Auth0 Okta Modeling Rule

Modeling Rule

Okta Auth0

Details

IDauth0_okta_ModelingRule
From Version8.2.0
Tagsauth0

Rules (XIF)

[MODEL: dataset=okta_auth0_raw]
alter
	extracted_ip = json_extract_scalar(details, "$.request.ip"),
	method = json_extract_scalar(details, "$.request.method"),
	status_code = json_extract_scalar(details, "$.response.statusCode")
| alter
	ip_v4 = if(ip !~= ":", ip, null),
    ip_v6 = if(ip ~= ":", ip, null),
	extracted_ipv4 = if(extracted_ip !~= ":", extracted_ip, null),
	extracted_ipv6 = if(extracted_ip ~= ":", extracted_ip, null)
| alter
	xdm.event.type = type,
	xdm.event.description = description,
	xdm.event.operation_sub_type = connection,
	xdm.session_context_id = connection_id,
	xdm.source.agent.identifier = client_id,
	xdm.source.agent.content_version = client_name,
	xdm.source.ipv4 = ip_v4,
	xdm.source.ipv6 = ip_v6,
	xdm.source.host.hostname = hostname,
	xdm.source.user.identifier = user_id,
	xdm.source.user.username = coalesce(user_name, json_extract_scalar(details, "$.request.auth.user.name"), json_extract_scalar(details, "$.request.auth.user.email")),
	xdm.observer.content_version = coalesce(audience, json_extract_scalar(details, "$.response.body.audience")),
	xdm.source.user.scope = to_string(scope),
	xdm.observer.name = coalesce(strategy, json_extract_scalar(details, "$.request.auth.strategy")),
	xdm.observer.type = strategy_type,
	xdm.event.id = log_id,
	xdm.source.host.device_category = if(isMobile = true, "mobile", isMobile = false, "desktop/laptop/server", null),
    xdm.network.http.method = if(method = "ACL", XDM_CONST.HTTP_METHOD_ACL, method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL , method = "BIND", XDM_CONST.HTTP_METHOD_BIND, method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, method = "COPY", XDM_CONST.HTTP_METHOD_COPY, method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, method = "GET", XDM_CONST.HTTP_METHOD_GET, method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, method = "LINK", XDM_CONST.HTTP_METHOD_LINK, method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, method = "POST", XDM_CONST.HTTP_METHOD_POST, method = "PRI", XDM_CONST.HTTP_METHOD_PRI, method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, method = "PUT", XDM_CONST.HTTP_METHOD_PUT, method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, method = null, null, to_string(method)),
	xdm.source.user_agent = coalesce(json_extract_scalar(details, "$.request.userAgent"), user_agent),
	xdm.network.http.url = json_extract_scalar(details, "$.request.channel"),
	xdm.source.host.ipv4_addresses = arraycreate(extracted_ipv4),
	xdm.source.host.ipv6_addresses = arraycreate(extracted_ipv6),
	xdm.target.host.hostname = coalesce(json_extract_scalar(details, "$.response.body.name"), json_extract_scalar(details, "$.response.body.friendly_name")),
	xdm.auth.auth_method = json_extract_scalar(details, "$.response.body.default_directory"),
	xdm.network.http.content_type = arraystring(json_extract_scalar_array(details, "$.response.body.enabled_locales"), ", "),
	xdm.network.rule = details -> response.body.flags{},
	xdm.network.http.response_code = if(status_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, status_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, status_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, status_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, status_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, status_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, status_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, status_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, status_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, status_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, status_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, status_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, status_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, status_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, status_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, status_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, status_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, status_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, status_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, status_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, status_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, status_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, status_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, status_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, status_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, status_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, status_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, status_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, status_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, status_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, status_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, status_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, status_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, status_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, status_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, status_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, status_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, status_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, status_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, status_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, status_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, status_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, status_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, status_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, status_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, status_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, status_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, status_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, status_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, status_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, status_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, status_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, status_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, status_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, status_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, status_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, status_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, status_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, status_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, status_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, status_code = null, null, to_string(status_code)),
	xdm.target.module.directory = json_extract_scalar(details, "$.request.path");

Schema

okta_auth0_raw

Field Type Array?
audience string
client_id string
client_name string
connection string
connection_id string
description string
details string
hostname string
ip string
isMobile boolean
log_id string
scope string
strategy string
strategy_type string
type string
user_agent string
user_id string
user_name string
Raw JSON
{
    "okta_auth0_raw": {
        "type": {
            "type": "string",
            "is_array": false
        },
        "description": {
            "type": "string",
            "is_array": false
        },
        "connection": {
            "type": "string",
            "is_array": false
        },
        "connection_id": {
            "type": "string",
            "is_array": false
        },
        "client_id": {
            "type": "string",
            "is_array": false
        },
        "client_name": {
            "type": "string",
            "is_array": false
        },
        "ip": {
            "type": "string",
            "is_array": false
        },
        "hostname": {
            "type": "string",
            "is_array": false
        },
        "user_id": {
            "type": "string",
            "is_array": false
        },
        "user_name": {
            "type": "string",
            "is_array": false
        },
        "audience": {
            "type": "string",
            "is_array": false
        },
        "details": {
            "type": "string",
            "is_array": false
        },
        "scope": {
            "type": "string",
            "is_array": false
        },
        "strategy": {
            "type": "string",
            "is_array": false
        },
        "strategy_type": {
            "type": "string",
            "is_array": false
        },
        "log_id": {
            "type": "string",
            "is_array": false
        },
        "isMobile": {
            "type": "boolean",
            "is_array": false
        },
        "user_agent": {
            "type": "string",
            "is_array": false
        }
    }
}