Closed idpi closed 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Can you please point me at the v2 API docs. I'm only seeing info about v1 in https://developer.okta.com/docs/reference/api-overview/#url-namespace.
The apiversion is currently v1.
Sorry for the confusion. Let me correct myself: it's still the v1 Okta API, but the DANGER fields and superhuman activity are related to the Adaptive MFA SKU feature in Okta. So, once you purchase the Adaptive MFA SKU from Okta, some risk-related columns start being populated with Okta's risk features. You can see these features in the DEBUG_CONTEXT:debugData.behaviors event type. An example of some of these features:
'New City', 'New City - 7 attempts OTP', 'New Country', 'New Country - 7 attempts OTP', 'New Device 5 attempts', 'New Device 7 attempts OTP', 'New Geo location 7 attempts OTP', 'New Geo-Location 5 attempts', 'New IP - 10 attempts', 'New IP - 20 attempts', 'New State', 'Super human activity', 'Super human activity OTP'
Thanks, hope it was helpful for you :)
On Tue, Nov 17, 2020 at 10:32 PM Andrew Kroh notifications@github.com wrote:
--
Idan Pinto, SecOps Engineer
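As an added illustration of what a consumer of these fields can do once a tenant has the Adaptive MFA SKU (this is not code from the thread or from the Beats Okta module): the "{Name=POSITIVE, Name=NEGATIVE, ...}" format of debugContext.debugData.behaviors is assumed, the sample events are constructed, and the behavior names are the ones listed above.

```python
# Constructed sample Okta System Log events (not real data). The value format of
# debugContext.debugData.behaviors, "{Name=POSITIVE, Name=NEGATIVE, ...}", is
# an assumption here; behavior names are taken from the list in the thread.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"behaviors":
         "{New Country=POSITIVE, New City=POSITIVE, New Device=POSITIVE, "
         "New IP=POSITIVE, New State=POSITIVE, Super human activity=NEGATIVE}"}}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"},
     "debugContext": {"debugData": {"behaviors":
         "{New Country=NEGATIVE, New City=NEGATIVE, New Device=NEGATIVE, "
         "New IP=POSITIVE, New State=NEGATIVE, Super human activity=NEGATIVE}"}}},
    # Tenant without the Adaptive MFA SKU: the behaviors field is simply absent.
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "carol@example.com"},
     "debugContext": {"debugData": {}}},
]


def parse_behaviors(event):
    """Map each behavior name to True (POSITIVE) / False (NEGATIVE); {} if absent."""
    raw = (event.get("debugContext") or {}).get("debugData", {}).get("behaviors")
    if not raw:
        return {}
    flags = {}
    for item in raw.strip("{}").split(","):
        name, _, verdict = item.strip().partition("=")
        if name:
            flags[name] = verdict.strip().upper() == "POSITIVE"
    return flags


def risky_logins(events, min_positive=2):
    """Successful session starts where at least min_positive behaviors fired.

    Returns a list of (user, sorted names of the behaviors that fired)."""
    hits = []
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        positives = sorted(n for n, fired in parse_behaviors(ev).items() if fired)
        if len(positives) >= min_positive:
            hits.append((ev["actor"]["alternateId"], positives))
    return hits
```

The threshold keeps a lone 'New IP' hit from paging anyone while still surfacing a login that is new on several dimensions at once.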
Hey folks, any updates on this?
Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!
Hi there, the Okta API was changed in the last year and they have become more security-oriented. They developed a new API with log types that include new fields that will be relevant for Elastic SIEM security features. I have attached logs from the v1 Filebeat module and v2 logs that we collected manually. The extra fields include logins from new geo-locations, new devices, and more. I am sure that if you can upgrade the Filebeat Okta module it will give better visibility for many companies worldwide using Okta. I made some changes in the content, but you can see the DANGER fields that were added.
Also opened a case in the Elastic support portal. okta-v1-from_filebeat.txt okta-v2.txt
Case 00638097
Thanks, Idan