Okta fields
Stack
Module for handling system logs from Okta.
Fields from Okta.
okta.uuid-
The unique identifier of the Okta LogEvent.
type: keyword
okta.event_type-
The type of the LogEvent.
type: keyword
okta.version-
The version of the LogEvent.
type: keyword
okta.severity-
The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
type: keyword
okta.display_message-
The display message of the LogEvent.
type: keyword
Fields that let you store information of the actor for the LogEvent.
okta.actor.id-
Identifier of the actor.
type: keyword
okta.actor.type-
Type of the actor.
type: keyword
okta.actor.alternate_id-
Alternate identifier of the actor.
type: keyword
okta.actor.display_name-
Display name of the actor.
type: keyword
Fields that let you store information about the client of the actor.
okta.client.ip-
The IP address of the client.
type: ip
Fields about the user agent information of the client.
okta.client.user_agent.raw_user_agent-
The raw informaton of the user agent.
type: keyword
okta.client.user_agent.os-
The OS informaton.
type: keyword
okta.client.user_agent.browser-
The browser informaton of the client.
type: keyword
okta.client.zone-
The zone information of the client.
type: keyword
okta.client.device-
The information of the client device.
type: keyword
okta.client.id-
The identifier of the client.
type: keyword
Fields that let you store information about the outcome.
okta.outcome.reason-
The reason of the outcome.
type: keyword
okta.outcome.result-
The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
type: keyword
okta.target-
The list of targets.
type: flattened
Fields that let you store information about related transaction.
okta.transaction.id-
Identifier of the transaction.
type: keyword
okta.transaction.type-
The type of transaction. Must be one of "WEB", "JOB".
type: keyword
Fields that let you store information about the debug context.
The debug data.
okta.debug_context.debug_data.device_fingerprint-
The fingerprint of the device.
type: keyword
okta.debug_context.debug_data.factor-
The factor used for authentication.
type: keyword
okta.debug_context.debug_data.request_id-
The identifier of the request.
type: keyword
okta.debug_context.debug_data.request_uri-
The request URI.
type: keyword
okta.debug_context.debug_data.threat_suspected-
Threat suspected.
type: keyword
okta.debug_context.debug_data.risk_behaviors-
The set of behaviors that contribute to a risk assessment.
type: keyword
okta.debug_context.debug_data.risk_level-
The risk level assigned to the sign in attempt.
type: keyword
okta.debug_context.debug_data.risk_reasons-
The reasons for the risk.
type: keyword
okta.debug_context.debug_data.url-
The URL.
type: keyword
okta.debug_context.debug_data.flattened-
The complete debug_data object.
type: flattened
The suspicious activity fields from the debug data.
okta.debug_context.debug_data.suspicious_activity.browser-
The browser used.
type: keyword
okta.debug_context.debug_data.suspicious_activity.event_city-
The city where the suspicious activity took place.
type: keyword
okta.debug_context.debug_data.suspicious_activity.event_country-
The country where the suspicious activity took place.
type: keyword
okta.debug_context.debug_data.suspicious_activity.event_id-
The event ID.
type: keyword
okta.debug_context.debug_data.suspicious_activity.event_ip-
The IP of the suspicious event.
type: ip
okta.debug_context.debug_data.suspicious_activity.event_latitude-
The latitude where the suspicious activity took place.
type: float
okta.debug_context.debug_data.suspicious_activity.event_longitude-
The longitude where the suspicious activity took place.
type: float
okta.debug_context.debug_data.suspicious_activity.event_state-
The state where the suspicious activity took place.
type: keyword
okta.debug_context.debug_data.suspicious_activity.event_transaction_id-
The event transaction ID.
type: keyword
okta.debug_context.debug_data.suspicious_activity.event_type-
The event type.
type: keyword
okta.debug_context.debug_data.suspicious_activity.os-
The OS of the system from where the suspicious activity occured.
type: keyword
okta.debug_context.debug_data.suspicious_activity.timestamp-
The timestamp of when the activity occurred.
type: date
Fields that let you store information about authentication context.
okta.authentication_context.authentication_provider-
The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
type: keyword
okta.authentication_context.authentication_step-
The authentication step.
type: integer
okta.authentication_context.credential_provider-
The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
type: keyword
okta.authentication_context.credential_type-
The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.
type: keyword
okta.authentication_context.issuer-
The information about the issuer.
type: array
okta.authentication_context.external_session_id-
The session identifer of the external session if any.
type: keyword
okta.authentication_context.interface-
The interface used. e.g., Outlook, Office365, wsTrust
type: keyword
Fields that let you store information about security context.
The autonomous system.
okta.security_context.as.number-
The AS number.
type: integer
The organization that owns the AS number.
okta.security_context.as.organization.name-
The organization name.
type: keyword
okta.security_context.isp-
The Internet Service Provider.
type: keyword
okta.security_context.domain-
The domain name.
type: keyword
okta.security_context.is_proxy-
Whether it is a proxy or not.
type: boolean
Fields that let you store information about the request, in the form of list of ip_chain.
okta.request.ip_chain-
List of ip_chain objects.
type: flattened