Parsers and Generated Fields
Tag Fields Created by Parser okta-sso
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser okta-sso
| CPS Field | Mapping Method | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | Vendor.eventType, Vendor.debugContext.debugData.threatSuspected |
| `event.type[]` | Array | Vendor.eventType |
| `rule.id` | Coalesced | Vendor.PolicyRule.id, Vendor.Rule.id |
| `rule.name` | Coalesced | Vendor.PolicyRule.displayName, Vendor.Rule.displayName |
| `client.user.full_name` | Conditionally | Vendor.actor.displayName, Vendor.actor.type |
| `client.as.number` | Copied | Vendor.securityContext.asNumber |
| `client.as.organization.name` | Copied | Vendor.securityContext.asOrg |
| `client.geo.city_name` | Copied | Vendor.client.geographicalContext.city |
| `client.geo.country_name` | Copied | Vendor.client.geographicalContext.country |
| `client.geo.location.lat` | Copied | Vendor.client.geographicalContext.geolocation.lat |
| `client.geo.location.lon` | Copied | Vendor.client.geographicalContext.geolocation.lon |
| `client.geo.region_name` | Copied | Vendor.client.geographicalContext.state |
| `client.ip` | Copied | Vendor.client.ipAddress |
| `client.user.id` | Copied | Vendor.actor.id |
| `client.user.name` | Copied | Vendor.actor.alternateId |
| `event.action` | Copied | Vendor.eventType |
| `event.id` | Copied | Vendor.uuid |
| `message` | Copied | Vendor.displayMessage |
| `network.application` | Copied | Vendor.AppInstance.displayName |
| `rule.ruleset` | Copied | Vendor.PolicyEntity.displayName |
| `source.ip` | Copied | client.ip |
| `source.user.full_name` | Copied | client.user.full_name |
| `source.user.id` | Copied | client.user.id |
| `source.user.name` | Copied | Vendor.actor.alternateId |
| `transaction.id` | Copied | Vendor.transaction.id |
| `user.email` | Copied | user.name |
| `user.full_name` | Copied | client.user.full_name |
| `user.name` | Copied | Vendor.actor.alternateId |
| `user_agent.name` | Copied | Vendor.client.userAgent.browser |
| `user_agent.original` | Copied | Vendor.client.userAgent.rawUserAgent |
| `user.target.email` | Extracted | Vendor.target[].detailEntry.emailAddress |
| `user.target.full_name` | Extracted | Vendor.target[].displayName |
| `user.target.group.id` | Extracted | Vendor.target[].id |
| `user.target.group.name` | Extracted | Vendor.target[].displayName |
| `user.target.id` | Extracted | Vendor.target[].id |
| `user.target.name` | Extracted | Vendor.target[].alternateId |
| `user_agent.os.name` | Extracted | Vendor.client.userAgent.os |
| `user_agent.os.version` | Extracted | Vendor.client.userAgent.os |
| `client.domain` | Lowercased | Vendor.securityContext.domain |
| `source.domain` | Lowercased | Vendor.securityContext.domain |
| `event.outcome` | Maps | Vendor.outcome.result |
| `event.severity` | Maps | Vendor.severity |
| `@timestamp` | Parsed | Vendor.published, Vendor.errorSummary |
| `ecs.version` | Static | None |
| `event.dataset` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `observer.type` | Static | None |
| `event.reason` | Uses | Vendor.outcome.reason, message |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.securityContext.asNumber | client.as.number | |
| Vendor.securityContext.asOrg | client.as.organization.name | |
| Vendor.client.geographicalContext.city | client.geo.city_name | |
| Vendor.client.geographicalContext.country | client.geo.country_name | |
| Vendor.client.geographicalContext.geolocation.lat | client.geo.location.lat | |
| Vendor.client.geographicalContext.geolocation.lon | client.geo.location.lon | |
| Vendor.client.geographicalContext.state | client.geo.region_name | |
| Vendor.client.ipAddress | client.ip | |
| Vendor.actor.displayName | client.user.full_name | |
| Vendor.actor.alternateId | client.user.name | |
| Vendor.eventType | event.action | |
| Vendor.uuid | event.id | |
| Vendor.displayMessage | message | |
| Vendor.AppInstance.displayName | network.application | |
| Vendor.PolicyEntity.displayName | rule.ruleset | |
| client.ip | source.ip | |
| client.user.full_name | source.user.full_name | |
| client.user.id | source.user.id | |
| Vendor.actor.alternateId | source.user.name | |
| Vendor.transaction.id | transaction.id | |
| client.user.full_name | user.full_name | |
| Vendor.actor.alternateId | user.name | |
| Vendor.client.userAgent.browser | user_agent.name | |
| Vendor.client.userAgent.rawUserAgent | user_agent.original | |