
Commit 54ff457

authored
Merge branch 'falcosecurity:main' into feat/cloudtrail-ssm-request-params
2 parents e7aa923 + 24ebf63 commit 54ff457


2 files changed

+70
-53
lines changed


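--- a/plugins/okta/README.md
+++ b/plugins/okta/README.md
@@ -23,56 +23,62 @@ The event source for `okta` events is `okta`.
 # Supported Fields
 
 <!-- README-PLUGIN-FIELDS -->
-| NAME | TYPE | ARG | DESCRIPTION |
-|---------------------------------|----------|-----------------|---------------------------------------|
-| `okta.app` | `string` | None | Application |
-| `okta.org` | `string` | None | Organization |
-| `okta.evt.type` | `string` | None | Event Type |
-| `okta.evt.legacytype` | `string` | None | Event Legacy Type |
-| `okta.severity` | `string` | None | Severity |
-| `okta.message` | `string` | None | Message |
-| `okta.published` | `string` | None | Event Source Timestamp |
-| `okta.actor.id` | `string` | None | Actor ID |
-| `okta.actor.Type` | `string` | None | Actor Type |
-| `okta.actor.alternateid` | `string` | None | Actor Alternate ID |
-| `okta.actor.name` | `string` | None | Actor Display Name |
-| `okta.client.zone` | `string` | None | Client Zone |
-| `okta.client.ip` | `string` | None | Client IP Address |
-| `okta.client.device` | `string` | None | Client Device |
-| `okta.client.id` | `string` | None | Client ID |
-| `okta.client.geo.city` | `string` | None | Client Geographical City |
-| `okta.client.geo.state` | `string` | None | Client Geographical State |
-| `okta.client.geo.country` | `string` | None | Client Geographical Country |
-| `okta.client.geo.postalcode` | `string` | None | Client Geographical Postal Code |
-| `okta.client.geo.lat` | `string` | None | Client Geographical Latitude |
-| `okta.client.geo.lon` | `string` | None | Client Geographical Longitude |
-| `okta.useragent.os` | `string` | None | Useragent OS |
-| `okta.useragent.browser` | `string` | None | Useragent Browser |
-| `okta.useragent.raw` | `string` | None | Raw Useragent |
-| `okta.result` | `string` | None | Outcome Result |
-| `okta.reason` | `string` | None | Outcome Reason |
-| `okta.transaction.id` | `string` | None | Transaction ID |
-| `okta.transaction.type` | `string` | None | Transaction Type |
-| `okta.requesturi` | `string` | None | Request URI |
-| `okta.principal.id` | `string` | None | Principal ID |
-| `okta.principal.alternateid` | `string` | None | Principal Alternate ID |
-| `okta.principal.type` | `string` | None | Principal Type |
-| `okta.principal.name` | `string` | None | Principal Name |
-| `okta.authentication.step` | `string` | None | Authentication Step |
-| `okta.authentication.sessionid` | `string` | None | External Session ID |
-| `okta.security.asnumber` | `uint64` | None | Security AS Number |
-| `okta.security.asorg` | `string` | None | Security AS Org |
-| `okta.security.isp` | `string` | None | Security ISP |
-| `okta.security.domain` | `string` | None | Security Domain |
-| `okta.target.user.id` | `string` | None | Target User ID |
-| `okta.target.user.alternateid` | `string` | None | Target User Alternate ID |
-| `okta.target.user.name` | `string` | None | Target User Name |
-| `okta.target.group.id` | `string` | None | Target Group ID |
-| `okta.target.group.alternateid` | `string` | None | Target Group Alternate ID |
-| `okta.target.group.name` | `string` | None | Target Group Name |
-| `okta.target.app.alternateid` | `string` | None | Target App Alternate ID |
-| `okta.mfa.failure.countlast` | `uint64` | Index, Required | Count of MFA failures in last seconds |
-| `okta.mfa.deny.countlast` | `uint64` | Index, Required | Count of MFA denies in last seconds |
+| NAME | TYPE | ARG | DESCRIPTION |
+|------------------------------------------|----------|-----------------|---------------------------------------|
+| `okta.app` | `string` | None | Application |
+| `okta.behaviors` | `string` | None | Behaviors |
+| `okta.org` | `string` | None | Organization |
+| `okta.evt.type` | `string` | None | Event Type |
+| `okta.evt.legacytype` | `string` | None | Event Legacy Type |
+| `okta.severity` | `string` | None | Severity |
+| `okta.message` | `string` | None | Message |
+| `okta.published` | `string` | None | Event Source Timestamp |
+| `okta.logonlysecuritydata` | `string` | None | Log Only Security Data |
+| `okta.actor.id` | `string` | None | Actor ID |
+| `okta.actor.Type` | `string` | None | Actor Type |
+| `okta.actor.alternateid` | `string` | None | Actor Alternate ID |
+| `okta.actor.name` | `string` | None | Actor Display Name |
+| `okta.client.zone` | `string` | None | Client Zone |
+| `okta.client.ip` | `string` | None | Client IP Address |
+| `okta.client.device` | `string` | None | Client Device |
+| `okta.client.id` | `string` | None | Client ID |
+| `okta.client.geo.city` | `string` | None | Client Geographical City |
+| `okta.client.geo.state` | `string` | None | Client Geographical State |
+| `okta.client.geo.country` | `string` | None | Client Geographical Country |
+| `okta.client.geo.postalcode` | `string` | None | Client Geographical Postal Code |
+| `okta.client.geo.lat` | `string` | None | Client Geographical Latitude |
+| `okta.client.geo.lon` | `string` | None | Client Geographical Longitude |
+| `okta.useragent.os` | `string` | None | Useragent OS |
+| `okta.useragent.browser` | `string` | None | Useragent Browser |
+| `okta.useragent.raw` | `string` | None | Raw Useragent |
+| `okta.result` | `string` | None | Outcome Result |
+| `okta.reason` | `string` | None | Outcome Reason |
+| `okta.transaction.id` | `string` | None | Transaction ID |
+| `okta.transaction.type` | `string` | None | Transaction Type |
+| `okta.requesturi` | `string` | None | Request URI |
+| `okta.principal.id` | `string` | None | Principal ID |
+| `okta.principal.alternateid` | `string` | None | Principal Alternate ID |
+| `okta.principal.type` | `string` | None | Principal Type |
+| `okta.principal.name` | `string` | None | Principal Name |
+| `okta.authentication.step` | `string` | None | Authentication Step |
+| `okta.authentication.sessionid` | `string` | None | External Session ID |
+| `okta.authentication.provider` | `string` | None | Authentication Provider |
+| `okta.authentication.credentialprovider` | `string` | None | Credential Provider |
+| `okta.security.asnumber` | `uint64` | None | Security AS Number |
+| `okta.security.asorg` | `string` | None | Security AS Org |
+| `okta.security.isp` | `string` | None | Security ISP |
+| `okta.security.domain` | `string` | None | Security Domain |
+| `okta.security.isproxy` | `string` | None | Is Proxy |
+| `okta.target.user.id` | `string` | None | Target User ID |
+| `okta.target.user.alternateid` | `string` | None | Target User Alternate ID |
+| `okta.target.user.name` | `string` | None | Target User Name |
+| `okta.target.group.id` | `string` | None | Target Group ID |
+| `okta.target.group.alternateid` | `string` | None | Target Group Alternate ID |
+| `okta.target.group.name` | `string` | None | Target Group Name |
+| `okta.target.app.alternateid` | `string` | None | Target App Alternate ID |
+| `okta.targets.displayName` | `string` | Index | Targets Display Names |
+| `okta.mfa.failure.countlast` | `uint64` | Index, Required | Count of MFA failures in last seconds |
+| `okta.mfa.deny.countlast` | `uint64` | Index, Required | Count of MFA denies in last seconds |
 <!-- /README-PLUGIN-FIELDS -->
 
 # Development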

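--- a/plugins/okta/pkg/okta/okta.go
+++ b/plugins/okta/pkg/okta/okta.go
@@ -232,7 +232,7 @@ func (oktaPlugin *Plugin) Fields() []sdk.FieldEntry {
 {Type: "string", Name: "okta.target.group.alternateid", Desc: "Target Group Alternate ID"},
 {Type: "string", Name: "okta.target.group.name", Desc: "Target Group Name"},
 {Type: "string", Name: "okta.target.app.alternateid", Desc: "Target App Alternate ID"},
-{Type: "string", Name: "okta.target.displayName", Desc: "Target Display Name"},
+{Type: "string", Name: "okta.targets.displayName", Desc: "Targets Display Names", Arg: sdk.FieldEntryArg{IsRequired: false, IsIndex: true}},
 {Type: "uint64", Name: "okta.mfa.failure.countlast", Desc: "Count of MFA failures in last seconds", Arg: sdk.FieldEntryArg{IsRequired: true, IsIndex: true}},
 {Type: "uint64", Name: "okta.mfa.deny.countlast", Desc: "Count of MFA denies in last seconds", Arg: sdk.FieldEntryArg{IsRequired: true, IsIndex: true}},
 }
@@ -375,9 +375,20 @@ func (oktaPlugin *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) e
 req.SetValue(data.SecurityContext.Domain)
 case "okta.security.isproxy":
 req.SetValue(data.SecurityContext.IsProxy)
-case "okta.target.displayName":
+case "okta.targets.displayName":
 if len(data.Target) > 0 {
-req.SetValue(data.Target[0].DisplayName)
+if !req.ArgPresent() {
+var displayNames []string
+for _, target := range data.Target {
+displayNames = append(displayNames, target.DisplayName)
+}
+req.SetValue("(" + strings.Join(displayNames, ",") + ")")
+} else {
+arg := int(req.ArgIndex())
+if arg < len(data.Target) {
+req.SetValue(data.Target[arg].DisplayName)
+}
+}
 }
 case "okta.target.user.id":
 for _, i := range data.Target {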
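Review bot: In the indexed branch of `okta.targets.displayName`, `arg := int(req.ArgIndex())` converts before the bounds check, so an index above the int range (assuming ArgIndex returns an unsigned 64-bit value, as the conversion suggests) becomes negative, passes `arg < len(data.Target)` and panics on `data.Target[arg]`. Comparing in the unsigned domain avoids that: `if idx := req.ArgIndex(); idx < uint64(len(data.Target)) { req.SetValue(data.Target[idx].DisplayName) }`. The unindexed form joins the names as `(a,b)`, and a display name that itself contains a comma or parenthesis makes that string ambiguous for rules matching on it; if the SDK version in use supports list-valued fields, returning the `[]string` directly would be more robust for detection rules. The rename from `okta.target.displayName` probably also means existing rules that reference the old name stop resolving, which deserves a changelog line. Extract's body continues outside the hunk.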
