entityanalytics_okta,okta: record okta domain into host.name in ingested documents #13721
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
efd6 added enhancement efd6 force-pushed the e24538-entityanalytics_okta-okta branch from 59a8b42 to 3c8eaf8 Compare 
🚀 Benchmarks reportTo see the full report comment with |
efd6 force-pushed the e24538-entityanalytics_okta-okta branch from 3c8eaf8 to 54715ff Compare 
| Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
Rather than waiting for a stack release this adds the okta_domain value via a beats processor, placing it in a location that is unlikely to collide with data in the input's event data in the future. Move this to host.name in ingest, falling back to reasonable location on failure.
This records the Okta Domain value from the Okta API URL provided by the configuration. This is chosen over using the okta_domain value since the URL is always present, so this simplifies the logic. The URL is passed outside the event.original to avoid collision. This means that it does not end up in the event.original. The actual Okta Domain is obtain from the URL in the ingest pipeline and then placed gingerly in host.name if possible, falling back to the same locations used in the entityanalytics_okta integration in order to harmonise the two integrations. The work to do this is done last in the pipeline to allow an unlikely failure to not interfere with other parts of the pipeline, but to provide an informative error in that case that that does happen.
efd6 force-pushed the e24538-entityanalytics_okta-okta branch from 54715ff to 5491203 Compare 💚 Build Succeeded
History
cc @efd6 |
|
| Package entityanalytics_okta - 2.3.0 containing this change is available at https://epr.elastic.co/package/entityanalytics_okta/2.3.0/ |
| Package okta - 3.7.0 containing this change is available at https://epr.elastic.co/package/okta/3.7.0/ |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots