[Filebeat][Okta] Parse invalid risk kv data sent by Okta and add keyword fields from flattened field

[ynirk]

Describe the enhancement:

This request is a follow-up of #30961

1. debugContext.debugData.risk data sent by Okta is not valid kv

When Okta send the risk information directly in debugContext.debugData structure (not using logOnlySecurityData field) the risk field is not a proper kv and breaks the ingest pipeline.

Example of data value: "{reasons=Anomalous Device, Anomalous Location, level=MEDIUM}" reasons have several comma separated values and breaks the KV processor.

It would be better to parse as "{reasons=*, level=*}" or at least ignore the kv processor failure ?

2. revisit okta: add extended okta.debug_context.debug_data handling integrations#3362 (comment)

As the pipeline will likely be updated it would be nice to include the proposal made in elastic/integrations#3362 (comment)

3. Parse behaviors as keyword fields

Okta provides interesting data as part of the debug_data. Similarly as okta.debug_context.debug_data. risk_level it would be nice to have the risk.reasons and behaviors parsed as keywords.

Describe a specific use case for the enhancement or feature:

The information is used by security analyst to create detection on anomalous login. The detection could be more specific or filtered based on the new keywords fields

[botelastic]

This issue doesn't have a Team:<team> label.

[ynirk]

@efd6 Thank you for the quick fix.
The PR only covers point 1 (and not the 2 others) Do you prefer re-opening this or creating a separate issue ?

[efd6]

Reopening for 2. and 3. as enhancements.