Rules (XIF)
[MODEL: dataset=okta_okta_raw]
filter
eventType in ("app.ad.api.user_import.account_locked","app.app_instance.csr.generate","app.app_instance.csr.publish","app.app_instance.csr.revoke","app.app_instance.provision_sync_job.completed","app.app_instance.provision_sync_job.failed","app.app_instance.provision_sync_job.started","app.audit_report.download.local.active","app.audit_report.download.local.deprov","app.audit_report.download.rogue.report","app.generic.unauth_app_access_attempt","app.inbound_del_auth.login_success","app.keys.clone","app.keys.generate","app.keys.rotate","app.ldap.password.change.failed","app.office365.api.change.domain.federation.success","app.office365.api.error.ad.user","app.office365.api.error.check.user.exists","app.office365.api.error.create.user","app.office365.api.error.deactivate.user","app.office365.api.error.download.custom.objects","app.office365.api.error.download.groups","app.office365.api.error.download.users","app.office365.api.error.endpoint.unavailable","app.office365.api.error.get.company.dirsync.failure","app.office365.api.error.get.company.dirsync.status.failure","app.office365.api.error.get.company.dirsync.status.pending","app.office365.api.error.get.object.ids.by.group.id","app.office365.api.error.group.create.failure","app.office365.api.error.group.create.failure.name.in.use","app.office365.api.error.group.delete.failure","app.office365.api.error.group.membership.update.assignment.failure","app.office365.api.error.group.membership.update.failure","app.office365.api.error.group.membership.update.group.not.found.failure","app.office365.api.error.group.membership.update.removal.failure","app.office365.api.error.group.update.failure","app.office365.api.error.group.update.failure.not.found","app.office365.api.error.import.profile","app.office365.api.error.no.endpoints.found","app.office365.api.error.push.password","app.office365.api.error.push.profile","app.office365.api.error.reactivate.user","app.office365.api.error.remove.domain.federation.failure","app.office365.api.error.remove.domain.federation.failure.access.denied","app.office365.api.error.remove.domain.federation.failure.domain.not.found","app.office365.api.error.revoke.refresh.token","app.office365.api.error.set.company.dirsync.failure","app.office365.api.error.set.company.dirsync.status.failure","app.office365.api.error.set.domain.federation.failure","app.office365.api.error.set.domain.federation.failure.access.denied","app.office365.api.error.set.domain.federation.failure.domain.default","app.office365.api.error.set.domain.federation.failure.domain.not.found","app.office365.api.error.sync.contact","app.office365.api.error.sync.finalize","app.office365.api.error.sync.group","app.office365.api.error.sync.not.activated","app.office365.api.error.sync.set.attribute","app.office365.api.error.sync.user","app.office365.api.error.unable.to.create.graph.client","app.office365.api.error.validate.admin.creds","app.office365.api.error.validate.creds","app.office365.api.error.validate.creds.unknown.exception","app.office365.api.error.x-ms-forwarded-client-ip-header.absent","app.office365.api.remove.domain.federation.success","app.office365.api.set.domain.federation.success","app.office365.api.sync.complete","app.office365.api.sync.heartbeat.sent","app.office365.api.sync.job.complete","app.office365.api.sync.job.complete.contact","app.office365.api.sync.job.complete.group","app.office365.api.sync.job.complete.user","app.office365.clientplatform.conversion.job.processing.app.instance","app.office365.clientplatform.conversion.job.skipping.migration","app.office365.dirsync.skipping.conflict-object","app.office365.dirsync.skipping.critical-system-object","app.office365.dirsync.skipping.non-security-group-invalid-mail","app.office365.dirsync.skipping.reserved-attribute-value","app.office365.dirsync.skipping.systemmailbox","app.office365.dirsync.skipping.without-name-and-displayname","app.office365.error.importing.user","app.office365.graph.api.error.no.mailbox.found","app.office365.graph.api.error.rate-limit.exceeded","app.office365.graph.api.error.service.principal.creation.failed","app.office365.service.principal.cleanup.job.complete","app.office365.service.principal.cleanup.job.invalid.credentials","app.office365.service.principal.cleanup.job.processing","app.office365.service.principal.cleanup.job.skipping.missing.creds","app.office365.service.principal.cleanup.job.skipping.no.service.principal","app.office365.service.principal.cleanup.job.unable.to.delete.service.principal","app.office365.user.delete.success","app.office365.user.lifecycle.action.failed","app.office365.user.remove.licenses.success","app.radius.agent.listener.failed","app.radius.agent.listener.succeeded","app.radius.agent.port_inaccessible","app.radius.agent.port_reaccessible","app.radius.info_access.no_permission","app.radius.info_access.partial_permission","app.realtimesync.import.details.add_user","app.realtimesync.import.details.delete_user","app.realtimesync.import.details.update_user","app.saml.sensitive.attribute.update","app.user_management.grouppush.mapping.created.from.rule","app.user_management.grouppush.mapping.created.from.rule.error.duplicate","app.user_management.grouppush.mapping.created.from.rule.error.validation","app.user_management.grouppush.mapping.created.from.rule.errors","app.user_management.grouppush.mapping.okta.users.ignored","app.user_management.push_new_user_success","app.user_management.update_from_master_failed","app.user_management.user_group_import.create_failure","app.user_management.user_group_import.delete_success","app.user_management.user_group_import.update_failure","app.user_management.user_group_import.upsert_fail","app.user_management.user_group_import.upsert_success","application.configuration.disable_delauth_outbound","application.configuration.disable_fed_broker_mode","application.configuration.enable_delauth_outbound","application.configuration.enable_fed_broker_mode","application.configuration.reset_logo","application.configuration.update","application.configuration.update_api_credentials_for_pass_change","application.configuration.update_logo","application.lifecycle.activate","application.lifecycle.create","application.lifecycle.deactivate","application.lifecycle.delete","application.lifecycle.update","application.policy.sign_on.deny_access","application.policy.sign_on.rule.create","application.policy.sign_on.rule.delete","application.policy.sign_on.update","application.provision.field_mapping_rule.change","application.provision.group.add","application.provision.group.import","application.provision.group.remove","application.provision.group.update","application.provision.group.verify_exists","application.provision.group_membership.add","application.provision.group_membership.import","application.provision.group_membership.remove","application.provision.group_membership.update","application.provision.group_push.activate_mapping","application.provision.group_push.delete_appgroup","application.provision.group_push.mapping.and.groups.deleted.rule.deleted","application.provision.group_push.mapping.app.group.renamed","application.provision.group_push.mapping.app.group.renamed.failed","application.provision.group_push.mapping.created","application.provision.group_push.mapping.created.from.rule.warning.duplicate.name","application.provision.group_push.mapping.created.from.rule.warning.duplicate.name.tobecreated","application.provision.group_push.mapping.created.from.rule.warning.upsertGroup.duplicate.name","application.provision.group_push.mapping.deactivated.source.group.renamed","application.provision.group_push.mapping.deactivated.source.group.renamed.failed","application.provision.group_push.mapping.update.or.delete.failed","application.provision.group_push.mapping.update.or.delete.failed.with.error","application.provision.group_push.push_memberships","application.provision.group_push.pushed","application.provision.group_push.removed","application.provision.group_push.updated","application.provision.integration.call_api","application.provision.user.activate","application.provision.user.deactivate","application.provision.user.deprovision","application.provision.user.import","application.provision.user.import_profile","application.provision.user.password","application.provision.user.push","application.provision.user.push_okta_password","application.provision.user.push_password","application.provision.user.push_profile","application.provision.user.reactivate","application.provision.user.sync","application.provision.user.verify_exists","application.registration_policy.lifecycle.create","application.registration_policy.lifecycle.update","application.user_membership.add","application.user_membership.approve","application.user_membership.change_password","application.user_membership.change_username","application.user_membership.deprovision","application.user_membership.provision","application.user_membership.remove","application.user_membership.restore","application.user_membership.restore_password","application.user_membership.revoke","application.user_membership.show_password","application.user_membership.update","credential.register","credential.revoke","device.enrollment.create","device.lifecycle.activate","device.lifecycle.deactivate","device.lifecycle.delete","device.lifecycle.suspend","device.lifecycle.unsuspend","device.platform.add","device.platform.delete","device.platform.update","device.user.add","device.user.remove","directory.app_user_profile.update","directory.mapping.update","directory.non_default_user_profile.create","directory.user_profile.update","event_hook.activated","event_hook.created","event_hook.deactivated","event_hook.deleted","event_hook.delivery","event_hook.updated","event_hook.verified","group.application_assignment.add","group.application_assignment.remove","group.application_assignment.update","group.lifecycle.create","group.lifecycle.delete","group.privilege.grant","group.privilege.revoke","group.profile.update","group.user_membership.add","group.user_membership.remove","group.user_membership.rule.add_exclusion","group.user_membership.rule.deactivated","iam.resourceset.bindings.add","iam.resourceset.bindings.delete","iam.resourceset.create","iam.resourceset.delete","iam.resourceset.resources.add","iam.resourceset.resources.delete","iam.role.create","iam.role.delete","iam.role.permissions.add","iam.role.permissions.delete","inline_hook.activated","inline_hook.created","inline_hook.deactivated","inline_hook.deleted","inline_hook.executed","master_application.user_membership.add","mim.createEnrollment.ANDROID","mim.createEnrollment.IOS","mim.createEnrollment.OSX","mim.createEnrollment.UNKNOWN","mim.createEnrollment.WINDOWS","network_zone.rule.disabled","omm.app.VPN.settings.changed","omm.app.WIFI.settings.changed","omm.app.eas.cert_based.settings.changed","omm.app.eas.disabled","omm.app.eas.settings.changed","omm.cma.created","omm.cma.deleted","omm.cma.updated","omm.enrollment.changed","pki.ca.add","pki.ca.delete","pki.cert.bind","pki.cert.issue","pki.cert.lifecycle.activate","pki.cert.lifecycle.delete","pki.cert.lifecycle.hold","pki.cert.lifecycle.revoke","pki.cert.lifecycle.suspend","pki.cert.renew","pki.cert.revoke","policy.evaluate_sign_on","policy.execute.user.start","policy.lifecycle.activate","policy.lifecycle.create","policy.lifecycle.deactivate","policy.lifecycle.delete","policy.lifecycle.overwrite","policy.lifecycle.update","policy.mapping.create","policy.rule.action.execute","policy.rule.activate","policy.rule.add","policy.rule.deactivate","policy.rule.delete","policy.rule.invalidate","policy.rule.update","policy.scheduled.execute","scheduled_action.user_suspension.canceled","scheduled_action.user_suspension.completed","scheduled_action.user_suspension.scheduled","scheduled_action.user_suspension.updated","security.authenticator.lifecycle.activate","security.authenticator.lifecycle.deactivate","security.device.add_request_blacklist_policy","security.device.remove_request_blacklist_policy","security.device.temporarily_disable_blacklisting","security.request.blocked","security.threat.configuration.update","security.threat.detected","security.voice.add_country_blacklist","security.voice.remove_country_blacklist","security.zone.make_blacklist","security.zone.remove_blacklist","self_service.disabled","self_service.enabled","system.agent.ad.connect","system.agent.ad.create","system.agent.ad.deactivate","system.agent.ad.delete","system.agent.ad.import_ou","system.agent.ad.import_user","system.agent.ad.invoke_dir","system.agent.ad.reactivate","system.agent.ad.read_dirsync","system.agent.ad.read_ldap","system.agent.ad.read_schema","system.agent.ad.read_topology","system.agent.ad.realtimesync","system.agent.ad.reset_user_password","system.agent.ad.start","system.agent.ad.unlock_user_account","system.agent.ad.update","system.agent.ad.update_user","system.agent.ad.upgrade","system.agent.ad.upload_iwa_log","system.agent.ad.upload_log","system.agent.ad.write_ldap","system.agent.auto_update","system.agent.connector.connect","system.agent.connector.deactivate","system.agent.connector.delete","system.agent.connector.reactivate","system.agent.ldap.change_user_password","system.agent.ldap.create_user_JIT","system.agent.ldap.disconnect","system.agent.ldap.reconnect","system.agent.ldap.reset_user_password","system.agent.ldap.unlock_user_account","system.agent_pools.auto_update","system.api_token.create","system.api_token.enable","system.api_token.revoke","system.brand.update","system.captcha.create","system.captcha.delete","system.captcha.update","system.custom_error.update","system.custom_signin.update","system.custom_url_domain.cert_renew","system.custom_url_domain.cert_upload","system.custom_url_domain.delete","system.custom_url_domain.initiate","system.directory.debugger.extend","system.directory.debugger.grant","system.directory.debugger.query_executed","system.directory.debugger.revoke","system.email.template.create","system.email.template.delete","system.email.template.update","system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.deactivate","system.idp.lifecycle.delete","system.idp.lifecycle.update","system.import.clear.unconfirmed.users.summary","system.import.complete","system.import.complete_batch","system.import.custom_object.complete","system.import.custom_object.create","system.import.custom_object.delete","system.import.custom_object.update","system.import.download.complete","system.import.download.start","system.import.group.complete","system.import.group.create","system.import.group.delete","system.import.group.start","system.import.group.update","system.import.group_membership.complete","system.import.implicit_deletion.complete","system.import.implicit_deletion.start","system.import.import_profile","system.import.import_provisioning_info","system.import.membership_processing.complete","system.import.membership_processing.start","system.import.object_creation.complete","system.import.object_creation.start","system.import.roadblock","system.import.roadblock.reschedule_and_resume","system.import.roadblock.resume","system.import.roadblock.updated","system.import.start","system.import.user.complete","system.import.user.create","system.import.user.delete","system.import.user.match","system.import.user.start","system.import.user.suspend","system.import.user.unsuspend","system.import.user.unsuspend_after_confirm","system.import.user.update","system.import.user.update_user_lifecycle_from_master","system.import.user_csv.complete","system.import.user_csv.start","system.import.user_matching.complete","system.import.user_matching.start","system.iwa.create","system.iwa.go_offline","system.iwa.go_online","system.iwa.promote_primary","system.iwa.remove","system.iwa.update","system.iwa.use_default","system.ldapi.bind","system.ldapi.search","system.ldapi.unbind","system.log_stream.lifecycle.activate","system.log_stream.lifecycle.create","system.log_stream.lifecycle.deactivate","system.log_stream.lifecycle.delete","system.log_stream.lifecycle.update","system.mfa.factor.activate","system.mfa.factor.deactivate","system.org.captcha.activate","system.org.captcha.deactivate","system.org.lifecycle.create","system.org.rate_limit.warning","system.org.task.remove","system.theme.update","task.lifecycle.activate","task.lifecycle.create","task.lifecycle.deactivate","task.lifecycle.delete","task.lifecycle.update","user.account.access_super_user_app","user.account.lock","user.account.lock.limit","user.account.privilege.grant","user.account.privilege.revoke","user.account.report_suspicious_activity_by_enduser","user.account.reset_password","user.account.unlock","user.account.unlock_by_admin","user.account.unlock_failure","user.account.unlock_token","user.account.update_password","user.account.update_primary_email","user.account.update_profile","user.account.update_secondary_email","user.account.update_user_type","user.account.use_token","user.credential.enroll","user.identity_snapshot.attestation.create","user.lifecycle.activate","user.lifecycle.create","user.lifecycle.deactivate","user.lifecycle.delete.completed","user.lifecycle.delete.initiated","user.lifecycle.jit.error.read_only","user.lifecycle.password_mass_expiry","user.lifecycle.reactivate","user.lifecycle.suspend","user.lifecycle.unsuspend","user.session.access_admin_app","user.session.clear","user.session.end","user.session.expire","user.session.impersonation.end","user.session.impersonation.extend","user.session.impersonation.grant","user.session.impersonation.initiate","user.session.impersonation.revoke","workflows.user.connection.create","workflows.user.connection.delete","workflows.user.connection.reauthorize","workflows.user.connection.revoke","workflows.user.flow.activate","workflows.user.flow.create","workflows.user.flow.deactivate","workflows.user.flow.delete","workflows.user.flow.export","workflows.user.flow.import","workflows.user.flow.save","workflows.user.table.create","workflows.user.table.delete","workflows.user.table.export","workflows.user.table.import","workflows.user.table.update","workflows.user.table.view","zone.activate","zone.create","zone.deactivate","zone.delete","zone.make_blacklist","zone.remove_blacklist","zone.update","system.push.send_factor_verify_push")
| alter
outcome_result = json_extract_scalar(outcome, "$.result"),
actor_type = json_extract_scalar(actor, "$.type")
| alter
xdm.source.user.identifier = json_extract_scalar(actor, "$.id"),
xdm.source.user.user_type = if(actor_type in("User"), XDM_CONST.USER_TYPE_REGULAR, actor_type in("SystemPrincipal"), XDM_CONST.USER_TYPE_SERVICE_ACCOUNT,actor_type in("IP address"), XDM_CONST.USER_TYPE_MACHINE_ACCOUNT, to_string(actor_type)),
xdm.source.user.username = json_extract_scalar(actor, "$.alternateId"),
xdm.target.cloud.zone = json_extract_scalar(client, "$.zone"),
xdm.source.ipv4 = json_extract_scalar(client,"$.ipAddress"),
xdm.target.ipv4="",
xdm.source.port=to_integer(0),
xdm.target.port=to_integer(0),
xdm.source.location.city = json_extract_scalar(client, "$.geographicalContext.city"),
xdm.source.location.country = json_extract_scalar(client, "$.geographicalContext.country"),
xdm.source.location.latitude = to_float(json_extract_scalar(client, "$.geographicalContext.geolocation.lat")),
xdm.source.location.longitude = to_float(json_extract_scalar(client, "$.geographicalContext.geolocation.lon")),
xdm.event.type = eventType,
xdm.event.outcome = if(outcome_result="SUCCESS", XDM_CONST.OUTCOME_SUCCESS, outcome_result="FAILURE", XDM_CONST.OUTCOME_FAILED, outcome_result="ALLOW", XDM_CONST.OUTCOME_SUCCESS, outcome_result="DENY", XDM_CONST.OUTCOME_FAILED, outcome_result="CHALLENGE", XDM_CONST.OUTCOME_PARTIAL, XDM_CONST.OUTCOME_UNKNOWN),
xdm.event.outcome_reason = json_extract_scalar(outcome, "$.reason"),
xdm.target.resource.id = arraystring (arraymap (json_extract_array (`target`,"$."), json_extract_scalar ("@element", "$.alternateId")),","),
xdm.target.resource.type = arraystring (arraymap (json_extract_array (`target`,"$."), json_extract_scalar ("@element", "$.type")),","),
xdm.source.user_agent = json_extract_scalar(client, "$.userAgent.rawUserAgent"),
xdm.source.host.os = json_extract_scalar(client, "$.userAgent.os"),
xdm.source.application.name = json_extract_scalar(client, "$.userAgent.browser"),
xdm.event.id = uuid,
xdm.source.asn.as_name = json_extract_scalar(securityContext,"$.asOrg")
//First and last name extraction
| alter displayName = json_extract_scalar(actor, "$.displayName")
| alter
lastName = arrayindex(regextract(displayName, "\s([\S]*)"),0),
firstName= arrayindex(regextract(displayName, "([\S]*)\s"),0)
| alter
xdm.source.user.first_name = firstName,
xdm.source.user.last_name = lastName;
filter
eventType in ("user.session.start","user.mfa.okta_verify.deny_push_upgrade_needed","user.mfa.okta_verify.deny_push","user.mfa.okta_verify","user.mfa.factor.update","user.mfa.factor.unsuspend","user.mfa.factor.suspend","user.mfa.factor.reset_all","user.mfa.factor.deactivate","user.mfa.factor.activate","user.mfa.attempt_bypass","app.access_request.approver.approve","app.access_request.approver.deny","app.access_request.delete","app.access_request.deny","app.access_request.expire","app.access_request.grant","app.access_request.request","app.kerberos_rich_client.account_not_found","app.kerberos_rich_client.instance_not_found","app.kerberos_rich_client.multiple_accounts_found","app.kerberos_rich_client.user_authentication_successful","app.oauth2.admin.consent.grant","app.oauth2.admin.consent.revoke","app.oauth2.as.authorize","app.oauth2.as.authorize.code","app.oauth2.as.authorize.implicit.access_token","app.oauth2.as.authorize.implicit.id_token","app.oauth2.as.authorize.scope_denied","app.oauth2.as.consent.grant","app.oauth2.as.consent.revoke","app.oauth2.as.consent.revoke.implicit.as","app.oauth2.as.consent.revoke.implicit.client","app.oauth2.as.consent.revoke.implicit.scope","app.oauth2.as.consent.revoke.implicit.user","app.oauth2.as.consent.revoke.user","app.oauth2.as.consent.revoke.user.client","app.oauth2.as.evaluate.claim","app.oauth2.as.interact.interaction_code","app.oauth2.as.interact.interaction_handle","app.oauth2.as.key.rollover","app.oauth2.as.token.detect_reuse","app.oauth2.as.token.grant","app.oauth2.as.token.grant.access_token","app.oauth2.as.token.grant.device_secret","app.oauth2.as.token.grant.id_token","app.oauth2.as.token.grant.refresh_token","app.oauth2.as.token.revoke","app.oauth2.authorize","app.oauth2.authorize.code","app.oauth2.authorize.implicit.access_token","app.oauth2.authorize.implicit.id_token","app.oauth2.client.lifecycle.activate","app.oauth2.client.lifecycle.create","app.oauth2.client.lifecycle.deactivate","app.oauth2.client.lifecycle.delete","app.oauth2.client.lifecycle.update","app.oauth2.client_id_rate_limit_warning","app.oauth2.consent.grant","app.oauth2.interact.interaction_code","app.oauth2.interact.interaction_handle","app.oauth2.invalid_client_credentials","app.oauth2.invalid_client_ids","app.oauth2.key.rollover","app.oauth2.signon","app.oauth2.token.detect_reuse","app.oauth2.token.grant","app.oauth2.token.grant.access_token","app.oauth2.token.grant.id_token","app.oauth2.token.grant.refresh_token","app.oauth2.token.revoke","app.oauth2.token.revoke.implicit.as","app.oauth2.token.revoke.implicit.client","app.oauth2.token.revoke.implicit.user","app.office365.graph.api.error.service.principal.msgraph.authentication.failure","application.integration.authentication_failure","oauth2.as.activated","oauth2.as.created","oauth2.as.deactivated","oauth2.as.deleted","oauth2.as.updated","oauth2.claim.created","oauth2.claim.deleted","oauth2.claim.updated","oauth2.scope.created","oauth2.scope.deleted","oauth2.scope.updated","system.agent.ldap.realtimesync","system.agent.ldap.update_user","system.agent.ldap.update_user_password","system.iwa_agentless.auth","system.iwa_agentless.redirect","system.iwa_agentless.update","system.iwa_agentless.user.not_found","system.iwa_agentless_kerberos.update","user.authentication.auth","user.authentication.auth_via_AD_agent","user.authentication.auth_via_IDP","user.authentication.auth_via_LDAP_agent","user.authentication.auth_via_inbound_SAML","user.authentication.auth_via_inbound_delauth","user.authentication.auth_via_iwa","user.authentication.auth_via_mfa","user.authentication.auth_via_radius","user.authentication.auth_via_richclient","user.authentication.auth_via_social","user.authentication.authenticate","user.authentication.slo","user.authentication.sso","user.authentication.verify","user.import.password")
| alter
outcome_result = json_extract_scalar(outcome, "$.result"),
actor_type = lowercase(json_extract_scalar(actor, "$.type")),
actor_alternateId = json_extract_scalar(actor, "$.alternateId"),
actor_displayName = json_extract_scalar(actor, "$.displayName"),
actor_id = json_extract_scalar(actor, "$.id"),
target_id = trim(json_extract(`target`, "$[0].id"), "\""),
target_type = trim(json_extract(`target`, "$[0].type"), "\""),
target_alternateId = trim(json_extract(`target`, "$[0].alternateId"), "\""),
target_displaynames = trim(json_extract(`target`, "$[0].displayName"), "\""),
debugdata_factor = lowercase(json_extract_scalar(debugContext, "$.debugData.factor")),
get_reason = json_extract_scalar(outcome, "$.reason"),
debugdata_errorcode = to_string(json_extract(debugContext, "$.debugData.errorCode")),
source_ip = json_extract_scalar(client, "$.ipAddress"),
client_device = json_extract_scalar(client, "$.device"),
client_ua_os = lowercase(json_extract_scalar(client, "$.userAgent.os")),
userAgent_rawUserAgent = json_extract_scalar(client, "$.userAgent.rawUserAgent"),
securityContext_isProxy = json_extract_scalar(securityContext, "$.isProxy"),
debugContext_debugData_risk_reasons = json_extract(debugContext, "$.debugData.risk.reasons"),
debugContext_debugData_behaviors = json_extract(debugContext, "$.debugData.behaviors"),
debugContext_debugData_threatSuspected = lowercase(to_string(json_extract(debugContext, "$.debugData.threatSuspected"))),
debugContext_debugData_originalPrincipal_type = json_extract(debugContext, "$.debugData.originalPrincipal.type"),
securityContext_domain = json_extract_scalar(securityContext, "$.domain"),
request_ipChain = request -> ipChain[]
| alter
source_ipv4 = if(source_ip !~= ":", source_ip, null),
source_ipv6 = if(source_ip ~= ":", source_ip, null),
convert_behaviors_array = arraymap(split(debugContext_debugData_behaviors, ","), rtrim(ltrim("@element", "{"), "}")),
lowercase_user_type = lowercase(debugContext_debugData_originalPrincipal_type),
check_debugData_threatSuspected = if(debugContext_debugData_threatSuspected = "false", "risky_signin: FALSE", "risky_signin: TRUE"),
check_actor_type = if(actor_type = "user", XDM_CONST.USER_TYPE_REGULAR, actor_type = "appuser", XDM_CONST.USER_TYPE_REGULAR, null),
check_target_type = if(target_type !~= "User", null, target_type = null, null, XDM_CONST.USER_TYPE_REGULAR),
check_actor_alternateId = if(actor_type = "user", actor_alternateId, actor_type = "appuser", actor_alternateId, null),
check_target_alternateId = if(target_type !~= "User", null, target_alternateId = null, null, target_alternateId),
check_actor_displayName = if(actor_type = "user", actor_displayName, actor_type = "appuser", actor_displayName, null),
check_target_displayName = if(target_type !~= "User", null, target_displaynames = null, null, target_displaynames),
check_actor_first_name = if(actor_type = "user", arrayindex(split(actor_displayName), 0) , actor_type = "appuser", arrayindex(split(actor_displayName), 0), null),
check_target_first_name = if(target_type ~= "User", arrayindex(split(target_displaynames), 0) , null),
check_actor_last_name = if(actor_type = "user", arrayindex(split(actor_displayName), 1) , actor_type = "appuser", arrayindex(split(actor_displayName), 1), null),
check_target_last_name = if(target_type ~= "User", arrayindex(split(target_displaynames), 1) , null),
check_actor_id = if(actor_type = "user", actor_id, actor_type = "appuser", actor_id, null),
check_target_id = if(target_type !~= "User", null, target_id = null, null, target_id),
check_securityContext_isProxy = if(securityContext_isProxy = "true", to_boolean("TRUE"), to_boolean("FALSE")),
check_debugData_risk_reasons1 = if(debugContext_debugData_risk_reasons ~= "Anonymizing Proxy", to_boolean("TRUE"), to_boolean("FALSE")),
check_debugData_risk_reasons2 = if(debugContext_debugData_risk_reasons ~= "Anonymizing Proxy", "anonymized_ip: TRUE", "anonymized_ip: FALSE"),
check_ipChain_v4 = arraymap(request_ipChain, if("@element" -> ip !~= ":", "@element" -> ip, null)),
check_securityContext_domain = if(securityContext_domain = ".", null, securityContext_domain),
check_ipChain_v6 = arraymap(request_ipChain, if("@element" -> ip ~= ":", "@element" -> ip, null))
| alter
xdm.event.log_level = if(severity = "DEBUG", XDM_CONST.LOG_LEVEL_DEBUG, severity = "INFO", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "WARN", XDM_CONST.LOG_LEVEL_WARNING, severity = "ERROR", XDM_CONST.LOG_LEVEL_ERROR, severity = null, null, to_string(severity)),
xdm.event.operation_sub_type = if(eventType != "user.authentication.auth_via_mfa", null, debugdata_factor ~= "yubikey", "hardware_token", target_displaynames ~= "touch id", "hardware_token", target_displaynames ~= "hardware", "hardware_token", debugdata_factor = "fido_webauthn", "hardware_token", debugdata_factor = "password_as_factor", "password", target_displaynames = "authenticator", "application", target_displaynames = "android authenticator with safetyNet attestation", "application", target_displaynames = "okta verify", "application", target_displaynames = "windows hello software authenticator", "application", debugdata_factor = "okta_soft_token", "application", debugdata_factor = "okta_verify_push", "application", debugdata_factor = "email_factor", "email", debugdata_factor = "sms_factor", "sms", debugdata_factor = "call_factor", "voice", null),
xdm.event.type = if(eventType in ("user.authentication.sso", "user.session.start", "user.mfa.okta_verify.deny_push", "user.mfa.factor.update", "user.authentication.auth_via_mfa", "user.authentication.auth_via_AD_agent", "user.authentication.verify", "user.authentication.auth_via_radius", "user.authentication.auth_via_richclient", "system.push.send_factor_verify_push"), "authentication", ""),
xdm.event.description = displayMessage,
xdm.event.operation = if(eventType ~= "authentication|oauth2|mfa", XDM_CONST.OPERATION_TYPE_AUTH_MFA, eventType ~= "session|access_request|import|kerberos_rich_client|iwa|ldap", XDM_CONST.OPERATION_TYPE_AUTH_LOGIN, eventType = null, null, to_string(eventType)),
xdm.logon.type = if(actor_type = "user", XDM_CONST.LOGON_TYPE_INTERACTIVE, actor_type ~= "network", XDM_CONST.LOGON_TYPE_NETWORK, actor_type ~= "batch", XDM_CONST.LOGON_TYPE_BATCH, actor_type ~= "service", XDM_CONST.LOGON_TYPE_SERVICE, actor_type ~= "proxy", XDM_CONST.LOGON_TYPE_PROXY, actor_type ~= "unlock", XDM_CONST.LOGON_TYPE_UNLOCK, actor_type = "systemprincipal", null, actor_type = null, null, to_string(actor_type)),
xdm.auth.service = if(eventType = "user.authentication.auth_via_AD_agent", "IDP", eventType = "user.authentication.auth_via_radius", "IDP", eventType = "user.authentication.auth_via_richclient", "IDP", eventType = "user.session.start", "IDP", eventType = "policy.evaluate_sign_on", "IDP", eventType = "system.push.send_factor_verify_push", "IDP", eventType = "user.authentication.auth_via_mfa", "IDP", eventType = "user.authentication.verify", "IDP", eventType = "user.mfa.okta_verify.deny_push", "IDP", eventType = "user.authentication.sso", "SP", null),
xdm.source.host.os_family = if(client_ua_os ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, client_ua_os ~= "linux", XDM_CONST.OS_FAMILY_LINUX, client_ua_os ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, client_ua_os ~= "windows|ms", XDM_CONST.OS_FAMILY_WINDOWS, client_ua_os ~= "mac", XDM_CONST.OS_FAMILY_MACOS, client_ua_os ~= "android", XDM_CONST.OS_FAMILY_ANDROID, client_ua_os ~= "ios", XDM_CONST.OS_FAMILY_IOS, client_ua_os ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, client_ua_os ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, client_ua_os ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, client_ua_os ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, client_ua_os ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, client_ua_os ~= "scada", XDM_CONST.OS_FAMILY_SCADA, client_ua_os = null, null, to_string(client_ua_os)),
xdm.source.host.device_category = client_device,
xdm.source.location.region = json_extract_scalar(client, "$.geographicalContext.state"),
xdm.source.user.upn = check_actor_alternateId,
xdm.target.user.upn = check_target_alternateId,
xdm.source.user.username = check_actor_displayName,
xdm.target.user.username = check_target_displayName,
xdm.source.user.first_name = check_actor_first_name,
xdm.target.user.first_name = check_target_first_name,
xdm.source.user.last_name = check_actor_last_name,
xdm.target.user.last_name = check_target_last_name,
xdm.source.user.identifier = check_actor_id,
xdm.target.user.identifier = check_target_id,
xdm.source.user.user_type = check_actor_type,
xdm.target.user.user_type = check_target_type,
xdm.target.resource.id = if(target_type = "AppInstance", target_id, null),
xdm.target.resource.name = if(target_type = "AppInstance", target_alternateId, null),
xdm.source.asn.as_number = to_integer(json_extract_scalar(securityContext, "$.asNumber")),
xdm.source.asn.isp = json_extract_scalar(securityContext, "$.isp"),
xdm.source.asn.domain = check_securityContext_domain,
xdm.source.asn.is_proxy = check_securityContext_isProxy,
xdm.intermediate.is_proxy = check_debugData_risk_reasons1,
xdm.event.tags = arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION),
xdm.alert.severity = json_extract(debugContext, "$.debugData.risk.level"),
xdm.alert.risks = arrayconcat(convert_behaviors_array, arraycreate(check_debugData_threatSuspected), arraycreate(check_debugData_risk_reasons2)),
xdm.session_context_id = json_extract_scalar(`transaction`, "$.id"),
xdm.observer.action = legacyEventType,
xdm.source.zone = json_extract_scalar(client, "$.zone"),
xdm.observer.type = json_extract_scalar(`transaction`, "$.type"),
xdm.observer.unique_identifier = json_extract_scalar(debugContext, "$.debugData.deviceFingerprint"),
xdm.auth.mfa.client_details = json_extract_scalar(`transaction`, "$.detail.requestApiTokenId"),
xdm.intermediate.application.name = json_extract_scalar(debugContext, "$.debugData.proxyType"),
xdm.network.http.referrer = json_extract_scalar(debugContext, "$.debugData.origin"),
xdm.network.rule = json_extract_scalar(debugContext, "$.debugData.threatDetections"),
xdm.network.http.url = json_extract_scalar(debugContext, "$.debugData.url"),
xdm.auth.privilege_level = if(lowercase_user_type = "user", XDM_CONST.PRIVILEGE_LEVEL_USER, lowercase_user_type = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, lowercase_user_type = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, lowercase_user_type = "system", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM, lowercase_user_type = null, null, to_string(lowercase_user_type)),
xdm.auth.mfa.provider = json_extract_scalar(authenticationContext, "$.authenticationProvider.credentialProvider"),
xdm.auth.mfa.method = json_extract_scalar(authenticationContext, "$.authenticationProvider.credentialType"),
xdm.source.host.ipv4_addresses = check_ipChain_v4,
xdm.source.host.ipv6_addresses = check_ipChain_v6,
xdm.source.host.device_id = json_extract_scalar(client, "$.id"),
xdm.source.ipv4 = source_ipv4,
xdm.source.ipv6 = source_ipv6,
xdm.target.ipv4 = "",
xdm.target.ipv6 = "",
xdm.source.port = 0,
xdm.target.port = 0,
xdm.source.location.city = json_extract_scalar(client, "$.geographicalContext.city"),
xdm.source.location.country = json_extract_scalar(client, "$.geographicalContext.country"),
xdm.source.location.latitude = to_float(json_extract_scalar(client, "$.geographicalContext.geolocation.lat")),
xdm.source.location.longitude = to_float(json_extract_scalar(client, "$.geographicalContext.geolocation.lon")),
xdm.network.session_id = json_extract_scalar(authenticationContext, "$.authenticationProvider.externalSessionId"),
xdm.event.original_event_type = eventType,
xdm.event.outcome = if(outcome_result = "SUCCESS",XDM_CONST.OUTCOME_SUCCESS, outcome_result = "FAILURE", XDM_CONST.OUTCOME_FAILED, outcome_result = "ALLOW", XDM_CONST.OUTCOME_SUCCESS, outcome_result = "DENY", XDM_CONST.OUTCOME_FAILED, outcome_result = "CHALLENGE", XDM_CONST.OUTCOME_PARTIAL, outcome_result = "UNKNOWN", XDM_CONST.OUTCOME_UNKNOWN, outcome_result = "SKIPPED", XDM_CONST.OUTCOME_PARTIAL, outcome_result = null, null, to_string(outcome_result)),
xdm.event.outcome_reason = if(get_reason ~= "UNKNOWN_USER", "user_does_not_exist", get_reason ~= "Login denied. No matching user is assigned to Radius App RADIUS Application.", "user_does_not_exist", get_reason ~= "Login denied. No matching user", "user_does_not_exist", get_reason ~= "INVALID_CREDENTIALS", "bad_credentials", get_reason ~= "Authentication failed: bad username or password", "bad_credentials", debugdata_errorcode ~= "1326", "bad_credentials", get_reason ~= "Authentication failed: account is expired", "account_expired_or_disabled", get_reason ~= "USER_ACCOUNT_EXPIRE", "account_expired_or_disabled", get_reason ~= "GENERAL_NONSUCCESS", "account_expired_or_disabled", get_reason ~= "Authentication failed: password has expired", "account_expired_or_disabled", debugdata_errorcode ~= "1331", "account_expired_or_disabled", debugdata_errorcode ~= "1793", "account_expired_or_disabled", get_reason ~= "Authentication failed: account is locked", "account_locked", get_reason ~= "LOCKED_OUT", "account_locked", get_reason ~= "Login failed.", "failed_login", get_reason ~= "Login Failed", "failed_login", get_reason ~= "PASSWORD_BASED_LOGIN_DISALLOWED", "auth_policy_access_violation", get_reason ~= "login denied", "auth_policy_access_violation", get_reason ~= "VERIFICATION_ERROR", "mfa_failure", get_reason ~= "DEL_AUTH_TIMEOUT", "mfa_expired", get_reason ~= "User rejected Okta push verify", "user_reject", get_reason ~= "Login aborted", "user_cancelled", get_reason ~= "Login aborted.", "user_cancelled", get_reason ~= "NOT_SPECIFIED", "OTHER", get_reason = null, null, to_string(get_reason)),
xdm.target.host.device_category = target_type,
xdm.source.user_agent = if(lowercase(userAgent_rawUserAgent) = "unknown", null, userAgent_rawUserAgent),
xdm.source.host.os = json_extract_scalar(client, "$.userAgent.os"),
xdm.source.application.name = json_extract_scalar(client, "$.userAgent.browser"),
xdm.event.id = uuid,
xdm.source.asn.as_name = json_extract_scalar(securityContext,"$.asOrg");
[MODEL: dataset=okta_sso_raw]
alter
outcome_result = json_extract_scalar(outcome, "$.result"),
actor_type = lowercase(json_extract_scalar(actor, "$.type")),
actor_alternateId = json_extract_scalar(actor, "$.alternateId"),
actor_displayName = json_extract_scalar(actor, "$.displayName"),
actor_id = json_extract_scalar(actor, "$.id"),
target_id = trim(json_extract(`target`, "$[0].id"), "\""),
target_type = trim(json_extract(`target`, "$[0].type"), "\""),
target_alternateId = trim(json_extract(`target`, "$[0].alternateId"), "\""),
target_displaynames = trim(json_extract(`target`, "$[0].displayName"), "\""),
debugdata_factor = lowercase(json_extract_scalar(debugContext, "$.debugData.factor")),
get_reason = json_extract_scalar(outcome, "$.reason"),
debugdata_errorcode = to_string(json_extract(debugContext, "$.debugData.errorCode")),
source_ip = json_extract_scalar(client, "$.ipAddress"),
client_device = json_extract_scalar(client, "$.device"),
client_ua_os = lowercase(json_extract_scalar(client, "$.userAgent.os")),
userAgent_rawUserAgent = json_extract_scalar(client, "$.userAgent.rawUserAgent"),
securityContext_isProxy = json_extract_scalar(securityContext, "$.isProxy"),
debugContext_debugData_risk_reasons = json_extract(debugContext, "$.debugData.risk.reasons"),
debugContext_debugData_behaviors = json_extract(debugContext, "$.debugData.behaviors"),
debugContext_debugData_threatSuspected = lowercase(to_string(json_extract(debugContext, "$.debugData.threatSuspected"))),
debugContext_debugData_originalPrincipal_type = json_extract(debugContext, "$.debugData.originalPrincipal.type"),
securityContext_domain = json_extract_scalar(securityContext, "$.domain"),
request_ipChain = request -> ipChain[]
| alter
source_ipv4 = if(source_ip !~= ":", source_ip, null),
source_ipv6 = if(source_ip ~= ":", source_ip, null),
convert_behaviors_array = arraymap(split(debugContext_debugData_behaviors, ","), rtrim(ltrim("@element", "{"), "}")),
lowercase_user_type = lowercase(debugContext_debugData_originalPrincipal_type),
check_debugData_threatSuspected = if(debugContext_debugData_threatSuspected = "false", "risky_signin: FALSE", "risky_signin: TRUE"),
check_actor_type = if(actor_type = "user", XDM_CONST.USER_TYPE_REGULAR, actor_type = "appuser", XDM_CONST.USER_TYPE_REGULAR, null),
check_target_type = if(target_type !~= "User", null, target_type = null, null, XDM_CONST.USER_TYPE_REGULAR),
check_actor_alternateId = if(actor_type = "user", actor_alternateId, actor_type = "appuser", actor_alternateId, null),
check_target_alternateId = if(target_type !~= "User", null, target_alternateId = null, null, target_alternateId),
check_actor_displayName = if(actor_type = "user", actor_displayName, actor_type = "appuser", actor_displayName, null),
check_target_displayName = if(target_type !~= "User", null, target_displaynames = null, null, target_displaynames),
check_actor_first_name = if(actor_type in("user", "appuser"), arrayindex(regextract(actor_displayName, "(^[^,\s]+)"), 0), null),
check_target_first_name = if(target_type ~= "User", arrayindex(split(target_displaynames), 0) , null),
check_actor_last_name = if(actor_type in("user", "appuser"), arrayindex(regextract(actor_displayName, "^[^,\s]+[,\s]+(.*)$"), 0), null),
check_target_last_name = if(target_type ~= "User", arrayindex(split(target_displaynames), 1) , null),
check_actor_id = if(actor_type = "user", actor_id, actor_type = "appuser", actor_id, null),
check_target_id = if(target_type !~= "User", null, target_id = null, null, target_id),
check_securityContext_isProxy = if(securityContext_isProxy = "true", to_boolean("TRUE"), to_boolean("FALSE")),
check_debugData_risk_reasons1 = if(debugContext_debugData_risk_reasons ~= "Anonymizing Proxy", to_boolean("TRUE"), to_boolean("FALSE")),
check_debugData_risk_reasons2 = if(debugContext_debugData_risk_reasons ~= "Anonymizing Proxy", "anonymized_ip: TRUE", "anonymized_ip: FALSE"),
check_ipChain_v4 = arraymap(request_ipChain, if("@element" -> ip !~= ":", "@element" -> ip, null)),
check_securityContext_domain = if(securityContext_domain = ".", null, securityContext_domain),
check_ipChain_v6 = arraymap(request_ipChain, if("@element" -> ip ~= ":", "@element" -> ip, null))
| alter
xdm.event.log_level = if(severity = "DEBUG", XDM_CONST.LOG_LEVEL_DEBUG, severity = "INFO", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "WARN", XDM_CONST.LOG_LEVEL_WARNING, severity = "ERROR", XDM_CONST.LOG_LEVEL_ERROR, severity = null, null, to_string(severity)),
xdm.event.operation_sub_type = if(eventType != "user.authentication.auth_via_mfa", null, debugdata_factor ~= "yubikey", "hardware_token", target_displaynames ~= "touch id", "hardware_token", target_displaynames ~= "hardware", "hardware_token", debugdata_factor = "fido_webauthn", "hardware_token", debugdata_factor = "password_as_factor", "password", target_displaynames = "authenticator", "application", target_displaynames = "android authenticator with safetyNet attestation", "application", target_displaynames = "okta verify", "application", target_displaynames = "windows hello software authenticator", "application", debugdata_factor = "okta_soft_token", "application", debugdata_factor = "okta_verify_push", "application", debugdata_factor = "email_factor", "email", debugdata_factor = "sms_factor", "sms", debugdata_factor = "call_factor", "voice", null),
xdm.event.type = if(eventType in ("user.authentication.sso", "user.session.start", "user.mfa.okta_verify.deny_push", "user.mfa.factor.update", "user.authentication.auth_via_mfa", "user.authentication.auth_via_AD_agent", "user.authentication.verify", "user.authentication.auth_via_radius", "user.authentication.auth_via_richclient", "system.push.send_factor_verify_push"), "authentication", ""),
xdm.event.description = displayMessage,
xdm.event.operation = if(eventType ~= "authentication|oauth2|mfa", XDM_CONST.OPERATION_TYPE_AUTH_MFA, eventType ~= "session|access_request|import|kerberos_rich_client|iwa|ldap", XDM_CONST.OPERATION_TYPE_AUTH_LOGIN, eventType = null, null, to_string(eventType)),
xdm.logon.type = if(actor_type = "user", XDM_CONST.LOGON_TYPE_INTERACTIVE, actor_type ~= "network", XDM_CONST.LOGON_TYPE_NETWORK, actor_type ~= "batch", XDM_CONST.LOGON_TYPE_BATCH, actor_type ~= "service", XDM_CONST.LOGON_TYPE_SERVICE, actor_type ~= "proxy", XDM_CONST.LOGON_TYPE_PROXY, actor_type ~= "unlock", XDM_CONST.LOGON_TYPE_UNLOCK, actor_type = "systemprincipal", null, actor_type = null, null, to_string(actor_type)),
xdm.auth.service = if(eventType = "user.authentication.auth_via_AD_agent", "IDP", eventType = "user.authentication.auth_via_radius", "IDP", eventType = "user.authentication.auth_via_richclient", "IDP", eventType = "user.session.start", "IDP", eventType = "policy.evaluate_sign_on", "IDP", eventType = "system.push.send_factor_verify_push", "IDP", eventType = "user.authentication.auth_via_mfa", "IDP", eventType = "user.authentication.verify", "IDP", eventType = "user.mfa.okta_verify.deny_push", "IDP", eventType = "user.authentication.sso", "SP", null),
xdm.source.host.os_family = if(client_ua_os ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, client_ua_os ~= "linux", XDM_CONST.OS_FAMILY_LINUX, client_ua_os ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, client_ua_os ~= "windows|ms", XDM_CONST.OS_FAMILY_WINDOWS, client_ua_os ~= "mac", XDM_CONST.OS_FAMILY_MACOS, client_ua_os ~= "android", XDM_CONST.OS_FAMILY_ANDROID, client_ua_os ~= "ios", XDM_CONST.OS_FAMILY_IOS, client_ua_os ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, client_ua_os ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, client_ua_os ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, client_ua_os ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, client_ua_os ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, client_ua_os ~= "scada", XDM_CONST.OS_FAMILY_SCADA, client_ua_os = null, null, to_string(client_ua_os)),
xdm.source.host.device_category = client_device,
xdm.source.location.region = json_extract_scalar(client, "$.geographicalContext.state"),
xdm.source.user.upn = check_actor_alternateId,
xdm.target.user.upn = check_target_alternateId,
xdm.source.user.username = check_actor_displayName,
xdm.target.user.username = check_target_displayName,
xdm.source.user.first_name = check_actor_first_name,
xdm.target.user.first_name = check_target_first_name,
xdm.source.user.last_name = check_actor_last_name,
xdm.target.user.last_name = check_target_last_name,
xdm.source.user.identifier = check_actor_id,
xdm.target.user.identifier = check_target_id,
xdm.source.user.user_type = check_actor_type,
xdm.target.user.user_type = check_target_type,
xdm.target.resource.id = if(target_type = "AppInstance", target_id, null),
xdm.target.resource.name = if(target_type = "AppInstance", target_alternateId, null),
xdm.source.asn.as_number = to_integer(json_extract_scalar(securityContext, "$.asNumber")),
xdm.source.asn.isp = json_extract_scalar(securityContext, "$.isp"),
xdm.source.asn.domain = check_securityContext_domain,
xdm.source.asn.is_proxy = check_securityContext_isProxy,
xdm.intermediate.is_proxy = check_debugData_risk_reasons1,
xdm.event.tags = arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION),
xdm.alert.severity = json_extract(debugContext, "$.debugData.risk.level"),
xdm.alert.risks = arrayconcat(convert_behaviors_array, arraycreate(check_debugData_threatSuspected), arraycreate(check_debugData_risk_reasons2)),
xdm.session_context_id = json_extract_scalar(`transaction`, "$.id"),
xdm.observer.action = legacyEventType,
xdm.source.zone = json_extract_scalar(client, "$.zone"),
xdm.observer.type = json_extract_scalar(`transaction`, "$.type"),
xdm.observer.unique_identifier = json_extract_scalar(debugContext, "$.debugData.deviceFingerprint"),
xdm.auth.mfa.client_details = json_extract_scalar(`transaction`, "$.detail.requestApiTokenId"),
xdm.intermediate.application.name = json_extract_scalar(debugContext, "$.debugData.proxyType"),
xdm.network.http.referrer = json_extract_scalar(debugContext, "$.debugData.origin"),
xdm.network.rule = json_extract_scalar(debugContext, "$.debugData.threatDetections"),
xdm.network.http.url = json_extract_scalar(debugContext, "$.debugData.url"),
xdm.auth.privilege_level = if(lowercase_user_type = "user", XDM_CONST.PRIVILEGE_LEVEL_USER, lowercase_user_type = "guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST, lowercase_user_type = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, lowercase_user_type = "system", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM, lowercase_user_type = null, null, to_string(lowercase_user_type)),
xdm.auth.mfa.provider = json_extract_scalar(authenticationContext, "$.authenticationProvider.credentialProvider"),
xdm.auth.mfa.method = json_extract_scalar(authenticationContext, "$.authenticationProvider.credentialType"),
xdm.source.host.ipv4_addresses = check_ipChain_v4,
xdm.source.host.ipv6_addresses = check_ipChain_v6,
xdm.source.host.device_id = json_extract_scalar(client, "$.id"),
xdm.source.ipv4 = source_ipv4,
xdm.source.ipv6 = source_ipv6,
xdm.target.ipv4 = "",
xdm.target.ipv6 = "",
xdm.source.port = 0,
xdm.target.port = 0,
xdm.source.location.city = json_extract_scalar(client, "$.geographicalContext.city"),
xdm.source.location.country = json_extract_scalar(client, "$.geographicalContext.country"),
xdm.source.location.latitude = to_float(json_extract_scalar(client, "$.geographicalContext.geolocation.lat")),
xdm.source.location.longitude = to_float(json_extract_scalar(client, "$.geographicalContext.geolocation.lon")),
xdm.network.session_id = json_extract_scalar(authenticationContext, "$.authenticationProvider.externalSessionId"),
xdm.event.original_event_type = eventType,
xdm.event.outcome = if(outcome_result = "SUCCESS",XDM_CONST.OUTCOME_SUCCESS, outcome_result = "FAILURE", XDM_CONST.OUTCOME_FAILED, outcome_result = "ALLOW", XDM_CONST.OUTCOME_SUCCESS, outcome_result = "DENY", XDM_CONST.OUTCOME_FAILED, outcome_result = "CHALLENGE", XDM_CONST.OUTCOME_PARTIAL, outcome_result = "UNKNOWN", XDM_CONST.OUTCOME_UNKNOWN, outcome_result = "SKIPPED", XDM_CONST.OUTCOME_PARTIAL, outcome_result = null, null, to_string(outcome_result)),
xdm.event.outcome_reason = if(get_reason ~= "UNKNOWN_USER", "user_does_not_exist", get_reason ~= "Login denied. No matching user is assigned to Radius App RADIUS Application.", "user_does_not_exist", get_reason ~= "Login denied. No matching user", "user_does_not_exist", get_reason ~= "INVALID_CREDENTIALS", "bad_credentials", get_reason ~= "Authentication failed: bad username or password", "bad_credentials", debugdata_errorcode ~= "1326", "bad_credentials", get_reason ~= "Authentication failed: account is expired", "account_expired_or_disabled", get_reason ~= "USER_ACCOUNT_EXPIRE", "account_expired_or_disabled", get_reason ~= "GENERAL_NONSUCCESS", "account_expired_or_disabled", get_reason ~= "Authentication failed: password has expired", "account_expired_or_disabled", debugdata_errorcode ~= "1331", "account_expired_or_disabled", debugdata_errorcode ~= "1793", "account_expired_or_disabled", get_reason ~= "Authentication failed: account is locked", "account_locked", get_reason ~= "LOCKED_OUT", "account_locked", get_reason ~= "Login failed.", "failed_login", get_reason ~= "Login Failed", "failed_login", get_reason ~= "PASSWORD_BASED_LOGIN_DISALLOWED", "auth_policy_access_violation", get_reason ~= "login denied", "auth_policy_access_violation", get_reason ~= "VERIFICATION_ERROR", "mfa_failure", get_reason ~= "DEL_AUTH_TIMEOUT", "mfa_expired", get_reason ~= "User rejected Okta push verify", "user_reject", get_reason ~= "Login aborted", "user_cancelled", get_reason ~= "Login aborted.", "user_cancelled", get_reason ~= "NOT_SPECIFIED", "OTHER", get_reason = null, null, to_string(get_reason)),
xdm.target.host.device_category = target_type,
xdm.source.user_agent = if(lowercase(userAgent_rawUserAgent) = "unknown", null, userAgent_rawUserAgent),
xdm.source.host.os = json_extract_scalar(client, "$.userAgent.os"),
xdm.source.application.name = json_extract_scalar(client, "$.userAgent.browser"),
xdm.event.id = uuid,
xdm.source.asn.as_name = json_extract_scalar(securityContext,"$.asOrg"),
xdm.network.ip_protocol=XDM_CONST.IP_PROTOCOL_TCP;