Add Okta module documentation, config cleanup, _id field #18953
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrewkroh
added
docs
review
Filebeat
This add documentation for the Okta module. It contains descriptions of the configuration options and general information about the module. I fixed an issue with the module where it was not setting the _id field for Elasticsearch events. I also did some cleanup to the pipeline.js (indentation, semi-colons, strict equality checks). The module's manifest was updated to not duplicate httpjson's default values. The module was accepting configuration as JSON strings for some parameters (http_headers, http_request_body, pagination, rate_limit, ssl) which is inconsistent with how other parts of Beats are configured so I removed this. Now these options expect regular YAML objects for values. None of these options are required to use the module so the impact to users should be minimal.
andrewkroh
force-pushed
the
bugfix/fb/okta-docs
branch
from
b23a56c
to
7cf5baf
Compare
|
Pinging @elastic/siem (Team:SIEM) |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
leehinman
approved these changes
Jun 3, 2020
|
run tests |
6 tasks
andrewkroh
added
v7.9.0
and removed
needs_backport
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this pull request
Jun 9, 2020
This add documentation for the Okta module. It contains descriptions of the configuration options and general information about the module. I fixed an issue with the module where it was not setting the _id field for Elasticsearch events. I also did some cleanup to the pipeline.js (indentation, semi-colons, strict equality checks). The module's manifest was updated to not duplicate httpjson's default values. The module was accepting configuration as JSON strings for some parameters (http_headers, http_request_body, pagination, rate_limit, ssl) which is inconsistent with how other parts of Beats are configured so I removed this. Now these options expect regular YAML objects for values. None of these options are required to use the module so the impact to users should be minimal. (cherry picked from commit 0ef20cc)
andrewkroh
added a commit
that referenced
this pull request
Jun 9, 2020
…9051) This add documentation for the Okta module. It contains descriptions of the configuration options and general information about the module. I fixed an issue with the module where it was not setting the _id field for Elasticsearch events. I also did some cleanup to the pipeline.js (indentation, semi-colons, strict equality checks). The module's manifest was updated to not duplicate httpjson's default values. The module was accepting configuration as JSON strings for some parameters (http_headers, http_request_body, pagination, rate_limit, ssl) which is inconsistent with how other parts of Beats are configured so I removed this. Now these options expect regular YAML objects for values. None of these options are required to use the module so the impact to users should be minimal. (cherry picked from commit 0ef20cc)
melchiormoulin
pushed a commit
to melchiormoulin/beats
that referenced
this pull request
Oct 14, 2020
This add documentation for the Okta module. It contains descriptions of the configuration options and general information about the module. I fixed an issue with the module where it was not setting the _id field for Elasticsearch events. I also did some cleanup to the pipeline.js (indentation, semi-colons, strict equality checks). The module's manifest was updated to not duplicate httpjson's default values. The module was accepting configuration as JSON strings for some parameters (http_headers, http_request_body, pagination, rate_limit, ssl) which is inconsistent with how other parts of Beats are configured so I removed this. Now these options expect regular YAML objects for values. None of these options are required to use the module so the impact to users should be minimal.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This add documentation for the Okta module. It contains descriptions of the
configuration options and general information about the module.
I fixed an issue with the module where it was not setting the
_idfield for Elasticsearch events.I also did some cleanup to the pipeline.js (indentation, semi-colons, strict equality checks).
The module's manifest was updated to not duplicate httpjson's default values.
The module was accepting configuration as JSON strings for some parameters (
http_headers,http_request_body,pagination,rate_limit,ssl) which is inconsistent with how other parts of Beats are configured so I removed this. Now these options expect regular YAML objects for values. None of these options are required to use the module so the impact to users should be minimal.Why is it important?
Documentation is required for users to know how to use the module.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Logs
I ran the module against the Okta API to test. You'll note that the
@metadata._idfield is now set which libbeat will use when writing the data to Elasticsearch.{ "@timestamp": "2020-06-03T18:10:38.118Z", "@metadata": { "beat": "filebeat", "type": "_doc", "version": "8.0.0", "pipeline": "filebeat-8.0.0-okta-system-pipeline", "_id": "870da4d0-a5c5-11ea-a40a-5d8cbb5cdb88" }, "input": { "type": "httpjson" }, "fileset": { "name": "system" }, "client": { "user": { "full_name": "Andrew Kroh", "id": "00ue26zi9EdhopJgw4x6" }, "geo": { "region_name": "Virginia", "country_name": "United States", "location": { "lat": 38.9637, "lon": -77.6099 }, "city_name": "Aldie" }, "ip": "198.51.100.1", "as": { "number": 701, "organization": { "name": "verizon" } }, "domain": "verizon.net" }, "user_agent": { "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0" }, "source": { "ip": "198.51.100.1", "domain": "verizon.net", "user": { "full_name": "Andrew Kroh", "id": "00ue26zi9EdhopJgw4x6" } }, "ecs": { "version": "1.5.0" }, "event": { "category": [ "authentication" ], "action": "system.api_token.create", "id": "870da4d0-a5c5-11ea-a40a-5d8cbb5cdb88", "kind": "event", "module": "okta", "dataset": "okta.system", "original": "{\"actor\":{\"alternateId\":\"id-okta@test.com\",\"detailEntry\":null,\"displayName\":\"Andrew Kroh\",\"id\":\"00ue26zi9EdhopJgw4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102NKlIOnToQGGOboI6cpvgYQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Aldie\",\"country\":\"United States\",\"geolocation\":{\"lat\":38.9637,\"lon\":-77.6099},\"postalCode\":\"20105\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"198.51.100.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"XtfnnhZLAtrLPbdLtrp-4AAABw4\",\"requestUri\":\"/api/internal/tokens\",\"threatSuspected\":\"false\",\"url\":\"/api/internal/tokens?expand=user\"}},\"displayMessage\":\"Create API token\",\"eventType\":\"system.api_token.create\",\"legacyEventType\":\"api.token.create\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-06-03T18:10:38.118Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Aldie\",\"country\":\"United States\",\"geolocation\":{\"lat\":38.9637,\"lon\":-77.6099},\"postalCode\":\"20105\",\"state\":\"Virginia\"},\"ip\":\"198.51.100.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":701,\"asOrg\":\"verizon\",\"domain\":\"verizon.net\",\"isProxy\":false,\"isp\":\"mci communications services inc. d/b/a verizon business\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":null,\"displayName\":\"filebeat\",\"id\":\"00Tt0pmrpvAs7CHYL4x5\",\"type\":\"Token\"}],\"transaction\":{\"detail\":{},\"id\":\"XtfnnhZLAtrLPbdLtrp-4AAABw4\",\"type\":\"WEB\"},\"uuid\":\"870da4d0-a5c5-11ea-a40a-5d8cbb5cdb88\",\"version\":\"0\"}", "type": [ "access" ], "outcome": "success", "created": "2020-06-03T18:12:23.908Z" }, "okta": { "event_type": "system.api_token.create", "client": { "device": "Computer", "ip": "198.51.100.1", "user_agent": { "os": "Mac OS X", "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0", "browser": "FIREFOX" }, "zone": "null" }, "authentication_context": { "external_session_id": "102NKlIOnToQGGOboI6cpvgYQ", "authentication_step": 0 }, "display_message": "Create API token", "uuid": "870da4d0-a5c5-11ea-a40a-5d8cbb5cdb88", "actor": { "display_name": "Andrew Kroh", "id": "00ue26zi9EdhopJgw4x6", "type": "User", "alternate_id": "id-okta@test.com" }, "outcome": { "result": "SUCCESS" }, "target": [ { "type": "Token", "alternate_id": "unknown", "display_name": "filebeat", "id": "00Tt0pmrpvAs7CHYL4x5" } ], "transaction": { "id": "XtfnnhZLAtrLPbdLtrp-4AAABw4", "type": "WEB" }, "debug_context": { "debug_data": { "request_id": "XtfnnhZLAtrLPbdLtrp-4AAABw4", "request_uri": "/api/internal/tokens", "threat_suspected": "false", "url": "/api/internal/tokens?expand=user" } }, "security_context": { "as": { "number": 701, "organization": { "name": "verizon" } }, "domain": "verizon.net", "is_proxy": false, "isp": "mci communications services inc. d/b/a verizon business" } }, "tags": [ "forwarded" ], "service": { "type": "okta" }, "agent": { "ephemeral_id": "9cd78eb3-acb9-4da6-95a3-7484450a5ad9", "id": "1ee8bc3e-9e78-4384-b771-a5655904db72", "name": "mac15.example.com", "type": "filebeat", "version": "8.0.0" }, "related": { "user": "Andrew Kroh", "ip": "198.51.100.1" } }