Okta

Collect and parse event logs from Okta API with Elastic Agent.


Version	2.12.0 (View all)
Compatible Kibana version(s)	8.15.0 or higher
Supported Serverless project types What's this?	Security Observability
Subscription level What's this?	Basic
Level of support What's this?	Elastic

The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API.

Logs

System

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta.

Types Of Authentication

API Key

In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

Oauth2

In this type of authentication, we require the following information:

Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
Your Okta service app Client ID.
Your Okta service app JWK Private Key
The Okta scope that is required for OAuth2. [ By default this is set to okta.logs.read which should suffice for most use cases ]

Steps to acquire Okta Oauth2 credentials:

Acquire an Okta dev or user account with privileges to mint tokens with the okta.* scopes.
Log into your Okta account, navigate to Applications on the left-hand side, click on the Create App Integration button and create an API Services application.
Click on the created app, note down the Client ID and select the option for Public key/Private key.
Generate your own Private/Public key pair in the JWK format (PEM is not supported at the moment) and save it in a credentials JSON file or copy it to use directly in the config.

Okta Integration Network (OIN)

The Okta Integration Network provides a simple integration authentication based on OAuth2, but using an API key. In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
Your Okta service app Client ID.
Your Okta service app Client Secret.

Steps to configure Okta OIN authenticaton:

Log into your Okta account, navigate to Applications on the left-hand side, click on the Browse App Catalog button and search for "Elastic".
Click on the Elastic app card and then click Add Integration, and then Install & Authorize.
Copy the Client Secret.
Navigate to the Fleet integration configuration page for the integration.
Set the "Okta System Log API URL" field from the value of the Okta app with the URL path "/api/v1/logs" added as shown in the UI documentation
Set the "Okta Domain URL" field from the value of the Okta app
Set the "Client ID" field with the Client ID provided by the Okta app
Set the "API Key" field to the Client Secret provided by the Okta app
Set the "Use OIN Authentication" toggle to true

NOTE: Tokens with okta.* Scopes are generally minted from the Okta Org Auth server and not the default/custom authorization server. The standard Okta Org Auth server endpoint to mint tokens is https://<your_okta_org>.okta.com/oauth2/v1/token

An example event for system looks as following:

{
    "@timestamp": "2020-02-14T20:18:57.718Z",
    "agent": {
        "ephemeral_id": "6ac1caae-4aba-4b61-8408-14b46e15b668",
        "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "client": {
        "geo": {
            "city_name": "Dublin",
            "country_name": "United States",
            "location": {
                "lat": 37.7201,
                "lon": -121.919
            },
            "region_name": "California"
        },
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx"
        }
    },
    "data_stream": {
        "dataset": "okta.system",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "user.session.start",
        "agent_id_status": "verified",
        "category": [
            "authentication",
            "session"
        ],
        "created": "2024-05-17T05:51:14.737Z",
        "dataset": "okta.system",
        "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
        "ingested": "2024-05-17T05:51:24Z",
        "kind": "event",
        "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}",
        "outcome": "success",
        "type": [
            "start",
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "okta": {
        "actor": {
            "alternate_id": "xxxxxx@elastic.co",
            "display_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "type": "User"
        },
        "authentication_context": {
            "authentication_step": 0,
            "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ"
        },
        "client": {
            "device": "Computer",
            "ip": "108.255.197.247",
            "user_agent": {
                "browser": "FIREFOX",
                "os": "Mac OS X",
                "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
            },
            "zone": "null"
        },
        "debug_context": {
            "debug_data": {
                "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                "flattened": {
                    "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                    "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                    "requestUri": "/api/v1/authn",
                    "threatSuspected": "false",
                    "url": "/api/v1/authn?"
                },
                "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                "request_uri": "/api/v1/authn",
                "threat_suspected": "false",
                "url": "/api/v1/authn?"
            }
        },
        "display_message": "User login to Okta",
        "event_type": "user.session.start",
        "outcome": {
            "result": "SUCCESS"
        },
        "request": {
            "ip_chain": [
                {
                    "geographical_context": {
                        "city": "Dublin",
                        "country": "United States",
                        "geolocation": {
                            "lat": 37.7201,
                            "lon": -121.919
                        },
                        "postal_code": "94568",
                        "state": "California"
                    },
                    "ip": "108.255.197.247",
                    "version": "V4"
                }
            ]
        },
        "transaction": {
            "id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
            "type": "WEB"
        },
        "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546"
    },
    "related": {
        "ip": [
            "108.255.197.247"
        ],
        "user": [
            "xxxxxx"
        ]
    },
    "source": {
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "okta-system"
    ],
    "user": {
        "full_name": "xxxxxx",
        "name": "xxxxxx"
    },
    "user_agent": {
        "device": {
            "name": "Mac"
        },
        "name": "Firefox",
        "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
        "os": {
            "full": "Mac OS X 10.15",
            "name": "Mac OS X",
            "version": "10.15"
        },
        "version": "72.0."
    }
}

Exported fields

Field	Description	Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.namespace	A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.type	An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.	constant_keyword
event.dataset	Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.	constant_keyword
event.module	Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Type of Filebeat input.	keyword
log.flags	Flags for the log file.	keyword
log.offset	Offset of the entry in the log file.	long
okta.actor.alternate_id	Alternate identifier of the actor.	keyword
okta.actor.display_name	Display name of the actor.	keyword
okta.actor.id	Identifier of the actor.	keyword
okta.actor.type	Type of the actor.	keyword
okta.authentication_context.authentication_provider	The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.	keyword
okta.authentication_context.authentication_step	The authentication step.	integer
okta.authentication_context.credential_provider	The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.	keyword
okta.authentication_context.credential_type	The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.	keyword
okta.authentication_context.external_session_id	The session identifer of the external session if any.	keyword
okta.authentication_context.interface	The interface used. e.g., Outlook, Office365, wsTrust	keyword
okta.authentication_context.issuer.id	The identifier of the issuer.	keyword
okta.authentication_context.issuer.type	The type of the issuer.	keyword
okta.client.device	The information of the client device.	keyword
okta.client.id	The identifier of the client.	keyword
okta.client.ip	The IP address of the client.	ip
okta.client.user_agent.browser	The browser informaton of the client.	keyword
okta.client.user_agent.os	The OS informaton.	keyword
okta.client.user_agent.raw_user_agent	The raw informaton of the user agent.	keyword
okta.client.zone	The zone information of the client.	keyword
okta.debug_context.debug_data		object
okta.debug_context.debug_data.authnRequestId	The authorization request ID.	keyword
okta.debug_context.debug_data.behaviors		keyword
okta.debug_context.debug_data.behaviors.New_City		keyword
okta.debug_context.debug_data.behaviors.New_Country		keyword
okta.debug_context.debug_data.behaviors.New_Device		keyword
okta.debug_context.debug_data.behaviors.New_Geo_Location		keyword
okta.debug_context.debug_data.behaviors.New_IP		keyword
okta.debug_context.debug_data.behaviors.New_State		keyword
okta.debug_context.debug_data.behaviors.Velocity		keyword
okta.debug_context.debug_data.behaviors.Velocity_Behavior		keyword
okta.debug_context.debug_data.device_fingerprint	The fingerprint of the device.	keyword
okta.debug_context.debug_data.dt_hash	The device token hash	keyword
okta.debug_context.debug_data.factor	The factor used for authentication.	keyword
okta.debug_context.debug_data.flattened	The complete debug_data object.	flattened
okta.debug_context.debug_data.logOnlySecurityData		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_City		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Country		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Device		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Geo_Location		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_IP		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_State		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.Velocity		keyword
okta.debug_context.debug_data.logOnlySecurityData.risk		keyword
okta.debug_context.debug_data.logOnlySecurityData.risk.level		keyword
okta.debug_context.debug_data.logOnlySecurityData.risk.reasons		keyword
okta.debug_context.debug_data.originalPrincipal		keyword
okta.debug_context.debug_data.originalPrincipal.alternateId		keyword
okta.debug_context.debug_data.originalPrincipal.displayName		keyword
okta.debug_context.debug_data.originalPrincipal.id		keyword
okta.debug_context.debug_data.originalPrincipal.type		keyword
okta.debug_context.debug_data.promptingPolicyTypes		keyword
okta.debug_context.debug_data.request_id	The identifier of the request.	keyword
okta.debug_context.debug_data.request_uri	The request URI.	keyword
okta.debug_context.debug_data.risk		keyword
okta.debug_context.debug_data.risk.level		keyword
okta.debug_context.debug_data.risk.reasons		keyword
okta.debug_context.debug_data.risk_behaviors	The set of behaviors that contribute to a risk assessment.	keyword
okta.debug_context.debug_data.risk_level	The risk level assigned to the sign in attempt.	keyword
okta.debug_context.debug_data.risk_object		keyword
okta.debug_context.debug_data.risk_reasons	The reasons for the risk.	keyword
okta.debug_context.debug_data.threat_suspected	Threat suspected.	keyword
okta.debug_context.debug_data.url	The URL.	keyword
okta.device.device_integrator		flattened
okta.device.disk_encryption_type	The value of the device profile’s disk encryption type. One of "NONE", "FULL", "USER", "ALL_INTERNAL_VOLUMES" or "SYSTEM_VOLUME".	keyword
okta.device.id	Identifier of the device.	keyword
okta.device.managed	Whether the device is managed.	boolean
okta.device.name	The name of the device.	keyword
okta.device.os_platform	The OS of the device.	keyword
okta.device.os_version	The device's OS version.	keyword
okta.device.registered	Whether the device is registered.	boolean
okta.device.screen_lock_type	The mechanism for locking the device's screen. One of "NONE", "PASSCODE" or "BIOMETRIC".	keyword
okta.device.secure_hardware_present	Whether there is secure hardware present on the device. This is a checks for chip presence: trusted platform module (TPM) or secure enclave. It does not mark whether there are tokens on the secure hardware.	boolean
okta.display_message	The display message of the LogEvent.	keyword
okta.event_type	The type of the LogEvent.	keyword
okta.outcome.reason	The reason of the outcome.	keyword
okta.outcome.result	The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.	keyword
okta.request.ip_chain		flattened
okta.security_context.as.number	The AS number.	integer
okta.security_context.as.organization.name	The organization name.	keyword
okta.security_context.domain	The domain name.	keyword
okta.security_context.is_proxy	Whether it is a proxy or not.	boolean
okta.security_context.isp	The Internet Service Provider.	keyword
okta.severity	The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.	keyword
okta.target	The list of targets.	flattened
okta.transaction.detail.request_api_token_id	ID of the API token used in a request.	keyword
okta.transaction.id	Identifier of the transaction.	keyword
okta.transaction.type	The type of transaction. Must be one of "WEB", "JOB".	keyword
okta.uuid	The unique identifier of the Okta LogEvent.	keyword
okta.version	The version of the LogEvent.	keyword

Changelog

Version	Details	Kibana version(s)
2.12.0	Enhancement View pull request Allow user configuration of debug_data flattened use.	8.15.0 or higher
2.11.0	Enhancement View pull request Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	8.13.0 or higher
2.10.0	Enhancement View pull request Support OIN service application authentication.	8.13.0 or higher
2.9.0	Enhancement View pull request Allow private key to be supplied as a PEM block.	8.13.0 or higher
2.8.0	Enhancement View pull request Set sensitive values as secret.	8.12.0 or higher
2.7.1	Enhancement View pull request Changed owners	8.10.1 or higher
2.7.0	Enhancement View pull request Add okta.transaction.detail.request_api_token_id field.	8.10.1 or higher
2.6.0	Enhancement View pull request Limit request tracer log count to five.	8.10.1 or higher
2.5.0	Enhancement View pull request ECS version updated to 8.11.0.	8.10.1 or higher
2.4.0	Enhancement View pull request Improve 'event.original' check to avoid errors if set.	8.10.1 or higher
2.3.1-next	Bug fix View pull request Fix mapping of group fields	—
2.3.0	Enhancement View pull request Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.10.1 or higher
2.2.0	Enhancement View pull request Update the package format_version to 3.0.0.	8.10.1 or higher
2.1.0	Enhancement View pull request Update package to ECS 8.10.0, align ECS categorization fields, and updated stack version to ^8.10.1 per security fix.	8.10.1 or higher
2.0.0	Enhancement View pull request Added Okta Oauth2 support, refactored the UI accordingly & updated stack version to ^8.10.0.	8.10.0 or higher
1.28.0	Enhancement View pull request Retain `okta.debug_context.debug_data.dt_hash` field.	8.7.1 or higher
1.27.0	Enhancement View pull request Update package-spec 2.9.0.	8.7.1 or higher
1.26.0	Enhancement View pull request Update package to ECS 8.9.0.	8.7.1 or higher
1.25.0	Enhancement View pull request Document duration units.	8.7.1 or higher
1.24.0	Enhancement View pull request Convert visualizations to lens.	8.7.1 or higher
1.23.0	Enhancement View pull request Document valid duration units.	8.7.1 or higher
1.22.1	Bug fix View pull request Fix a concurrent modification exception that occurred while modifying okta.target[].detailEntry.	8.7.1 or higher
1.22.0	Enhancement View pull request Update package to ECS 8.8.0.	8.7.1 or higher
1.21.0	Enhancement View pull request Add support for okta.device field group. Enhancement View pull request Retain `okta.target.detailEntry.methodTypeUsed` and `okta.target.detailEntry.methodUsedVerifiedProperties`.	8.7.1 or higher
1.20.0	Enhancement View pull request Add a new flag to enable request tracing	8.7.1 or higher
1.19.1	Enhancement View pull request Remove redundant rename processors.	8.6.0 or higher
1.19.0	Enhancement View pull request Retain target information.	8.6.0 or higher
1.18.0	Enhancement View pull request Update package to ECS 8.7.0.	8.6.0 or higher
1.17.0	Enhancement View pull request Extract username from email	8.6.0 or higher
1.16.1	Enhancement View pull request Added categories and/or subcategories.	8.6.0 or higher
1.16.0	Enhancement View pull request Allow configuration of HTTP keep-alive to allow for connection reuse.	8.6.0 or higher
1.15.1	Bug fix View pull request Fix documentation typo.	8.1.0 or higher
1.15.0	Enhancement View pull request Make debug_data risk factors and behaviors visible to search.	8.1.0 or higher
1.14.0	Enhancement View pull request Update package to ECS 8.6.0.	8.1.0 or higher
1.13.0	Enhancement View pull request Make debug_data risk reasons visible to search.	8.1.0 or higher
1.12.1	Bug fix View pull request Make extra efforts to extract risk information from debug_data.	8.1.0 or higher
1.12.0	Enhancement View pull request Handle already set event.original more robustly.	8.1.0 or higher
1.11.2	Enhancement View pull request Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load	8.1.0 or higher
1.11.1	Bug fix View pull request Remove duplicate fields.	7.14.0 or higher 8.0.0 or higher
1.11.0	Enhancement View pull request Update package to ECS 8.5.0.	7.14.0 or higher 8.0.0 or higher
1.10.3	Bug fix View pull request Mark url config option as a required field	7.14.0 or higher 8.0.0 or higher
1.10.2	Enhancement View pull request Use ECS geo.location definition.	7.14.0 or higher 8.0.0 or higher
1.10.1	Bug fix View pull request Mark api_key config option as a required field	7.14.0 or higher 8.0.0 or higher
1.10.0	Enhancement View pull request Update package to ECS 8.4.0	7.14.0 or higher 8.0.0 or higher
1.9.2	Bug fix View pull request Fix proxy URL documentation rendering.	7.14.0 or higher 8.0.0 or higher
1.9.1	Enhancement View pull request Update package name and description to align with standard wording	7.14.0 or higher 8.0.0 or higher
1.9.0	Enhancement View pull request Update package to ECS 8.3.0.	7.14.0 or higher 8.0.0 or higher
1.8.0	Enhancement View pull request Add `okta.debug_context.debug_data.risk_level` field Enhancement View pull request Add flattened `okta.debug_context.debug_data.flattened.log_only_security_data.*` fields Bug fix View pull request Fix mapping type for `client.as.number`	7.14.0 or higher 8.0.0 or higher
1.7.0	Enhancement View pull request Add flattened `okta.request.ip_chain.*` fields	7.14.0 or higher 8.0.0 or higher
1.6.0	Enhancement View pull request Update to ECS 8.2	7.14.0 or higher 8.0.0 or higher
1.5.2	Bug fix View pull request Handle invalid values in client.ipAddress	7.14.0 or higher 8.0.0 or higher
1.5.1	Enhancement View pull request Add documentation for multi-fields	7.14.0 or higher 8.0.0 or higher
1.5.0	Enhancement View pull request Increase the limit for the number of results in an API response.	7.14.0 or higher 8.0.0 or higher
1.4.1	Enhancement View pull request Add missing field mapping for event.created.	—
1.4.0	Enhancement View pull request Update to ECS 8.0	7.14.0 or higher 8.0.0 or higher
1.3.2	Bug fix View pull request Regenerate test files using the new GeoIP database	7.14.0 or higher 8.0.0 or higher
1.3.1	Bug fix View pull request Change test public IPs to the supported subset	—
1.3.0	Enhancement View pull request Add 8.0.0 version constraint	7.14.0 or higher 8.0.0 or higher
1.2.3	Enhancement View pull request Uniform with guidelines	7.14.0 or higher
1.2.2	Enhancement View pull request Update Title and Description.	—
1.2.1	Bug fix View pull request Fix logic that checks for the 'forwarded' tag	—
1.2.0	Enhancement View pull request Update to ECS 1.12.0	7.14.0 or higher
1.1.3	Enhancement View pull request Add proxy config	—
1.1.2	Enhancement View pull request Convert to generated ECS fields	—
1.1.1	Enhancement View pull request update to ECS 1.11.0	—
1.1.0	Enhancement View pull request Update integration description	7.14.0 or higher
1.0.1	Bug fix View pull request add missing `initial_interval` option to the manifest	—
1.0.0	Enhancement View pull request make GA Enhancement View pull request Set "event.module" and "event.dataset"	7.14.0 or higher
0.6.0	Enhancement View pull request Update to ECS 1.10.0 and add event.original options	—
0.5.2	Enhancement View pull request Add httpjson system tests and remove log input.	—
0.5.1	Enhancement View pull request Make event.original optional	—
0.5.0	Enhancement View pull request change okta.target to flattened type	—
0.4.2	Bug fix View pull request add fail_on_template_error on pagination	—
0.4.1	Enhancement View pull request update to ECS 1.9.0	—
0.4.0	Enhancement View pull request Moves edge processing to ingest pipeline	—
0.3.1	Bug fix View pull request Change kibana.version constraint to be more conservative.	—
0.1.0	Enhancement View pull request initial release	—

On this page

Article navigation