diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml index 0bf2ecf25f0..5dfdc3f9526 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml @@ -92,11 +92,22 @@ ParserQuery: | , TargetUserIdType=column_ifexists('ActorUserIdType',"") , TargetUsernameType=column_ifexists('ActorUsernameType',"") , SrcIpAddr = column_ifexists('SrcIpAddr',"") + //** extend non-normalized fields to be projected-away + , ActorDetailEntry, ActorDisplayName, AuthenticationContextAuthenticationProvider, AuthenticationContextAuthenticationStep + , AuthenticationContextCredentialProvider, AuthenticationContextInterface, AuthenticationContextIssuerId, AuthenticationContextIssuerType + , DebugData, DvcAction, OriginalActorAlternateId, OriginalClientDevice, OriginalOutcomeResult, OriginalSeverity, OriginalTarget + , OriginalUserId, OriginalUserType, Request, SecurityContextAsNumber, SecurityContextAsOrg, SecurityContextDomain, SecurityContextIsProxy + , TransactionDetail, TransactionId, TransactionType // ** Aliases | extend User=TargetUsername , Dvc=EventVendor - , IpAddr=SrcIpAddr; + , IpAddr=SrcIpAddr + | project-away ActorDetailEntry, ActorDisplayName, AuthenticationContextAuthenticationProvider, AuthenticationContextAuthenticationStep + , AuthenticationContextCredentialProvider, AuthenticationContextInterface, AuthenticationContextIssuerId, AuthenticationContextIssuerType + , DebugData, DvcAction, OriginalActorAlternateId, OriginalClientDevice, OriginalOutcomeResult, OriginalSeverity, OriginalTarget + , OriginalUserId, OriginalUserType, Request, SecurityContextAsNumber, SecurityContextAsOrg, SecurityContextDomain, SecurityContextIsProxy + , TransactionDetail, TransactionId, TransactionType; union isfuzzy=true OktaV1, OktaV2; }; parser(disabled=disabled)