The Okta.SystemLog schema contains a field called logOnlySecurityData, nested at debugContext:debugData:logOnlySecurityData, which Panther does not parse.
This field should be treated as a
String type field. To query this field, you can use the
For example, to extract the events with a MEDIUM risk level, run the following query:
SELECT * FROM panther_logs.public.okta_systemlog WHERE debugContext:debugData:logOnlySecurityData LIKE '%"level":"MEDIUM"%' ORDER BY p_event_time DESC LIMIT 100
Note that LIKE performs a substring match on the raw string, so the pattern must match the exact formatting Okta emits (here, no whitespace around the colon).
Okta delivers this subfield as a String. Because the enclosing field debugContext is defined as JSON in the Panther schema, Panther stores its contents as received and does not parse the nested logOnlySecurityData string any further.
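The following Python is an added example, not code from the Panther documentation or from Okta. It reproduces, over constructed Okta.SystemLog-shaped rows, the two ways of reading logOnlySecurityData: the substring match the LIKE query above performs, and a JSON parse of the string-typed subfield. The risk.level key path inside logOnlySecurityData is an assumption about Okta's payload layout, as is the exact shape of the sample rows; the point the example shows is that a substring match silently misses a syntactically equivalent but differently spaced string, while parsing does not, and that both must tolerate a missing or malformed field.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample rows in the shape of Panther's Okta.SystemLog events
# (not real Okta data). logOnlySecurityData is a JSON document stored as a
# string, exactly as Panther receives it; the risk.level path is assumed.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"uuid": "evt-1", "debugContext": {"debugData": {
        "logOnlySecurityData": '{"risk":{"level":"MEDIUM"},"behaviors":{"New Device":"POSITIVE"}}'}}},
    # Same content, but with spaces after the colons: the LIKE pattern misses it.
    {"uuid": "evt-2", "debugContext": {"debugData": {
        "logOnlySecurityData": '{"risk": {"level": "MEDIUM"}}'}}},
    {"uuid": "evt-3", "debugContext": {"debugData": {
        "logOnlySecurityData": '{"risk":{"level":"LOW"}}'}}},
    # Field absent entirely.
    {"uuid": "evt-4", "debugContext": {"debugData": {}}},
    # Field present but not valid JSON.
    {"uuid": "evt-5", "debugContext": {"debugData": {
        "logOnlySecurityData": "not json"}}},
]


def log_only_security_data(event: Dict[str, Any]) -> Optional[str]:
    """Return the raw string at debugContext:debugData:logOnlySecurityData, or None."""
    value = event.get("debugContext", {}).get("debugData", {}).get("logOnlySecurityData")
    return value if isinstance(value, str) else None


def matches_like(event: Dict[str, Any], level: str) -> bool:
    """Equivalent of: ... LIKE '%"level":"<level>"%' on the raw string.
    Purely textual: depends on the exact formatting Okta emits."""
    raw = log_only_security_data(event)
    return raw is not None and f'"level":"{level}"' in raw


def risk_level(event: Dict[str, Any]) -> Optional[str]:
    """Parse the string-typed subfield as JSON and return risk.level (assumed path).
    Returns None when the field is missing, malformed, or lacks the key."""
    raw = log_only_security_data(event)
    if raw is None:
        return None
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    risk = data.get("risk")
    if not isinstance(risk, dict):
        return None
    level = risk.get("level")
    return level if isinstance(level, str) else None


def select_by_like(events: List[Dict[str, Any]], level: str = "MEDIUM") -> List[str]:
    """Event uuids the substring match would return."""
    return [e["uuid"] for e in events if matches_like(e, level)]


def select_by_parse(events: List[Dict[str, Any]], level: str = "MEDIUM") -> List[str]:
    """Event uuids a structural comparison on the parsed JSON returns."""
    return [e["uuid"] for e in events if risk_level(e) == level]


if __name__ == "__main__":
    print("LIKE match:", select_by_like(SAMPLE_EVENTS))
    print("JSON parse:", select_by_parse(SAMPLE_EVENTS))
```

In the data lake itself the parse step would be done in SQL rather than Python; in Snowflake, which backs the panther_logs database, the analogous expression is TRY_PARSE_JSON(debugContext:debugData:logOnlySecurityData):risk:level = 'MEDIUM', which returns NULL rather than failing on rows where the string is absent or not valid JSON. That query is a suggestion of this editor, not one from the page.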