "ip": "108.255.197.247",
                    "version": "V4"
                }
            ]
        },
        "transaction": {
            "id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
            "type": "WEB"
        },
        "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546"
    },
    "related": {
        "ip": [
            "108.255.197.247"
        ],
        "user": [
            "xxxxxx"
        ]
    },
    "source": {
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "okta-system"
    ],
    "user": {
        "full_name": "xxxxxx",
        "name": "xxxxxx"
    },
    "user_agent": {
        "device": {
            "name": "Mac"
        },
        "name": "Firefox",
        "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
        "os": {
            "full": "Mac OS X 10.15",
            "name": "Mac OS X",
            "version": "10.15"
        },
        "version": "72.0."
    }
}

Exported fields

FieldDescriptionType
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Type of Filebeat input.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
okta.actor.alternate_id
Alternate identifier of the actor.
keyword
okta.actor.display_name
Display name of the actor.
keyword
okta.actor.id
Identifier of the actor.
keyword
okta.actor.type
Type of the actor.
keyword
okta.authentication_context.authentication_provider
The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
keyword
okta.authentication_context.authentication_step
The authentication step.
integer
okta.authentication_context.credential_provider
The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
keyword
okta.authentication_context.credential_type
The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.
keyword
okta.authentication_context.external_session_id
The session identifer of the external session if any.
keyword
okta.authentication_context.interface
The interface used. e.g., Outlook, Office365, wsTrust
keyword
okta.authentication_context.issuer.id
The identifier of the issuer.
keyword
okta.authentication_context.issuer.type
The type of the issuer.
keyword
okta.client.device
The information of the client device.
keyword
okta.client.id
The identifier of the client.
keyword
okta.client.ip
The IP address of the client.
ip
okta.client.user_agent.browser
The browser informaton of the client.
keyword
okta.client.user_agent.os
The OS informaton.
keyword
okta.client.user_agent.raw_user_agent
The raw informaton of the user agent.
keyword
okta.client.zone
The zone information of the client.
keyword
okta.debug_context.debug_data
object
okta.debug_context.debug_data.authnRequestId
The authorization request ID.
keyword
okta.debug_context.debug_data.behaviors
keyword
okta.debug_context.debug_data.behaviors.New_City
keyword
okta.debug_context.debug_data.behaviors.New_Country
keyword
okta.debug_context.debug_data.behaviors.New_Device
keyword
okta.debug_context.debug_data.behaviors.New_Geo_Location
keyword
okta.debug_context.debug_data.behaviors.New_IP
keyword
okta.debug_context.debug_data.behaviors.New_State
keyword
okta.debug_context.debug_data.behaviors.Velocity
keyword
okta.debug_context.debug_data.behaviors.Velocity_Behavior
keyword
okta.debug_context.debug_data.client_secret
keyword
okta.debug_context.debug_data.device_fingerprint
The fingerprint of the device.
keyword
okta.debug_context.debug_data.dt_hash
The device token hash
keyword
okta.debug_context.debug_data.factor
The factor used for authentication.
keyword
okta.debug_context.debug_data.flattened
The complete debug_data object.
flattened
okta.debug_context.debug_data.grant_type
keyword
okta.debug_context.debug_data.granted_scopes
keyword
okta.debug_context.debug_data.logOnlySecurityData
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_City
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Country
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Device
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Geo_Location
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_IP
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_State
keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.Velocity
keyword
okta.debug_context.debug_data.logOnlySecurityData.risk
keyword
okta.debug_context.debug_data.logOnlySecurityData.risk.level
keyword
okta.debug_context.debug_data.logOnlySecurityData.risk.reasons
keyword
okta.debug_context.debug_data.originalPrincipal
keyword
okta.debug_context.debug_data.originalPrincipal.alternateId
keyword
okta.debug_context.debug_data.originalPrincipal.displayName
keyword
okta.debug_context.debug_data.originalPrincipal.id
keyword
okta.debug_context.debug_data.originalPrincipal.type
keyword
okta.debug_context.debug_data.promptingPolicyTypes
keyword
okta.debug_context.debug_data.request_id
The identifier of the request.
keyword
okta.debug_context.debug_data.request_uri
The request URI.
keyword
okta.debug_context.debug_data.requested_scopes
keyword
okta.debug_context.debug_data.risk
keyword
okta.debug_context.debug_data.risk.level
keyword
okta.debug_context.debug_data.risk.reasons
keyword
okta.debug_context.debug_data.risk_behaviors
The set of behaviors that contribute to a risk assessment.
keyword
okta.debug_context.debug_data.risk_level
The risk level assigned to the sign in attempt.
keyword
okta.debug_context.debug_data.risk_object
keyword
okta.debug_context.debug_data.risk_reasons
The reasons for the risk.
keyword
okta.debug_context.debug_data.threat_suspected
Threat suspected.
keyword
okta.debug_context.debug_data.url
The URL.
keyword
okta.device.device_integrator
flattened
okta.device.disk_encryption_type
The value of the device profile’s disk encryption type. One of "NONE", "FULL", "USER", "ALL_INTERNAL_VOLUMES" or "SYSTEM_VOLUME".
keyword
okta.device.id
Identifier of the device.
keyword
okta.device.managed
Whether the device is managed.
boolean
okta.device.name
The name of the device.
keyword
okta.device.os_platform
The OS of the device.
keyword
okta.device.os_version
The device's OS version.
keyword
okta.device.registered
Whether the device is registered.
boolean
okta.device.screen_lock_type
The mechanism for locking the device's screen. One of "NONE", "PASSCODE" or "BIOMETRIC".
keyword
okta.device.secure_hardware_present
Whether there is secure hardware present on the device. This is a checks for chip presence: trusted platform module (TPM) or secure enclave. It does not mark whether there are tokens on the secure hardware.
boolean
okta.display_message
The display message of the LogEvent.
keyword
okta.event_type
The type of the LogEvent.
keyword
okta.outcome.reason
The reason of the outcome.
keyword
okta.outcome.result
The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
keyword
okta.request.ip_chain
flattened
okta.security_context.as.number
The AS number.
integer
okta.security_context.as.organization.name
The organization name.
keyword
okta.security_context.domain
The domain name.
keyword
okta.security_context.is_proxy
Whether it is a proxy or not.
boolean
okta.security_context.isp
The Internet Service Provider.
keyword
okta.severity
The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
keyword
okta.target.alternate_id
The alternate ID of the target.
keyword
okta.target.changeDetails.from.*
object
okta.target.changeDetails.to.*
object
okta.target.detailEntry.*
object
okta.target.display_name
The display name of the target.
keyword
okta.target.id
The ID of the target.
keyword
okta.target.type
The type of target.
keyword
okta.transaction.detail.request_api_token_id
ID of the API token used in a request.
keyword
okta.transaction.id
Identifier of the transaction.
keyword
okta.transaction.type
The type of transaction. Must be one of "WEB", "JOB".
keyword
okta.uuid
The unique identifier of the Okta LogEvent.
keyword
okta.version
The version of the LogEvent.
keyword

Changelog

VersionDetailsKibana version(s)

3.0.0

Enhancement View pull request
Make okta.target use dynamic objects instead of flattened.

8.15.0 or higher

2.13.0

Enhancement View pull request
Include grantedScopes, grantType, clientSecret and requestedScopes fields from debug data.

8.15.0 or higher

2.12.2

Bug fix View pull request
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.15.0 or higher

2.12.1

Bug fix View pull request
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.15.0 or higher

2.12.0

Enhancement View pull request
Allow user configuration of debug_data flattened use.

8.15.0 or higher

2.11.0

Enhancement View pull request
Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.10.0

Enhancement View pull request
Support OIN service application authentication.

8.13.0 or higher

2.9.0

Enhancement View pull request
Allow private key to be supplied as a PEM block.

8.13.0 or higher

2.8.0

Enhancement View pull request
Set sensitive values as secret.

8.12.0 or higher

2.7.1

Enhancement View pull request
Changed owners

8.10.1 or higher

2.7.0

Enhancement View pull request
Add okta.transaction.detail.request_api_token_id field.

8.10.1 or higher

2.6.0

Enhancement View pull request
Limit request tracer log count to five.

8.10.1 or higher

2.5.0

Enhancement View pull request
ECS version updated to 8.11.0.

8.10.1 or higher

2.4.0

Enhancement View pull request
Improve 'event.original' check to avoid errors if set.

8.10.1 or higher

2.3.1-next

Bug fix View pull request
Fix mapping of group fields

2.3.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.10.1 or higher

2.2.0

Enhancement View pull request
Update the package format_version to 3.0.0.

8.10.1 or higher

2.1.0

Enhancement View pull request
Update package to ECS 8.10.0, align ECS categorization fields, and updated stack version to ^8.10.1 per security fix.

8.10.1 or higher

2.0.0

Enhancement View pull request
Added Okta Oauth2 support, refactored the UI accordingly & updated stack version to ^8.10.0.

8.10.0 or higher

1.28.0

Enhancement View pull request
Retain okta.debug_context.debug_data.dt_hash field.

8.7.1 or higher

1.27.0

Enhancement View pull request
Update package-spec 2.9.0.

8.7.1 or higher

1.26.0

Enhancement View pull request
Update package to ECS 8.9.0.

8.7.1 or higher

1.25.0

Enhancement View pull request
Document duration units.

8.7.1 or higher

1.24.0

Enhancement View pull request
Convert visualizations to lens.

8.7.1 or higher

1.23.0

Enhancement View pull request
Document valid duration units.

8.7.1 or higher

1.22.1

Bug fix View pull request
Fix a concurrent modification exception that occurred while modifying okta.target[].detailEntry.

8.7.1 or higher

1.22.0

Enhancement View pull request
Update package to ECS 8.8.0.

8.7.1 or higher

1.21.0

Enhancement View pull request
Add support for okta.device field group.

Enhancement View pull request
Retain okta.target.detailEntry.methodTypeUsed and okta.target.detailEntry.methodUsedVerifiedProperties.

8.7.1 or higher

1.20.0

Enhancement View pull request
Add a new flag to enable request tracing

8.7.1 or higher

1.19.1

Enhancement View pull request
Remove redundant rename processors.

8.6.0 or higher

1.19.0

Enhancement View pull request
Retain target information.

8.6.0 or higher

1.18.0

Enhancement View pull request
Update package to ECS 8.7.0.

8.6.0 or higher

1.17.0

Enhancement View pull request
Extract username from email

8.6.0 or higher

1.16.1

Enhancement View pull request
Added categories and/or subcategories.

8.6.0 or higher

1.16.0

Enhancement View pull request
Allow configuration of HTTP keep-alive to allow for connection reuse.

8.6.0 or higher

1.15.1

Bug fix View pull request
Fix documentation typo.

8.1.0 or higher

1.15.0

Enhancement View pull request
Make debug_data risk factors and behaviors visible to search.

8.1.0 or higher

1.14.0

Enhancement View pull request
Update package to ECS 8.6.0.

8.1.0 or higher

1.13.0

Enhancement View pull request
Make debug_data risk reasons visible to search.

8.1.0 or higher

1.12.1

Bug fix View pull request
Make extra efforts to extract risk information from debug_data.

8.1.0 or higher

1.12.0

Enhancement View pull request
Handle already set event.original more robustly.

8.1.0 or higher

1.11.2

Enhancement View pull request
Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load

8.1.0 or higher

1.11.1

Bug fix View pull request
Remove duplicate fields.

7.14.0 or higher
8.0.0 or higher

1.11.0

Enhancement View pull request
Update package to ECS 8.5.0.

7.14.0 or higher
8.0.0 or higher

1.10.3

Bug fix View pull request
Mark url config option as a required field

7.14.0 or higher
8.0.0 or higher

1.10.2

Enhancement View pull request
Use ECS geo.location definition.

7.14.0 or higher
8.0.0 or higher

1.10.1

Bug fix View pull request
Mark api_key config option as a required field

7.14.0 or higher
8.0.0 or higher

1.10.0

Enhancement View pull request
Update package to ECS 8.4.0

7.14.0 or higher
8.0.0 or higher

1.9.2

Bug fix View pull request
Fix proxy URL documentation rendering.

7.14.0 or higher
8.0.0 or higher

1.9.1

Enhancement View pull request
Update package name and description to align with standard wording

7.14.0 or higher
8.0.0 or higher

1.9.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.14.0 or higher
8.0.0 or higher

1.8.0

Enhancement View pull request
Add okta.debug_context.debug_data.risk_level field

Enhancement View pull request
Add flattened okta.debug_context.debug_data.flattened.log_only_security_data.* fields

Bug fix View pull request
Fix mapping type for client.as.number

7.14.0 or higher
8.0.0 or higher

1.7.0

Enhancement View pull request
Add flattened okta.request.ip_chain.* fields

7.14.0 or higher
8.0.0 or higher

1.6.0

Enhancement View pull request
Update to ECS 8.2

7.14.0 or higher
8.0.0 or higher

1.5.2

Bug fix View pull request
Handle invalid values in client.ipAddress

7.14.0 or higher
8.0.0 or higher

1.5.1

Enhancement View pull request
Add documentation for multi-fields

7.14.0 or higher
8.0.0 or higher

1.5.0

Enhancement View pull request
Increase the limit for the number of results in an API response.

7.14.0 or higher
8.0.0 or higher

1.4.1

Enhancement View pull request
Add missing field mapping for event.created.

1.4.0

Enhancement View pull request
Update to ECS 8.0

7.14.0 or higher
8.0.0 or higher

1.3.2

Bug fix View pull request
Regenerate test files using the new GeoIP database

7.14.0 or higher
8.0.0 or higher

1.3.1

Bug fix View pull request
Change test public IPs to the supported subset

1.3.0

Enhancement View pull request
Add 8.0.0 version constraint

7.14.0 or higher
8.0.0 or higher

1.2.3

Enhancement View pull request
Uniform with guidelines

7.14.0 or higher

1.2.2

Enhancement View pull request
Update Title and Description.

1.2.1

Bug fix View pull request
Fix logic that checks for the 'forwarded' tag

1.2.0

Enhancement View pull request
Update to ECS 1.12.0

7.14.0 or higher

1.1.3

Enhancement View pull request
Add proxy config

1.1.2

Enhancement View pull request
Convert to generated ECS fields

1.1.1

Enhancement View pull request
update to ECS 1.11.0

1.1.0

Enhancement View pull request
Update integration description

7.14.0 or higher

1.0.1

Bug fix View pull request
add missing initial_interval option to the manifest

1.0.0

Enhancement View pull request
make GA

Enhancement View pull request
Set "event.module" and "event.dataset"

7.14.0 or higher

0.6.0

Enhancement View pull request
Update to ECS 1.10.0 and add event.original options

0.5.2

Enhancement View pull request
Add httpjson system tests and remove log input.

0.5.1

Enhancement View pull request
Make event.original optional

0.5.0

Enhancement View pull request
change okta.target to flattened type

0.4.2

Bug fix View pull request
add fail_on_template_error on pagination

0.4.1

Enhancement View pull request
update to ECS 1.9.0

0.4.0

Enhancement View pull request
Moves edge processing to ingest pipeline

0.3.1

Bug fix View pull request
Change kibana.version constraint to be more conservative.

0.1.0

Enhancement View pull request
initial release