The Okta.SystemLog schema contains a field named logOnlySecurityData, nested at debugContext:debugData:logOnlySecurityData, that Panther does not parse. Okta delivers it as a string that contains serialized JSON, so treat it as a String type field: query it with the LIKE operator on the raw text rather than with a JSON path into its contents.
For example, to return events with a MEDIUM risk level, run the following query:
SELECT *
FROM panther_logs.public.okta_systemlog
WHERE debugContext:debugData:logOnlySecurityData LIKE '%"level":"MEDIUM"%'
ORDER BY p_event_time DESC
LIMIT 100
Okta sends this subfield as a String. Because its parent field debugContext is defined as type JSON in Panther, Panther stores the contents of that field exactly as received and applies no further parsing to nested values, so the serialized JSON inside logOnlySecurityData remains a string rather than becoming a queryable object.
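The following queries are an added example and are not part of the Panther documentation or the Okta schema reference. They assume the Snowflake-backed Panther data lake and the panther_logs.public.okta_systemlog table from the query above, that the table exposes Okta's eventType column, and (an assumption taken from Okta's description of the field, not from this page) that the string decodes to an object whose risk.level key holds LOW, MEDIUM or HIGH. The first query is the page's LIKE approach; the second decodes the string at query time so the filter no longer depends on the exact serialization; the third is a sanity check on the stored type.

```sql
-- Added example (not from the Panther docs). Assumes the Snowflake-backed
-- Panther data lake and the panther_logs.public.okta_systemlog table used above.
-- Assumption not stated on this page: the string decodes to an object whose
-- risk.level key carries Okta's LOW / MEDIUM / HIGH risk rating.

-- 1. Pattern match on the raw string (the page's approach). This keeps the
--    string semantics: any whitespace after the colon, or a different key
--    order, is invisible to a JSON path but silently breaks this match, and
--    the pattern also matches a "level" key anywhere else in the blob.
SELECT p_event_time, eventType
FROM panther_logs.public.okta_systemlog
WHERE debugContext:debugData:logOnlySecurityData::STRING LIKE '%"level":"MEDIUM"%'
ORDER BY p_event_time DESC
LIMIT 100;

-- 2. Decode the string at query time. TRY_PARSE_JSON returns NULL instead of
--    failing on rows where the field is absent or is not valid JSON, and the
--    typed path makes the filter independent of whitespace and key order.
WITH decoded AS (
  SELECT
    p_event_time,
    eventType,
    TRY_PARSE_JSON(debugContext:debugData:logOnlySecurityData::STRING) AS security_data
  FROM panther_logs.public.okta_systemlog
  WHERE p_event_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
)
SELECT
  p_event_time,
  eventType,
  security_data:risk:level::STRING AS risk_level
FROM decoded
WHERE security_data:risk:level::STRING IN ('MEDIUM', 'HIGH')
ORDER BY p_event_time DESC
LIMIT 100;

-- 3. Sanity check before trusting either query: confirm the field really is
--    stored as a string (TYPEOF reports VARCHAR) rather than an OBJECT, and
--    count how many rows do not decode as JSON at all.
SELECT
  TYPEOF(debugContext:debugData:logOnlySecurityData) AS stored_type,
  COUNT(*) AS rows_total,
  COUNT_IF(TRY_PARSE_JSON(debugContext:debugData:logOnlySecurityData::STRING) IS NULL) AS rows_not_decodable
FROM panther_logs.public.okta_systemlog
WHERE p_event_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY 1;
```

If the third query ever reports OBJECT instead of VARCHAR, the field has started arriving already parsed and the LIKE filter will stop matching; the decoded form keeps working in both cases because TRY_PARSE_JSON of an already-serialized object string and a direct path into an object yield the same value.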