entityanalytics_okta: record whether a user's credentials include a r…

…ecovery question (#10702)

packages/entityanalytics_okta/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.0"
+  changes:
+    - description: Record whether a user's credentials include a recovery question.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10702
 - version: "1.2.0"
   changes:
     - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json

@@ -40,7 +40,8 @@
                     "provider": {
                         "type": "OKTA",
                         "name": "OKTA"
-                    }
+                    },
+                    "recovery_question": {}
                 }
             },
             "user": {

packages/entityanalytics_okta/data_stream/user/_dev/test/pipeline/test-user.json-expected.json

@@ -26,6 +26,9 @@
                         "provider": {
                             "name": "OKTA",
                             "type": "OKTA"
+                        },
+                        "recovery_question": {
+                            "is_set": true
                         }
                     },
                     "id": "00ub0oNGTSWTBKOLGLNR",

packages/entityanalytics_okta/data_stream/user/elasticsearch/ingest_pipeline/default.yml

@@ -548,6 +548,19 @@ processors:
       tag: append_user_profile_manager_name_into_related_user
       allow_duplicates: false
       if: ctx.entityanalytics_okta?.user?.profile?.manager?.name != null
+  - set:
+      field: okta.credentials.recovery_question.is_set
+      value: true
+      if: ctx.okta?.credentials?.recovery_question != null
+  - set:
+      field: okta.credentials.recovery_question.is_set
+      value: false
+      if: ctx.okta?.credentials?.recovery_question == null
+  - rename:
+      field: okta.credentials.recovery_question
+      target_field: entityanalytics_okta.user.credentials.recovery_question
+      tag: rename_user_credentials_recovery_question
+      ignore_missing: true
   - rename:
       field: okta.credentials.provider.type
       target_field: entityanalytics_okta.user.credentials.provider.type

packages/entityanalytics_okta/data_stream/user/fields/fields.yml

@@ -26,6 +26,8 @@
                   type: keyword
                 - name: type
                   type: keyword
+            - name: recovery_question.is_set
+              type: boolean
         - name: id
           type: keyword
           description: unique key for user.

packages/entityanalytics_okta/docs/README.md

@@ -280,6 +280,7 @@ An example event for `user` looks as following:
 | entityanalytics_okta.user.created | timestamp when user was created. | date |
 | entityanalytics_okta.user.credentials.provider.name |  | keyword |
 | entityanalytics_okta.user.credentials.provider.type |  | keyword |
+| entityanalytics_okta.user.credentials.recovery_question.is_set |  | boolean |
 | entityanalytics_okta.user.id | unique key for user. | keyword |
 | entityanalytics_okta.user.last_login | timestamp of last login. | date |
 | entityanalytics_okta.user.last_updated | timestamp when user was last updated. | date |

packages/entityanalytics_okta/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: entityanalytics_okta
 title: Okta Entity Analytics
-version: "1.2.0"
+version: "1.3.0"
 description: "Collect User Identities from Okta with Elastic Agent."
 type: integration
 categories: