okta: make okta.target use dynamic objects instead of flattened (#11501)

ref: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SystemLog/#tag/SystemLog/operation/listLogEvents!c=200&path=target&t=response

Author: efd6

packages/okta/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+ changes:
+ - description: Make `okta.target` use dynamic objects instead of flattened.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11501
 - version: "2.13.0"
  changes:
  - description: Include `grantedScopes`, `grantType`, `clientSecret` and `requestedScopes` fields from debug data.

packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml

@@ -448,6 +448,27 @@ processors:
  arr[i].remove("detailEntry");
  }
  }
+
+ // Ensure that all entries in changeDetails.{from,to}.* are strings.
+ def cd = arr[i].get("changeDetails");
+ if (cd != null) {
+ if (cd.from instanceof Map) {
+ for (def f: cd.from.entrySet()) {
+ def v = f.getValue();
+ if (v != null && (v instanceof String)) {
+ cd.from[f.getKey()] = v.toString()
+ }
+ }
+ }
+ if (cd.to instanceof Map) {
+ for (def t: cd.to.entrySet()) {
+ def v = t.getValue();
+ if (v != null && (v instanceof String)) {
+ cd.to[t.getKey()] = v.toString()
+ }
+ }
+ }
+ } 
  }
 
  for (def i = 0; i < arr.length; i++) {

packages/okta/data_stream/system/fields/fields.yml

@@ -126,9 +126,33 @@
  description: |
  The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
 - name: okta.target
- type: flattened
- description: |
- The list of targets.
+ description: The list of targets.
+ type: group
+ fields:
+ - name: alternate_id
+ type: keyword
+ description: The alternate ID of the target.
+ - name: changeDetails.from.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: changeDetails.to.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: detailEntry.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: display_name
+ type: keyword
+ description: The display name of the target.
+ - name: id
+ type: keyword
+ description: The ID of the target.
+ - name: type
+ type: keyword
+ description: The type of target.
 - name: okta.transaction
  type: group
  fields:

packages/okta/docs/README.md

@@ -323,7 +323,13 @@ An example event for `system` looks as following:
 | okta.security_context.is_proxy | Whether it is a proxy or not. | boolean |
 | okta.security_context.isp | The Internet Service Provider. | keyword |
 | okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword |
-| okta.target | The list of targets. | flattened |
+| okta.target.alternate_id | The alternate ID of the target. | keyword |
+| okta.target.changeDetails.from.\* | | object |
+| okta.target.changeDetails.to.\* | | object |
+| okta.target.detailEntry.\* | | object |
+| okta.target.display_name | The display name of the target. | keyword |
+| okta.target.id | The ID of the target. | keyword |
+| okta.target.type | The type of target. | keyword |
 | okta.transaction.detail.request_api_token_id | ID of the API token used in a request. | keyword |
 | okta.transaction.id | Identifier of the transaction. | keyword |
 | okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword |

packages/okta/manifest.yml

@@ -1,6 +1,6 @@
 name: okta
 title: Okta
-version: "2.13.0"
+version: "3.0.0"
 description: Collect and parse event logs from Okta API with Elastic Agent.
 type: integration
 format_version: "3.1.0"