Issue

There is a field called logOnlySecurityData in the Okta.SystemLog schema, nested at debugContext:debugData:logOnlySecurityData, which is not parsed: its JSON content is stored as a single String value rather than as queryable subfields.

Resolution

This field should be treated as a String type field. Because the value is an unparsed string, a JSON path cannot reach the keys inside it; query it instead with the LIKE operator and a substring pattern. Note that LIKE matches the exact characters of the stored text, so the pattern must reproduce the quoting and spacing as they appear in the value (for example, "level":"MEDIUM" with no space after the colon).

For example, to extract the events with a MEDIUM risk level, run the following query:

SELECT *
FROM panther_logs.public.okta_systemlog
WHERE debugContext:debugData:logOnlySecurityData LIKE '%"level":"MEDIUM"%'
ORDER BY p_event_time DESC
LIMIT 100;

Cause

This subfield is received as a String from Okta. When a field is defined as JSON in Panther (here, the field debugContext), Panther stores the nested data as delivered and does not parse or otherwise modify it further, so the JSON text inside logOnlySecurityData remains a string.
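To illustrate why the query above has to match text rather than follow a JSON path, here is an added Python example; it is not part of the original article and not Panther's or Okta's code. It constructs a sample System Log event (constructed data, not a real record) whose logOnlySecurityData value is a JSON document serialised as a string, shows that one more path step into it yields nothing, that a LIKE-style substring check finds "level":"MEDIUM", and that the check depends on the exact serialisation (a space after the colon defeats it) whereas parsing the string a second time does not. The inner layout (a risk object with a level key) is an assumption made for the example.

```python
import json
import re


def make_event(security_data: str) -> dict:
    """Build a constructed Okta System Log event (sample data, not a real
    record). logOnlySecurityData is supplied already serialised, because
    that is how the value is received and stored: a string, not an object."""
    return {
        "eventType": "user.session.start",
        "debugContext": {
            "debugData": {
                "requestUri": "/api/v1/authn",
                "logOnlySecurityData": security_data,
            }
        },
    }


# Assumed inner layout for the example: a risk object carrying a level key.
INNER = {
    "risk": {"level": "MEDIUM", "reasons": "Anomalous Location"},
    "behaviors": {"New Geo-Location": "POSITIVE"},
}

# Compact serialisation: no spaces around separators, so the text contains
# the exact substring "level":"MEDIUM" that the article's LIKE pattern expects.
COMPACT_EVENT = make_event(json.dumps(INNER, separators=(",", ":")))

# Same content with Python's default separators (": " and ", "), standing in
# for any producer that serialises with whitespace.
SPACED_EVENT = make_event(json.dumps(INNER))


def get_path(obj, *keys):
    """Walk nested dict keys, mirroring a debugContext:debugData:... path.
    Returns None as soon as a key is missing or the current value is not
    an object, which is what happens when the path tries to descend into a
    string."""
    cur = obj
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def risk_level_via_path(event):
    """Attempt to read the level by extending the JSON path one step.
    The stored value is a string, so the extra step finds nothing."""
    return get_path(event, "debugContext", "debugData",
                    "logOnlySecurityData", "risk", "level")


def matches_like(event, pattern):
    """Emulate SQL LIKE on the raw string value. Only the % wildcard is
    supported (any run of characters); matching is case-sensitive and
    character-exact, as LIKE is."""
    value = get_path(event, "debugContext", "debugData", "logOnlySecurityData")
    if not isinstance(value, str):
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.search(regex, value, re.DOTALL) is not None


def risk_level_parsed(event):
    """Parse the string a second time and read the level structurally.
    Unlike the substring check, this does not care about whitespace."""
    value = get_path(event, "debugContext", "debugData", "logOnlySecurityData")
    if not isinstance(value, str):
        return None
    try:
        inner = json.loads(value)
    except json.JSONDecodeError:
        return None
    return get_path(inner, "risk", "level")


if __name__ == "__main__":
    pattern = '%"level":"MEDIUM"%'
    print("path into string  :", risk_level_via_path(COMPACT_EVENT))
    print("LIKE on compact   :", matches_like(COMPACT_EVENT, pattern))
    print("LIKE on spaced    :", matches_like(SPACED_EVENT, pattern))
    print("parsed, compact   :", risk_level_parsed(COMPACT_EVENT))
    print("parsed, spaced    :", risk_level_parsed(SPACED_EVENT))
```

The substring check is the direct analogue of the article's query and works whenever the stored text is serialised compactly; the second-parse function shows what a structural alternative would have to do and why it is immune to spacing differences. In the data lake itself only LIKE is described here, so verify a sample of raw values before relying on a pattern.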