[ASIM] Make changes to Authentication ASIM OktaSSO and OktaV2 parser #13401
Conversation
oshezaf
left a comment
oshezaf
left a comment
There was a problem hiding this comment.
The column_if_exists statements are very expensive as they imply calculated columns later on. There is a reason to why they are used (needed only for V1 tables. I can explain more). It certainly makes prefiltering ineffective. The way around it is to use a union and s datatable:
let empty = datatable (uni_s:string) [];
(Syslog | union empty)
| where uni_s == ""
Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaOSS.yaml
Outdated
Show resolved
Hide resolved
Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaOSS.yaml
Outdated
Show resolved
Hide resolved
Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaOSS.yaml
Outdated
Show resolved
Hide resolved
yummyblabla
changed the title
oshezaf
left a comment
oshezaf
left a comment
There was a problem hiding this comment.
Thanks! looks good. Two small comments.
| | where not(disabled) | ||
| | lookup OutcomeReasonLookup on outcome_reason_s | ||
| | extend EventResultDetails = iif(outcome_result_s in (OktaFailedOutcome), coalesce(EventResultDetails, "Other"), "") | ||
| | extend |
There was a problem hiding this comment.
Split between extend for calculated fields and project-rename for just mapping.
There was a problem hiding this comment.
Agreed. Updated in latest iteration
| EventOriginalSubType=legacyEventType_s, | ||
| EventMessage=displayMessage_s, | ||
| EventOriginalResultDetails=outcome_reason_s, | ||
| EventOriginalUid=coalesce(uuid_g, ""), |
There was a problem hiding this comment.
No need for coalesce I think, so can be project-renamed.
There was a problem hiding this comment.
By product of initial testing. Removed.
Changes to Authentication OktaSSO parser:
EventSubType --> EventOriginalSubtype Change Rationale:
TargetUserType mapping addition Rationale: