elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Filebeat - OKTA module feature request: V2 instead of v1 #22611

Closed idpi closed 1 year ago

idpi commented 3 years ago

Hi There, the OKTA API was changed in the last year and it became more security-oriented. They developed a new API with a type of logs including new fields that will be relevant for Elastic SIEM security features. I have attached logs from the V1 filebeat module and V2 logs that we collected manually. The extra fields include login from geo-locations, new devices, and more. I am sure that if you can upgrade the filebeat okta module, it will give better visibility for many companies worldwide using okta. I made some changes in the content, but you can see the DANGER fields that were added.

I also opened a case in the Elastic support portal. okta-v1-from_filebeat.txt okta-v2.txt

Case 00638097

Thanks, Idan

elasticmachine commented 3 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

andrewkroh commented 3 years ago

Can you please point me at the v2 API docs. I'm only seeing info about v1 in https://developer.okta.com/docs/reference/api-overview/#url-namespace.

The apiversion is currently v1.

idpi commented 3 years ago

Sorry for the confusion. Let me correct myself: it's still the V1 OKTA API, but the DANGER fields and superhuman activity are related to the Adaptive MFA SKU feature in OKTA. So, once you purchase the Adaptive MFA SKU from Okta, some risk-related columns start being populated with Okta's risk features. You can see these features in the DEBUG_CONTEXT:debugData.behaviors event type. An example of some of these features:

* 'New City'
* 'New City - 7 attempts OTP'
* 'New Country'
* 'New Country - 7 attempts OTP'
* 'New Device 5 attempts'
* 'New Device 7 attempts OTP'
* 'New Geo location 7 attempts OTP'
* 'New Geo-Location 5 attempts'
* 'New IP - 10 attempts'
* 'New IP - 20 attempts'
* 'New State'
* 'Super human activity'
* 'Super human activity OTP'

Thanks, hope it was helpful for you :)

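The comment above says the risk-related columns only appear once the Adaptive MFA SKU is licensed and that they surface under debugContext.debugData.behaviors. The following is an added example, not code from the elastic/beats issue or from the Filebeat okta module, showing how a SIEM pipeline could flatten those behaviors into ECS-style keys and flag a successful sign-in with any POSITIVE behavior. It assumes Okta's System Log renders the field as a single string of the form "{New Device=POSITIVE, New IP=NEGATIVE, ...}", and, as a further assumption, that newer events may carry the same data as JSON text in debugData.logOnlySecurityData; the sample event, actor and IP address are constructed for the example.

```python
"""Flatten Okta System Log behavior annotations into structured fields.

Added example (not part of elastic/beats or the Filebeat okta module).
Assumptions: debugContext.debugData.behaviors is a string such as
"{New Geo-Location=NEGATIVE, New Device=POSITIVE, ...}"; newer events may
instead carry a JSON string in debugData.logOnlySecurityData. The sample
event below is constructed, not captured from a real tenant.
"""
import json
import re

# Constructed sample event, trimmed to the fields this example reads.
SAMPLE_EVENT = json.dumps({
    "eventType": "user.session.start",
    "outcome": {"result": "SUCCESS"},
    "actor": {"alternateId": "idan@example.com"},
    "client": {"ipAddress": "203.0.113.7"},
    "debugContext": {"debugData": {
        "behaviors": "{New Geo-Location=NEGATIVE, New Device=POSITIVE, "
                     "New IP=POSITIVE, New State=NEGATIVE, New Country=NEGATIVE, "
                     "Velocity=NEGATIVE, New City=NEGATIVE}"
    }},
})

# One "Name=VERDICT" pair; names may contain spaces and hyphens.
_PAIR = re.compile(r"\s*([^=,{}]+?)\s*=\s*(POSITIVE|NEGATIVE|UNKNOWN)\s*")


def parse_behaviors(raw):
    """Turn "{A=POSITIVE, B=NEGATIVE}" into {"A": "POSITIVE", "B": "NEGATIVE"}."""
    if not raw:
        return {}
    body = raw.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    out = {}
    for part in body.split(","):
        m = _PAIR.fullmatch(part)
        if m:  # silently skip malformed fragments rather than failing the event
            out[m.group(1)] = m.group(2)
    return out


def extract_behaviors(event):
    """Return the behavior verdicts for one parsed event, or {} if absent.

    An empty result is the normal case for tenants without the Adaptive MFA
    SKU, so callers must not treat it as an error.
    """
    dd = event.get("debugContext", {}).get("debugData", {}) or {}
    raw = dd.get("behaviors")
    if raw:
        return parse_behaviors(raw)
    # Assumption: newer events embed {"behaviors": {...}, "risk": {...}} as JSON text.
    losd = dd.get("logOnlySecurityData")
    if losd:
        try:
            return dict(json.loads(losd).get("behaviors") or {})
        except (ValueError, AttributeError):
            return {}
    return {}


def to_ecs_key(name):
    """'New Geo-Location' -> 'new_geo_location' (ECS-style snake_case)."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def enrich(event_json):
    """Parse one System Log event and attach flattened risk fields."""
    event = json.loads(event_json)
    behaviors = extract_behaviors(event)
    positive = sorted(k for k, v in behaviors.items() if v == "POSITIVE")
    # Detection: a successful session start where Okta saw something new.
    flagged = (event.get("eventType") == "user.session.start"
               and event.get("outcome", {}).get("result") == "SUCCESS"
               and bool(positive))
    return {
        "actor": event.get("actor", {}).get("alternateId"),
        "source_ip": event.get("client", {}).get("ipAddress"),
        "behaviors": {to_ecs_key(k): v for k, v in behaviors.items()},
        "positive_behaviors": positive,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_EVENT), indent=2))
```

Events without the licensed fields pass through with an empty behaviors map and flagged=False, so the same pipeline works for tenants with and without the SKU; the detection only fires when a verdict is actually POSITIVE.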

tl-Bruno-Braga commented 3 years ago

Hey folks, any updates on this?

botelastic[bot] commented 2 years ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!