Parsers and Generated Fields
Tag Fields Created by Parser okta-sso
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser okta-sso
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.published | @timestamp | Event timestamp |
| Vendor.securityContext.asOrg | client.as.organization.name | |
| Vendor.client.geographicalContext.city | client.geo.city_name | |
| Vendor.client.geographicalContext.country | client.geo.country_name | |
| Vendor.client.geographicalContext.geolocation.lat | client.geo.location.lat | |
| Vendor.client.geographicalContext.geolocation.lon | client.geo.location.lon | |
| Vendor.client.geographicalContext.state | client.geo.region_name | |
| Vendor.client.ipAddress | client.ip | |
| Vendor.actor.displayName | client.user.full_name | |
| Vendor.actor.id | client.user.id | |
| user.name | client.user.name | |
| Vendor.eventType | event.action | Event type from Okta |
| Vendor.uuid | event.id | |
| Vendor.outcome.result | event.outcome | Maps SUCCESS/ALLOW to "success", FAILURE/DENY to "failure", empty/null to "unknown" |
| Vendor.outcome.reason | event.reason | |
| Vendor.displayMessage | message | |
| Vendor.client.geographicalContext.city | source.geo.city_name | Client city location |
| Vendor.client.geographicalContext.country | source.geo.country_name | Client country location |
| Vendor.client.geographicalContext.state | source.geo.region_name | Client state location |
| Vendor.client.ipAddress | source.ip | Client IP address |
| client.ip | source.ip | |
| client.user.id | source.user.full_name | |
| client.user.id | source.user.id | |
| Vendor.client.user.id | source.user.id, source.user.full_name | Client user information |
| user.name | source.user.name | |
| client.user.full_name | user.full_name | |
| Vendor.actor.alternateId | user.name | |
| Vendor.target[].email | user.target.email | Target user email when type is User |
| __out[0] | user.target.email | |
| __out[0] | user.target.full_name | |
| Vendor.target[].displayName | user.target.full_name, user.target.name | Target user display name when type is User |
| Vendor.target[].id | user.target.group.id | Target group ID when type is UserGroup |
| __out[0] | user.target.group.id | |
| Vendor.target[].displayName | user.target.group.name | Target group name when type is UserGroup |
| __out[0] | user.target.group.name | |
| Vendor.target[].id | user.target.id | Target user ID when type is User |
| __out[0] | user.target.id | |
| __out[0] | user.target.name | |
| Vendor.client.device | user_agent.device.name | Device name |
| Vendor.client.userAgent.browser | user_agent.name | Browser name |
| Vendor.client.userAgent.rawUserAgent | user_agent.original | Raw user agent string |
| Vendor.client.userAgent.os | user_agent.os.name | Operating system name |