Problem
At this time, the Okta integration that ingests system logs has a field labeled okta.debug_context.debug_data.flattened. Flattened field types are currently unsupported in ES|QL, so detection rule authors are unable to use the context in this field for rules or hunting.
Example JSON
{
"_index": ".ds-logs-okta.system-default-2024.05.27-000003",
"_id": "3a0ee229-1f16-11ef-ad0c-1ddcb8547577",
"_version": 1,
"_score": 0,
"_source": {
"agent": {
"name": "dejesus-okta-research",
"id": "c7c536d0-4b32-40b3-92e7-c7cbf0944339",
"type": "filebeat",
"ephemeral_id": "a1610e64-46ba-451b-a302-b63c1091b2ca",
"version": "8.12.2"
},
"elastic_agent": {
"id": "c7c536d0-4b32-40b3-92e7-c7cbf0944339",
"version": "8.12.2",
"snapshot": false
},
"source": {
"geo": {
"continent_name": "Asia",
"region_iso_code": "IN-KA",
"city_name": "Bengaluru",
"country_iso_code": "IN",
"country_name": "India",
"location": {
"lon": 1,
"lat": 1
},
"region_name": "Karnataka"
},
"as": {
"number": 55836,
"organization": {
"name": "Reliance Jio Infocomm Limited"
}
},
"ip": "redacted",
"domain": ".",
"user": {
"full_name": "redacted",
"name": "redacted",
"id": "redacted"
}
},
"tags": [
"forwarded",
"okta-system"
],
"cloud": {
"availability_zone": "us-east1-b",
"instance": {
"name": "dejesus-okta-research",
"id": "4161709401838773778"
},
"provider": "gcp",
"service": {
"name": "GCE"
},
"machine": {
"type": "e2-medium"
},
"project": {
"id": "elastic-security-dev"
},
"region": "us-east1",
"account": {
"id": "elastic-security-dev"
}
},
"input": {
"type": "httpjson"
},
"@timestamp": "2024-05-31T06:22:59.557Z",
"ecs": {
"version": "8.11.0"
},
"related": {
"ip": [
"redacted"
],
"user": [
"redacted",
"redacted"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "okta.system"
},
"client": {
"geo": {
"city_name": "Bengaluru",
"country_name": "India",
"location": {
"lon": 1,
"lat": 1
},
"region_name": "Karnataka"
},
"as": {
"organization": {
"name": "reliance jio infocomm limited"
}
},
"ip": "redacted",
"domain": ".",
"user": {
"full_name": "redacted",
"name": "redacted",
"id": "redacted"
}
},
"event": {
"agent_id_status": "verified",
"ingested": "2024-05-31T06:24:37Z",
"created": "2024-05-31T06:24:27.401Z",
"kind": "event",
"action": "app.oauth2.token.grant.access_token",
"id": "3a0ee229-1f16-11ef-ad0c-1ddcb8547577",
"dataset": "okta.system",
"outcome": "success"
},
"okta": {
"actor": {
"id": "redacted",
"display_name": "redacted",
"type": "PublicClientApp",
"alternate_id": "redacted"
},
"request": {
"ip_chain": [
{
"geographical_context": {
"country": "India",
"city": "Bengaluru",
"state": "Karnataka",
"postal_code": "redacted",
"geolocation": {
"lon": 1,
"lat": 1
}
},
"ip": "redacted",
"version": "V4"
}
]
},
"debug_context": {
"debug_data": {
"flattened": {
"clientAuthType": "client_secret_post",
"grantedScopes": "okta.logs.read",
"requestId": "76094a4ec67ae862a88c9d274b2353c9",
"responseTime": "269",
"dtHash": "redacted",
"clientSecret": "E5NMtFDu1xVWq6Stx_AlRA",
"requestUri": "/oauth2/v1/token",
"requestedScopes": "okta.logs.read",
"threatSuspected": "false",
"grantType": "client_credentials",
"url": "/oauth2/v1/token?"
},
"dt_hash": "redacted",
"threat_suspected": "false",
"request_id": "76094a4ec67ae862a88c9d274b2353c9",
"request_uri": "/oauth2/v1/token",
"url": "/oauth2/v1/token?"
}
},
"event_type": "app.oauth2.token.grant.access_token",
"authentication_context": {
"authentication_step": 0,
"external_session_id": "unknown"
},
"display_message": "OIDC access token is granted",
"client": {
"zone": "null",
"ip": "redacted",
"id": "redacted",
"device": "Unknown",
"user_agent": {
"raw_user_agent": "PostmanRuntime/7.39.0",
"os": "Unknown",
"browser": "UNKNOWN"
}
},
"uuid": "3a0ee229-1f16-11ef-ad0c-1ddcb8547577",
"outcome": {
"result": "SUCCESS"
},
"transaction": {
"id": "76094a4ec67ae862a88c9d274b2353c9",
"type": "WEB"
},
"security_context": {
"as": {
"number": 55836,
"organization": {
"name": "reliance jio infocomm limited"
}
},
"domain": ".",
"isp": "reliance jio infocomm limited",
"is_proxy": false
},
"target": [
{
"id": "redacted",
"type": "access_token",
"display_name": "Access Token",
"alternate_id": null
}
]
},
"user": {
"full_name": "redacted",
"name": "redacted"
},
"user_agent": {
"original": "PostmanRuntime/7.39.0",
"name": "Other",
"device": {
"name": "Other"
}
}
},
"fields": {
"okta.client.device": [
"Unknown"
],
"elastic_agent.version": [
"8.12.2"
],
"user_agent.original.text": [
"PostmanRuntime/7.39.0"
],
"okta.client.ip": [
"redacted"
],
"okta.client.user_agent.os": [
"Unknown"
],
"okta.security_context.as.number": [
55836
],
"source.user.name.text": [
"redacted"
],
"source.geo.region_name": [
"Karnataka"
],
"user.full_name.text": [
"redacted"
],
"source.ip": [
"redacted"
],
"agent.name": [
"dejesus-okta-research"
],
"event.agent_id_status": [
"verified"
],
"event.outcome": [
"success"
],
"source.geo.city_name": [
"Bengaluru"
],
"user_agent.original": [
"PostmanRuntime/7.39.0"
],
"okta.uuid": [
"3a0ee229-1f16-11ef-ad0c-1ddcb8547577"
],
"cloud.region": [
"us-east1"
],
"source.user.full_name.text": [
"redacted"
],
"input.type": [
"httpjson"
],
"okta.authentication_context.authentication_step": [
0
],
"related.user": [
"redacted",
"redacted"
],
"tags": [
"forwarded",
"okta-system"
],
"okta.client.zone": [
"null"
],
"cloud.machine.type": [
"e2-medium"
],
"cloud.provider": [
"gcp"
],
"agent.id": [
"c7c536d0-4b32-40b3-92e7-c7cbf0944339"
],
"client.user.name": [
"redacted"
],
"source.as.number": [
55836
],
"okta.authentication_context.external_session_id": [
"unknown"
],
"client.user.name.text": [
"redacted"
],
"user.name": [
"redacted"
],
"source.domain": [
"."
],
"cloud.instance.id": [
"4161709401838773778"
],
"okta.security_context.is_proxy": [
false
],
"agent.type": [
"filebeat"
],
"client.geo.region_name": [
"Karnataka"
],
"okta.actor.type": [
"PublicClientApp"
],
"related.ip": [
"redacted"
],
"elastic_agent.snapshot": [
false
],
"okta.client.user_agent.raw_user_agent": [
"PostmanRuntime/7.39.0"
],
"client.domain": [
"."
],
"elastic_agent.id": [
"c7c536d0-4b32-40b3-92e7-c7cbf0944339"
],
"okta.debug_context.debug_data.url": [
"/oauth2/v1/token?"
],
"okta.actor.display_name": [
"redacted"
],
"okta.client.id": [
"redacted"
],
"event.action": [
"app.oauth2.token.grant.access_token"
],
"event.ingested": [
"2024-05-31T06:24:37.000Z"
],
"@timestamp": [
"2024-05-31T06:22:59.557Z"
],
"cloud.account.id": [
"elastic-security-dev"
],
"data_stream.dataset": [
"okta.system"
],
"agent.ephemeral_id": [
"a1610e64-46ba-451b-a302-b63c1091b2ca"
],
"event.id": [
"3a0ee229-1f16-11ef-ad0c-1ddcb8547577"
],
"user_agent.device.name": [
"Other"
],
"cloud.instance.name": [
"dejesus-okta-research"
],
"cloud.project.id": [
"elastic-security-dev"
],
"user.name.text": [
"redacted"
],
"okta.outcome.result": [
"SUCCESS"
],
"okta.security_context.isp": [
"reliance jio infocomm limited"
],
"cloud.availability_zone": [
"us-east1-b"
],
"okta.debug_context.debug_data.request_uri": [
"/oauth2/v1/token"
],
"okta.display_message": [
"OIDC access token is granted"
],
"client.user.full_name": [
"redacted"
],
"client.as.organization.name": [
"reliance jio infocomm limited"
],
"okta.actor.alternate_id": [
"redacted"
],
"client.geo.country_name": [
"India"
],
"source.geo.region_iso_code": [
"IN-KA"
],
"client.as.organization.name.text": [
"reliance jio infocomm limited"
],
"event.kind": [
"event"
],
"okta.debug_context.debug_data.flattened": [
{
"clientAuthType": "client_secret_post",
"grantedScopes": "okta.logs.read",
"requestId": "76094a4ec67ae862a88c9d274b2353c9",
"responseTime": "269",
"dtHash": "redacted",
"clientSecret": "E5NMtFDu1xVWq6Stx_AlRA",
"requestUri": "/oauth2/v1/token",
"requestedScopes": "okta.logs.read",
"threatSuspected": "false",
"grantType": "client_credentials",
"url": "/oauth2/v1/token?"
}
],
"client.user.id": [
"redacted"
],
"okta.security_context.domain": [
"."
],
"client.ip": [
"redacted"
],
"user_agent.name": [
"Other"
],
"okta.client.user_agent.browser": [
"UNKNOWN"
],
"data_stream.type": [
"logs"
],
"okta.request.ip_chain": [
{
"geographical_context": {
"country": "India",
"city": "Bengaluru",
"state": "Karnataka",
"postal_code": "redacted",
"geolocation": {
"lon": 1,
"lat": 1
}
},
"ip": "redacted",
"version": "V4"
}
],
"okta.debug_context.debug_data.dt_hash": [
"redacted"
],
"okta.transaction.id": [
"76094a4ec67ae862a88c9d274b2353c9"
],
"cloud.service.name": [
"GCE"
],
"ecs.version": [
"8.11.0"
],
"event.created": [
"2024-05-31T06:24:27.401Z"
],
"user.full_name": [
"redacted"
],
"agent.version": [
"8.12.2"
],
"source.user.name": [
"redacted"
],
"okta.debug_context.debug_data.request_id": [
"76094a4ec67ae862a88c9d274b2353c9"
],
"source.user.full_name": [
"redacted"
],
"source.geo.location": [
{
"coordinates": [
1,
1
],
"type": "Point"
}
],
"okta.event_type": [
"app.oauth2.token.grant.access_token"
],
"okta.debug_context.debug_data.threat_suspected": [
"false"
],
"okta.transaction.type": [
"WEB"
],
"client.geo.location": [
{
"coordinates": [
1,
1
],
"type": "Point"
}
],
"event.module": [
"okta"
],
"okta.actor.id": [
"redacted"
],
"source.geo.country_iso_code": [
"IN"
],
"okta.target": [
{
"id": "redacted",
"type": "access_token",
"display_name": "Access Token",
"alternate_id": null
}
],
"source.user.id": [
"redacted"
],
"client.geo.city_name": [
"Bengaluru"
],
"source.as.organization.name.text": [
"Reliance Jio Infocomm Limited"
],
"data_stream.namespace": [
"default"
],
"source.as.organization.name": [
"Reliance Jio Infocomm Limited"
],
"source.geo.continent_name": [
"Asia"
],
"client.user.full_name.text": [
"redacted"
],
"okta.security_context.as.organization.name": [
"reliance jio infocomm limited"
],
"source.geo.country_name": [
"India"
],
"event.dataset": [
"okta.system"
]
}
}
In the example JSON, we would ideally either dissect the string to get grantType or do a regex search in ES|QL as shown below. However, this is not achievable, as flattened field types are not supported in ES|QL, nor are they on the roadmap from what I've found.
// Proposed hunt: successful client_credentials access-token grants issued to public client
// apps, excluding Okta's own integrations and dashboard.
// grantType is only present inside okta.debug_context.debug_data.flattened, a flattened
// field; ES|QL cannot evaluate the final predicate, which is the gap this issue describes.
from logs-okta*
| where
event.action == "app.oauth2.token.grant.access_token" and event.outcome == "success"
and okta.client.user_agent.raw_user_agent != "Okta-Integrations"
and okta.actor.type == "PublicClientApp"
and okta.actor.display_name != "Okta Dashboard"
and okta.debug_context.debug_data RLIKE ".*client_credentials.*"
Solution Options
- On ingest, create an okta.debug_context.debug_data field of keyword type. This is straightforward and allows us to use pre-processing commands like DISSECT or GROK to wrangle the data ourselves.
- Any time okta.debug_context.debug_data is observed, explode it to create new keyword fields for each key. This may add some complexity due to the non-deterministic nature of the values in this field.
I'd also vote to do this with okta.target if possible, as it has important details about the affected user or app in Okta.
For debug_data, we should add at least the following: grantedScopes, clientSecret, requestedScopes, grantType. Note that clientSecret is a credential (the example record above carries it unredacted while the other sensitive values are redacted), so if it is promoted to an indexed keyword it should be handled as sensitive data in the same way as those redacted values.