Parsers and Generated Fields
Tag Fields Created by Parser okta-sso
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser okta-sso
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.published, Vendor.errorSummary | @timestamp | Event timestamp | Parsed from Vendor.published using timestamp format yyyy-MM-dd'T'HH:mm:ss.SSSX when published field exists, otherwise uses @ingesttimestamp for error events |
| Vendor.securityContext.asNumber | client.as.number | AS number | Copied from Vendor.securityContext.asNumber |
| Vendor.securityContext.asOrg | client.as.organization.name | AS organization name | Copied from Vendor.securityContext.asOrg |
| Vendor.securityContext.domain | client.domain | Domain name | Lowercased from Vendor.securityContext.domain |
| Vendor.client.geographicalContext.city | client.geo.city_name | Client city location | Copied from Vendor.client.geographicalContext.city |
| Vendor.client.geographicalContext.country | client.geo.country_name | Client country location | Copied from Vendor.client.geographicalContext.country |
| Vendor.client.geographicalContext.geolocation.lat | client.geo.location.lat | Client latitude | Copied from Vendor.client.geographicalContext.geolocation.lat |
| Vendor.client.geographicalContext.geolocation.lon | client.geo.location.lon | Client longitude | Copied from Vendor.client.geographicalContext.geolocation.lon |
| Vendor.client.geographicalContext.state | client.geo.region_name | Client state location | Copied from Vendor.client.geographicalContext.state |
| Vendor.client.ipAddress | client.ip | Client IP address | Copied from Vendor.client.ipAddress |
| Vendor.actor.displayName, Vendor.actor.type | client.user.full_name | User display name | Conditionally copied from Vendor.actor.displayName based on actor type |
| Vendor.actor.id | client.user.id | User ID | Copied from Vendor.actor.id |
| Vendor.actor.alternateId | client.user.name | User identifier | Copied from Vendor.actor.alternateId |
| None | ecs.version | ECS version identifier | Static value: 9.2.0 |
| Vendor.eventType | event.action | Event type from Okta | Copied from Vendor.eventType |
| Vendor.eventType, Vendor.debugContext.debugData.threatSuspected | event.category[] | Event categorization | Array populated based on event.action patterns and threat indicators |
| None | event.dataset | Dataset identifier | Static value: sso.system |
| Vendor.uuid | event.id | Unique event identifier | Copied from Vendor.uuid |
| None | event.kind | Event kind classification | Static value: event, changed to alert for specific threat events |
| None | event.module | Module identifier | Static value: sso |
| Vendor.outcome.result | event.outcome | Event outcome status | Maps SUCCESS/ALLOW/UNANSWERED to "success", FAILURE/DENY/ABANDONED to "failure" |
| Vendor.outcome.reason, message | event.reason | Reason for the outcome | Uses Vendor.outcome.reason when available, otherwise uses message |
| Vendor.severity | event.severity | Event severity level | Maps DEBUG to 10, INFO to 30, WARN to 50, ERROR to 70, FATAL to 90 |
| Vendor.eventType | event.type[] | Event type classification | Array populated based on event.action patterns |
| Vendor.displayMessage | message | Human-readable message | Copied from Vendor.displayMessage |
| Vendor.AppInstance.displayName | network.application | Application name | Copied from Vendor.AppInstance.displayName |
| None | observer.type | Observer type identifier | Static value: identity |
| Vendor.PolicyRule.id, Vendor.Rule.id | rule.id | Rule ID | Coalesced from Vendor.PolicyRule.id and Vendor.Rule.id |
| Vendor.PolicyRule.displayName, Vendor.Rule.displayName | rule.name | Rule name | Coalesced from Vendor.PolicyRule.displayName and Vendor.Rule.displayName |
| Vendor.PolicyEntity.displayName | rule.ruleset | Policy name | Copied from Vendor.PolicyEntity.displayName |
| Vendor.securityContext.domain | source.domain | Source domain name | Lowercased from Vendor.securityContext.domain |
| client.ip | source.ip | Source IP address | Copied from client.ip |
| client.user.full_name | source.user.full_name | Source user display name | Copied from client.user.full_name |
| client.user.id | source.user.id | Source user ID | Copied from client.user.id |
| Vendor.actor.alternateId | source.user.name | Source user identifier | Copied from Vendor.actor.alternateId |
| Vendor.transaction.id | transaction.id | Transaction ID | Copied from Vendor.transaction.id |
| user.name | user.email | User email address | Copied from user.name when user.name contains @ symbol |
| client.user.full_name | user.full_name | User display name | Copied from client.user.full_name |
| Vendor.actor.alternateId | user.name | User identifier | Copied from Vendor.actor.alternateId |
| Vendor.target[].detailEntry.emailAddress | user.target.email | Target user email | Extracted from target array when type is User |
| Vendor.target[].displayName | user.target.full_name | Target user display name | Extracted from target array when type is User |
| Vendor.target[].id | user.target.group.id | Target group ID | Extracted from target array when type is UserGroup |
| Vendor.target[].displayName | user.target.group.name | Target group name | Extracted from target array when type is UserGroup |
| Vendor.target[].id | user.target.id | Target user ID | Extracted from target array when type is User |
| Vendor.target[].alternateId | user.target.name | Target user alternate ID | Extracted from target array when type is User |
| Vendor.client.userAgent.browser | user_agent.name | Browser name | Copied from Vendor.client.userAgent.browser |
| Vendor.client.userAgent.rawUserAgent | user_agent.original | Raw user agent string | Copied from Vendor.client.userAgent.rawUserAgent |
| Vendor.client.userAgent.os | user_agent.os.name | OS name | Extracted from Vendor.client.userAgent.os using regex |
| Vendor.client.userAgent.os | user_agent.os.version | OS version | Extracted from Vendor.client.userAgent.os using regex |
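The table rows above describe the transformation rules (static values, straight copies, lowercasing, the outcome and severity lookups, the `@` check for `user.email`, the typed `target[]` extraction and the OS regex) but not how they compose on a real record. The following is an added example, not the okta-sso parser's own code: it applies those rules to a constructed Okta System Log event and returns a flat dict keyed by the CPS field names in the table. Where the table leaves a rule unspecified (which actor type triggers the `client.user.full_name` copy, the exact OS regex, the `event.category`/`event.type` patterns and the threat condition that flips `event.kind` to `alert`), the code states an assumption in a comment or leaves the field unset; the `ingest_ts` parameter stands in for `@ingesttimestamp`.

```python
import re
from datetime import datetime, timezone

# Lookup tables copied from the event.outcome and event.severity rows.
OUTCOME_MAP = {"SUCCESS": "success", "ALLOW": "success", "UNANSWERED": "success",
               "FAILURE": "failure", "DENY": "failure", "ABANDONED": "failure"}
SEVERITY_MAP = {"DEBUG": 10, "INFO": 30, "WARN": 50, "ERROR": 70, "FATAL": 90}
STATIC_FIELDS = {"ecs.version": "9.2.0", "event.dataset": "sso.system",
                 "event.module": "sso", "observer.type": "identity", "event.kind": "event"}
# Assumed regex (the page only says "using regex"): leading name, optional trailing version.
OS_RE = re.compile(r"^(?P<name>.*?)\s*(?P<version>\d[\d.]*)?$")
# Straight copies: CPS field -> dotted path inside the Vendor object.
COPIES = {
    "client.as.number": "securityContext.asNumber", "client.as.organization.name": "securityContext.asOrg",
    "client.geo.city_name": "client.geographicalContext.city",
    "client.geo.country_name": "client.geographicalContext.country",
    "client.geo.location.lat": "client.geographicalContext.geolocation.lat",
    "client.geo.location.lon": "client.geographicalContext.geolocation.lon",
    "client.geo.region_name": "client.geographicalContext.state", "client.ip": "client.ipAddress",
    "client.user.id": "actor.id", "client.user.name": "actor.alternateId",
    "source.user.name": "actor.alternateId", "user.name": "actor.alternateId",
    "event.action": "eventType", "event.id": "uuid", "message": "displayMessage",
    "network.application": "AppInstance.displayName", "rule.ruleset": "PolicyEntity.displayName",
    "transaction.id": "transaction.id", "user_agent.name": "client.userAgent.browser",
    "user_agent.original": "client.userAgent.rawUserAgent",
}
# Copies made from fields that were themselves produced by an earlier rule.
DERIVED = {"source.ip": "client.ip", "source.user.full_name": "client.user.full_name",
           "source.user.id": "client.user.id", "user.full_name": "client.user.full_name"}
# Per-target-type extraction: target type -> (CPS field, key path inside the target entry).
TARGET_RULES = {
    "User": [("user.target.email", "detailEntry.emailAddress"), ("user.target.full_name", "displayName"),
             ("user.target.id", "id"), ("user.target.name", "alternateId")],
    "UserGroup": [("user.target.group.id", "id"), ("user.target.group.name", "displayName")],
}


def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def parse_published(value, ingest_ts):
    """@timestamp: yyyy-MM-dd'T'HH:mm:ss.SSSX from Vendor.published, else the ingest time (error events)."""
    if value is None:
        return ingest_ts
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def normalize(event, ingest_ts=None):
    """Apply the okta-sso mapping rules to one Okta System Log event given as a dict."""
    out = dict(STATIC_FIELDS)
    out["@timestamp"] = parse_published(event.get("published"), ingest_ts or datetime.now(timezone.utc))
    for dst, src in COPIES.items():
        if (val := _get(event, src)) is not None:
            out[dst] = val
    if domain := _get(event, "securityContext.domain"):
        out["client.domain"] = out["source.domain"] = domain.lower()
    # Assumption: the actor display name is copied only for actors of type User.
    if _get(event, "actor.type") == "User" and (name := _get(event, "actor.displayName")):
        out["client.user.full_name"] = name
    if (result := _get(event, "outcome.result")) in OUTCOME_MAP:
        out["event.outcome"] = OUTCOME_MAP[result]
    if (sev := event.get("severity")) in SEVERITY_MAP:
        out["event.severity"] = SEVERITY_MAP[sev]
    if reason := (_get(event, "outcome.reason") or out.get("message")):
        out["event.reason"] = reason
    # rule.id / rule.name: first non-empty of PolicyRule then Rule.
    for dst, paths in {"rule.id": ("PolicyRule.id", "Rule.id"),
                       "rule.name": ("PolicyRule.displayName", "Rule.displayName")}.items():
        out.update({dst: v for p in paths if (v := _get(event, p)) is not None} and {dst: next(
            _get(event, p) for p in paths if _get(event, p) is not None)})
    for target in event.get("target") or []:
        for dst, path in TARGET_RULES.get(target.get("type"), []):
            if (val := _get(target, path)) is not None:
                out[dst] = val
    if (os_str := _get(event, "client.userAgent.os")) and (m := OS_RE.match(os_str)) and m.group("name"):
        out["user_agent.os.name"] = m.group("name")
        if m.group("version"):
            out["user_agent.os.version"] = m.group("version")
    for dst, src in DERIVED.items():
        if src in out:
            out[dst] = out[src]
    if "@" in out.get("user.name", ""):
        out["user.email"] = out["user.name"]
    return out


# Constructed sample event (not a real Okta record); exercises most rows of the table.
SAMPLE_EVENT = {
    "published": "2024-05-01T12:34:56.789Z", "uuid": "00000000-0000-0000-0000-000000000001",
    "eventType": "user.session.start", "displayMessage": "User login to Okta", "severity": "WARN",
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "actor": {"id": "00u1", "type": "User", "alternateId": "alice@example.com", "displayName": "Alice Example"},
    "client": {"ipAddress": "203.0.113.10",
               "userAgent": {"browser": "CHROME", "os": "Windows 10", "rawUserAgent": "Mozilla/5.0 (constructed)"},
               "geographicalContext": {"city": "Paris", "state": "Ile-de-France", "country": "France",
                                       "geolocation": {"lat": 48.85, "lon": 2.35}}},
    "securityContext": {"asNumber": 64496, "asOrg": "Example ISP", "domain": "Example.net"},
    "transaction": {"id": "tx-123"}, "Rule": {"id": "rule-7", "displayName": "MFA required"},
    "target": [{"type": "User", "id": "00u2", "alternateId": "bob@example.com", "displayName": "Bob Example",
                "detailEntry": {"emailAddress": "bob@example.com"}},
               {"type": "UserGroup", "id": "00g9", "displayName": "Admins"}],
}

if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_EVENT).items()):
        print(f"{field}: {value}")
```

Two points worth checking when validating a parser against a table like this: the fallback branches (an error record with no `published` field must still get a timestamp, here the ingest time) and the derived copies, which must run after the fields they read from have been set, otherwise `source.ip` and `user.full_name` silently stay empty.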