Updated to 3.0.1
v-prasadboke committed Oct 23, 2023
1 parent 6a66839 commit 56e42d9
Showing 13 changed files with 4,397 additions and 4,246 deletions.
@@ -1,7 +1,7 @@
id: e36c6bd6-f86a-4282-93a5-b4a1b48dd849
name: Device Registration from Malicious IP
description: |
'This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight'
'This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.'
severity: High
status: Available
requiredDataConnectors:
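Review bot: the only change in this hunk is the trailing period added to the description, which is fine on its own, but in the Azure-Sentinel repo any edit to an analytic rule template is expected to come with an increment of the rule's `version` field (further down the file, outside this hunk's context); confirm the version was bumped in the same commit, otherwise workspaces that already have the template will not see it as updated.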
@@ -1,7 +1,7 @@
id: 884be6e7-e568-418e-9c12-89229865ffde
name: Failed Logins from Unknown or Invalid User
description: |
'This query searches for numerous login attempts to the management console with an unknown or invalid user name'
'This query searches for numerous login attempts to the management console with an unknown or invalid user name.'
severity: Medium
status: Available
requiredDataConnectors:
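Review bot: the description still gives no threshold or window for "numerous login attempts", whereas the Potential Password Spray rule touched in this same commit states "more than 15 various users within a 5 minute timeframe". Since the line is being edited anyway, state the count and time window the query actually uses so analysts can tune the rule and judge its false-positive rate.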
@@ -1,7 +1,7 @@
id: 9f82a735-ae43-4c03-afb4-d5d153e1ace1
name: High-Risk Admin Activity
description: |
'The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles. '
'The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.'
severity: Medium
status: Available
requiredDataConnectors:
@@ -1,7 +1,7 @@
id: 2954d424-f786-4677-9ffc-c24c44c6e7d5
name: User Login from Different Countries within 3 hours
description: |
'This query searches for successful user logins to the Okta Console from different countries within 3 hours'
'This query searches for successful user logins to the Okta Console from different countries within 3 hours.'
severity: High
status: Available
requiredDataConnectors:
@@ -2,7 +2,7 @@ id: c2697b81-7fe9-4f57-ba1d-de46c6f91f9c
name: MFA Fatigue (OKTA)
description: |
'MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data.
Ref: https://sec.okta.com/everythingisyes'
Ref: https://sec.okta.com/everythingisyes.'
severity: Medium
status: Available
requiredDataConnectors:
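Review bot: appending the period directly after the URL produces `Ref: https://sec.okta.com/everythingisyes.`, and auto-linkers and copy-paste will treat the period as part of the address, which breaks the reference. Keep the URL bare and put the period at the end of the preceding sentence instead, or write the reference as `(Ref: https://sec.okta.com/everythingisyes)`.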
@@ -1,7 +1,7 @@
id: 41e843a8-92e7-444d-8d72-638f1145d1e1
name: New Device/Location sign-in along with critical operation
description: |
'This query identifies users seen login from new geo location/country as well as a new device and performing critical operations'
'This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.'
severity: Medium
status: Available
requiredDataConnectors:
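Review bot: the new line only adds a period and keeps the ungrammatical "users seen login from new geo location/country as well as a new device"; this description is what analysts read in the portal, so rewrite it in the same edit as "users logging in from a new geolocation/country and a new device, and performing critical operations".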
@@ -1,7 +1,7 @@
id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
name: Potential Password Spray Attack
description: |
'This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack'
'This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.'
severity: Medium
status: Available
requiredDataConnectors:
@@ -1,7 +1,7 @@
id: 78d2b06c-8dc0-40e1-91c8-66d916c186f3
name: Okta Fast Pass phishing Detection
description: |
'This query detects cases in which Okta FastPass effectively prevented access to a known phishing website'
'This query detects cases in which Okta FastPass effectively prevented access to a known phishing website.'
severity: Medium
status: Available
requiredDataConnectors:
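Review bot: the rule name spells the product "Okta Fast Pass" while the description (and Okta itself) write "FastPass"; while this file is being touched, align the name to "Okta FastPass Phishing Detection" so that searching the rule gallery by product name finds it.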
Binary file added Solutions/Okta Single Sign-On/Package/3.0.1.zip
29 changes: 18 additions & 11 deletions Solutions/Okta Single Sign-On/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/okta_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta%20Single%20Sign-On/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on) solution for Microsoft Sentinel provides the capability to ingest [audit and event logs](https://www.okta.com/integrate/documentation/isv-syslog-references/) into Microsoft Sentinel using the Okta API.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/okta_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta%20Single%20Sign-On/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on) solution for Microsoft Sentinel provides the capability to ingest [audit and event logs](https://www.okta.com/integrate/documentation/isv-syslog-references/) into Microsoft Sentinel using the Okta API.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
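Review bot: the counts line now reads `**Parsers:** 1`, which is consistent with the parser text block added further down in this file, but the surrounding string still mixes `\r \n`, `\r\n\r\n` and `\r\n\n\r\n\n` as paragraph separators, which render with uneven spacing in the portal. Since the whole string is being rewritten anyway, normalise the separators to `\n\n`.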
@@ -63,6 +63,13 @@
"text": "This Solution installs the data connector for Okta Single Sign-On. You can get Okta Single Sign-On custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
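Review bot: the new parser block is generic boilerplate and never names the parser; the hunting-query blocks below refer to an "Okta_CL Parser or Table", so state the parser function's name here and whether it is an ASIM normalization or a convenience function over `Okta_CL`, so users know what to call in KQL. The claim that it "transforms the ingested data into Microsoft Sentinel normalized format" should only stay if the parser really emits an ASIM schema.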
@@ -288,7 +295,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
@@ -302,7 +309,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Okta API tokens are used to authenticate requests to Okta APIs. This query searches for attempts to create new API Token.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/ This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "Okta API tokens are used to authenticate requests to Okta APIs. This query searches for attempts to create new API Token.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/ This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
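Review bot: the new text keeps the typo "Refrence"; fix it to "Reference" in the same edit since the line is already being changed, and separate the URL from the sentence that follows it (`.../event-types/ This hunting query depends ...` currently runs together) with a line break or a period placed before the URL rather than after it.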
@@ -316,7 +323,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
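Review bot: the sentence "User.session.impersonation, usually triggered by Okta Support, are rare" has a number-agreement error and "used in LAPSUS$ breach" is missing an article; since the line is being edited, make it "`user.session.impersonation` events, usually triggered by Okta Support, are rare. This query checks for the impersonation events used in the LAPSUS$ breach."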
@@ -330,7 +337,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
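Review bot: the period is added at the very end, but the missing punctuation is between the two sentences: "...does not normally login from This hunting query depends..." still runs together. Insert the period there as well (and "log in from" rather than "login from").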
@@ -344,7 +351,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
@@ -358,7 +365,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query identifies new device being registered from a location where the user does not normally login from This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "This query identifies new device being registered from a location where the user does not normally login from This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
@@ -372,7 +379,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for successful logons from known VPS provider network ranges.\n This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "This query searches for successful logons from known VPS provider network ranges.\n This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
@@ -386,7 +393,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for sign-in activity from Nord VPN providers.\nThe purpose is to identify any unfamiliar sign-in attempts from VPN providers, that are not typically observed among users in the organization. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "This query searches for sign-in activity from Nord VPN providers.\nThe purpose is to identify any unfamiliar sign-in attempts from VPN providers, that are not typically observed among users in the organization. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
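Review bot: "sign-in activity from Nord VPN providers" is misleading since NordVPN is a single provider; write "from NordVPN IP ranges" (or whichever provider list the query actually uses) so the text matches the detection logic.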
@@ -400,7 +407,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query identifies accounts associated with multiple authentications from different geographical locations in a short period of time. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "This query identifies accounts associated with multiple authentications from different geographical locations in a short period of time. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
@@ -414,7 +421,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query identifies use of legacy authentication protocol in the Okta Logs. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)"
"text": "This query identifies use of legacy authentication protocol in the Okta Logs. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)."
}
}
]
0 comments on commit 56e42d9
