Start free trial Contact Sales

The Search AI Company

Search, Security, Observability

Build tailored experiences with Elastic.

Elastic Search AI Platform overview

Scale your business with Elastic Partners

Partner overview

ELK Stack

Search and analytics, data ingestion, and visualization – all at your fingertips.

ELK Stack overview

By developers, for developers

Elastic Cloud

Unlock the power of real-time insights with Elastic on your preferred cloud provider.

Elastic Cloud overview

Generative AI

Prototype and integrate with LLMs faster using search AI.

Generative AI overview

Search

Discover a world of AI possibilities — built with the power of search.

Search Labs

Search overview

Security

Protect, investigate, and respond to cyber threats with AI-driven security analytics.

Security Labs

Security overview

Observability

Unify app and infrastructure visibility to proactively resolve issues.

Observability Labs

Observability overview

By solution

See how customers search, solve, and succeed — all on one Search AI Platform.

All customer stories

Industries

Exceed customer expectations and go to market faster.

Industries overview

Customer spotlight

Cisco saves 5,000 support engineer hours per month

Sitecore automates 96 percent of security workflows with Elastic

Comcast transforms customer experiences with Elastic Observability

Research

Stay at the forefront of innovation with technical tips from the experts.

Build

Code with other developers to create a better Elastic, together.

Learn

Unleash the possibilities of your data and grow your skill set.

Connect

Keep informed about the latest tech and news from Elastic.

Have questions?

New

The executive guide to generative AI

About us Partners Support|Login

Okta Integration


Version	3.6.0 (View all)
Compatible Kibana version(s)	8.18.0 or higher 9.0.0 or higher
Supported Serverless project types What's this?	Security Observability
Subscription level What's this?	Basic
Level of support What's this?	Elastic

The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API.

Agentless Enabled Integration

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ.

Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

Logs

System

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta.

Types Of Authentication

API Key

In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

Oauth2

In this type of authentication, we require the following information:

Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
Your Okta service app Client ID.
Your Okta service app JWK Private Key
The Okta scope that is required for OAuth2. [ By default this is set to okta.logs.read which should suffice for most use cases ]

Steps to acquire Okta Oauth2 credentials:

Acquire an Okta dev or user account with privileges to mint tokens with the okta.* scopes.
Log into your Okta account, navigate to Applications on the left-hand side, click on the Create App Integration button and create an API Services application.
Click on the created app, note down the Client ID and select the option for Public key/Private key.
Generate your own Private/Public key pair in the JWK format (PEM is not supported at the moment) and save it in a credentials JSON file or copy it to use directly in the config.

Okta Integration Network (OIN)

The Okta Integration Network provides a simple integration authentication based on OAuth2, but using an API key. In this type of authentication, we only require an API Key for authenticating the client and polling for Okta System Logs.

Your Okta domain URL. [ Example: https://dev-123456.okta.com ]
Your Okta service app Client ID.
Your Okta service app Client Secret.

Steps to configure Okta OIN authenticaton:

Log into your Okta account, navigate to Applications on the left-hand side, click on the Browse App Catalog button and search for "Elastic".
Click on the Elastic app card and then click Add Integration, and then Install & Authorize.
Copy the Client Secret.
Navigate to the Fleet integration configuration page for the integration.
Set the "Okta System Log API URL" field from the value of the Okta app with the URL path "/api/v1/logs" added as shown in the UI documentation
Set the "Okta Domain URL" field from the value of the Okta app
Set the "Client ID" field with the Client ID provided by the Okta app
Set the "API Key" field to the Client Secret provided by the Okta app
Set the "Use OIN Authentication" toggle to true

NOTE: Tokens with okta.* Scopes are generally minted from the Okta Org Auth server and not the default/custom authorization server. The standard Okta Org Auth server endpoint to mint tokens is https://<your_okta_org>.okta.com/oauth2/v1/token

		{
    "@timestamp": "2020-02-14T20:18:57.718Z",
    "agent": {
        "ephemeral_id": "2314526d-0d90-4c35-ba8f-5a48507e7dac",
        "id": "4bff512b-da80-4d11-9e9c-477b723e11d4",
        "name": "elastic-agent-20826",
        "type": "filebeat",
        "version": "8.17.3"
    },
    "client": {
        "geo": {
            "city_name": "Dublin",
            "country_name": "United States",
            "location": {
                "lat": 37.7201,
                "lon": -121.919
            },
            "region_name": "California"
        },
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx@elastic.co"
        }
    },
    "data_stream": {
        "dataset": "okta.system",
        "namespace": "54167",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "4bff512b-da80-4d11-9e9c-477b723e11d4",
        "snapshot": false,
        "version": "8.17.3"
    },
    "event": {
        "action": "user.session.start",
        "agent_id_status": "verified",
        "category": [
            "authentication",
            "session"
        ],
        "created": "2025-04-03T02:49:51.730Z",
        "dataset": "okta.system",
        "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
        "ingested": "2025-04-03T02:49:52Z",
        "kind": "event",
        "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}",
        "outcome": "success",
        "type": [
            "start",
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "okta": {
        "actor": {
            "alternate_id": "xxxxxx@elastic.co",
            "display_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "type": "User"
        },
        "authentication_context": {
            "authentication_step": 0,
            "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ"
        },
        "client": {
            "device": "Computer",
            "ip": "108.255.197.247",
            "user_agent": {
                "browser": "FIREFOX",
                "os": "Mac OS X",
                "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"
            },
            "zone": "null"
        },
        "debug_context": {
            "debug_data": {
                "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                "flattened": {
                    "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
                    "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                    "requestUri": "/api/v1/authn",
                    "threatSuspected": "false",
                    "url": "/api/v1/authn?"
                },
                "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
                "request_uri": "/api/v1/authn",
                "threat_suspected": "false",
                "url": "/api/v1/authn?"
            }
        },
        "display_message": "User login to Okta",
        "event_type": "user.session.start",
        "outcome": {
            "result": "SUCCESS"
        },
        "request": {
            "ip_chain": [
                {
                    "geographical_context": {
                        "city": "Dublin",
                        "country": "United States",
                        "geolocation": {
                            "lat": 37.7201,
                            "lon": -121.919
                        },
                        "postal_code": "94568",
                        "state": "California"
                    },
                    "ip": "108.255.197.247",
                    "version": "V4"
                }
            ]
        },
        "transaction": {
            "id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
            "type": "WEB"
        },
        "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546"
    },
    "related": {
        "ip": [
            "108.255.197.247"
        ],
        "user": [
            "xxxxxx",
            "xxxxxx@elastic.co"
        ]
    },
    "source": {
        "ip": "108.255.197.247",
        "user": {
            "full_name": "xxxxxx",
            "id": "00u1abvz4pYqdM8ms4x6",
            "name": "xxxxxx@elastic.co"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "okta-system"
    ],
    "user": {
        "full_name": "xxxxxx",
        "name": "xxxxxx@elastic.co"
    },
    "user_agent": {
        "device": {
            "name": "Mac"
        },
        "name": "Firefox",
        "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
        "os": {
            "full": "Mac OS X 10.15",
            "name": "Mac OS X",
            "version": "10.15"
        },
        "version": "72.0"
    }
}

	

Field	Description	Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.namespace	A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.type	An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.	constant_keyword
event.dataset	Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.	constant_keyword
event.module	Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Type of Filebeat input.	keyword
log.flags	Flags for the log file.	keyword
log.offset	Offset of the entry in the log file.	long
okta.actor.alternate_id	Alternate identifier of the actor.	keyword
okta.actor.display_name	Display name of the actor.	keyword
okta.actor.id	Identifier of the actor.	keyword
okta.actor.type	Type of the actor.	keyword
okta.authentication_context.authentication_provider	The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.	keyword
okta.authentication_context.authentication_step	The authentication step.	integer
okta.authentication_context.credential_provider	The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.	keyword
okta.authentication_context.credential_type	The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.	keyword
okta.authentication_context.external_session_id	The session identifer of the external session if any.	keyword
okta.authentication_context.interface	The interface used. e.g., Outlook, Office365, wsTrust	keyword
okta.authentication_context.issuer.id	The identifier of the issuer.	keyword
okta.authentication_context.issuer.type	The type of the issuer.	keyword
okta.client.device	The information of the client device.	keyword
okta.client.id	The identifier of the client.	keyword
okta.client.ip	The IP address of the client.	ip
okta.client.user_agent.browser	The browser informaton of the client.	keyword
okta.client.user_agent.os	The OS informaton.	keyword
okta.client.user_agent.raw_user_agent	The raw informaton of the user agent.	keyword
okta.client.zone	The zone information of the client.	keyword
okta.debug_context.debug_data		object
okta.debug_context.debug_data.authnRequestId	The authorization request ID.	keyword
okta.debug_context.debug_data.behaviors		keyword
okta.debug_context.debug_data.behaviors.New_City		keyword
okta.debug_context.debug_data.behaviors.New_Country		keyword
okta.debug_context.debug_data.behaviors.New_Device		keyword
okta.debug_context.debug_data.behaviors.New_Geo_Location		keyword
okta.debug_context.debug_data.behaviors.New_IP		keyword
okta.debug_context.debug_data.behaviors.New_State		keyword
okta.debug_context.debug_data.behaviors.Velocity		keyword
okta.debug_context.debug_data.behaviors.Velocity_Behavior		keyword
okta.debug_context.debug_data.client_secret		keyword
okta.debug_context.debug_data.device_fingerprint	The fingerprint of the device.	keyword
okta.debug_context.debug_data.dt_hash	The device token hash	keyword
okta.debug_context.debug_data.factor	The factor used for authentication.	keyword
okta.debug_context.debug_data.flattened	The complete debug_data object.	flattened
okta.debug_context.debug_data.grant_type		keyword
okta.debug_context.debug_data.granted_scopes		keyword
okta.debug_context.debug_data.logOnlySecurityData		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_City		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Country		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Device		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_Geo_Location		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_IP		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.New_State		keyword
okta.debug_context.debug_data.logOnlySecurityData.behaviors.Velocity		keyword
okta.debug_context.debug_data.logOnlySecurityData.risk		keyword
okta.debug_context.debug_data.logOnlySecurityData.risk.level		keyword
okta.debug_context.debug_data.logOnlySecurityData.risk.reasons		keyword
okta.debug_context.debug_data.originalPrincipal		keyword
okta.debug_context.debug_data.originalPrincipal.alternateId		keyword
okta.debug_context.debug_data.originalPrincipal.displayName		keyword
okta.debug_context.debug_data.originalPrincipal.id		keyword
okta.debug_context.debug_data.originalPrincipal.type		keyword
okta.debug_context.debug_data.promptingPolicyTypes		keyword
okta.debug_context.debug_data.request_id	The identifier of the request.	keyword
okta.debug_context.debug_data.request_uri	The request URI.	keyword
okta.debug_context.debug_data.requested_scopes		keyword
okta.debug_context.debug_data.risk		keyword
okta.debug_context.debug_data.risk.level		keyword
okta.debug_context.debug_data.risk.reasons		keyword
okta.debug_context.debug_data.risk_behaviors	The set of behaviors that contribute to a risk assessment.	keyword
okta.debug_context.debug_data.risk_level	The risk level assigned to the sign in attempt.	keyword
okta.debug_context.debug_data.risk_object		keyword
okta.debug_context.debug_data.risk_reasons	The reasons for the risk.	keyword
okta.debug_context.debug_data.threat_suspected	Threat suspected.	keyword
okta.debug_context.debug_data.tunnels		object
okta.debug_context.debug_data.url	The URL.	keyword
okta.device.device_integrator		flattened
okta.device.disk_encryption_type	The value of the device profile’s disk encryption type. One of "NONE", "FULL", "USER", "ALL_INTERNAL_VOLUMES" or "SYSTEM_VOLUME".	keyword
okta.device.id	Identifier of the device.	keyword
okta.device.managed	Whether the device is managed.	boolean
okta.device.name	The name of the device.	keyword
okta.device.os_platform	The OS of the device.	keyword
okta.device.os_version	The device's OS version.	keyword
okta.device.registered	Whether the device is registered.	boolean
okta.device.screen_lock_type	The mechanism for locking the device's screen. One of "NONE", "PASSCODE" or "BIOMETRIC".	keyword
okta.device.secure_hardware_present	Whether there is secure hardware present on the device. This is a checks for chip presence: trusted platform module (TPM) or secure enclave. It does not mark whether there are tokens on the secure hardware.	boolean
okta.display_message	The display message of the LogEvent.	keyword
okta.event_type	The type of the LogEvent.	keyword
okta.outcome.reason	The reason of the outcome.	keyword
okta.outcome.result	The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.	keyword
okta.request.ip_chain		flattened
okta.security_context.as.number	The AS number.	integer
okta.security_context.as.organization.name	The organization name.	keyword
okta.security_context.domain	The domain name.	keyword
okta.security_context.is_proxy	Whether it is a proxy or not.	boolean
okta.security_context.isp	The Internet Service Provider.	keyword
okta.severity	The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.	keyword
okta.target.alternate_id	The alternate ID of the target.	keyword
okta.target.changeDetails.from.*		object
okta.target.changeDetails.to.*		object
okta.target.detailEntry.*		object
okta.target.display_name	The display name of the target.	keyword
okta.target.id	The ID of the target.	keyword
okta.target.type	The type of target.	keyword
okta.transaction.detail.request_api_token_id	ID of the API token used in a request.	keyword
okta.transaction.id	Identifier of the transaction.	keyword
okta.transaction.type	The type of transaction. Must be one of "WEB", "JOB".	keyword
okta.uuid	The unique identifier of the Okta LogEvent.	keyword
okta.version	The version of the LogEvent.	keyword

Changelog

Version	Details	Kibana version(s)
3.6.0	Enhancement (View pull request) Set `user.name` from Okta `actor.alternateId` field without modification.	8.18.0 or higher 9.0.0 or higher
3.5.1	Bug fix (View pull request) Fix request trace log removal.	8.18.0 or higher 9.0.0 or higher
3.5.0	Enhancement (View pull request) Add agentless deployment.	8.18.0 or higher 9.0.0 or higher
3.4.2	Bug fix (View pull request) Updated SSL description in package manifest.yml to be uniform and to include links to documentation.	8.15.0 or higher
3.4.1	Bug fix (View pull request) Fix ECS event.category and event.type mappings.	8.15.0 or higher
3.4.0	Enhancement (View pull request) Do not remove `event.original` in main ingest pipeline.	8.15.0 or higher
3.3.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".	8.15.0 or higher
3.2.0	Enhancement (View pull request) Parse JSON string in `okta.debug_context.debug_data.tunnels`.	8.15.0 or higher
3.1.0	Enhancement (View pull request) Add support for deleting request trace files.	8.15.0 or higher
3.0.0	Enhancement (View pull request) Make `okta.target` use dynamic objects instead of flattened.	8.15.0 or higher
2.13.0	Enhancement (View pull request) Include `grantedScopes`, `grantType`, `clientSecret` and `requestedScopes` fields from debug data.	8.15.0 or higher
2.12.2	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	8.15.0 or higher
2.12.1	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	8.15.0 or higher
2.12.0	Enhancement (View pull request) Allow user configuration of debug_data flattened use.	8.15.0 or higher
2.11.0	Enhancement (View pull request) Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	8.13.0 or higher
2.10.0	Enhancement (View pull request) Support OIN service application authentication.	8.13.0 or higher
2.9.0	Enhancement (View pull request) Allow private key to be supplied as a PEM block.	8.13.0 or higher
2.8.0	Enhancement (View pull request) Set sensitive values as secret.	8.12.0 or higher
2.7.1	Enhancement (View pull request) Changed owners	8.10.1 or higher
2.7.0	Enhancement (View pull request) Add okta.transaction.detail.request_api_token_id field.	8.10.1 or higher
2.6.0	Enhancement (View pull request) Limit request tracer log count to five.	8.10.1 or higher
2.5.0	Enhancement (View pull request) ECS version updated to 8.11.0.	8.10.1 or higher
2.4.0	Enhancement (View pull request) Improve 'event.original' check to avoid errors if set.	8.10.1 or higher
2.3.1-next	Bug fix (View pull request) Fix mapping of group fields	—
2.3.0	Enhancement (View pull request) Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.10.1 or higher
2.2.0	Enhancement (View pull request) Update the package format_version to 3.0.0.	8.10.1 or higher
2.1.0	Enhancement (View pull request) Update package to ECS 8.10.0, align ECS categorization fields, and updated stack version to ^8.10.1 per security fix.	8.10.1 or higher
2.0.0	Enhancement (View pull request) Added Okta Oauth2 support, refactored the UI accordingly & updated stack version to ^8.10.0.	8.10.0 or higher
1.28.0	Enhancement (View pull request) Retain `okta.debug_context.debug_data.dt_hash` field.	8.7.1 or higher
1.27.0	Enhancement (View pull request) Update package-spec 2.9.0.	8.7.1 or higher
1.26.0	Enhancement (View pull request) Update package to ECS 8.9.0.	8.7.1 or higher
1.25.0	Enhancement (View pull request) Document duration units.	8.7.1 or higher
1.24.0	Enhancement (View pull request) Convert visualizations to lens.	8.7.1 or higher
1.23.0	Enhancement (View pull request) Document valid duration units.	8.7.1 or higher
1.22.1	Bug fix (View pull request) Fix a concurrent modification exception that occurred while modifying okta.target[].detailEntry.	8.7.1 or higher
1.22.0	Enhancement (View pull request) Update package to ECS 8.8.0.	8.7.1 or higher
1.21.0	Enhancement (View pull request) Add support for okta.device field group. Enhancement (View pull request) Retain `okta.target.detailEntry.methodTypeUsed` and `okta.target.detailEntry.methodUsedVerifiedProperties`.	8.7.1 or higher
1.20.0	Enhancement (View pull request) Add a new flag to enable request tracing	8.7.1 or higher
1.19.1	Enhancement (View pull request) Remove redundant rename processors.	8.6.0 or higher
1.19.0	Enhancement (View pull request) Retain target information.	8.6.0 or higher
1.18.0	Enhancement (View pull request) Update package to ECS 8.7.0.	8.6.0 or higher
1.17.0	Enhancement (View pull request) Extract username from email	8.6.0 or higher
1.16.1	Enhancement (View pull request) Added categories and/or subcategories.	8.6.0 or higher
1.16.0	Enhancement (View pull request) Allow configuration of HTTP keep-alive to allow for connection reuse.	8.6.0 or higher
1.15.1	Bug fix (View pull request) Fix documentation typo.	8.1.0 or higher
1.15.0	Enhancement (View pull request) Make debug_data risk factors and behaviors visible to search.	8.1.0 or higher
1.14.0	Enhancement (View pull request) Update package to ECS 8.6.0.	8.1.0 or higher
1.13.0	Enhancement (View pull request) Make debug_data risk reasons visible to search.	8.1.0 or higher
1.12.1	Bug fix (View pull request) Make extra efforts to extract risk information from debug_data.	8.1.0 or higher
1.12.0	Enhancement (View pull request) Handle already set event.original more robustly.	8.1.0 or higher
1.11.2	Enhancement (View pull request) Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load	8.1.0 or higher
1.11.1	Bug fix (View pull request) Remove duplicate fields.	7.14.0 or higher 8.0.0 or higher
1.11.0	Enhancement (View pull request) Update package to ECS 8.5.0.	7.14.0 or higher 8.0.0 or higher
1.10.3	Bug fix (View pull request) Mark url config option as a required field	7.14.0 or higher 8.0.0 or higher
1.10.2	Enhancement (View pull request) Use ECS geo.location definition.	7.14.0 or higher 8.0.0 or higher
1.10.1	Bug fix (View pull request) Mark api_key config option as a required field	7.14.0 or higher 8.0.0 or higher
1.10.0	Enhancement (View pull request) Update package to ECS 8.4.0	7.14.0 or higher 8.0.0 or higher
1.9.2	Bug fix (View pull request) Fix proxy URL documentation rendering.	7.14.0 or higher 8.0.0 or higher
1.9.1	Enhancement (View pull request) Update package name and description to align with standard wording	7.14.0 or higher 8.0.0 or higher
1.9.0	Enhancement (View pull request) Update package to ECS 8.3.0.	7.14.0 or higher 8.0.0 or higher
1.8.0	Enhancement (View pull request) Add `okta.debug_context.debug_data.risk_level` field Enhancement (View pull request) Add flattened `okta.debug_context.debug_data.flattened.log_only_security_data.` fields Bug fix* (View pull request) Fix mapping type for `client.as.number`	7.14.0 or higher 8.0.0 or higher
1.7.0	Enhancement (View pull request) Add flattened `okta.request.ip_chain.*` fields	7.14.0 or higher 8.0.0 or higher
1.6.0	Enhancement (View pull request) Update to ECS 8.2	7.14.0 or higher 8.0.0 or higher
1.5.2	Bug fix (View pull request) Handle invalid values in client.ipAddress	7.14.0 or higher 8.0.0 or higher
1.5.1	Enhancement (View pull request) Add documentation for multi-fields	7.14.0 or higher 8.0.0 or higher
1.5.0	Enhancement (View pull request) Increase the limit for the number of results in an API response.	7.14.0 or higher 8.0.0 or higher
1.4.1	Enhancement (View pull request) Add missing field mapping for event.created.	—
1.4.0	Enhancement (View pull request) Update to ECS 8.0	7.14.0 or higher 8.0.0 or higher
1.3.2	Bug fix (View pull request) Regenerate test files using the new GeoIP database	7.14.0 or higher 8.0.0 or higher
1.3.1	Bug fix (View pull request) Change test public IPs to the supported subset	—
1.3.0	Enhancement (View pull request) Add 8.0.0 version constraint	7.14.0 or higher 8.0.0 or higher
1.2.3	Enhancement (View pull request) Uniform with guidelines	7.14.0 or higher
1.2.2	Enhancement (View pull request) Update Title and Description.	—
1.2.1	Bug fix (View pull request) Fix logic that checks for the 'forwarded' tag	—
1.2.0	Enhancement (View pull request) Update to ECS 1.12.0	7.14.0 or higher
1.1.3	Enhancement (View pull request) Add proxy config	—
1.1.2	Enhancement (View pull request) Convert to generated ECS fields	—
1.1.1	Enhancement (View pull request) update to ECS 1.11.0	—
1.1.0	Enhancement (View pull request) Update integration description	7.14.0 or higher
1.0.1	Bug fix (View pull request) add missing `initial_interval` option to the manifest	—
1.0.0	Enhancement (View pull request) make GA Enhancement (View pull request) Set "event.module" and "event.dataset"	7.14.0 or higher
0.6.0	Enhancement (View pull request) Update to ECS 1.10.0 and add event.original options	—
0.5.2	Enhancement (View pull request) Add httpjson system tests and remove log input.	—
0.5.1	Enhancement (View pull request) Make event.original optional	—
0.5.0	Enhancement (View pull request) change okta.target to flattened type	—
0.4.2	Bug fix (View pull request) add fail_on_template_error on pagination	—
0.4.1	Enhancement (View pull request) update to ECS 1.9.0	—
0.4.0	Enhancement (View pull request) Moves edge processing to ingest pipeline	—
0.3.1	Bug fix (View pull request) Change kibana.version constraint to be more conservative.	—
0.1.0	Enhancement (View pull request) initial release	—