entityanalytics_okta: record whether a user's credentials include a recovery question (#10702)

Author: efd6

packages/entityanalytics_okta/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.0"
+ changes:
+ - description: Record whether a user's credentials include a recovery question.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10702
 - version: "1.2.0"
  changes:
  - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json

@@ -40,7 +40,8 @@
  "provider": {
  "type": "OKTA",
  "name": "OKTA"
- }
+ },
+ "recovery_question": {}
  }
  },
  "user": {

packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json-expected.json

@@ -26,6 +26,9 @@
  "provider": {
  "name": "OKTA",
  "type": "OKTA"
+ },
+ "recovery_question": {
+ "is_set": true
  }
  },
  "id": "00ub0oNGTSWTBKOLGLNR",

packages/entityanalytics_okta/data_stream/user/elasticsearch/ingest_pipeline/default.yml

@@ -548,6 +548,19 @@ processors:
  tag: append_user_profile_manager_name_into_related_user
  allow_duplicates: false
  if: ctx.entityanalytics_okta?.user?.profile?.manager?.name != null
+ - set:
+ field: okta.credentials.recovery_question.is_set
+ value: true
+ if: ctx.okta?.credentials?.recovery_question != null
+ - set:
+ field: okta.credentials.recovery_question.is_set
+ value: false
+ if: ctx.okta?.credentials?.recovery_question == null
+ - rename:
+ field: okta.credentials.recovery_question
+ target_field: entityanalytics_okta.user.credentials.recovery_question
+ tag: rename_user_credentials_recovery_question
+ ignore_missing: true
  - rename:
  field: okta.credentials.provider.type
  target_field: entityanalytics_okta.user.credentials.provider.type

packages/entityanalytics_okta/data_stream/user/fields/fields.yml

@@ -26,6 +26,8 @@
  type: keyword
  - name: type
  type: keyword
+ - name: recovery_question.is_set
+ type: boolean
  - name: id
  type: keyword
  description: unique key for user.

packages/entityanalytics_okta/docs/README.md

@@ -280,6 +280,7 @@ An example event for `user` looks as following:
 | entityanalytics_okta.user.created | timestamp when user was created. | date |
 | entityanalytics_okta.user.credentials.provider.name | | keyword |
 | entityanalytics_okta.user.credentials.provider.type | | keyword |
+| entityanalytics_okta.user.credentials.recovery_question.is_set | | boolean |
 | entityanalytics_okta.user.id | unique key for user. | keyword |
 | entityanalytics_okta.user.last_login | timestamp of last login. | date |
 | entityanalytics_okta.user.last_updated | timestamp when user was last updated. | date |

packages/entityanalytics_okta/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: entityanalytics_okta
 title: Okta Entity Analytics
-version: "1.2.0"
+version: "1.3.0"
 description: "Collect User Identities from Okta with Elastic Agent."
 type: integration
 categories: