
Conversation

@moxarth-rathod
Contributor

@moxarth-rathod moxarth-rathod commented Nov 4, 2025

Proposed commit message

okta: add missing event categories

[git-generate]
MAPPINGS=https://gist.github.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4#file-okta_event_categories_with_ecs-json
SCRIPT=https://gist.github.com/moxarth-rathod/a0f59f128a207deb162ab31b64eb19d4#file-main-go
curl -o okta_event_categories_with_ecs.json $MAPPINGS
curl -o main.go $SCRIPT
go run main.go > /packages/okta/data_stream/system/elasticsearch/ingest_pipeline/ecs_category_type.yml
rm -i main.go okta_event_categories_with_ecs.json go.mod go.sum

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/okta directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

@moxarth-rathod moxarth-rathod self-assigned this Nov 4, 2025
@moxarth-rathod moxarth-rathod added the enhancement New feature or request label Nov 4, 2025
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner November 4, 2025 10:46
@moxarth-rathod moxarth-rathod added Integration:okta Okta Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Nov 4, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Nov 4, 2025
@ShourieG
Contributor

ShourieG commented Nov 6, 2025

@moxarth-rathod, looks good, majority of the pipeline was autogenerated so looks fine, please fix the PR no. and I'll approve.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @moxarth-rathod

@moxarth-rathod
Contributor Author

@terrancedejesus @ShourieG @efd6 fyi, I had to adjust some of the suggested mappings because certain event categories contained invalid event types. For example, the access.request.cancel event category was set to iam with event types access and deletion, but iam only allows the following event types: admin, change, creation, deletion, group, info, and user. Therefore, I removed access to align with the allowed values.

@efd6
Contributor

efd6 commented Nov 7, 2025

Can you confirm that you have used the generator shown in #15235 (comment) with the definitions in #15235 (comment)?

@moxarth-rathod
Contributor Author

Can you confirm that you have used the generator shown in #15235 (comment) with the definitions in #15235 (comment)?

Yes, but I made a few changes during testing, including adding null handling. Also, some event types were invalid for their respective categories, so I've updated those definitions accordingly.

@@ -0,0 +1,6527 @@
---
description: |-
Code generated by dispear; DO NOT EDIT.
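Review bot: the header of this 6527-line generated file records the generator ("Code generated by dispear; DO NOT EDIT.") but not the inputs it was generated from, so a reader of the file cannot tell whether it still matches the mapping definitions the commit message pulls from the MAPPINGS gist. Suggest extending the description with the generator inputs (the MAPPINGS location, or a content hash of okta_event_categories_with_ecs.json) so that a stale pipeline is detectable from the file itself rather than only from the commit history.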
Member


Can you please share the exact code used to produce this in a gist for me to replicate and validate.

Contributor

@efd6 efd6 Nov 9, 2025


My preferred approach would be to have something like (until we can commit this kind of data) (exact text depends on how the definition data is ingested by the generator and will require some additions to handle dep modules):

informative commit message title

[git-generate]
MAPPINGS=<link to git or other stable location for the JSON definitions>
curl -o okta_event_categories_with_ecs.json $MAPPINGS
cat >main.go <<END
package main
…
END
go run main.go > packages/okta/…
rm -i main.go okta_event_categories_with_ecs.json

Contributor Author


@andrewkroh I've prepared a gist for the script to generate a pipeline. I'll also update the commit message with the gist and proper steps to run it.

Member

@andrewkroh andrewkroh Nov 11, 2025


Thanks. And how is the Okta JSON file created? It looks like it is a conversion of the CSV given at the link below to JSON, and then some categories were assigned?

It would be good to be able to easily identify when our pipeline is no longer in sync with the Okta event types (i.e. there are new event types that need to be added and manually categorized). So it might be better if the inputs to the Go script were the raw CSV from okta.com plus a table of event types to ECS categories. And the script fails when there are uncategorized event types.

For an example, we already need to update that Okta JSON content because there are new events types in the 2025.10 okta release.

https://developer.okta.com/docs/reference/api/event-types/
https://developer.okta.com/docs/okta-event-types.csv
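Added example, not the PR's generator and not the gist script: a small Go program in the shape andrewkroh describes above. It takes an excerpt of the Okta event-types CSV plus a hand-maintained event type to ECS table, fails when any event type in the CSV is uncategorized, and also rejects event.type values that ECS does not allow for the mapped event.category (the iam list quoted earlier in the thread, where access.request.cancel carried an invalid "access" type). The CSV rows, the mapping table, the authentication allowed-types row and the YAML set-processor shape are constructed assumptions for illustration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Constructed sample in the shape of Okta's event-types CSV (header + rows);
// the real file from developer.okta.com is far longer.
const oktaEventTypesCSV = `Event Type,Description
user.session.start,User login to Okta
access.request.cancel,Access request cancelled
user.account.update_password,User updated their password
app.oauth2.token.grant,OAuth2 token granted
`

// ECSMapping is one row of the hand-maintained event type -> ECS table.
type ECSMapping struct {
	Category string
	Types    []string
}

// Constructed mapping table. access.request.cancel deliberately carries the
// invalid "access" type discussed in the PR; app.oauth2.token.grant is left
// unmapped to show the fail-on-uncategorized path.
var mappings = map[string]ECSMapping{
	"user.session.start":           {Category: "authentication", Types: []string{"start"}},
	"access.request.cancel":        {Category: "iam", Types: []string{"access", "deletion"}},
	"user.account.update_password": {Category: "iam", Types: []string{"user", "change"}},
}

// Allowed event.type values per event.category. The iam row is the list quoted
// in the PR thread; the authentication row is assumed from the ECS reference.
var allowedTypes = map[string][]string{
	"iam":            {"admin", "change", "creation", "deletion", "group", "info", "user"},
	"authentication": {"start", "end", "info"},
}

// ParseEventTypes reads the first column of the Okta CSV, skipping the header.
func ParseEventTypes(data string) ([]string, error) {
	records, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	var types []string
	for i, rec := range records {
		if i == 0 || len(rec) == 0 {
			continue
		}
		types = append(types, strings.TrimSpace(rec[0]))
	}
	return types, nil
}

// Uncategorized returns, sorted, every Okta event type with no ECS mapping.
func Uncategorized(eventTypes []string, m map[string]ECSMapping) []string {
	var missing []string
	for _, et := range eventTypes {
		if _, ok := m[et]; !ok {
			missing = append(missing, et)
		}
	}
	sort.Strings(missing)
	return missing
}

// InvalidTypes returns, per event type, the event.type values that ECS does
// not allow for the mapped category (all of them if the category is unknown).
func InvalidTypes(m map[string]ECSMapping, allowed map[string][]string) map[string][]string {
	bad := map[string][]string{}
	for et, mp := range m {
		ok := map[string]bool{}
		for _, t := range allowed[mp.Category] {
			ok[t] = true
		}
		for _, t := range mp.Types {
			if !ok[t] {
				bad[et] = append(bad[et], t)
			}
		}
	}
	return bad
}

// RenderPipeline emits a set-processor fragment per mapped event type, or an
// error if any event type is uncategorized or carries an invalid event.type,
// so the generator fails loudly instead of emitting a stale pipeline.
func RenderPipeline(csvData string, m map[string]ECSMapping, allowed map[string][]string) (string, error) {
	eventTypes, err := ParseEventTypes(csvData)
	if err != nil {
		return "", err
	}
	if missing := Uncategorized(eventTypes, m); len(missing) > 0 {
		return "", fmt.Errorf("uncategorized Okta event types: %s", strings.Join(missing, ", "))
	}
	if bad := InvalidTypes(m, allowed); len(bad) > 0 {
		return "", fmt.Errorf("invalid event.type values: %v", bad)
	}
	var b strings.Builder
	for _, et := range eventTypes {
		mp := m[et]
		fmt.Fprintf(&b, "  - set:\n      field: event.category\n      value: [%s]\n      if: ctx.okta?.event_type == '%s'\n", mp.Category, et)
		fmt.Fprintf(&b, "  - set:\n      field: event.type\n      value: [%s]\n      if: ctx.okta?.event_type == '%s'\n", strings.Join(mp.Types, ", "), et)
	}
	return b.String(), nil
}

func main() {
	out, err := RenderPipeline(oktaEventTypesCSV, mappings, allowedTypes)
	if err != nil {
		fmt.Fprintln(os.Stderr, "generation failed:", err)
		os.Exit(1) // non-zero exit so CI notices a drifted or invalid table
	}
	fmt.Print(out)
}
```

Run as written, the program exits non-zero and reports both the unmapped app.oauth2.token.grant and the disallowed "access" type; once the table is corrected it prints the processor fragment. Making the raw Okta CSV one of the inputs is what turns a new Okta release into a failing generator run rather than silently uncategorized events.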

@terrancedejesus
Copy link
Contributor

terrancedejesus commented Nov 10, 2025

@terrancedejesus @ShourieG @efd6 fyi, I had to adjust some of the suggested mappings because certain event categories contained invalid event types. For example, the access.request.cancel event category was set to iam with event types access and deletion, but iam only allows the following event types: admin, change, creation, deletion, group, info, and user. Therefore, I removed access to align with the allowed values.

Thank you for doing so and sharing why. I reviewed the docs briefly this morning. I am surprised iam does not allow at least allowed and denied event types? For example:

  • OAuth request for token (IAM) - access was allowed to this resource
  • SAML request for access (IAM) - access was denied to this resource

Especially when we consider IAM covering behavior such as token issuance. Are these boundaries set within the elasticsearch codebase or at an integration level? Understandably it is out-of-scope for this PR but I can carry the conversation forward to the appropriate team.

Development

Successfully merging this pull request may close these issues.

[Okta] Add Missing Event Categories