Collect Okta logs
This document explains how to ingest Okta logs into Google Security Operations through the Okta API. The parser extracts system log records, processing both single events and batched events in a JSON array. It normalizes the data to the UDM format, mapping Okta fields to their UDM equivalents, enriching the data with parsed user agents, geographic information and authentication details, and generating security result events based on outcomes and risk information.
Before you begin
- Google SecOps instance
- Privileged access to Okta
How to configure Okta
To configure Okta SSO, complete the following tasks:
Create a read-only Okta administrative user
- Sign in to the Okta Admin Console.
- Create a standard user:
  - Go to Directory > People.
  - Click Add person and fill in the required fields.
- Select Security > Administrators.
- Click Add administrator.
- In the Admin assignment by admin field, find the standard user.
- In the Roles section, select Read-only Administrator from the list.
- Sign out of the administrator account.
Get the API key
- Sign in to the Okta Admin Console as the read-only administrator user.
- Go to Security > API > Tokens.
- Click Create token.
- Give the token a meaningful name.
- Specify the IP zone where the API will be used (you can select Any IP if you are not sure).
- Click Create token.
- Copy the API key.
- Click OK.
Configure feeds
There are two different entry points for configuring feeds in the Google SecOps platform:
- SIEM Settings > Feeds > Add New Feed
- Content Hub > Content Packs > Get Started
How to configure the Okta feed
To configure this log type, follow these steps:
- Click the Okta pack.
- Locate the Okta log type.
- Specify values for the following fields:
  - Source type: Third party API (recommended)
  - Authentication HTTP header: enter the Okta API key in the following format: Authorization:<API_KEY>.
  - API hostname: specify the domain name of your Okta host (for example, <your-domain>.okta.com).
  - Asset namespace: the asset namespace.
  - Ingestion labels: the label applied to events from this feed.
Advanced options
- Feed name: a prepopulated value that identifies the feed.
- Asset namespace: the namespace associated with the feed.
- Ingestion labels: labels applied to all events from this feed.
- Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM mapping table
| Log field | UDM mapping | Remark |
|---|---|---|
| actor.displayName | principal.resource.attribute.labels | |
| assigned_group[] | security_result.detection_fields | |
| created | target.resource.attribute.labels | |
| credentials.oauthClient.autoKeyRotation | security_result.detection_fields | |
| credentials.oauthClient.pkce_required | security_result.detection_fields | |
| credentials.oauthClient.token_endpoint_auth_method | security_result.detection_fields | |
| credentials.signing.kid | security_result.detection_fields | |
| credentials.userNameTemplate.pushStatus | security_result.detection_fields | |
| credentials.userNameTemplate.template | metadata.product_event_type | |
| credentials.userNameTemplate.type | security_result.detection_fields | |
| id | principal.user.userid | |
| label | target.resource.attribute.labels | |
| lastUpdated | target.resource.attribute.labels | |
| orn | target.resource.attribute.labels | |
| settings.implicitAssignment | security_result.detection_fields | |
| settings.manualProvisioning | security_result.detection_fields | |
| settings.notifications.vpn.network.connection | security_result.detection_fields | |
| settings.notifications.vpn.network.helpUrl | security_result.detection_fields | |
| settings.notifications.vpn.network.message | security_result.detection_fields | |
| settings.oauthClient.application_type | security_result.detection_fields | |
| settings.oauthClient.client_uri | security_result.detection_fields | |
| settings.oauthClient.consent_method | security_result.detection_fields | |
| settings.oauthClient.dpop_bound_access_tokens | security_result.detection_fields | |
| settings.oauthClient.grant_types[] | security_result.detection_fields | |
| settings.oauthClient.idp_initiated_login.mode | security_result.detection_fields | |
| settings.oauthClient.initiate_login_uri | security_result.detection_fields | |
| settings.oauthClient.issuer_mode | security_result.detection_fields | |
| settings.oauthClient.logo_uri | security_result.detection_fields | |
| settings.oauthClient.pkce_required | security_result.detection_fields | |
| settings.oauthClient.redirect_uris[] | security_result.detection_fields | |
| settings.oauthClient.response_types[] | security_result.detection_fields | |
| settings.oauthClient.token_endpoint_auth_method | security_result.detection_fields | |
| settings.oauthClient.wildcard_redirect | security_result.detection_fields | |
| settings.signOn.acsUrl | security_result.detection_fields | |
| settings.signOn.assertionSigned | security_result.detection_fields | |
| settings.signOn.attributeStatements[0].filterType | security_result.detection_fields | |
| settings.signOn.attributeStatements[0].filterValue | security_result.detection_fields | |
| settings.signOn.attributeStatements[0].name | security_result.detection_fields | |
| settings.signOn.attributeStatements[0].namespace | security_result.detection_fields | |
| settings.signOn.attributeStatements[0].type | security_result.detection_fields | |
| settings.signOn.audience | security_result.detection_fields | |
| settings.signOn.authnContextClassRef | security_result.detection_fields | |
| settings.signOn.defaultRelayState | security_result.detection_fields | |
| settings.signOn.destination | security_result.detection_fields | |
| settings.signOn.digestAlgorithm | security_result.detection_fields | |
| settings.signOn.idpIssuer | security_result.detection_fields | |
| settings.signOn.recipient | security_result.detection_fields | |
| settings.signOn.responseSigned | security_result.detection_fields | |
| settings.signOn.signatureAlgorithm | security_result.detection_fields | |
| settings.signOn.subjectNameIdFormat | security_result.detection_fields | |
| settings.signOn.subjectNameIdTemplate | security_result.detection_fields | |
| signOnMode | security_result.detection_fields | |
| status | security_result.detection_fields | |
| visibility.appLinks.oidc_client_link | security_result.detection_fields | |
| visibility.autoSubmitToolbar | security_result.detection_fields | |
| visibility.hide.iOS | security_result.detection_fields | |
| visibility.hide.web | security_result.detection_fields | |
| N/A | metadata.vendor_name | Set to Okta. |
| N/A | metadata.product_name | Set to Okta. |
| N/A | extensions.auth.type | Set to SSO. |
Array mapping table
The following table shows how Okta array elements map to repeated UDM fields.
| Log array | Event array | Remark |
|---|---|---|
| actor.alternateId | TBD | |
| actor.displayName | principal.user.user_display_name | When eventType is application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| actor.displayName | principal.user.user_display_name | When eventType is not application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| actor.type | principal.user.attribute.roles.name | When eventType is application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| actor.type | principal.user.attribute.roles.name | When eventType is not application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| anonymous | security_result.detection_fields | |
| authenticationContext.externalSessionId | network.parent_session_id | |
| client.device | principal.asset.type | Supports: LINUX, WINDOWS, MAC, IOS, ANDROID and CHROME_OS |
| client.device | additional.fields | Event_type |
| client.geographicalContext.city | principal.location.city | |
| client.geographicalContext.country | principal.location.country_or_region | |
| client.geographicalContext.geolocation.lat | principal.location.region_latitude | |
| client.geographicalContext.geolocation.lon | principal.location.region_longitude | |
| client.geographicalContext.postalCode | additional.fields | |
| client.geographicalContext.postalCode | target.resource.attribute.labels | |
| client.ipAddress | principal.ip | |
| client.userAgent | network.http.user_agent, network.http.parsed_user_agent | |
| client.userAgent.browser | target.resource.attribute.labels | |
| client.userAgent.os | principal.platform | |
| client.userAgent.os | principal.platform | |
| client.userAgent.rawUserAgent | network.http.user_agent, network.http.parsed_user_agent | |
| client.zone | additional.fields | Event_type |
| debugContext.debugData.behaviors.New City | security_result.detection_fields | |
| debugContext.debugData.behaviors.New Country | security_result.detection_fields | |
| debugContext.debugData.behaviors.New Device | security_result.detection_fields | |
| debugContext.debugData.behaviors.New Geo-Location | security_result.detection_fields | |
| debugContext.debugData.behaviors.New IP | security_result.detection_fields | |
| debugContext.debugData.behaviors.New State | security_result.detection_fields | |
| debugContext.debugData.behaviors.Velocity | security_result.detection_fields | |
| debugContext.debugData.clientAddress | principal.ip, principal.asset.ip | |
| debugContext.debugData.dtHash | security_result.detection_fields | |
| debugContext.debugData.factor | security_result.detection_fields | |
| debugContext.debugData.factorIntent | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.behaviors | security_result.description | |
| debugContext.debugData.logOnlySecurityData.behaviors.New City | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.behaviors.New Country | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.behaviors.New Device | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.behaviors.New Geo-Location | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.behaviors.New IP | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.behaviors.New State | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.behaviors.Velocity | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.risk.reasons | security_result.detection_fields | |
| debugContext.debugData.logOnlySecurityData.risk.reasons | security_result.description | |
| debugContext.debugData.logOnlySecurityData.risk.level | security_result.severity_details | |
| debugContext.debugData.logOnlySecurityData.url | target.url | |
| debugContext.debugData.privilegeGranted[] | target.user.attribute.roles.name, target.user.attribute.roles.description | |
| debugContext.debugData.pushOnlyResponseType | security_result.detection_fields | |
| debugContext.debugData.pushWithNumberChallengeResponseType | security_result.detection_fields | |
| debugContext.debugData.requestUri | extensions.auth.auth_details | |
| debugContext.debugData.requestUri | target.url | |
| debugContext.debugData.risk | security_result.detection_fields | Reasons mapped to security_result.detection_fields. |
| debugContext.debugData.suspiciousActivityEventId | security_result.detection_fields | |
| debugContext.debugData.suspiciousActivityEventType | security_result.detection_fields | |
| debugContext.debugData.threatDetections | security_result.detection_fields | |
| debugContext.debugData.threatSuspected | security_result.detection_fields, security_result.threat_status | |
| debugContext.debugData.threatSuspected | security_result.detection_fields, security_result.threat_status | |
| debugContext.debugData.tunnels[].anonymous | security_result.detection_fields | |
| debugContext.debugData.tunnels[].operator | security_result.detection_fields | |
| debugContext.debugData.tunnels[].type | security_result.detection_fields | |
| debugContext.debugData.tunnels.n.anonymous | security_result.detection_fields | |
| debugContext.debugData.tunnels.n.operator | security_result.detection_fields | |
| debugContext.debugData.tunnels.n.type | security_result.detection_fields | |
| detail.actor.id | principal.user.product_object_id | When eventType is application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| detail.actor.id | principal.user.product_object_id | When eventType is not application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| detail.authenticationContext.externalSessionId | network.parent_session_id | |
| detail.client.ipChain.0.ip, client.ipAddress | principal.ip, principal.asset.ip | |
| detail.debugContext.debugData.dtHash | security_result.detection_fields | |
| detail.debugContext.debugData.factor | security_result.detection_fields | |
| detail.debugContext.debugData.factorIntent | security_result.detection_fields | |
| detail.debugContext.debugData.pushOnlyResponseType | security_result.detection_fields | |
| detail.debugContext.debugData.pushWithNumberChallengeResponseType | security_result.detection_fields | |
| detail.debugContext.debugData.requestUri | target.url | |
| detail.eventType | metadata.product_event_type | |
| detail.outcome.reason | security_result.category_details | |
| detail.outcome.result | security_result.action | |
| detail.request.ipChain.0.geographicalContext.city | principal.location.city | |
| detail.request.ipChain.0.geographicalContext.country | principal.location.country_or_region | |
| detail.request.ipChain.0.geographicalContext.state | principal.location.state | |
| detail.severity | security_result.severity | |
| detail.target.0.alternateId | See the remark. | tgtuser_id => target.user.userid; %{tgtusername}@%{tgtdomain} => target.user.email_addresses |
| detail.target.0.displayName | target.application, target.resource.name | |
| detail.target.0.displayName | target.user.user_display_name | |
| detail.target.0.detailEntry.policyType | target.resource_ancestors.attribute.labels | |
| detail.target.0.id | target.resource.product_object_id | |
| detail.target.0.id | target.resource_ancestors.product_object_id | |
| detail.target.0.type | target.resource.resource_subtype | |
| detail.target.0.type | target.resource_ancestors.resource_subtype | |
| detail.uuid | metadata.product_log_id | |
| displayMessage | security_result.summary | |
| extensions.auth.type | SSO | Event_type |
| extensions.auth.type | SSO | When msg.target.type is anything other than AppInstance, PolicyEntity, PolicyRule or User. |
| eventType | metadata.product_event_type | |
| eventType, detail.eventType | metadata.product_event_type | |
| json_array.n.actor.id | principal.user.product_object_id | |
| mapped data.fields to fields | | |
| metadata.product_name | Okta | Event_type |
| metadata.vendor_name | Okta | Event_type |
| msg.actor.alternateId | See the remark. | If parsing fails, this is mapped to principal.user.userid; otherwise the username is mapped to principal.user.userid or username@domain to principal.user.email_addresses. |
| msg.actor.displayName | principal.user.user_display_name | |
| msg.actor.type | principal.user.attribute.roles.name | |
| msg.authenticationContext.authenticationProvider | security_result.detection_fields | Event_type |
| msg.authenticationContext.credentialProvider | security_result.detection_fields | Event_type |
| msg.authenticationContext.externalSessionId | network.parent_session_id | |
| msg.client.device | principal.asset.type | Supports: MOBILE, WORKSTATION, LAPTOP, IOT, NETWORK_ATTACHED_STORAGE, PRINTER, SCANNER, SERVER, TAPE_LIBRARY |
| msg.client.geographicalContext.city | principal.location.city | |
| msg.client.geographicalContext.country | principal.location.country_or_region | |
| msg.client.geographicalContext.geolocation.lat | principal.location.region_latitude | |
| msg.client.geographicalContext.geolocation.lon | principal.location.region_longitude | |
| msg.client.geographicalContext.postalCode | additional.fields | |
| msg.client.geographicalContext.state | principal.location.state | |
| msg.client.ipAddress | principal.ip | |
| msg.client.userAgent.browser | target.resource.attribute.labels | |
| msg.client.userAgent.os | principal.platform | Supports: LINUX, WINDOWS, MAC, IOS, ANDROID and CHROME_OS |
| msg.client.userAgent.rawUserAgent | network.http.user_agent, network.http.parsed_user_agent | |
| msg.debugContext.debugData.dtHash | security_result.detection_fields | |
| msg.debugContext.debugData.factor | security_result.detection_fields | |
| msg.debugContext.debugData.factorIntent | security_result.detection_fields | |
| msg.debugContext.debugData.logOnlySecurityData.behaviors | security_result.description | |
| msg.debugContext.debugData.logOnlySecurityData.risk.reasons | security_result.detection_fields | |
| msg.debugContext.debugData.logOnlySecurityData.url | target.url | |
| msg.debugContext.debugData.pushOnlyResponseType | security_result.detection_fields | |
| msg.debugContext.debugData.pushWithNumberChallengeResponseType | security_result.detection_fields | |
| msg.debugContext.debugData.requestUri | extensions.auth.auth_details | |
| msg.debugContext.debugData.threatSuspected | security_result.detection_fields, security_result.threat_status | |
| msg.displayMessage | security_result.summary | |
| msg.eventType | metadata.product_event_type | |
| msg.legacyEventType | security_result.detection_fields | |
| msg.outcome.reason | security_result.category_details | |
| msg.outcome.result | security_result.action | |
| msg.published | metadata.event_timestamp | |
| msg.request.ipChain.n.geographicalContext.city | intermediary[n].location.city | |
| msg.request.ipChain.n.geographicalContext.country | intermediary[n].location.country_or_region | |
| msg.request.ipChain.n.geographicalContext.geolocation.lat | intermediary[n].location.region_latitude | |
| msg.request.ipChain.n.geographicalContext.geolocation.lon | intermediary[n].location.region_longitude | |
| msg.request.ipChain.n.geographicalContext.state | intermediary[n].location.state | |
| msg.request.ipChain.n.ip | intermediary[n].ip | |
| msg.securityContext.asNumber | security_result.detection_fields | |
| msg.securityContext.asOrg | security_result.detection_fields | |
| msg.securityContext.domain | security_result.detection_fields | |
| msg.securityContext.isProxy | security_result.detection_fields | |
| msg.securityContext.isp | security_result.detection_fields | |
| msg.severity | security_result.severity | |
| msg.target.alternateId (when msg.target.type == User) | target.user.email_addresses | When msg.target.type = User. However, if parsing fails, this element is mapped to target.user.userid; otherwise target_user_name is mapped to target.user.userid. |
| msg.target.detailEntry.policyType | target.resource_ancestors.attribute.labels | When msg.target.type = PolicyEntity. |
| msg.target.detailEntry.signOnModeType | security_result.detection_fields | When msg.target.type is anything other than AppInstance, PolicyEntity, PolicyRule or User. |
| msg.target.displayName | additional.fields | |
| msg.target.displayName | about.resource.name | When msg.target.type is anything other than AppInstance, PolicyEntity, PolicyRule or User. |
| msg.target.displayName | principal.user.user_display_name | When msg.target.type = User. |
| msg.target.displayName | target.application | When msg.target.type = AppInstance. |
| msg.target.displayName | target.resource.name | When msg.target.type = AppInstance. |
| msg.target.displayName | target.resource.name | When msg.target.type = PolicyRule. |
| msg.target.displayName | target.resource_ancestors.name | When msg.target.type = PolicyEntity. |
| msg.target.id | about.resource.product_object_id | When msg.target.type is anything other than AppInstance, PolicyEntity, PolicyRule or User. |
| msg.target.id | target.resource.product_object_id | When msg.target.type = AppInstance. |
| msg.target.id | target.resource.product_object_id | When msg.target.type = PolicyRule. |
| msg.target.id | target.resource_ancestors.product_object_id | When msg.target.type = PolicyEntity. |
| msg.target.id | target.user.product_object_id | When msg.target.type = User. |
| msg.target.type | about.resource.resource_subtype | When msg.target.type is anything other than AppInstance, PolicyEntity, PolicyRule or User. |
| msg.target.type | target.resource.resource_subtype | When msg.target.type = AppInstance. |
| msg.target.type | target.resource.resource_subtype | When msg.target.type = PolicyRule. |
| msg.target.type | target.resource_ancestors.resource_subtype | When msg.target.type = PolicyEntity. |
| msg.target.type | target.user.attribute.roles.name | When msg.target.type = User. |
| msg.transaction.id | network.session_id | |
| msg.transaction.type | additional.fields | Event_type |
| msg.uuid | metadata.product_log_id | |
| operator | security_result.detection_fields | |
| outcome.reason, detail.outcome.reason | security_result.category_details | |
| outcome.result, detail.outcome.result | security_result.action | |
| profile.displayName | principal.user.user_display_name | |
| profile.email | principal.user.email_addresses | |
| profile.login | principal.user.userid | username => principal.user.userid |
| published | metadata.event_timestamp | |
| published | metadata.event_timestamp | |
| request.ipChain.0.geographicalContext.city, detail.request.ipChain.0.geographicalContext.city | principal.location.city | |
| request.ipChain.0.geographicalContext.country, detail.request.ipChain.0.geographicalContext.country | principal.location.country_or_region | |
| request.ipChain.0.geographicalContext.state, detail.request.ipChain.0.geographicalContext.state | principal.location.state | |
| request.ipChain.0.ip | principal.ip, principal.asset.ip | |
| request.ipChain.1.geographicalContext.city | intermediary.location.city | |
| request.ipChain.1.geographicalContext.country | intermediary.location.country_or_region | |
| request.ipChain.1.geographicalContext.state | intermediary.location.state | |
| securityContext.asNumber | security_result.detection_fields | |
| securityContext.asOrg | security_result.detection_fields | |
| securityContext.domain | security_result.detection_fields | |
| securityContext.isProxy | security_result.detection_fields | |
| securityContext.isProxy | security_result.detection_fields, additional.fields | |
| securityContext.isp | security_result.detection_fields | |
| severity, detail.severity | security_result.severity | |
| target[].alternateId | target.resource.attribute.labels | |
| target[].detailEntry.methodTypeUsed | target.resource_ancestors.attribute.labels | |
| target[].detailEntry.methodUsedVerifiedProperties | target.resource_ancestors.attribute.labels | |
| target[].detailEntry.policyRuleFactorMode | security_result.detection_fields | |
| target[].detailEntry.policyType | target.resource_ancestors.attribute.labels | |
| target[].detailEntry.signOnModeType | security_result.detection_fields | |
| target[].displayName | additional.fields | |
| target[].displayName | target.application, target.resource.name | |
| target[].displayName | target.resource.name | |
| target[].displayName | target.resource_ancestors.name | |
| target[].id | target.resource.product_object_id | |
| target[].id | target.resource_ancestors.product_object_id | |
| target[].type | target.resource.resource_subtype | |
| target[].type | target.resource_ancestors.resource_subtype | |
| target.0.alternateId | See the remark. | tgtuser_id => target.user.userid; %{tgtusername}@%{tgtdomain} => target.user.email_addresses |
| target.0.detailEntry.clientAppId | target.asset_id | |
| target.0.displayName, detail.target.0.displayName | target.user.user_display_name | |
| target.0.displayName/target.1.displayName | target.user.group_identifiers | |
| target.0.id | target.user.product_object_id | |
| target.0.type, detail.target.0.type | target.user.attribute.roles.name | |
| target.1.alternateId | See the remark. | tgtuser_id => target.user.userid; %{tgtusername}@%{tgtdomain} => target.user.email_addresses |
| target.1.detailEntry.clientAppId | target.asset_id | |
| target.1.displayName | target.user.user_display_name | |
| target.1.id | target.user.product_object_id | |
| target.1.type | target.user.attribute.roles.name | |
| transaction.id | network.session_id | |
| type | security_result.detection_fields | |
| user_agent.browser | target.resource.attribute.labels | |
| user_email | principal.user.email_addresses | When eventType is application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| user_email | principal.user.email_addresses | When eventType is not application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| user_id | principal.user.userid | When eventType is application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| user_id | principal.user.userid | When eventType is not application.user_membership.update, policy.rule.update or user.authentication.auth_via_radius. |
| uuid | metadata.product_log_id | |
| uuid | metadata.product_log_id | |
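As an added illustration (not Google SecOps parser code), the following Python applies a few of the rules from the table above to a constructed Okta System Log payload: it accepts either one event or a JSON array of events, splits alternateId into userid and email_addresses as the remark describes, routes msg.target entries by msg.target.type, and assigns the current event_type for the eventTypes listed in the delta table further down. The GENERIC_EVENT fallback for unlisted eventTypes and the sample events are this example's own assumptions.

```python
import json

# Current event_type for the Okta eventTypes in the delta table on this page.
EVENT_TYPE_BY_OKTA = {
    "app.oauth2.as.authorize": "USER_LOGIN",
    "app.oauth2.as.authorize.code": "USER_LOGIN",
    "app.oauth2.as.authorize.implicit.access_token": "USER_LOGIN",
    "app.oauth2.as.authorize.implicit.id_token": "USER_LOGIN",
    "app.oauth2.authorize.code": "USER_LOGIN",
    "app.oauth2.token.grant": "USER_LOGIN",
    "application.user_membership.remove": "USER_CHANGE_PERMISSIONS",
    "application.user_membership.update": "USER_CHANGE_PERMISSIONS",
    "user.authentication.auth_via_AD_agent": "USER_UNCATEGORIZED",
    "user.authentication.slo": "USER_LOGOUT",
}

def split_alternate_id(alternate_id):
    """alternateId rule from the table: user@domain -> userid + email_addresses;
    a value that does not parse as an address -> userid only."""
    if alternate_id and "@" in alternate_id:
        username, domain = alternate_id.rsplit("@", 1)
        if username and domain:
            return {"userid": username, "email_addresses": [alternate_id]}
    return {"userid": alternate_id} if alternate_id else {}

def map_target(target, udm):
    """Route one msg.target[] entry by msg.target.type, as the table does."""
    kind = target.get("type")
    entry = {"name": target.get("displayName"), "product_object_id": target.get("id"), "resource_subtype": kind}
    if kind == "User":
        udm["target"]["user"] = {**split_alternate_id(target.get("alternateId")),
                                 "product_object_id": target.get("id"),
                                 "attribute": {"roles": [{"name": kind}]}}
    elif kind in ("AppInstance", "PolicyRule"):
        udm["target"]["resource"] = entry
        if kind == "AppInstance":
            udm["target"]["application"] = target.get("displayName")
    elif kind == "PolicyEntity":
        udm["target"].setdefault("resource_ancestors", []).append(entry)
    else:  # every other target type lands under about.resource
        udm.setdefault("about", []).append({"resource": entry})

def normalize_event(msg):
    actor, client = msg.get("actor") or {}, msg.get("client") or {}
    outcome, ev = msg.get("outcome") or {}, msg.get("eventType")
    sec = ((msg.get("debugContext") or {}).get("debugData") or {}).get("logOnlySecurityData") or {}
    udm = {
        # the GENERIC_EVENT fallback is this example's choice, not the parser's rule
        "metadata": {"vendor_name": "Okta", "product_name": "Okta", "product_event_type": ev,
                     "event_type": EVENT_TYPE_BY_OKTA.get(ev, "GENERIC_EVENT"),
                     "product_log_id": msg.get("uuid"), "event_timestamp": msg.get("published")},
        "extensions": {"auth": {"type": "SSO"}},
        "principal": {"user": {**split_alternate_id(actor.get("alternateId")),
                               "user_display_name": actor.get("displayName"),
                               "attribute": {"roles": [{"name": actor.get("type")}]}},
                      "ip": [client["ipAddress"]] if client.get("ipAddress") else []},
        "security_result": [{"action": outcome.get("result"), "category_details": outcome.get("reason"),
                             "summary": msg.get("displayMessage"), "severity": msg.get("severity"),
                             "severity_details": (sec.get("risk") or {}).get("level")}],
        "target": {},
    }
    for target in msg.get("target") or []:
        map_target(target, udm)
    return udm

def normalize(raw):
    """Accept one event object or a JSON array of events, as the parser does."""
    data = json.loads(raw)
    return [normalize_event(e) for e in (data if isinstance(data, list) else [data])]

# Constructed sample batch (not real Okta data): a token grant and a logout.
SAMPLE_BATCH = json.dumps([
    {"uuid": "evt-1", "published": "2025-09-01T10:00:00.000Z", "eventType": "app.oauth2.token.grant",
     "severity": "INFO", "displayMessage": "OAuth2 token grant", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com", "displayName": "Alice Example", "type": "User"},
     "client": {"ipAddress": "203.0.113.10"},
     "debugContext": {"debugData": {"logOnlySecurityData": {"risk": {"level": "LOW"}}}},
     "target": [{"type": "AppInstance", "id": "0oa-app-1", "displayName": "Payroll"}]},
    {"uuid": "evt-2", "published": "2025-09-01T10:05:00.000Z", "eventType": "user.authentication.slo",
     "severity": "INFO", "actor": {"alternateId": "svc-account", "type": "User"},
     "outcome": {"result": "FAILURE", "reason": "Session not found"},
     "target": [{"type": "User", "id": "00u-2", "alternateId": "bob@example.com"}]},
])
```

Running `normalize(SAMPLE_BATCH)` yields two UDM dicts; the first carries `USER_LOGIN` with `principal.user.userid` `alice` and `target.application` `Payroll`, the second `USER_LOGOUT` with a userid-only principal and an e-mail target user.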
UDM mapping delta reference
On 26 August 2025, Google SecOps released a new version of the Okta parser that includes significant changes to the mapping of Okta log fields to UDM fields, as well as changes to the event type mapping.
Log field mapping delta
The following table shows the mapping delta for Okta log fields exposed before and after 26 August 2025 (shown in the Old mapping and Current mapping columns, respectively).
| Log field | Old mapping | Current mapping |
|---|---|---|
| client.geographicalContext.geolocation.lat | target.location.region_latitude | principal.location.region_coordinates.latitude |
| client.geographicalContext.geolocation.lon | target.location.region_longitude | principal.location.region_coordinates.longitude |
| created | target.resource.attribute.labels | metadata.event_timestamp |
| debugContext.debugData.authnRequestId | additional.fields | security_result.detection_fields |
| debugContext.debugData.factorType | additional.fields | security_result.detection_fields |
| debugContext.debugData.traceId | additional.fields | security_result.detection_fields |
| debugContext.debugData.tunnels.anonymous | security_result.detection_fields | network.proxy_info.anonymous |
| lastUpdated | target.resource.attribute.labels | target.resource.attribute.last_update_time |
| platform when the platform is iOS | principal.platform = MAC | principal.platform = IOS |
| securityContext.asOrg | security_result.detection_fields | network.organization_name |
| securityContext.isProxy | additional.fields | network.is_proxy |
| target.detailEntry.methodTypeUsed | target.resource.attribute.labels | security_result.detection_fields |
| target.detailEntry.methodUsedVerifiedProperties | target.resource.attribute.labels | security_result.detection_fields |
Event type mapping delta
Several events that were previously classified as generic events are now correctly classified with meaningful event types.
The following table shows the difference in how Okta event types were processed before and after 26 August 2025 (shown in the Old event_type and Current event_type columns, respectively).
| Log eventType | Old event_type | Current event_type |
|---|---|---|
| app.oauth2.as.authorize | USER_UNCATEGORIZED | USER_LOGIN |
| app.oauth2.as.authorize.code | USER_UNCATEGORIZED | USER_LOGIN |
| app.oauth2.as.authorize.implicit.access_token | USER_UNCATEGORIZED | USER_LOGIN |
| app.oauth2.as.authorize.implicit.id_token | USER_UNCATEGORIZED | USER_LOGIN |
| app.oauth2.authorize.code | USER_UNCATEGORIZED | USER_LOGIN |
| app.oauth2.token.grant | USER_UNCATEGORIZED | USER_LOGIN |
| application.user_membership.remove | USER_UNCATEGORIZED | USER_CHANGE_PERMISSIONS |
| application.user_membership.update | STATUS_UPDATE | USER_CHANGE_PERMISSIONS |
| user.authentication.auth_via_AD_agent | STATUS_UPDATE | USER_UNCATEGORIZED |
| user.authentication.slo | USER_UNCATEGORIZED | USER_LOGOUT |