diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO.zip b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO.zip similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO.zip rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO.zip diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/function.json b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/function.json similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/function.json rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/function.json diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/run.ps1 b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/run.ps1 similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/run.ps1 rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/run.ps1 
diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/host.json b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/host.json similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/host.json rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/host.json diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/profile.ps1 b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/profile.ps1 similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/profile.ps1 rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/profile.ps1 diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/requirements.psd1 b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/requirements.psd1 similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/AzureFunctionOktaSSO_V2/requirements.psd1 rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/AzureFunctionOktaSSO_V2/requirements.psd1 diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/CHANGELOG.md b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/CHANGELOG.md similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/CHANGELOG.md rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/CHANGELOG.md 
diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/Connector_REST_API_FunctionApp_Okta.json b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/Connector_REST_API_FunctionApp_Okta.json similarity index 73% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/Connector_REST_API_FunctionApp_Okta.json rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/Connector_REST_API_FunctionApp_Okta.json index 8559e6aad93..455aa584fc4 100644 --- a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/Connector_REST_API_FunctionApp_Okta.json +++ b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/Connector_REST_API_FunctionApp_Okta.json 
@@ -117,25 +117,45 @@ } ] }, + { + "instructions": [ + { + "parameters":{ + + "instructionSteps": [ { "title": "Option 1 - Azure Resource Manager (ARM) Template", "description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeployv2-solution)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**. \n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." }, { "title": "Option 2 - Manual Deployment of Azure Functions", - "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions." - }, - { - "title": "", - "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. 
In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." - }, - { - "title": "", - "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and change the default cron schedule to every 10 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentineloktaazurefunctioncodev2) and paste into the Function App `run.ps1` editor.\n5. Click **Save**." - }, - { - "title": "", - "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." + "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "1. Download the [Azure Function App](https://aka.ms/sentineloktaazurefunctioncodev2) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. 
[Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n5. Once all application settings have been entered, click **Save**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } + + ] + }, + "type": "InstructionStepsGroup" + } + ] +} + ] } diff --git a/Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json similarity index 100% rename from Solutions/Okta Single Sign-On/Data Connectors/Okta Single Sign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json rename to Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json diff --git a/Solutions/Okta Single Sign-On/Hunting Queries/AdminPrivilegeGrant.yaml b/Solutions/Okta Single Sign-On/Hunting Queries/AdminPrivilegeGrant.yaml index a5ee4ced0a6..6a6daaa85a1 100644 --- a/Solutions/Okta Single Sign-On/Hunting Queries/AdminPrivilegeGrant.yaml +++ b/Solutions/Okta Single Sign-On/Hunting Queries/AdminPrivilegeGrant.yaml 
@@ -1,6 +1,8 @@ id: 5309ea6b-463c-4449-a3c4-2fc8ee0080ee name: Admin privilege granted (Okta) description: | + 'Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation.' +description-detailed: | 'This query searches for successful grant of administrator permissions to user/groups. Adversaries often attempt to assign administrator permission to users/group to maintain access as well as to elevate privileges. Please verify that the behavior is known and filter out anything that is expected. Refrence: https://developer.okta.com/docs/reference/api/event-types/' diff --git a/Solutions/Okta Single Sign-On/Hunting Queries/ImpersonationSession.yaml b/Solutions/Okta Single Sign-On/Hunting Queries/ImpersonationSession.yaml index 7aa231d0c64..8ed6ff6b556 100644 --- a/Solutions/Okta Single Sign-On/Hunting Queries/ImpersonationSession.yaml +++ b/Solutions/Okta Single Sign-On/Hunting Queries/ImpersonationSession.yaml @@ -1,6 +1,8 @@ id: 96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc name: Initiate impersonation session (Okta) description: | + 'User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach.' +description-detailed: | 'User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. This query searches for impersonation events used in LAPSUS$ breach. Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous. Refrence: https://developer.okta.com/docs/reference/api/event-types/ diff --git a/Solutions/Okta Single Sign-On/Hunting Queries/RareMFAOperation.yaml b/Solutions/Okta Single Sign-On/Hunting Queries/RareMFAOperation.yaml index 06fa7ce9256..d4294bd2a57 100644 --- a/Solutions/Okta Single Sign-On/Hunting Queries/RareMFAOperation.yaml 
+++ b/Solutions/Okta Single Sign-On/Hunting Queries/RareMFAOperation.yaml @@ -1,6 +1,8 @@ id: 18667b4a-18e5-4982-ba75-92ace62bc79c name: Rare MFA Operations (Okta) description: | + 'MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts.' +description-detailed: | 'Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA. Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected. Refrence: https://developer.okta.com/docs/reference/api/event-types/' diff --git a/Solutions/Okta Single Sign-On/Hunting Queries/UserPasswordReset.yaml b/Solutions/Okta Single Sign-On/Hunting Queries/UserPasswordReset.yaml index 64c408a8e70..888a4128802 100644 --- a/Solutions/Okta Single Sign-On/Hunting Queries/UserPasswordReset.yaml +++ b/Solutions/Okta Single Sign-On/Hunting Queries/UserPasswordReset.yaml @@ -1,6 +1,8 @@ id: 38da2aa3-4778-4d88-9178-3c5c14758b05 name: User password reset(Okta) description: | + 'Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs.' +description-detailed: | 'Adversaries often manipulate accounts to maintain access to victim systems. Account manipulation may consist of actions that preserves adversary access to a compromised account, such as by modifying credentials. This query searches for attempts to reset user passwords in Okta logs by an admin. Since this can also be a known activity, please filter out anything that is expected. Reference: https://developer.okta.com/docs/reference/api/event-types/ 
diff --git a/Solutions/Okta Single Sign-On/Package/3.0.0.zip b/Solutions/Okta Single Sign-On/Package/3.0.0.zip new file mode 100644 index 00000000000..70ce284a0ca Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.0.0.zip differ diff --git a/Solutions/Okta Single Sign-On/Package/createUiDefinition.json b/Solutions/Okta Single Sign-On/Package/createUiDefinition.json index 61aeefc88c9..dd3737564c2 100644 --- a/Solutions/Okta Single Sign-On/Package/createUiDefinition.json +++ b/Solutions/Okta Single Sign-On/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on) solution for Microsoft Sentinel provides the capability to ingest [audit and event logs](https://www.okta.com/integrate/documentation/isv-syslog-references/) into Microsoft Sentinel using the Okta API.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3, **Hunting Queries:** 5, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta%20Single%20Sign-On/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on) solution for Microsoft Sentinel provides the capability to ingest [audit and event logs](https://www.okta.com/integrate/documentation/isv-syslog-references/) into 
Microsoft Sentinel using the Okta API.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Okta Single Sign-On audit and event logs into Microsoft Sentinel using the Okta API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Okta Single Sign-On. You can get Okta Single Sign-On custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { 
@@ -88,7 +88,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The workbook installed with this solution helps gain insights into Okta Single Sign-On (SSO) audit and event activity for your organization. After installing the solution, start using the workbook in Manage solution view." + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { @@ -100,6 +100,20 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Okta Single Sign-On", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked" + } + } + ] } ] }, 
@@ -170,6 +184,76 @@ } } ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Okta Fast Pass phishing Detection", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects cases in which Okta FastPass effectively prevented access to a known phishing website" + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "New Device/Location sign-in along with critical operation", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies users seen login from new geo location/country as well as a new device and performing critical operations" + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "MFA Fatigue (OKTA)", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: https://sec.okta.com/everythingisyes" + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "High-Risk Admin Activity", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles. 
" + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "Device Registration from Malicious IP", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight" + } + } + ] } ] }, @@ -204,7 +288,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query searches for successful grant of administrator permissions to user/groups. Adversaries often attempt to assign administrator permission to users/group to maintain access as well as to elevate privileges.\n Please verify that the behavior is known and filter out anything that is expected.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/ This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + "text": "Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" } } ] 
@@ -232,7 +316,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. This query searches for impersonation events used in LAPSUS$ breach.\n Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/\n Refrence: https://twitter.com/JimmyVo/status/1506306703788326915\n Refrence: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/ This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + "text": "User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" } } ] @@ -246,7 +330,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA.\n Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/ This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + "text": "MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" } } ] 
@@ -260,7 +344,77 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Adversaries often manipulate accounts to maintain access to victim systems. Account manipulation may consist of actions that preserves adversary access to a compromised account, such as by modifying credentials. \n This query searches for attempts to reset user passwords in Okta logs by an admin. Since this can also be a known activity, please filter out anything that is expected.\n Reference: https://developer.okta.com/docs/reference/api/event-types/\n Reference: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/ This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + "text": "Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "New device registration from unfamiliar location", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies new device being registered from a location where the user does not normally login from This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", + "label": "Logins originating from VPS Providers", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query searches for successful logons from known VPS provider network ranges.\n This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed. 
This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery8", + "type": "Microsoft.Common.Section", + "label": "Sign-ins from Nord VPN Providers", + "elements": [ + { + "name": "huntingquery8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query searches for sign-in activity from Nord VPN providers.\nThe purpose is to identify any unfamiliar sign-in attempts from VPN providers, that are not typically observed among users in the organization. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery9", + "type": "Microsoft.Common.Section", + "label": "Okta Login from multiple locations", + "elements": [ + { + "name": "huntingquery9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies accounts associated with multiple authentications from different geographical locations in a short period of time. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery10", + "type": "Microsoft.Common.Section", + "label": "Okta login attempts using Legacy Auth", + "elements": [ + { + "name": "huntingquery10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies use of legacy authentication protocol in the Okta Logs. This hunting query depends on OktaSSO data connector (Okta_CL Parser or Table)" } } ] diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json index 2ac4c53b821..bc91457375c 100644 --- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json +++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json 
@@ -42,189 +42,353 @@ "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "analyticRuleVersion1": "1.0.2", - "analyticRulecontentId1": "884be6e7-e568-418e-9c12-89229865ffde", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "analyticRuleVersion2": "1.0.2", - "analyticRulecontentId2": "2954d424-f786-4677-9ffc-c24c44c6e7d5", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.0.2", - "analyticRulecontentId3": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", + "_solutionName": "Okta Single Sign-On", + "_solutionVersion": "3.0.0", "uiConfigId1": "OktaSSO", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "OktaSSO", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
"_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "5309ea6b-463c-4449-a3c4-2fc8ee0080ee", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "c5134bac-044d-447a-a260-d1d439653ae7", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "18667b4a-18e5-4982-ba75-92ace62bc79c", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - 
"huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "38da2aa3-4778-4d88-9178-3c5c14758b05", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "OktaCustomConnector": "OktaCustomConnector", "_OktaCustomConnector": "[variables('OktaCustomConnector')]", + "TemplateEmptyArray": "[json('[]')]", + "blanks": "[replace('b', 'b', '')]", "playbookVersion1": "1.0", "playbookContentId1": "OktaCustomConnector", "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1')))]", - "blanks": "[replace('b', 'b', '')]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "Okta-EnrichIncidentWithUserDetails": "Okta-EnrichIncidentWithUserDetails", "_Okta-EnrichIncidentWithUserDetails": "[variables('Okta-EnrichIncidentWithUserDetails')]", 
"playbookVersion2": "1.0", "playbookContentId2": "Okta-EnrichIncidentWithUserDetails", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2')))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", "Okta-PromptUser": "Okta-PromptUser", "_Okta-PromptUser": "[variables('Okta-PromptUser')]", "playbookVersion3": "1.0", "playbookContentId3": "Okta-PromptUser", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3')))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", "Okta-ResponseFromTeams": "Okta-ResponseFromTeams", "_Okta-ResponseFromTeams": "[variables('Okta-ResponseFromTeams')]", "playbookVersion4": "1.0", "playbookContentId4": "Okta-ResponseFromTeams", "_playbookContentId4": "[variables('playbookContentId4')]", "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "playbookTemplateSpecName4": 
"[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4')))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", "workbookVersion1": "1.2", "workbookContentId1": "OktaSingleSignOnWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]" + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleVersion1": "1.0.2", + "analyticRulecontentId1": "884be6e7-e568-418e-9c12-89229865ffde", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.2", + "analyticRulecontentId2": "2954d424-f786-4677-9ffc-c24c44c6e7d5", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.2", + "analyticRulecontentId3": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.0", + "analyticRulecontentId4": "78d2b06c-8dc0-40e1-91c8-66d916c186f3", + "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", + "analyticRuleTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.0", + "analyticRulecontentId5": "41e843a8-92e7-444d-8d72-638f1145d1e1", + "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "1.0.0", + "analyticRulecontentId6": "c2697b81-7fe9-4f57-ba1d-de46c6f91f9c", + "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "analyticRuleVersion7": "1.0.0", + "analyticRulecontentId7": "9f82a735-ae43-4c03-afb4-d5d153e1ace1", + "_analyticRulecontentId7": 
"[variables('analyticRulecontentId7')]", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", + "analyticRuleVersion8": "1.0.0", + "analyticRulecontentId8": "e36c6bd6-f86a-4282-93a5-b4a1b48dd849", + "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", + "huntingQueryVersion1": "1.0.0", + "huntingQuerycontentId1": "5309ea6b-463c-4449-a3c4-2fc8ee0080ee", + "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", + "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", + "huntingQueryVersion2": "1.0.0", + "huntingQuerycontentId2": "c5134bac-044d-447a-a260-d1d439653ae7", + "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", + "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", + "huntingQueryVersion3": "1.0.0", + "huntingQuerycontentId3": "96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc", + "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", + "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", + "huntingQueryVersion4": "1.0.0", + "huntingQuerycontentId4": "18667b4a-18e5-4982-ba75-92ace62bc79c", + "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", + "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", + "huntingQueryTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", + "huntingQueryVersion5": "1.0.0", + "huntingQuerycontentId5": "38da2aa3-4778-4d88-9178-3c5c14758b05", + "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", + "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", + "huntingQueryVersion6": "1.0.0", + "huntingQuerycontentId6": "4355f601-1421-4ac4-b2ce-88f0859cc101", + "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", + "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", + "huntingQueryVersion7": "1.0.0", + "huntingQuerycontentId7": "f262fc3a-0acc-4c8b-9a73-fdc09f55fff2", + "_huntingQuerycontentId7": 
"[variables('huntingQuerycontentId7')]", + "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", + "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", + "huntingQueryVersion8": "1.0.0", + "huntingQuerycontentId8": "708c33ec-22a2-4739-b248-c14919500cdd", + "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", + "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", + "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", + "huntingQueryVersion9": "1.0.0", + "huntingQuerycontentId9": "37381608-bcd7-46bc-954e-1fd418023c26", + "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", + "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", + "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", + "huntingQueryVersion10": "1.0.0", + "huntingQuerycontentId10": "6a9199ec-bc32-4935-9f82-4aa848edb3fc", + "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", + "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", + "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Okta Single Sign-On Analytics Rule 1 with template", - "displayName": "Okta Single Sign-On Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": 
"[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 2.0.4", + "description": "Okta Single Sign-On data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('dataConnectorVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name", - "displayName": "Failed Logins from Unknown or Invalid User", - "enabled": false, - "query": "let FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, 
actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Okta_CL" - ], - "connectorId": "OktaSSO" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "fieldMappings": [ + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Okta Single Sign-On (using Azure Functions)", + "publisher": "Okta", + "descriptionMarkdown": "The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. 
The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Okta Logs", + "baseQuery": "Okta_CL" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Active Applications", + "query": "Okta_CL \n| mv-expand todynamic(target_s) \n| where target_s.type == \"AppInstance\" \n| summarize count() by tostring(target_s.alternateId) \n| top 10 by count_" + }, + { + "description": "Top 10 Client IP Addresses", + "query": "Okta_CL \n| summarize count() by client_ipAddress_s \n| top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "Okta_CL", + "lastDataReceivedQuery": "Okta_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Okta_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, { - "columnName": "AccountCustomEntity", - "identifier": "FullName" + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } ], - "entityType": "Account" - }, - { - "fieldMappings": [ + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, { - "columnName": "IPCustomEntity", - "identifier": "Address" + "name": "Okta API Token", + "description": "An Okta API Token is required. See the documentation to learn more about the [Okta System Log API](https://developer.okta.com/docs/reference/api/system-log/)." } - ], - "entityType": "IP" - } - ] + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to Okta SSO to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**NOTE:** This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Okta Azure Function before redeploying this version." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Okta SSO API**\n\n [Follow these instructions](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) to create an API Token." + }, + { + "description": "**Note** - For more information on the rate limit restrictions enforced by Okta, please refer to the **[documentation](https://developer.okta.com/docs/reference/rl-global-mgmt/)**." + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeployv2-solution)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**. \n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. 
There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "1. Download the [Azure Function App](https://aka.ms/sentineloktaazurefunctioncodev2) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. 
Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n5. Once all application settings have been entered, click **Save**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "description": "Okta Single Sign-On Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "Okta Single Sign-On", 
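Review bot: the `permissions.resourceProvider` entry for `Microsoft.OperationalInsights/workspaces` sets `"delete": true` in `requiredPermissions`, but its `permissionsDisplayText` tells the operator only that "read and write permissions on the workspace are required."; either drop `delete` if the connector does not actually need it, or make the displayed text state the full scope so whoever grants the role sees what is being requested. Two smaller points in the same hunk: the `uri` guidance in both the Option 1 and Step 2 descriptions reads `https:///api/v1/logs?since=` followed by "Replace `` with your domain", and the GovUS example reads `https://.ods.opinsights.azure.us`, so the domain and workspace placeholders have been lost; if they were angle-bracket tokens they need escaping for the markdown renderer, otherwise the reader cannot tell what to substitute. The same descriptions also carry the typos "ARM Tempate" and "inital".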
@@ -243,1190 +407,317 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Okta Single Sign-On (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "properties": { - "description": "Okta Single Sign-On Analytics Rule 2 with template", - "displayName": "Okta Single Sign-On Analytics Rule template" + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": 
"support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" - ], + "kind": "GenericUI", "properties": { - "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ + "connectorUiConfig": { + "title": "Okta Single Sign-On (using Azure Functions)", + "publisher": "Okta", + "descriptionMarkdown": "The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. 
The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.", + "graphQueries": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours", - "displayName": "User Login from Different Countries within 3 hours", - "enabled": false, - "query": "let timeframe = ago(3h);\nlet threshold = 2;\nOkta_CL\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(column_ifexists('client_geographicalContext_country_s', int(null))) by actor_alternateId_s\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\n", - "queryFrequency": "PT3H", - "queryPeriod": "PT3H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Okta_CL" - ], - "connectorId": "OktaSSO" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Account" - } - ] + "metricName": "Total data received", + "legend": "Okta Logs", + "baseQuery": "Okta_CL" + } + ], + "dataTypes": [ + { + "name": "Okta_CL", + "lastDataReceivedQuery": "Okta_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + 
"connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Okta_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Active Applications", + "query": "Okta_CL \n| mv-expand todynamic(target_s) \n| where target_s.type == \"AppInstance\" \n| summarize count() by tostring(target_s.alternateId) \n| top 10 by count_" + }, + { + "description": "Top 10 Client IP Addresses", + "query": "Okta_CL \n| summarize count() by client_ipAddress_s \n| top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Okta API Token", + "description": "An Okta API Token is required. See the documentation to learn more about the [Okta System Log API](https://developer.okta.com/docs/reference/api/system-log/)." 
} + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to Okta SSO to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", - "properties": { - "description": "Okta Single Sign-On Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" + "description": ">**NOTE:** This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Okta Azure Function before redeploying this version." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Configuration steps for the Okta SSO API**\n\n [Follow these instructions](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) to create an API Token." 
+ }, + { + "description": "**Note** - For more information on the rate limit restrictions enforced by Okta, please refer to the **[documentation](https://developer.okta.com/docs/reference/rl-global-mgmt/)**." + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" } - } + ] + }, + { + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeployv2-solution)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**. \n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. 
There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "1. Download the [Azure Function App](https://aka.ms/sentineloktaazurefunctioncodev2) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. 
Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n5. Once all application settings have been entered, click **Save**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } - ] + ], + "id": "[variables('_uiConfigId1')]" } } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Okta Single Sign-On Analytics Rule 3 with template", - "displayName": "Okta Single Sign-On Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 2.0.4", + "description": "OktaCustomConnector Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack", - "displayName": "Potential Password Spray Attack", - "enabled": false, - "query": "let FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOkta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Okta_CL" - ], - "connectorId": "OktaSSO" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ] + "contentVersion": "[variables('playbookVersion1')]", 
+ "parameters": { + "CustomConnectorName": { + "defaultValue": "OktaCustomConnector", + "type": "String", + "metadata": { + "description": "Name of the okta Connector" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", - "properties": { - "description": "Okta Single Sign-On Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "Service EndPoint": { + "defaultValue": "https://{yourOktaDomain}", + "type": "String", + "metadata": { + "description": "enter the okta endpoint (ex: https://{yourOktaDomain})" } } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Okta Single Sign-On data connector with template", - "displayName": "Okta Single Sign-On template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - 
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" - ], - "properties": { - "description": "Okta Single Sign-On data connector with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, + }, + "variables": { + "operationId-GetUser": "GetUser", + "_operationId-GetUser": "[[variables('operationId-GetUser')]", + "operationId-UpdateUser": "UpdateUser", + "_operationId-UpdateUser": "[[variables('operationId-UpdateUser')]", + "operationId-SuspendUser": "SuspendUser", + "_operationId-SuspendUser": "[[variables('operationId-SuspendUser')]", + "operationId-UnsuspendUser": "UnsuspendUser", + "_operationId-UnsuspendUser": "[[variables('operationId-UnsuspendUser')]", + "operationId-ResetPassword": "ResetPassword", + "_operationId-ResetPassword": "[[variables('operationId-ResetPassword')]", + "operationId-GetUserGroups": "GetUserGroups", + "_operationId-GetUserGroups": "[[variables('operationId-GetUserGroups')]", + "operationId-ClearUserSessions": "ClearUserSessions", + "_operationId-ClearUserSessions": "[[variables('operationId-ClearUserSessions')]", + "operationId-RemoveMemberfromGroup": "RemoveMemberfromGroup", + "_operationId-RemoveMemberfromGroup": "[[variables('operationId-RemoveMemberfromGroup')]", + "operationId-AddUserToGroup": "AddUserToGroup", + "_operationId-AddUserToGroup": "[[variables('operationId-AddUserToGroup')]", + "operationId-ListGroupMembers": "ListGroupMembers", + "_operationId-ListGroupMembers": "[[variables('operationId-ListGroupMembers')]", + "operationId-ListUserFactors": "ListUserFactors", + "_operationId-ListUserFactors": "[[variables('operationId-ListUserFactors')]", + 
"operationId-ResetFactor": "ResetFactor", + "_operationId-ResetFactor": "[[variables('operationId-ResetFactor')]", + "operationId-ListGroups": "ListGroups", + "_operationId-ListGroups": "[[variables('operationId-ListGroups')]", + "operationId-ExpirePassword": "ExpirePassword", + "_operationId-ExpirePassword": "[[variables('operationId-ExpirePassword')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "playbookContentId1": "OktaCustomConnector", + "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('CustomConnectorName'))]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[[parameters('CustomConnectorName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Okta Single Sign-On (using Azure Function)", - "publisher": "Okta", - "descriptionMarkdown": "The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. 
The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Okta Logs", - "baseQuery": "Okta_CL" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Active Applications", - "query": "Okta_CL \n| mv-expand todynamic(target_s) \n| where target_s.type == \"AppInstance\" \n| summarize count() by tostring(target_s.alternateId) \n| top 10 by count_" - }, - { - "description": "Top 10 Client IP Addresses", - "query": "Okta_CL \n| summarize count() by client_ipAddress_s \n| top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Okta_CL", - "lastDataReceivedQuery": "Okta_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Okta_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "Okta API Token", - "description": "An Okta API Token is required. See the documentation to learn more about the [Okta System Log API](https://developer.okta.com/docs/reference/api/system-log/)." + "connectionParameters": { + "api_key": { + "type": "securestring", + "uiDefinition": { + "displayName": "API Key", + "description": "The API Key for this api", + "tooltip": "Provide your API Key", + "constraints": { + "tabIndex": 2, + "clearText": false, + "required": "true" } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to Okta SSO to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**NOTE:** This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Okta Azure Function before redeploying this version." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
- }, - { - "description": "**STEP 1 - Configuration steps for the Okta SSO API**\n\n [Follow these instructions](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) to create an API Token." - }, - { - "description": "**Note** - For more information on the rate limit restrictions enforced by Okta, please refer to the **[documentation](https://developer.okta.com/docs/reference/rl-global-mgmt/)**." - }, - { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeployv2-solution)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**. \n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format. 
\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions.", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." - }, - { - "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and change the default cron schedule to every 10 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentineloktaazurefunctioncodev2) and paste into the Function App `run.ps1` editor.\n5. Click **Save**." - }, - { - "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." 
- } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft 
Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Okta Single Sign-On (using Azure Function)", - "publisher": "Okta", - "descriptionMarkdown": "The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Okta Logs", - "baseQuery": "Okta_CL" - } - ], - "dataTypes": [ - { - "name": "Okta_CL", - "lastDataReceivedQuery": "Okta_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Okta_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Active Applications", - "query": "Okta_CL \n| mv-expand todynamic(target_s) \n| where target_s.type == \"AppInstance\" \n| summarize count() by tostring(target_s.alternateId) \n| top 10 by count_" - }, - { - "description": "Top 10 Client IP Addresses", - "query": "Okta_CL \n| summarize count() by client_ipAddress_s \n| top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": 
"Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "Okta API Token", - "description": "An Okta API Token is required. See the documentation to learn more about the [Okta System Log API](https://developer.okta.com/docs/reference/api/system-log/)." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to Okta SSO to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**NOTE:** This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Okta Azure Function before redeploying this version." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**STEP 1 - Configuration steps for the Okta SSO API**\n\n [Follow these instructions](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) to create an API Token." - }, - { - "description": "**Note** - For more information on the rate limit restrictions enforced by Okta, please refer to the **[documentation](https://developer.okta.com/docs/reference/rl-global-mgmt/)**." - }, - { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeployv2-solution)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**. \n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. 
There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions.", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." - }, - { - "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and change the default cron schedule to every 10 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentineloktaazurefunctioncodev2) and paste into the Function App `run.ps1` editor.\n5. Click **Save**." - }, - { - "description": "**3. Configure the Function App**\n\n1. 
In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https:///api/v1/logs?since=` Replace `` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**." 
- } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Okta Single Sign-On Hunting Query 1 with template", - "displayName": "Okta Single Sign-On Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" - ], - "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Okta_Single_Sign-On_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Admin privilege granted (Okta)", - "category": "Hunting Queries", - "query": "let Events = dynamic([\"group.privilege.grant\", \"user.account.privilege.grant\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n| extend Target=parsejson(target_s)\n| mvexpand bagexpansion=array (Target)\n| evaluate bag_unpack(Target)\n| extend 
Target_Id = tostring(column_ifexists('id', \"\")), Target_type = tostring(column_ifexists('type', \"\")), Target_user = tostring(column_ifexists('displayName', \"\")), Target_alternateId = tostring(column_ifexists('alternateId', \"\"))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_id_s, actor_type_s, actor_alternateId_s, actor_displayName_s, Target_alternateId, Target_Id, Target_type, Target_user,column_ifexists('debugContext_debugData_privilegeGranted_s', \"\"),domain_s,\n authenticationContext_externalSessionId_s, eventType_s, displayMessage_s, transaction_id_s, uuid_g\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This query searches for successful grant of administrator permissions to user/groups. Adversaries often attempt to assign administrator permission to users/group to maintain access as well as to elevate privileges.\n Please verify that the behavior is known and filter out anything that is expected.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/" - }, - { - "name": "tactics", - "value": "Persistence" - }, - { - "name": "techniques", - "value": "T1098" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", - "properties": { - "description": "Okta Single Sign-On Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": 
"Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Okta Single Sign-On Hunting Query 2 with template", - "displayName": "Okta Single Sign-On Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" - ], - "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Okta_Single_Sign-On_Hunting_Query_2", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Create API Token (Okta)", - "category": "Hunting Queries", - "query": "let Events = dynamic([\"system.api_token.create\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Okta API tokens are used to authenticate requests to Okta APIs. 
This query searches for attempts to create new API Token.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/" - }, - { - "name": "tactics", - "value": "PrivilegeEscalation" - }, - { - "name": "techniques", - "value": "T1134" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", - "properties": { - "description": "Okta Single Sign-On Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Okta Single Sign-On Hunting Query 3 with template", - "displayName": "Okta Single Sign-On Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - 
"hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" - ], - "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Okta_Single_Sign-On_Hunting_Query_3", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Initiate impersonation session (Okta)", - "category": "Hunting Queries", - "query": "let Events = dynamic([\"user.session.impersonation.initiate\", \"user.session.impersonation.grant\", \"user.session.impersonation.extend\", \"user.session.impersonation.end\", \"user.session.impersonation.revoke\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. 
This query searches for impersonation events used in LAPSUS$ breach.\n Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/\n Refrence: https://twitter.com/JimmyVo/status/1506306703788326915\n Refrence: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/" - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1195" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", - "properties": { - "description": "Okta Single Sign-On Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Okta Single Sign-On Hunting Query 4 with template", - "displayName": "Okta Single Sign-On Hunting Query template" - } - }, - { - "type": 
"Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" - ], - "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Okta_Single_Sign-On_Hunting_Query_4", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Rare MFA Operations (Okta)", - "category": "Hunting Queries", - "query": "let Events = dynamic([\"user.mfa.factor.update\", \"system.mfa.factor.deactivate\", \"user.mfa.attempt_bypass\", \"user.mfa.factor.reset_all\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n| extend Target=parsejson(target_s)\n| mvexpand bagexpansion=array (Target)\n| evaluate bag_unpack(Target)\n| extend Target_Id = tostring(column_ifexists('id', \"\")), Target_type = tostring(column_ifexists('type', \"\")), Target_user = tostring(column_ifexists('displayName', \"\")), Target_alternateId = tostring(column_ifexists('alternateId', \"\"))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_id_s, actor_type_s, actor_alternateId_s, actor_displayName_s, Target_alternateId, Target_Id, Target_type, Target_user,debugContext_debugData_requestUri_s,\n 
debugContext_debugData_requestId_s, domain_s, authenticationContext_externalSessionId_s, eventType_s, displayMessage_s, transaction_id_s, uuid_g, client_userAgent_rawUserAgent_s, client_userAgent_os_s, client_userAgent_browser_s, \n client_ipAddress_s, column_ifexists('client_geographicalContext_city_s', \"\"), column_ifexists('client_geographicalContext_state_s', \"\"), column_ifexists('client_geographicalContext_country_s', \"\"), column_ifexists('securityContext_isp_s', \"\")\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA.\n Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/" - }, - { - "name": "tactics", - "value": "Persistence" - }, - { - "name": "techniques", - "value": "T1098" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", - "properties": { - "description": "Okta Single Sign-On Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } 
- }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Okta Single Sign-On Hunting Query 5 with template", - "displayName": "Okta Single Sign-On Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" - ], - "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Okta_Single_Sign-On_Hunting_Query_5", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "User password reset(Okta)", - "category": "Hunting Queries", - "query": "let Events = dynamic([\"user.account.reset_password\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Adversaries often manipulate accounts to maintain access to victim systems. 
Account manipulation may consist of actions that preserves adversary access to a compromised account, such as by modifying credentials. \n This query searches for attempts to reset user passwords in Okta logs by an admin. Since this can also be a known activity, please filter out anything that is expected.\n Reference: https://developer.okta.com/docs/reference/api/event-types/\n Reference: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/" - }, - { - "name": "tactics", - "value": "Persistence" - }, - { - "name": "techniques", - "value": "T1098" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", - "properties": { - "description": "Okta Single Sign-On Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", - "source": { - "kind": "Solution", - "name": "Okta Single Sign-On", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "LogicAppsCustomConnector" - }, - "properties": { - "description": "OktaCustomConnector", - "displayName": "OktaCustomConnector" - } - }, - { - "type": 
"Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "LogicAppsCustomConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" - ], - "properties": { - "description": "OktaCustomConnector Playbook with template version 2.0.4", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "CustomConnectorName": { - "defaultValue": "OktaCustomConnector", - "type": "String", - "metadata": { - "description": "Name of the okta Connector" - } - }, - "Service EndPoint": { - "defaultValue": "https://{yourOktaDomain}", - "type": "String", - "metadata": { - "description": "enter the okta endpoint (ex: https://{yourOktaDomain})" - } - } - }, - "variables": { - "operationId-GetUser": "GetUser", - "_operationId-GetUser": "[[variables('operationId-GetUser')]", - "operationId-UpdateUser": "UpdateUser", - "_operationId-UpdateUser": "[[variables('operationId-UpdateUser')]", - "operationId-SuspendUser": "SuspendUser", - "_operationId-SuspendUser": "[[variables('operationId-SuspendUser')]", - "operationId-UnsuspendUser": "UnsuspendUser", - "_operationId-UnsuspendUser": "[[variables('operationId-UnsuspendUser')]", - "operationId-ResetPassword": "ResetPassword", - "_operationId-ResetPassword": "[[variables('operationId-ResetPassword')]", - "operationId-GetUserGroups": "GetUserGroups", - "_operationId-GetUserGroups": "[[variables('operationId-GetUserGroups')]", - "operationId-ClearUserSessions": "ClearUserSessions", - "_operationId-ClearUserSessions": "[[variables('operationId-ClearUserSessions')]", - 
"operationId-RemoveMemberfromGroup": "RemoveMemberfromGroup", - "_operationId-RemoveMemberfromGroup": "[[variables('operationId-RemoveMemberfromGroup')]", - "operationId-AddUserToGroup": "AddUserToGroup", - "_operationId-AddUserToGroup": "[[variables('operationId-AddUserToGroup')]", - "operationId-ListGroupMembers": "ListGroupMembers", - "_operationId-ListGroupMembers": "[[variables('operationId-ListGroupMembers')]", - "operationId-ListUserFactors": "ListUserFactors", - "_operationId-ListUserFactors": "[[variables('operationId-ListUserFactors')]", - "operationId-ResetFactor": "ResetFactor", - "_operationId-ResetFactor": "[[variables('operationId-ResetFactor')]", - "operationId-ListGroups": "ListGroups", - "_operationId-ListGroups": "[[variables('operationId-ListGroups')]", - "operationId-ExpirePassword": "ExpirePassword", - "_operationId-ExpirePassword": "[[variables('operationId-ExpirePassword')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "playbookContentId1": "OktaCustomConnector", - "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('CustomConnectorName'))]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[[parameters('CustomConnectorName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "connectionParameters": { - "api_key": { - "type": "securestring", - "uiDefinition": { - "displayName": "API Key", - "description": "The API Key for this api", - "tooltip": "Provide your API Key", - "constraints": { - "tabIndex": 2, - "clearText": false, - "required": "true" - } - } - } - }, - "backendService": { - "serviceUrl": "[[parameters('Service EndPoint')]" - }, - "brandColor": "#FFFFFF", - "description": "This is the Okta Custom Connector", - "displayName": 
"[[parameters('CustomConnectorName')]", - "iconUri": "", - "swagger": { - "swagger": "2.0", - "info": { - "title": "Default title", - "description": "This is a okta connector", - "version": "1.0" + } + } + }, + "backendService": { + "serviceUrl": "[[parameters('Service EndPoint')]" + }, + "brandColor": "#FFFFFF", + "description": "This is the Okta Custom Connector", + "displayName": "[[parameters('CustomConnectorName')]", + "iconUri": "", + "swagger": { + "swagger": "2.0", + "info": { + "title": "Default title", + "description": "This is a okta connector", + "version": "1.0" }, "host": "$substring([parameters('Service EndPoint')],8 )", "basePath": "/", "schemes": [ "https" ], + "consumes": "[variables('TemplateEmptyArray')]", + "produces": "[variables('TemplateEmptyArray')]", "paths": { "/api/v1/users/{userId}": { "get": { @@ -2404,7 +1695,8 @@ "summary": "List Groups", "description": "Action used to fetch list of group details", "operationId": "[[variables('_operationId-ListGroups')]", - "x-ms-visibility": "important" + "x-ms-visibility": "important", + "parameters": "[variables('TemplateEmptyArray')]" } }, "/api/v1/users/{userID}/lifecycle/expire_password": { 
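Review bot: Wording in the re-added swagger `info` block is what operators see in the connector UI and should be fixed before this ships: `"title": "Default title"` ought to be a real name such as `"Okta Custom Connector"`, and `"description": "This is a okta connector"` should read `"This is an Okta connector"`. In the `@@ -2404` hunk the new `consumes`, `produces` and `parameters` entries use the single-bracket form `[variables('TemplateEmptyArray')]`, so they are resolved by the outer solution template rather than the nested one; confirm `TemplateEmptyArray` is declared in the outer `variables` block (it is not visible in this diff), otherwise the template fails validation at packaging time rather than at connector deployment.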
@@ -2519,55 +1811,397 @@ "description": "credentials" } } - } + } + } + }, + "summary": "Expire Password", + "operationId": "[[variables('_operationId-ExpirePassword')]", + "description": "Action used to change the existing password when current password expired", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "userID", + "in": "path", + "required": true, + "type": "string", + "description": "Please enter user id (Unique identifier of the user)" + }, + { + "name": "tempPassword", + "in": "query", + "required": false, + "type": "string", + "default": false, + "description": "If tempPassword is included in the request, the user's password is reset to a temporary password that is returned, and then the temporary password is expired" + } + ] + } + } + }, + "securityDefinitions": { + "API Key": { + "type": "apiKey", + "in": "header", + "name": "Authorization" + } + }, + "security": [ + { + "API Key": "[variables('TemplateEmptyArray')]" + } + ], + "tags": "[variables('TemplateEmptyArray')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "LogicAppsCustomConnector", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", + 
"lastUpdateTime": "2023-10-17T07:39:38.624Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "LogicAppsCustomConnector", + "displayName": "OktaCustomConnector", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Okta-EnrichIncidentWithUserDetails", + "type": "string", + "metadata": { + "description": "Name of the Logic Apps resource to be created" + } + }, + "CustomConnectorName": { + "defaultValue": "OktaCustomConnector", + "type": "string", + "metadata": { + "description": "Name of the custom connector which interacts with Okta" + } + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "OKTAConnectionName": "[[concat('oktaconnector-', parameters('PlaybookName'))]", + 
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('OKTAConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "UserEnrichment-Okta", + "hidden-SentinelTemplateVersion": "1.0", + "LogicAppsCategory": "security", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('OKTAConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', 
variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each-risky_account_received_from_the_incident": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Add_a_comment_to_the_incident_with_the_information_collected": { + "runAfter": { + "Create_HTML_table_format_of_user_group_details": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

OKTA Playbook performed the following actions:
\n
\nGot User information from OKTA :
\n
\nUser id:  @{body('Get_User')?['id']}
\nUser name:   @{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login: @{body('Get_User')?['profile']?['login']}
\nUser email: @{body('Get_User')?['profile']?['email']}
\nUser status: @{body('Get_User')?['status']}
\nUser created: @{body('Get_User')?['created']}
\nUser activated: @{body('Get_User')?['activated']}
\nUser statusChanged: @{body('Get_User')?['statusChanged']}
\nUser lastLogin: @{body('Get_User')?['lastLogin']}
\nUser lastUpdated: @{body('Get_User')?['lastUpdated']}
\nUser passwordChanged: @{body('Get_User')?['passwordChanged']}
\n
\nUser is part of below Groups :
\n
@{body('Create_HTML_table_format_of_user_group_details')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" } }, - "summary": "Expire Password", - "operationId": "[[variables('_operationId-ExpirePassword')]", - "description": "Action used to change the existing password when current password expired", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "userID", - "in": "path", - "required": true, - "type": "string", - "description": "Please enter user id (Unique identifier of the user)" + "Create_HTML_table_format_of_user_group_details": { + "runAfter": { + "For_each_user_group": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "columns": [ + { + "header": "GroupID", + "value": "@item()?['GroupId']" + }, + { + "header": "GroupName", + "value": "@item()?['GroupName']" + }, + { + "header": "GroupDescription", + "value": "@item()?['GroupDescription']" + } + ], + "format": "HTML", + "from": "@variables('User Groups')" + }, + "description": "prepare html table format to attach in the incident" + }, + "For_each_user_group": { + "foreach": "@body('Get_User_Groups')", + "actions": { + "Append_groups_to_group_array_variable": { + "runAfter": { + "Compose_array_of_groups_for_updating_incident_with_group_details": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "User Groups", + "value": "@outputs('Compose_array_of_groups_for_updating_incident_with_group_details')" + } + }, + "Compose_array_of_groups_for_updating_incident_with_group_details": { + "type": "Compose", + "inputs": { + "GroupDescription": "@items('For_each_user_group')?['profile']?['description']", + "GroupId": "@items('For_each_user_group')?['id']", + "GroupName": "@items('For_each_user_group')?['profile']?['name']" + } + } + }, + "runAfter": { + "Get_User_Groups": [ + "Succeeded" + ] + }, + "type": "Foreach", + "description": "For each user group preparing the list of groups with required 
details to comment in the incident" + }, + "Get_User": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "get", + "path": "/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}" + }, + "description": "This gets the user details from Okta" + }, + "Get_User_Groups": { + "runAfter": { + "Get_User": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "get", + "path": "/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}/groups" }, + "description": "This gets the user groups from Okta" + } + }, + "runAfter": { + "Initialize_variable_to_collect_group_details": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable_to_collect_group_details": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ { - "name": "tempPassword", - "in": "query", - "required": false, - "type": "string", - "default": false, - "description": "If tempPassword is included in the request, the user's password is reset to a temporary password that is returned, and then the temporary password is expired" + "name": "User Groups", + "type": "array" } ] } } - }, - "securityDefinitions": { - "API Key": { - "type": "apiKey", - "in": "header", - "name": "Authorization" + } + }, + "parameters": { + "$connections": { + "value": { + "OktaCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('OKTAConnectionName'))]", + "connectionName": "[[variables('OKTAConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, 
'/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } } - }, - "security": [ - {} - ] + } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", "properties": { - "parentId": "[[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "LogicAppsCustomConnector", - "version": "[variables('playbookVersion1')]", + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", "source": { "kind": "Solution", "name": "Okta Single Sign-On", 
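Review bot: Type mismatch in the `tempPassword` query parameter added to the Expire Password operation: it is declared `"type": "string"` but given `"default": false`, a boolean, which is not valid Swagger 2.0 and can make the custom API definition fail validation. Okta reads `tempPassword` as a boolean flag on `lifecycle/expire_password`, so declare it `"type": "boolean"` (or drop the default). Separately, the new `securityDefinitions` entry sends the stored `api_key` connection value verbatim as the `Authorization` header; Okta expects that header in the form `SSWS <token>`, so the connection parameter's tooltip (defined above this hunk) should state that the prefix must be included, otherwise the connector deploys cleanly and every operation then fails with 401. Also note `"API Key": "[variables('TemplateEmptyArray')]"` in the `security` array is again outer-template scope, same check as above.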
@@ -2582,13 +2216,33 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_OktaCustomConnector')]", + "version": "[variables('playbookVersion1')]" + } + ] } } } ], "metadata": { - "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", - "lastUpdateTime": "2023-02-01T16:00:38.835Z", + "title": "User enrichment - Okta", + "description": "This playbook will collect user information from Okta and post a report on the incident.", + "prerequisites": [ + "1. Okta Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group.", + "2. Generate an API key. [Learn how](https://developer.okta.com/docs/guides/create-an-api-token/overview/)" + ], + "lastUpdateTime": "2021-07-28T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Enrichment" + ], "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", 
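Review bot: The new dependency criteria identify the connector by `[variables('_OktaCustomConnector')]`, while the connector's own metadata resource earlier in this diff registers its contentId as `[variables('_playbookContentId1')]` (with `playbookContentId1` set to `OktaCustomConnector`). Unless both outer variables resolve to exactly that string, the playbook declares a dependency that is never satisfied; use the same variable in both places. Also `"lastUpdateTime"` moves backwards from `2023-02-01T16:00:38.835Z` to `2021-07-28T00:00:00Z` in the same change that bumps the template to version 3.0.0; set it to the date of this change.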
@@ -2597,46 +2251,53 @@ ] } } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "Okta-EnrichIncidentWithUserDetails playbook", - "displayName": "Okta-EnrichIncidentWithUserDetails playbook" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "Okta-EnrichIncidentWithUserDetails", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName2'),'/',variables('playbookVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 2.0.4", + "description": 
"Okta-PromptUser Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", + "contentVersion": "[variables('playbookVersion3')]", "parameters": { "PlaybookName": { - "defaultValue": "Okta-EnrichIncidentWithUserDetails", + "defaultValue": "Okta-PromptUser", "type": "string", "metadata": { - "description": "Name of the Logic Apps resource to be created" + "description": "Name of the Logic App/Playbook" + } + }, + "Teams GroupId": { + "defaultValue": "TeamgroupId", + "type": "string", + "metadata": { + "description": "GroupId of the Team channel" + } + }, + "Teams ChannelId": { + "defaultValue": "TeamChannelId", + "type": "string", + "metadata": { + "description": "Team ChannelId" } }, "CustomConnectorName": { 
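Review bot: The new `Teams GroupId` and `Teams ChannelId` parameters default to the placeholder strings `TeamgroupId` and `TeamChannelId`, so a deployment that forgets to set them succeeds and the playbook only fails later, at run time, when it tries to post to the channel. Remove the defaults so the parameters are mandatory, and say in the playbook description that a Teams channel is now required, since the previous version of this playbook needed only the Okta and Sentinel connections.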
@@ -2650,10 +2311,13 @@ "variables": { "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", "OKTAConnectionName": "[[concat('oktaconnector-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('teamsconnector-', parameters('PlaybookName'))]", "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", "_connection-1": "[[variables('connection-1')]", "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", + "_connection-3": "[[variables('connection-3')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" @@ -2684,13 +2348,24 @@ } } }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", "tags": { - "hidden-SentinelTemplateName": "UserEnrichment-Okta", + "hidden-SentinelTemplateName": "PromptUser-Okta", "hidden-SentinelTemplateVersion": "1.0", "LogicAppsCategory": "security", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" 
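Review bot: The new `Microsoft.Web/connections` resource for Teams (`TeamsConnectionName`, backed by `_connection-3`) carries no `displayName` and no authentication settings, unlike the `azuresentinel` connection, which sets `"kind": "V1"` and `"parameterValueType": "Alternative"` so the workflow's managed identity can use it. The Teams connector does not support managed identity, so this connection is deployed unauthorized and both Adaptive Card actions fail until someone consents in the portal; add a `displayName` and list the post-deployment authorization step in the playbook prerequisites.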
@@ -2700,7 +2375,8 @@ }, "dependsOn": [ "[[resourceId('Microsoft.Web/connections', variables('OKTAConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" ], "properties": { "state": "Enabled", @@ -2745,85 +2421,151 @@ "For_each-risky_account_received_from_the_incident": { "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", "actions": { - "Add_a_comment_to_the_incident_with_the_information_collected": { - "runAfter": { - "Create_HTML_table_format_of_user_group_details": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

OKTA Playbook performed the following actions:
\n
\nGot User information from OKTA :
\n
\nUser id:  @{body('Get_User')?['id']}
\nUser name:   @{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login: @{body('Get_User')?['profile']?['login']}
\nUser email: @{body('Get_User')?['profile']?['email']}
\nUser status: @{body('Get_User')?['status']}
\nUser created: @{body('Get_User')?['created']}
\nUser activated: @{body('Get_User')?['activated']}
\nUser statusChanged: @{body('Get_User')?['statusChanged']}
\nUser lastLogin: @{body('Get_User')?['lastLogin']}
\nUser lastUpdated: @{body('Get_User')?['lastUpdated']}
\nUser passwordChanged: @{body('Get_User')?['passwordChanged']}
\n
\nUser is part of below Groups :
\n
@{body('Create_HTML_table_format_of_user_group_details')}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "Condition_based_on_the_user_confirmation": { + "actions": { + "Add_a_comment_to_the_incident_with_the_information_collected_and_conclusion": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

OKTA Playbook performed the following actions:
\n
\nGot User information from OKTA :
\n
\nUser id:  
@{body('Get_User')?['id']}
\nUser name:  
@{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login:
@{body('Get_User')?['profile']?['login']}
\nUser email:
@{body('Get_User')?['profile']?['email']}
\nUser status:
@{body('Get_User')?['status']}
\nUser created:
@{body('Get_User')?['created']}
\nUser activated:
@{body('Get_User')?['activated']}
\nUser statusChanged:
@{body('Get_User')?['statusChanged']}
\nUser lastLogin:
@{body('Get_User')?['lastLogin']}
\nUser lastUpdated:
@{body('Get_User')?['lastUpdated']}
\nUser passwordChanged:
@{body('Get_User')?['passwordChanged']}
\n
\nActions taken on Sentinel:
\n
\n
Incident will be closed as the user confirmed that it was him.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" } }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table_format_of_user_group_details": { - "runAfter": { - "For_each_user_group": [ - "Succeeded" - ] - }, - "type": "Table", - "inputs": { - "columns": [ - { - "header": "GroupID", - "value": "@item()?['GroupId']" - }, - { - "header": "GroupName", - "value": "@item()?['GroupName']" - }, - { - "header": "GroupDescription", - "value": "@item()?['GroupDescription']" - } - ], - "format": "HTML", - "from": "@variables('User Groups')" - }, - "description": "prepare html table format to attach in the incident" - }, - "For_each_user_group": { - "foreach": "@body('Get_User_Groups')", - "actions": { - "Append_groups_to_group_array_variable": { + "Update_incident_to_close_it": { "runAfter": { - "Compose_array_of_groups_for_updating_incident_with_group_details": [ + "Add_a_comment_to_the_incident_with_the_information_collected_and_conclusion": [ "Succeeded" ] }, - "type": "AppendToArrayVariable", - "inputs": { - "name": "User Groups", - "value": "@outputs('Compose_array_of_groups_for_updating_incident_with_group_details')" - } - }, - "Compose_array_of_groups_for_updating_incident_with_group_details": { - "type": "Compose", + "type": "ApiConnection", "inputs": { - "GroupDescription": "@items('For_each_user_group')?['profile']?['description']", - "GroupId": "@items('For_each_user_group')?['id']", - "GroupName": "@items('For_each_user_group')?['profile']?['name']" + "body": { + "classification": { + "ClassificationAndReason": "Benign Positive - Suspicious But Expected" + }, + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" } } }, "runAfter": { - 
"Get_User_Groups": [ + "Post_an_Adaptive_Card_to_a_Teams_user_and_wait_for_a_response": [ "Succeeded" ] }, - "type": "Foreach", - "description": "For each user group preparing the list of groups with required details to comment in the incident" + "else": { + "actions": { + "Add_a_comment_to_the_incident_with_the_information_collected": { + "runAfter": { + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

OKTA Playbook ran and performed the following actions:
\n
\nGot User information from OKTA :

\n
\nUser id:  @{body('Get_User')?['id']}
\nUser name:   @{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login: @{body('Get_User')?['profile']?['login']}
\nUser email: @{body('Get_User')?['profile']?['email']}
\nUser status: @{body('Get_User')?['status']}
\nUser created: @{body('Get_User')?['created']}
\nUser activated: @{body('Get_User')?['activated']}
\nUser statusChanged: @{body('Get_User')?['statusChanged']}
\nUser lastLogin: @{body('Get_User')?['lastLogin']}
\nUser lastUpdated: @{body('Get_User')?['lastUpdated']}
\nUser passwordChanged: @{body('Get_User')?['passwordChanged']}
\n
\nActions taken on Okta:
\n

\nCleared the user sessions and reset the password of the user.
\n
\n
Actions taken on Sentinel:
\n
\nInformed the SOC admin about the risky user and asked him to investigate further

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Clear_User_Sessions": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "delete", + "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/sessions" + }, + "description": "This clears the user sessions in Okta" + }, + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": { + "runAfter": { + "Reset_Password": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Microsoft Sentinel playbook has taken an action on a risky user\",\n \"wrap\": true\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n } \n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible compromised user detected by the @{triggerBody()?['object']?['properties']?['severity']} Incident @{triggerBody()?['object']?['properties']?['title']}\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident number: @{triggerBody()?['object']?['properties']?['incidentNumber']}\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true \n },\n \n {\n 
\"type\": \"TextBlock\",\n \"text\": \"[Click here to view Incident]()\",\n \"wrap\":\"true\"\n }, \n \n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n \n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"The Okta user in risk:\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User ID: @{body('Get_User')?['id']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"First and Last name: @{body('Get_User')?['profile']?['firstName']} @{body('Get_User')?['profile']?['lastName']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User display name: @{items('For_each-risky_account_received_from_the_incident')?['Name']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Action taken:\",\n \n \"weight\": \"bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User password was reset\",\n \n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User sessions were cleared\",\n\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Please investigate further in Okta.\",\n \"weight\":\"bolder\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n \n }\n ]\n }\n \n ], \n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"OK\"\n }\n ],\n \n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", + "recipient": { + "channelId": "[[parameters('Teams ChannelId')]" + }, + "shouldUpdateCard": true + }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions", + "queries": { + "groupId": "[[parameters('Teams GroupId')]" + } + } + }, + "Reset_Password": { + "runAfter": { + "Clear_User_Sessions": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + 
"connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/reset_password" + }, + "description": "Reset password link for Okta will be sent to user" + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@body('Post_an_Adaptive_Card_to_a_Teams_user_and_wait_for_a_response')?['submitActionId']", + "This was me" + ] + } + ] + }, + "type": "If", + "description": "user confirmation will be captured here if he has done the malicious activity on the user account" }, "Get_User": { "type": "ApiConnection", 
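Review bot: the Teams channel card in `Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response` renders `[Click here to view Incident]()` with an empty link target, so the SOC gets a dead link; use the incident URL the trigger already carries, e.g. `[Click here to view Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})`, which is exactly what the `Okta-ResponseFromTeams` card later in this patch does. In the same card `\"wrap\":\"true\"` is a string where every other `wrap` in the card is the boolean `true`; Adaptive Cards expects the boolean. Also worth noting for the description of this `If`: `Clear_User_Sessions` and `Reset_Password` sit in the branch that runs only when the user did not answer `This was me`, so the containment steps are skipped on the strength of the user's own answer.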
@@ -2836,49 +2578,41 @@ "method": "get", "path": "/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}" }, - "description": "This gets the user details from Okta" + "description": "Gets the user details from Okta" }, - "Get_User_Groups": { + "Post_an_Adaptive_Card_to_a_Teams_user_and_wait_for_a_response": { "runAfter": { "Get_User": [ "Succeeded" ] }, - "type": "ApiConnection", + "type": "ApiConnectionWebhook", "inputs": { + "body": { + "body": { + "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"New Incident from MicrosoftSentinel. Please respond ASAP\",\n \"wrap\": true\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"text\": \"Incident Description \",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"text\": \"Please confirm it was you\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"This was me\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"This was not me\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", + "recipient": { + "to": "@body('Get_User')?['profile']?['email']" + }, + "shouldUpdateCard": true + }, + "notificationUrl": "@{listCallbackUrl()}" + }, "host": { "connection": { - "name": 
"@parameters('$connections')['OktaCustomConnector']['connectionId']" + "name": "@parameters('$connections')['teams']['connectionId']" } }, - "method": "get", - "path": "/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}/groups" - }, - "description": "This gets the user groups from Okta" - } - }, - "runAfter": { - "Initialize_variable_to_collect_group_details": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable_to_collect_group_details": { - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "User Groups", - "type": "array" + "path": "/flowbot/actions/flowcontinuation/recipienttypes/user/$subscriptions" } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" ] - } + }, + "type": "Foreach" } } }, @@ -2899,6 +2633,11 @@ "type": "ManagedServiceIdentity" } } + }, + "teams": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" } } } 
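Review bot: the `This was me` / `This was not me` card is delivered to `@body('Get_User')?['profile']?['email']`, i.e. to the same identity the incident says may be compromised, and the `equals(... submitActionId, 'This was me')` check in the enclosing `If` is what decides whether `Clear_User_Sessions` and `Reset_Password` run. An attacker holding that user's Teams session can answer the card themselves, so this should be documented as a low-assurance check, or the containment branch should not be skipped on the user's answer alone (for instance require the SOC channel confirmation as well before treating the activity as expected). Smaller point: the new `teams` entry under `$connections` references `variables('TeamsConnectionName')`, which is not defined in this hunk; confirm the playbook's `variables` block declares it, otherwise `resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))` fails at deployment.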
@@ -2908,12 +2647,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", "kind": "Playbook", - "version": "[variables('playbookVersion2')]", + "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", "name": "Okta Single Sign-On", @@ -2942,8 +2681,8 @@ } ], "metadata": { - "title": "User enrichment - Okta", - "description": "This playbook will collect user information from Okta and post a report on the incident.", + "title": "Prompt Okta user", + "description": "This playbook uses the OKTA connector to prompt the risky user on Teams. User is asked action was taken by them. Based on the user confirmation the SOC admin is notified to investige on the user account. Also, comment is added to the incident with user information and summary of actions taken.", "prerequisites": [ "1. Okta Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group.", "2. Generate an API key. [Learn how](https://developer.okta.com/docs/guides/create-an-api-token/overview/)" 
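Review bot: the new `description` for `Prompt Okta user` has typos and a broken sentence: `investige` should be `investigate`, and `User is asked action was taken by them` should read `The user is asked to confirm whether the action was taken by them`. The renumbering from `playbookId2` / `_playbookContentId2` / `playbookVersion2` to the `3` variants is consistent across `name`, `parentId`, `contentId` and `version` in this hunk; make sure the corresponding `variables` entries exist and that the template now occupying slot 2 was renumbered in the same commit, since two metadata resources sharing a `Playbook-` name would collide.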
@@ -2963,58 +2702,58 @@ ] } } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "Okta-PromptUser playbook", - "displayName": "Okta-PromptUser playbook" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "Okta-PromptUser", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName3'),'/',variables('playbookVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 2.0.4", + "description": "Okta-ResponseFromTeams Playbook with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", + "contentVersion": "[variables('playbookVersion4')]", "parameters": { "PlaybookName": { - "defaultValue": "Okta-PromptUser", - "type": "string", + "defaultValue": "Okta-ResponseFromTeams", + "type": "String", "metadata": { "description": "Name of the Logic App/Playbook" } }, + "SOC Email": { + "defaultValue": "", + "type": "String", + "metadata": { + "description": "Email alias of the SOC team" + } + }, "Teams GroupId": { "defaultValue": "TeamgroupId", - "type": "string", + "type": "String", "metadata": { "description": "GroupId of the Team channel" } }, "Teams ChannelId": { "defaultValue": "TeamChannelId", - "type": "string", + "type": "String", "metadata": { "description": "Team ChannelId" } @@ -3084,7 +2823,7 @@ "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", "tags": { - "hidden-SentinelTemplateName": "PromptUser-Okta", + "hidden-SentinelTemplateName": "ResponseOnOktaUserTeams-Okta", "hidden-SentinelTemplateVersion": "1.0", "LogicAppsCategory": "security", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" @@ -3124,6 +2863,15 @@ } }, "actions": { + "Compose_the_choice_set_dropdown_for_adaptive_card_for_group_names": { + "runAfter": { + "For_each_group": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@outputs('Select_groups')?[0]?['body']" + }, "Entities_-_Get_Accounts": { "type": "ApiConnection", "inputs": { @@ -3140,198 +2888,238 @@ "For_each-risky_account_received_from_the_incident": { "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", "actions": { - "Condition_based_on_the_user_confirmation": { - "actions": { - "Add_a_comment_to_the_incident_with_the_information_collected_and_conclusion": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

OKTA Playbook performed the following actions:
\n
\nGot User information from OKTA :
\n
\nUser id:  
@{body('Get_User')?['id']}
\nUser name:  
@{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login:
@{body('Get_User')?['profile']?['login']}
\nUser email:
@{body('Get_User')?['profile']?['email']}
\nUser status:
@{body('Get_User')?['status']}
\nUser created:
@{body('Get_User')?['created']}
\nUser activated:
@{body('Get_User')?['activated']}
\nUser statusChanged:
@{body('Get_User')?['statusChanged']}
\nUser lastLogin:
@{body('Get_User')?['lastLogin']}
\nUser lastUpdated:
@{body('Get_User')?['lastUpdated']}
\nUser passwordChanged:
@{body('Get_User')?['passwordChanged']}
\n
\nActions taken on Sentinel:
\n
\n
Incident will be closed as the user confirmed that it was him.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" + "Add_a_comment_to_the_incident_with_the_information_collected_and_action_taken": { + "runAfter": { + "Update_incident_to_change_severity_and_status_according_to_choice": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Update_incident_to_change_severity_and_status_according_to_choice')?['id']", + "message": "

OKTA Playbook ran and performed the following actions:
\n
\nGot User information from OKTA :
\n
\nUser id
:  @{body('Get_User')?['id']}
\nUser name:   @{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login: @{body('Get_User')?['profile']?['login']}
\nUser email: @{body('Get_User')?['profile']?['email']}
\nUser status: @{body('Get_User')?['status']}
\nUser created: @{body('Get_User')?['created']}
\nUser activated: @{body('Get_User')?['activated']}
\nUser statusChanged: @{body('Get_User')?['statusChanged']}
\nUser lastLogin: @{body('Get_User')?['lastLogin']}
\nUser lastUpdated: @{body('Get_User')?['lastUpdated']}
\nUser passwordChanged: @{body('Get_User')?['passwordChanged']}
\n
\nActions taken on Sentinel:
\n

\nIncident close reason: @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}
\nAction taken on User: @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "Update_incident_to_close_it": { - "runAfter": { - "Add_a_comment_to_the_incident_with_the_information_collected_and_conclusion": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "Benign Positive - Suspicious But Expected" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Get_User": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" } - } + }, + "method": "get", + "path": "/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}" }, + "description": "This gets the user details from Okta" + }, + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": { "runAfter": { - "Post_an_Adaptive_Card_to_a_Teams_user_and_wait_for_a_response": [ + "Get_User": [ "Succeeded" ] }, - "else": { - "actions": { - "Add_a_comment_to_the_incident_with_the_information_collected": { - "runAfter": { - "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

OKTA Playbook ran and performed the following actions:
\n
\nGot User information from OKTA :

\n
\nUser id:  @{body('Get_User')?['id']}
\nUser name:   @{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login: @{body('Get_User')?['profile']?['login']}
\nUser email: @{body('Get_User')?['profile']?['email']}
\nUser status: @{body('Get_User')?['status']}
\nUser created: @{body('Get_User')?['created']}
\nUser activated: @{body('Get_User')?['activated']}
\nUser statusChanged: @{body('Get_User')?['statusChanged']}
\nUser lastLogin: @{body('Get_User')?['lastLogin']}
\nUser lastUpdated: @{body('Get_User')?['lastUpdated']}
\nUser passwordChanged: @{body('Get_User')?['passwordChanged']}
\n
\nActions taken on Okta:
\n

\nCleared the user sessions and reset the password of the user.
\n
\n
Actions taken on Sentinel:
\n
\nInformed the SOC admin about the risky user and asked him to investigate further

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Clear_User_Sessions": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "delete", - "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/sessions" + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": " {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious identity - Microsoft Sentinel\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible Comprised User detected by the provider\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Risky user details from Okta:\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"UserID: @{body('Get_User')?['id']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"First and Last name: @{body('Get_User')?['profile']?['firstName']} 
@{body('Get_User')?['profile']?['lastName']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User display name: @{items('For_each-risky_account_received_from_the_incident')?['Name']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Status: @{body('Get_User')?['status']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Status changed: @{body('Get_User')?['statusChanged']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Last login: @{body('Get_User')?['lastLogin']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Last updated: @{body('Get_User')?['lastUpdated']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Password changed: @{body('Get_User')?['passwordChanged']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"Close incident - False Positive\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"Close incident - True Positive\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Close incident - Benign Positive\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"No\",\n \"value\": \"no\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But 
Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel incident severity?\"\n },\n {\n \"choices\": [\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Response in Okta\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://seekvectorlogo.com/wp-content/uploads/2017/12/okta-vector-logo.png\",\n \"size\": \"Small\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change user state (suspend)\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change user state (unsuspend)\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Expire password\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Reset password\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n },\n {\n \"type\": \"Action.ShowCard\",\n \"title\": \"Add user to group\",\n \"card\": {\n \"type\": \"AdaptiveCard\",\n \"body\":[\n {\n \"type\": \"Input.ChoiceSet\",\n \"id\": \"GroupId\",\n \n \"value\": \"1\",\n \"choices\": @{outputs('Select_groups')?[0]?['body']}\n\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"OK\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n }\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", + "recipient": { + "channelId": "[[parameters('Teams ChannelId')]" }, - "description": "This clears the user sessions in Okta" + "shouldUpdateCard": true }, - 
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": { - "runAfter": { - "Reset_Password": [ - "Succeeded" - ] - }, - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "body": { - "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Microsoft Sentinel playbook has taken an action on a risky user\",\n \"wrap\": true\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n } \n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible compromised user detected by the @{triggerBody()?['object']?['properties']?['severity']} Incident @{triggerBody()?['object']?['properties']?['title']}\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident number: @{triggerBody()?['object']?['properties']?['incidentNumber']}\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true \n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view Incident]()\",\n \"wrap\":\"true\"\n }, \n \n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n \n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"The Okta user in risk:\",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User ID: @{body('Get_User')?['id']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"First and Last name: @{body('Get_User')?['profile']?['firstName']} 
@{body('Get_User')?['profile']?['lastName']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User display name: @{items('For_each-risky_account_received_from_the_incident')?['Name']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Action taken:\",\n \n \"weight\": \"bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User password was reset\",\n \n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User sessions were cleared\",\n\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Please investigate further in Okta.\",\n \"weight\":\"bolder\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n \n }\n ]\n }\n \n ], \n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"OK\"\n }\n ],\n \n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", - "recipient": { - "channelId": "[[parameters('Teams ChannelId')]" - }, - "shouldUpdateCard": true + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions", + "queries": { + "groupId": "[[parameters('Teams GroupId')]" + } + } + }, + "Switch_to_perform_action_choices_on_the_user_in_Okta": { + "runAfter": { + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [ + "Succeeded" + ] + }, + "cases": { + "Case_-_Add_user_to_group": { + "case": "OK", + "actions": { + "Group_–_Add_member": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "put", + "path": "/api/v1/groups/@{encodeURIComponent(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['GroupId'])}/users/@{encodeURIComponent(body('Get_User')?['id'])}" + } + } + } + }, + 
"Case_-_Expire_Password": { + "case": "Expire password", + "actions": { + "Expire_Password": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/expire_password" + } + } + } + }, + "Case_-_Reset_Password": { + "case": "Reset password", + "actions": { + "Reset_Password": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } }, - "notificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions", - "queries": { - "groupId": "[[parameters('Teams GroupId')]" + "method": "post", + "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/reset_password" } } - }, - "Reset_Password": { - "runAfter": { - "Clear_User_Sessions": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/reset_password" - }, - "description": "Reset password link for Okta will be sent to user" } - } - }, - "expression": { - "or": [ - { - "equals": [ - "@body('Post_an_Adaptive_Card_to_a_Teams_user_and_wait_for_a_response')?['submitActionId']", - "This was me" - ] - } - ] - }, - "type": "If", - "description": "user confirmation will be captured here if he has done the malicious activity on the user account" - }, - "Get_User": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + }, 
+ "Case_-_Suspend_User": { + "case": "Change user state (suspend)", + "actions": { + "Suspend_User": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/suspend" + } + } } }, - "method": "get", - "path": "/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}" + "Case_-_Unsuspend_User": { + "case": "Change user state (unsuspend)", + "actions": { + "Unsuspend_User": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/unsuspend" + } + } + } + } }, - "description": "Gets the user details from Okta" + "expression": "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']", + "type": "Switch" }, - "Post_an_Adaptive_Card_to_a_Teams_user_and_wait_for_a_response": { + "Update_incident_to_change_severity_and_status_according_to_choice": { "runAfter": { - "Get_User": [ + "Switch_to_perform_action_choices_on_the_user_in_Okta": [ "Succeeded" ] }, - "type": "ApiConnectionWebhook", + "type": "ApiConnection", "inputs": { "body": { - "body": { - "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"New Incident from MicrosoftSentinel. 
Please respond ASAP\",\n \"wrap\": true\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"text\": \"Incident Description \",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"text\": \"Please confirm it was you\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"This was me\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"This was not me\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", - "recipient": { - "to": "@body('Get_User')?['profile']?['email']" - }, - "shouldUpdateCard": true + "classification": { + "ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}" }, - "notificationUrl": "@{listCallbackUrl()}" + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentSeverity']}", + "status": "Closed" }, "host": { "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "path": "/flowbot/actions/flowcontinuation/recipienttypes/user/$subscriptions" + "method": "put", + "path": "/Incidents" } } }, "runAfter": { - "Entities_-_Get_Accounts": [ + "Compose_the_choice_set_dropdown_for_adaptive_card_for_group_names": [ 
"Succeeded" ] }, "type": "Foreach" + }, + "For_each_group": { + "foreach": "@body('List_Groups')", + "actions": { + "Select_groups": { + "type": "Select", + "inputs": { + "from": "@body('List_Groups')", + "select": { + "title": "@item()?['profile']?['name']", + "value": "@item()?['id']" + } + }, + "description": "preparing the group name and id from the list of groups to display in the adaptive card for user choice" + } + }, + "runAfter": { + "List_Groups": [ + "Succeeded" + ] + }, + "type": "Foreach", + "description": "For each group preparing the list of groups with required details to display in the adaptive card for user choice" + }, + "List_Groups": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" + } + }, + "method": "get", + "path": "/api/v1/groups" + }, + "description": "This provides list of groups present in Okta domain" } } }, @@ -3366,12 +3154,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", "kind": "Playbook", - "version": "[variables('playbookVersion3')]", + "version": "[variables('playbookVersion4')]", "source": { "kind": "Solution", "name": "Okta Single Sign-On", 
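Review bot: `SOC Email` is added as a new template parameter (`Email alias of the SOC team`) but no action in the `Okta-ResponseFromTeams` definition in this patch reads `parameters('SOC Email')`; either wire it into a notification step or drop the parameter so deployers are not prompted for an unused value. Related: `contentVersion` now tracks `playbookVersion4` and the content template is described as `template version 3.0.0`, but the Logic App tag `hidden-SentinelTemplateName` was renamed to `ResponseOnOktaUserTeams-Okta` while `hidden-SentinelTemplateVersion` stays at `1.0`; bump them together or note why the template version is pinned.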
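Review bot: `Update_incident_to_change_severity_and_status_according_to_choice` sets `"status": "Closed"` unconditionally and passes the card's raw `incidentStatus` and `incidentSeverity` values straight through, yet the card offers `No` (value `no`) for the close question and `Don't change` (value `same`) for severity. Picking either sends `classification: "no"` or `severity: "same"` to `PUT /Incidents`, neither of which is a valid Sentinel value, and the incident is closed regardless. Gate the update on `incidentStatus` not being `no`, and map `same` back to `triggerBody()?['object']?['properties']?['severity']` before calling the connector. Other points in the same hunk: the `incidentStatus` choice set marks `Close incident - False Positive` with `isSelected: true` while its `value` defaults to `Benign Positive - Suspicious But Expected`, so the two defaults disagree; `For_each_group` re-runs `Select_groups` over the full `body('List_Groups')` once per group and only `outputs('Select_groups')?[0]?['body']` is ever read, so the `Select` belongs outside the loop, and `Compose_the_choice_set_dropdown_for_adaptive_card_for_group_names` is never referenced by any action; the add-to-group dropdown is populated from an unfiltered `GET /api/v1/groups`, so an analyst can place the risky user into any Okta group, including administrative ones, straight from Teams, which deserves an allow-list or at least a warning in the description; and the Okta logo is fetched from `seekvectorlogo.com`, a third-party host every card render will load from, which should be replaced with a first-party asset. Minor: `Possible Comprised User` and `Close Azure Sentinal incident?` are typos.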
@@ -3398,494 +3186,1693 @@ } } } - ], - "metadata": { - "title": "Prompt Okta user", - "description": "This playbook uses the OKTA connector to prompt the risky user on Teams. User is asked action was taken by them. Based on the user confirmation the SOC admin is notified to investige on the user account. Also, comment is added to the incident with user information and summary of actions taken.", - "prerequisites": [ - "1. Okta Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group.", - "2. Generate an API key. [Learn how](https://developer.okta.com/docs/guides/create-an-api-token/overview/)" - ], - "lastUpdateTime": "2021-07-28T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Enrichment" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "Okta-ResponseFromTeams playbook", - "displayName": "Okta-ResponseFromTeams playbook" + ], + "metadata": { + "title": "Response on Okta user from Teams", + "description": "This playbooks sends an adaptive card to the SOC Teams channel with information about the Okta user and incident details. The SOC is allowed to take action such suspend, reset password, expire password, add to group. An informative comment will be posted to the incident.", + "prerequisites": [ + "1. Okta Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group.", + "2. Generate an API key. 
[Learn how](https://developer.okta.com/docs/guides/create-an-api-token/overview/)" + ], + "lastUpdateTime": "2021-07-28T00:00:00Z", + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "Okta-ResponseFromTeams", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "OktaSingleSignOnWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and 
click events that were permitted, delivered, or blocked" + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"23197862-8ab5-4aa4-8e78-bb26fbf1a6bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2419200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"9df846cc-3ff1-4608-ac3a-7dddc6c709a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\n| summarize by domain_s\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"defaultValue\":\"value::1\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Administrative\",\"subTarget\":\"General\",\"preText\":\"Session/User Analysis\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Application\",\"subTarget\":\"Application\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Session/User 
Analysis\",\"subTarget\":\"Analysis\",\"preText\":\"Session/User Analysis\",\"style\":\"link\"}]},\"name\":\"links - 13\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fc39a4b9-f38a-4a3e-bf83-845441828fb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ApplicationList\",\"label\":\"Application\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| distinct tostring(target_s.alternateId)\\r\\n| sort by target_s_alternateId asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"name\":\"parameters - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.session.start\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| summarize Count = count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Console Login by 
Result\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"FAILURE\",\"color\":\"red\"},{\"seriesName\":\"SUCCESS\",\"color\":\"green\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.session.start\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where outcome_result_s == \\\"FAILURE\\\"\\r\\n| summarize Total = count() by User = actor_alternateId_s\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Failed Console Logins by 
User\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"FAILURE\",\"color\":\"red\"},{\"seriesName\":\"SUCCESS\",\"color\":\"green\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.authentication.auth_via_mfa\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where outcome_result_s == \\\"FAILURE\\\"\\r\\n| summarize count() by actor_alternateId_s\\r\\n| top 10 by count_\",\"size\":0,\"title\":\"Top 10 Failed MFA Authentications by 
User\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"labelSettings\":[{\"columnId\":\"actor_alternateId_s\",\"label\":\"User\"},{\"columnId\":\"count_\",\"label\":\"Total\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"FAILURE\",\"color\":\"red\"},{\"seriesName\":\"SUCCESS\",\"color\":\"green\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.authentication.auth_via_mfa\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| summarize Count=count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"MFA Authentications by 
Result\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"SUCCESS\",\"color\":\"green\"},{\"seriesName\":\"FAILURE\",\"color\":\"red\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| summarize count() by tostring(target_s.displayName)\\r\\n| top 10 by count_\",\"size\":0,\"title\":\"Active Applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Users\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where domain_s 
in ({Domain}) or '*' in ({Domain})\\r\\n| summarize count() by tostring(target_s.displayName), bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Active Applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Users\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"Events by Application\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"application.user_membership.add\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\\r\\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\\r\\n| summarize count() by ['Event Time'] = column_ifexists('published_t', now()), ['Source User'] = actor_alternateId_s, Application, ['Target User'] = TargetUser\\r\\n| project-away count_\\r\\n| sort by ['Event Time'] desc\",\"size\":0,\"title\":\"Users Added to Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"application.user_membership.remove\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| 
extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\\r\\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\\r\\n| summarize count() by column_ifexists('published_t', now()), SourceUser = actor_alternateId_s, Application, TargetUser\\r\\n| project-away count_\\r\\n| sort by column_ifexists('published_t', now()) desc\\r\\n\",\"size\":0,\"title\":\"Users Removed from Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 18 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Total Events by Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| where eventType_s has \\\"authentication\\\"\\r\\n| where outcome_result_s == \\\"FAILURE\\\"\\r\\n| summarize count() by 
tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Failed Logins by Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| summarize Total = count() by Application = tostring(target_s.alternateId)\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Event Count by Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where eventType_s has \\\"authentication\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| summarize SUCCESS = countif(outcome_result_s == \\\"SUCCESS\\\"), FAILURE = countif(outcome_result_s == \\\"FAILURE\\\"), Total = count() by User = actor_alternateId_s\\r\\n| top 10 by Total\\r\\n\",\"size\":0,\"title\":\"Top 10 User 
Authentications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SUCCESS\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}},{\"columnMatch\":\"FAILURE\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12 - Copy - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"427470db-f8f8-461c-adc7-47fe5202b5d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SessionID\",\"label\":\"Session ID\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where actor_alternateId_s !in (\\\"system@okta.com\\\")\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| distinct authenticationContext_externalSessionId_s\\r\\n| sort by authenticationContext_externalSessionId_s asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"939a52ae-0662-4483-a52b-35287b151074\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where actor_alternateId_s !in (\\\"system@okta.com\\\")\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| distinct actor_alternateId_s\\r\\n| sort by actor_alternateId_s 
asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"059ad6dc-5f2f-490d-941a-d9f87cf71723\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventTypes\",\"label\":\"Event Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| distinct eventType_s\\r\\n| sort by eventType_s asc\",\"value\":[\"user.session.start\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize count(eventType_s) by actor_alternateId_s, bin(column_ifexists('published_t', now()), {TimeRange:grain})\",\"size\":0,\"showAnnotations\":true,\"title\":\"User Events 
Timeline\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize count() by authenticationContext_externalSessionId_s, column_ifexists('published_t', now()), eventType_s, actor_alternateId_s\\r\\n| sort by authenticationContext_externalSessionId_s asc, column_ifexists('published_t', now()) asc\",\"size\":0,\"title\":\"User Event Details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"authenticationContext_externalSessionId_s\",\"label\":\"Session ID\"},{\"columnId\":\"published_t\",\"label\":\"Event Time\"},{\"columnId\":\"eventType_s\",\"label\":\"Event 
Type\"},{\"columnId\":\"actor_alternateId_s\",\"label\":\"User\"},{\"columnId\":\"count_\",\"label\":\"Total\"}]},\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where eventType_s has \\\"authentication\\\"\\r\\n| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize SUCCESS = countif(outcome_result_s == \\\"SUCCESS\\\"), FAILURE = countif(outcome_result_s == \\\"FAILURE\\\"), Total = count() by actor_alternateId_s, tostring(target_s.alternateId)\\r\\n| sort by actor_alternateId_s asc, target_s_alternateId asc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Application 
Authentications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SUCCESS\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FAILURE\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"actor_alternateId_s\",\"label\":\"User\"},{\"columnId\":\"target_s_alternateId\",\"label\":\"Application\"},{\"columnId\":\"SUCCESS\"},{\"columnId\":\"FAILURE\"},{\"columnId\":\"Total\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n//| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n//| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n//| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize count(eventType_s) by \\tCity = client_geographicalContext_city_s, actor_alternateId_s, Country = client_geographicalContext_country_s, latitude = client_geographicalContext_geolocation_lat_d, longitude = client_geographicalContext_geolocation_lon_d, Results = outcome_result_s\",\"size\":0,\"title\":\"User Events by 
Geo-Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Users\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"count_eventType_s\",\"sizeAggregation\":\"Sum\",\"labelSettings\":\"actor_alternateId_s\",\"legendMetric\":\"count_eventType_s\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_eventType_s\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy - Copy\"}],\"fromTemplateId\":\"sentinel-SSOWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=OktaSingleSignOnWorkbook; logoFileName=okta_logo.svg; description=Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked; 
dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2; title=Okta Single Sign-On; templateRelativePath=OktaSingleSignOn.json; subtitle=; provider=Okta}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Okta_CL", + "kind": "DataType" + }, + { + "contentId": "OktaSSO", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName4'),'/',variables('playbookVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - 
"hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 2.0.4", + "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Okta-ResponseFromTeams", - "type": "String", - "metadata": { - "description": "Name of the Logic App/Playbook" - } - }, - "SOC Email": { - "defaultValue": "", - "type": "String", - "metadata": { - "description": "Email alias of the SOC team" - } - }, - "Teams GroupId": { - "defaultValue": "TeamgroupId", - "type": "String", - "metadata": { - "description": "GroupId of the Team channel" - } - }, - "Teams ChannelId": { - "defaultValue": "TeamChannelId", - "type": "String", - "metadata": { - "description": "Team ChannelId" - } - }, - "CustomConnectorName": { - "defaultValue": "OktaCustomConnector", - "type": "string", - "metadata": { - "description": "Name of the custom connector which interacts with Okta" - } - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "OKTAConnectionName": "[[concat('oktaconnector-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('teamsconnector-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-1": 
"[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('OKTAConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "api": { - "id": "[[variables('_connection-3')]" - } + 
"description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name", + "displayName": "Failed Logins from Unknown or Invalid User", + "enabled": false, + "query": "let FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + } + ] } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": 
"[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "ResponseOnOktaUserTeams-Okta", - "hidden-SentinelTemplateVersion": "1.0", - "LogicAppsCategory": "security", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('OKTAConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Compose_the_choice_set_dropdown_for_adaptive_card_for_group_names": { - "runAfter": { - "For_each_group": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "@outputs('Select_groups')?[0]?['body']" - }, - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": 
"post", - "path": "/entities/account" + "description": "Okta Single Sign-On Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Failed Logins from Unknown or Invalid User", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + 
"resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours", + "displayName": "User Login from Different Countries within 3 hours", + "enabled": false, + "query": "let timeframe = ago(3h);\nlet threshold = 2;\nOkta_CL\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(column_ifexists('client_geographicalContext_country_s', int(null))) by actor_alternateId_s\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\n", + "queryFrequency": "PT3H", + "queryPeriod": "PT3H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" } - }, - "For_each-risky_account_received_from_the_incident": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Add_a_comment_to_the_incident_with_the_information_collected_and_action_taken": { - "runAfter": { - "Update_incident_to_change_severity_and_status_according_to_choice": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": 
"@body('Update_incident_to_change_severity_and_status_according_to_choice')?['id']", - "message": "

OKTA Playbook ran and performed the following actions:
\n
\nGot User information from OKTA :
\n
\nUser id
:  @{body('Get_User')?['id']}
\nUser name:   @{body('Get_User')?['credentials']?['provider']?['name']}
\nUser login: @{body('Get_User')?['profile']?['login']}
\nUser email: @{body('Get_User')?['profile']?['email']}
\nUser status: @{body('Get_User')?['status']}
\nUser created: @{body('Get_User')?['created']}
\nUser activated: @{body('Get_User')?['activated']}
\nUser statusChanged: @{body('Get_User')?['statusChanged']}
\nUser lastLogin: @{body('Get_User')?['lastLogin']}
\nUser lastUpdated: @{body('Get_User')?['lastUpdated']}
\nUser passwordChanged: @{body('Get_User')?['passwordChanged']}
\n
\nActions taken on Sentinel:
\n

\nIncident close reason: @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}
\nAction taken on User: @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Get_User": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "get", - "path": "/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}" - }, - "description": "This gets the user details from Okta" - }, - "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": { - "runAfter": { - "Get_User": [ - "Succeeded" - ] - }, - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "body": { - "messageBody": " {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious identity - Microsoft Sentinel\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible Comprised User detected by the provider\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Risky user details from Okta:\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": 
\"UserID: @{body('Get_User')?['id']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"First and Last name: @{body('Get_User')?['profile']?['firstName']} @{body('Get_User')?['profile']?['lastName']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"User display name: @{items('For_each-risky_account_received_from_the_incident')?['Name']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Status: @{body('Get_User')?['status']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Status changed: @{body('Get_User')?['statusChanged']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Last login: @{body('Get_User')?['lastLogin']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Last updated: @{body('Get_User')?['lastUpdated']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Password changed: @{body('Get_User')?['passwordChanged']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"Close incident - False Positive\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"Close incident - True Positive\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Close incident - Benign Positive\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": 
\"No\",\n \"value\": \"no\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel incident severity?\"\n },\n {\n \"choices\": [\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Response in Okta\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://seekvectorlogo.com/wp-content/uploads/2017/12/okta-vector-logo.png\",\n \"size\": \"Small\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change user state (suspend)\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change user state (unsuspend)\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Expire password\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Reset password\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n },\n {\n \"type\": \"Action.ShowCard\",\n \"title\": \"Add user to group\",\n \"card\": {\n \"type\": \"AdaptiveCard\",\n \"body\":[\n {\n \"type\": \"Input.ChoiceSet\",\n \"id\": \"GroupId\",\n \n \"value\": \"1\",\n \"choices\": @{outputs('Select_groups')?[0]?['body']}\n\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"OK\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n }\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", - "recipient": { - "channelId": 
"[[parameters('Teams ChannelId')]" - }, - "shouldUpdateCard": true - }, - "notificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions", - "queries": { - "groupId": "[[parameters('Teams GroupId')]" - } - } - }, - "Switch_to_perform_action_choices_on_the_user_in_Okta": { - "runAfter": { - "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [ - "Succeeded" - ] - }, - "cases": { - "Case_-_Add_user_to_group": { - "case": "OK", - "actions": { - "Group_–_Add_member": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "put", - "path": "/api/v1/groups/@{encodeURIComponent(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['GroupId'])}/users/@{encodeURIComponent(body('Get_User')?['id'])}" - } - } - } - }, - "Case_-_Expire_Password": { - "case": "Expire password", - "actions": { - "Expire_Password": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/expire_password" - } - } - } - }, - "Case_-_Reset_Password": { - "case": "Reset password", - "actions": { - "Reset_Password": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/reset_password" - } - } - } - }, - "Case_-_Suspend_User": { - "case": "Change user state (suspend)", - "actions": { - "Suspend_User": { - "type": "ApiConnection", - "inputs": { - "host": { - 
"connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/suspend" - } - } - } - }, - "Case_-_Unsuspend_User": { - "case": "Change user state (unsuspend)", - "actions": { - "Unsuspend_User": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/unsuspend" - } - } - } - } - }, - "expression": "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']", - "type": "Switch" - }, - "Update_incident_to_change_severity_and_status_according_to_choice": { - "runAfter": { - "Switch_to_perform_action_choices_on_the_user_in_Okta": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentSeverity']}", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - } - } - }, - "runAfter": { - "Compose_the_choice_set_dropdown_for_adaptive_card_for_group_names": [ - "Succeeded" - ] + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "Okta Single 
Sign-On Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "User Login from Different Countries within 3 hours", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRulecontentId3')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack", + "displayName": "Potential Password Spray Attack", + "enabled": false, + "query": "let FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOkta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion3')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Potential Password Spray Attack", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId4')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query detects cases in which Okta FastPass effectively prevented access to a known phishing website", + "displayName": "Okta Fast Pass phishing Detection", + "enabled": false, + "query": "Okta_CL\n| where eventType_s == 'user.authentication.auth_via_mfa'\n| where outcome_result_s == 'FAILURE'\n| where outcome_reason_s == 'FastPass declined phishing attempt'\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, client_geographicalContext_state_s,displayMessage_s, outcome_result_s,\n outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s, client_geographicalContext_city_s, client_geographicalContext_country_s\n| extend Location = strcat(client_geographicalContext_city_s, \"-\", client_geographicalContext_country_s)\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1566" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "actor_alternateId_s" }, - "type": "Foreach" - 
}, - "For_each_group": { - "foreach": "@body('List_Groups')", - "actions": { - "Select_groups": { - "type": "Select", - "inputs": { - "from": "@body('List_Groups')", - "select": { - "title": "@item()?['profile']?['name']", - "value": "@item()?['id']" - } - }, - "description": "preparing the group name and id from the list of groups to display in the adaptive card for user choice" - } + { + "identifier": "DisplayName", + "columnName": "actor_displayName_s" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "client_ipAddress_s" + } + ], + "entityType": "IP" + } + ], + "customDetails": { + "Location": "Location", + "UserAgent": "client_userAgent_rawUserAgent_s" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Analytics Rule 4", + "parentId": "[variables('analyticRuleId4')]", + "contentId": "[variables('_analyticRulecontentId4')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion4')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Okta Fast Pass phishing Detection", + 
"contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId5')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query identifies users seen login from new geo location/country as well as a new device and performing critical operations", + "displayName": "New Device/Location sign-in along with critical operation", + "enabled": false, + "query": "let timeframe = 1h;\nlet RiskyOperations = dynamic([\"policy.rule.update\",\"policy.rule.create\",\"policy.rule.delete\", \"policy.rule.deactivate\", \"policy.lifecycle.update\", \"policy.rule.modify\", \"policy.lifecycle.create\", \"policy.lifecycle.delete\", \"policy.lifecycle.deactivate\", \"policy.lifecycle.modify\", \"network_zone.rule.disabled\", \"system.api_token.create\", \"system.api_token.revoke\", \"application.policy.sign_on.update\", 
\"application.policy.sign_on.rule.delete\",\"user.mfa.factor.deactivate\", \"user.mfa.factor.reset_all\", \"system.mfa.factor.deactivate\", \"user.mfa.attempt_bypass\"]);\nlet UserLoginNewCountryDevice = Okta_CL\n| where eventType_s == \"user.session.start\"\n| where outcome_result_s == \"SUCCESS\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Country\"] == \"POSITIVE\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Geo-Location\"] == \"POSITIVE\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Device\"] == \"POSITIVE\"\n| summarize by timekey = bin(TimeGenerated, timeframe), actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, authenticationContext_externalSessionId_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d\n| extend Location = strcat(client_geographicalContext_city_s, \"-\", client_geographicalContext_country_s);\nlet RiskyOperationsObserved = Okta_CL\n| where eventType_s in (RiskyOperations)\n| where outcome_result_s == \"SUCCESS\"\n| summarize by timekey = bin(TimeGenerated, timeframe), actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, authenticationContext_externalSessionId_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), 
debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d;\nUserLoginNewCountryDevice\n| join kind=inner (RiskyOperationsObserved) on timekey, actor_displayName_s, client_ipAddress_s\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1078", + "T1556" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "actor_alternateId_s" }, - "runAfter": { - "List_Groups": [ - "Succeeded" - ] + { + "identifier": "DisplayName", + "columnName": "actor_displayName_s" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "client_ipAddress_s" + } + ], + "entityType": "IP" + } + ], + "customDetails": { + "Location": "Location", + "SessionId": "authenticationContext_externalSessionId_s" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n", + "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Analytics Rule 5", + "parentId": "[variables('analyticRuleId5')]", + "contentId": "[variables('_analyticRulecontentId5')]", + "kind": 
"AnalyticsRule", + "version": "[variables('analyticRuleVersion5')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "New Device/Location sign-in along with critical operation", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId6')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": 
"[parameters('workspace-location')]", + "properties": { + "description": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: https://sec.okta.com/everythingisyes", + "displayName": "MFA Fatigue (OKTA)", + "enabled": false, + "query": "let PushThreshold = 10;\nOkta_CL\n| where ((eventType_s ==\"user.authentication.auth_via_mfa\" and debugContext_debugData_factor_s == \"OKTA_VERIFY_PUSH\") or eventType_s == \"system.push.send_factor_verify_push\" or eventType_s == \"user.mfa.okta_verify.deny_push\") \n| summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),\n successes = countif(eventType_s == \"user.authentication.auth_via_mfa\"),\n denies = countif(eventType_s == \"user.mfa.okta_verify.deny_push\"),\n pushes = countif(eventType_s == \"system.push.send_factor_verify_push\") by TimeGenerated, authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| summarize lasttime = max(TimeGenerated), firsttime = min(TimeGenerated),\n successes = sum(successes), failures = sum(denies), pushes = sum(pushes) by authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| extend seconds = lasttime - firsttime\n| where pushes > (PushThreshold)\n| extend totalattempts = successes + failures\n| extend finding = case(\n failures == pushes and pushes > 1, \"Authentication attempts not successful because multiple pushes denied\",\n totalattempts == 0, \"Multiple pushes sent and ignored\",\n successes > 0 and pushes > 3, \"Multiple pushes sent, eventual successful authentication!\",\n \"Normal authentication pattern\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + 
"suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1621" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "actor_alternateId_s" }, - "type": "Foreach", - "description": "For each group preparing the list of groups with required details to display in the adaptive card for user choice" - }, - "List_Groups": { - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] + { + "identifier": "DisplayName", + "columnName": "actor_displayName_s" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Analytics Rule 6", + "parentId": "[variables('analyticRuleId6')]", + "contentId": "[variables('_analyticRulecontentId6')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion6')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": 
"AnalyticsRule", + "displayName": "MFA Fatigue (OKTA)", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId7')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles. 
", + "displayName": "High-Risk Admin Activity", + "enabled": false, + "query": "let AdminActivity = dynamic([\"iam.role.create\",\"iam.role.permissions.add\",\"user.session.access_admin_app\",\"user.mfa.factor.suspend\", \"user.account.privilege.grant\", \"group.privilege.grant\", \"system.api_token.create\", \"user.session.impersonation.grant\"]);\nlet AdminOperations = Okta_CL\n| where eventType_s in (AdminActivity)\n| where outcome_result_s =~ 'SUCCESS' \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, authenticationContext_externalSessionId_s;\nlet HighRiskEvents = Okta_CL\n| where eventType_s in ('policy.evaluate_sign_on' , 'user.session.start')\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).level =~ \"HIGH\"\n| where outcome_result_s =~ 'SUCCESS'\n| extend reasons = tostring(parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).reasons)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, 
client_geographicalContext_geolocation_lon_d, authenticationContext_externalSessionId_s, reasons;\nAdminOperations\n| join kind=inner (HighRiskEvents) on actor_displayName_s, client_ipAddress_s, authenticationContext_externalSessionId_s\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1098" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "actor_alternateId_s" }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['OktaCustomConnector']['connectionId']" - } - }, - "method": "get", - "path": "/api/v1/groups" + { + "identifier": "DisplayName", + "columnName": "actor_displayName_s" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "client_ipAddress_s" + } + ], + "entityType": "IP" + } + ], + "customDetails": { + "SessionId": "authenticationContext_externalSessionId_s" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Analytics Rule 7", + "parentId": "[variables('analyticRuleId7')]", + "contentId": "[variables('_analyticRulecontentId7')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion7')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": 
"[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId7')]", + "contentKind": "AnalyticsRule", + "displayName": "High-Risk Admin Activity", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId8')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight", + "displayName": "Device Registration from Malicious IP", + "enabled": false, + "query": "let 
Events = dynamic([\"device.enrollment.create\"]);\nlet ThreatInsightOperations = dynamic([\"security.threat.detected\", \"security.attack.start\", \"security.attack.end\" ]);\nlet DeviceRegistrations = Okta_CL\n| where eventType_s in (Events)\n| where outcome_result_s == \"SUCCESS\"\n| extend oktaDeviceId_ = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).oktaDeviceId), NewDevice_osPlatform = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osPlatform), NewDevice_osVersion = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osVersion), displayName_ = tostring(parse_json(target_s)[0].displayName)\n| extend Location = strcat(client_geographicalContext_city_s, \" | \", client_geographicalContext_state_s,\" | \", client_geographicalContext_country_s)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, displayMessage_s, outcome_result_s,\noutcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), column_ifexists('debugContext_debugData_threatSuspected_s',\"\"), client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s, NewDevice_osPlatform, NewDevice_osVersion, eventType_s, Location ;\nlet ThreatInsightEvents = Okta_CL\n| where eventType_s in (ThreatInsightOperations)\n| extend SuspiciousIP = actor_displayName_s\n| project TimeGenerated, debugContext_debugData_threatDetections_s, client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;\nDeviceRegistrations \n| join kind=inner (ThreatInsightEvents) on $left.client_ipAddress_s == $right.SuspiciousIP\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": 
[ + { + "dataTypes": [ + "Okta_CL" + ], + "connectorId": "OktaSSO" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1098" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "actor_alternateId_s" }, - "description": "This provides list of groups present in Okta domain" - } + { + "identifier": "DisplayName", + "columnName": "actor_displayName_s" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "client_ipAddress_s" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Analytics Rule 8", + "parentId": "[variables('analyticRuleId8')]", + "contentId": "[variables('_analyticRulecontentId8')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion8')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "Device Registration from Malicious IP", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": 
"[variables('analyticRuleVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Admin privilege granted (Okta)", + "category": "Hunting Queries", + "query": "let Events = dynamic([\"group.privilege.grant\", \"user.account.privilege.grant\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n| extend Target=parsejson(target_s)\n| mvexpand bagexpansion=array (Target)\n| evaluate bag_unpack(Target)\n| extend Target_Id = tostring(column_ifexists('id', \"\")), Target_type = tostring(column_ifexists('type', \"\")), Target_user = tostring(column_ifexists('displayName', \"\")), Target_alternateId = tostring(column_ifexists('alternateId', \"\"))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_id_s, actor_type_s, actor_alternateId_s, actor_displayName_s, Target_alternateId, Target_Id, Target_type, Target_user,column_ifexists('debugContext_debugData_privilegeGranted_s', \"\"),domain_s,\n authenticationContext_externalSessionId_s, 
eventType_s, displayMessage_s, transaction_id_s, uuid_g\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation." + }, + { + "name": "tactics", + "value": "Persistence" + }, + { + "name": "techniques", + "value": "T1098" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 1", + "parentId": "[variables('huntingQueryId1')]", + "contentId": "[variables('_huntingQuerycontentId1')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion1')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "Admin privilege granted (Okta)", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName2')]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Create API Token (Okta)", + "category": "Hunting Queries", + "query": "let Events = dynamic([\"system.api_token.create\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Okta API tokens are used to authenticate requests to Okta APIs. 
This query searches for attempts to create new API Token.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/" + }, + { + "name": "tactics", + "value": "PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1134" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 2", + "parentId": "[variables('huntingQueryId2')]", + "contentId": "[variables('_huntingQuerycontentId2')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion2')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "Create API Token (Okta)", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Initiate impersonation session (Okta)", + "category": "Hunting Queries", + "query": "let Events = dynamic([\"user.session.impersonation.initiate\", \"user.session.impersonation.grant\", \"user.session.impersonation.extend\", \"user.session.impersonation.end\", \"user.session.impersonation.revoke\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1195" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 3", + "parentId": "[variables('huntingQueryId3')]", + "contentId": "[variables('_huntingQuerycontentId3')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion3')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "Initiate impersonation session (Okta)", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + 
"properties": { + "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_4", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Rare MFA Operations (Okta)", + "category": "Hunting Queries", + "query": "let Events = dynamic([\"user.mfa.factor.update\", \"system.mfa.factor.deactivate\", \"user.mfa.attempt_bypass\", \"user.mfa.factor.reset_all\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n| extend Target=parsejson(target_s)\n| mvexpand bagexpansion=array (Target)\n| evaluate bag_unpack(Target)\n| extend Target_Id = tostring(column_ifexists('id', \"\")), Target_type = tostring(column_ifexists('type', \"\")), Target_user = tostring(column_ifexists('displayName', \"\")), Target_alternateId = tostring(column_ifexists('alternateId', \"\"))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_id_s, actor_type_s, actor_alternateId_s, actor_displayName_s, Target_alternateId, Target_Id, Target_type, Target_user,debugContext_debugData_requestUri_s,\n debugContext_debugData_requestId_s, domain_s, authenticationContext_externalSessionId_s, eventType_s, displayMessage_s, transaction_id_s, uuid_g, client_userAgent_rawUserAgent_s, client_userAgent_os_s, client_userAgent_browser_s, \n client_ipAddress_s, column_ifexists('client_geographicalContext_city_s', \"\"), column_ifexists('client_geographicalContext_state_s', \"\"), column_ifexists('client_geographicalContext_country_s', \"\"), column_ifexists('securityContext_isp_s', \"\")\n", + "version": 2, + "tags": [ + 
{ + "name": "description", + "value": "MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts." + }, + { + "name": "tactics", + "value": "Persistence" + }, + { + "name": "techniques", + "value": "T1098" } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 4", + "parentId": "[variables('huntingQueryId4')]", + "contentId": "[variables('_huntingQuerycontentId4')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion4')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "OktaCustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('OKTAConnectionName'))]", - "connectionName": "[[variables('OKTAConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "teams": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - 
"connectionName": "[[variables('TeamsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" - } - } + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "Rare MFA Operations (Okta)", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_5", + "location": "[parameters('workspace-location')]", + 
"properties": { + "eTag": "*", + "displayName": "User password reset(Okta)", + "category": "Hunting Queries", + "query": "let Events = dynamic([\"user.account.reset_password\"]);\nOkta_CL\n| where eventType_s in (Events)\n| where outcome_result_s =~ \"SUCCESS\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs." + }, + { + "name": "tactics", + "value": "Persistence" + }, + { + "name": "techniques", + "value": "T1098" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 5", + "parentId": "[variables('huntingQueryId5')]", + "contentId": "[variables('_huntingQuerycontentId5')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion5')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "User password reset(Okta)", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" 
+ } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_6", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "New device registration from unfamiliar location", + "category": "Hunting Queries", + "query": "let Events = dynamic([\"device.enrollment.create\"]);\nlet DeviceRegistrations = Okta_CL\n | where eventType_s in (Events)\n | where outcome_result_s == \"SUCCESS\"\n | extend oktaDeviceId_ = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).oktaDeviceId), NewDevice_osPlatform = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osPlatform), NewDevice_osVersion = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osVersion), displayName_ = tostring(parse_json(target_s)[0].displayName)\n | extend Location = strcat(client_geographicalContext_city_s, \" | \", client_geographicalContext_state_s,\" | \", client_geographicalContext_country_s)\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, 
displayMessage_s, outcome_result_s,\n outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), column_ifexists('debugContext_debugData_threatSuspected_s',\"\"), client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s, NewDevice_osPlatform, NewDevice_osVersion, eventType_s, Location ;\nlet UserLogins = Okta_CL\n | where TimeGenerated > ago(14d)\n | where eventType_s =~ \"user.session.start\"\n | where outcome_result_s =~ \"SUCCESS\"\n | extend Location = strcat(client_geographicalContext_city_s, \" | \", client_geographicalContext_state_s,\" | \", client_geographicalContext_country_s)\n | project actor_alternateId_s, actor_displayName_s, Location;\nDeviceRegistrations\n | join kind=leftanti (\n UserLogins\n )\non Location, actor_alternateId_s\n | extend Account_0_Name = actor_displayName_s\n | extend IP_0_Address = client_ipAddress_s\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query identifies new device being registered from a location where the user does not normally login from" + }, + { + "name": "tactics", + "value": "Persistence" + }, + { + "name": "techniques", + "value": "T1098" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 6", + "parentId": "[variables('huntingQueryId6')]", + "contentId": "[variables('_huntingQuerycontentId6')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion6')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": 
"support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "New device registration from unfamiliar location", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_7", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Logins originating from VPS Providers", + "category": "Hunting Queries", + "query": "let IP_Data = (externaldata(network:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv\"] with (format=\"csv\"));\nOkta_CL\n| where eventType_s =~ 
\"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| evaluate ipv4_lookup(IP_Data, client_ipAddress_s, network, return_unmatched = false)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, client_geographicalContext_state_s,displayMessage_s, outcome_result_s,\noutcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s\n| extend Account_0_Name = actor_displayName_s\n| extend IP_0_Address = client_ipAddress_s\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query searches for successful logons from known VPS provider network ranges.\n This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed." + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1078" } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 7", + "parentId": "[variables('huntingQueryId7')]", + "contentId": "[variables('_huntingQuerycontentId7')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion7')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" } } + } + ] + }, + "packageKind": "Solution", + 
"packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId7')]", + "contentKind": "HuntingQuery", + "displayName": "Logins originating from VPS Providers", + "contentProductId": "[variables('_huntingQuerycontentProductId7')]", + "id": "[variables('_huntingQuerycontentProductId7')]", + "version": "[variables('huntingQueryVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_8", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Sign-ins from Nord VPN Providers", + "category": "Hunting Queries", + "query": "let nord_vpn_feed = (externaldata(id:int,ip_address: string,search_keywords: dynamic,categories:dynamic,name: string,domain:string,price:int,flag:string,country:string,location:dynamic ,load: int ,features:dynamic)\n [@\"https://raw.githubusercontent.com/microsoft/mstic/master/nordvpn-servers.csv\"] with (format=\"csv\", ignoreFirstRecord=True));\nOkta_CL\n| where eventType_s =~ 
\"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, client_geographicalContext_state_s,displayMessage_s, outcome_result_s,\n outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s\n| join kind= inner nord_vpn_feed on $left.client_ipAddress_s == $right.ip_address\n| extend Account_0_Name = actor_displayName_s\n| extend IP_0_Address = client_ipAddress_s\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query searches for sign-in activity from Nord VPN providers.\nThe purpose is to identify any unfamiliar sign-in attempts from VPN providers, that are not typically observed among users in the organization." + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1078" + } + ] + } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "Playbook", - "version": "[variables('playbookVersion4')]", + "description": "Okta Single Sign-On Hunting Query 8", + "parentId": "[variables('huntingQueryId8')]", + "contentId": "[variables('_huntingQuerycontentId8')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion8')]", "source": { "kind": "Solution", "name": "Okta Single Sign-On", 
@@ -3900,105 +4887,162 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_OktaCustomConnector')]", - "version": "[variables('playbookVersion1')]" - } - ] } } } - ], - "metadata": { - "title": "Response on Okta user from Teams", - "description": "This playbooks sends an adaptive card to the SOC Teams channel with information about the Okta user and incident details. The SOC is allowed to take action such suspend, reset password, expire password, add to group. An informative comment will be posted to the incident.", - "prerequisites": [ - "1. Okta Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group.", - "2. Generate an API key. [Learn how](https://developer.okta.com/docs/guides/create-an-api-token/overview/)" - ], - "lastUpdateTime": "2021-07-28T00:00:00Z", - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "Sign-ins from Nord VPN Providers", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('workbookTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "description": "Okta Single Sign-On Workbook with template", - "displayName": "Okta Single Sign-On workbook template" + "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion9')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_9", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Okta Login from multiple locations", + "category": "Hunting Queries", + "query": "let starttime = ago(4d);\nlet endtime = ago(2d);\nlet common_locations = (Okta_CL\n | where TimeGenerated between(starttime..endtime)\n //| where eventType_s =~ 'user.session.start'\n | extend locationString= strcat(client_geographicalContext_country_s, \"/\",client_geographicalContext_state_s, \"/\", client_geographicalContext_city_s)\n | where locationString != \"//\"\n | summarize count() by locationString\n //modify the most common location value(below) based on your enviornment \n | take 20\n | project locationString);\nlet signIns = (Okta_CL\n | where TimeGenerated between(starttime..endtime)\n // | where eventType_s =~ 'user.session.start'\n | extend locationString= strcat(client_geographicalContext_country_s, \"/\",client_geographicalContext_state_s, 
\"/\", client_geographicalContext_city_s)\n | where locationString != \"//\" and locationString !endswith \"/\"\n | where locationString !in (common_locations));\n // Adjust these to tune your query\nlet lookupWindow = 10m;\nlet lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window\nlet threshold = 5;\nlet users = (signIns\n| summarize dcount(locationString) by actor_displayName_s\n| where dcount_locationString > threshold\n| project actor_displayName_s);\nsignIns\n | where actor_displayName_s in (users)\n | project-rename Start=TimeGenerated\n | extend TimeKey = bin(Start, lookupBin)\n | join kind = inner (\n signIns\n | project-rename End=TimeGenerated, EndLocationString=locationString\n // TimeKey on the right side of the join - emulates this authentication appearing several times\n | extend TimeKey = range(bin(End - lookupWindow, lookupBin),\n bin(End, lookupBin), lookupBin)\n | mvexpand TimeKey to typeof(datetime) // translate TimeKey arrange range to a column\n ) on actor_displayName_s, TimeKey\n | where End > Start\n | project tostring(Start), tostring(End), locationString, EndLocationString, timeSpan = End - Start, actor_displayName_s, client_ipAddress_s, client_userAgent_rawUserAgent_s, client_userAgent_browser_s, client_device_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, eventType_s\n | where locationString != EndLocationString\n | summarize ips=make_set(client_ipAddress_s,100), UAs=make_set(client_userAgent_rawUserAgent_s,100) by timeSpan, actor_displayName_s, locationString, EndLocationString, Start, End, client_userAgent_rawUserAgent_s, client_userAgent_browser_s, client_device_s\n | extend Account_0_Name = actor_displayName_s\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query 
identifies accounts associated with multiple authentications from different geographical locations in a short period of time." + }, + { + "name": "tactics", + "value": "CredentialAccess" + }, + { + "name": "techniques", + "value": "T1110" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "properties": { + "description": "Okta Single Sign-On Hunting Query 9", + "parentId": "[variables('huntingQueryId9')]", + "contentId": "[variables('_huntingQuerycontentId9')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion9')]", + "source": { + "kind": "Solution", + "name": "Okta Single Sign-On", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId9')]", + "contentKind": "HuntingQuery", + "displayName": "Okta Login from multiple locations", + "contentProductId": "[variables('_huntingQuerycontentProductId9')]", + "id": "[variables('_huntingQuerycontentProductId9')]", + "version": "[variables('huntingQueryVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('huntingQueryTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSingleSignOnWorkbook Workbook with template version 2.0.4", + "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('huntingQueryVersion10')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Okta_Single_Sign-On_Hunting_Query_10", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked" - }, "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"23197862-8ab5-4aa4-8e78-bb26fbf1a6bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time 
Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2419200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"9df846cc-3ff1-4608-ac3a-7dddc6c709a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\n| summarize by domain_s\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"defaultValue\":\"value::1\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Administrative\",\"subTarget\":\"General\",\"preText\":\"Session/User Analysis\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Application\",\"subTarget\":\"Application\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Session/User Analysis\",\"subTarget\":\"Analysis\",\"preText\":\"Session/User Analysis\",\"style\":\"link\"}]},\"name\":\"links - 
13\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fc39a4b9-f38a-4a3e-bf83-845441828fb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ApplicationList\",\"label\":\"Application\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| distinct tostring(target_s.alternateId)\\r\\n| sort by target_s_alternateId asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"name\":\"parameters - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.session.start\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| summarize Count = count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Console Login by 
Result\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"FAILURE\",\"color\":\"red\"},{\"seriesName\":\"SUCCESS\",\"color\":\"green\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.session.start\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where outcome_result_s == \\\"FAILURE\\\"\\r\\n| summarize Total = count() by User = actor_alternateId_s\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Failed Console Logins by 
User\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"FAILURE\",\"color\":\"red\"},{\"seriesName\":\"SUCCESS\",\"color\":\"green\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.authentication.auth_via_mfa\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where outcome_result_s == \\\"FAILURE\\\"\\r\\n| summarize count() by actor_alternateId_s\\r\\n| top 10 by count_\",\"size\":0,\"title\":\"Top 10 Failed MFA Authentications by 
User\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"labelSettings\":[{\"columnId\":\"actor_alternateId_s\",\"label\":\"User\"},{\"columnId\":\"count_\",\"label\":\"Total\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"FAILURE\",\"color\":\"red\"},{\"seriesName\":\"SUCCESS\",\"color\":\"green\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"user.authentication.auth_via_mfa\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| summarize Count=count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"MFA Authentications by 
Result\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Results\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"SUCCESS\",\"color\":\"green\"},{\"seriesName\":\"FAILURE\",\"color\":\"red\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| summarize count() by tostring(target_s.displayName)\\r\\n| top 10 by count_\",\"size\":0,\"title\":\"Active Applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Users\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where domain_s 
in ({Domain}) or '*' in ({Domain})\\r\\n| summarize count() by tostring(target_s.displayName), bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Active Applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Users\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"Events by Application\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"application.user_membership.add\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\\r\\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\\r\\n| summarize count() by ['Event Time'] = column_ifexists('published_t', now()), ['Source User'] = actor_alternateId_s, Application, ['Target User'] = TargetUser\\r\\n| project-away count_\\r\\n| sort by ['Event Time'] desc\",\"size\":0,\"title\":\"Users Added to Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where eventType_s == \\\"application.user_membership.remove\\\"\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| 
extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\\r\\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\\r\\n| summarize count() by column_ifexists('published_t', now()), SourceUser = actor_alternateId_s, Application, TargetUser\\r\\n| project-away count_\\r\\n| sort by column_ifexists('published_t', now()) desc\\r\\n\",\"size\":0,\"title\":\"Users Removed from Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"General\"},\"customWidth\":\"50\",\"name\":\"query - 18 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Total Events by Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| where eventType_s has \\\"authentication\\\"\\r\\n| where outcome_result_s == \\\"FAILURE\\\"\\r\\n| summarize count() by 
tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})\",\"size\":0,\"title\":\"Failed Logins by Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| summarize Total = count() by Application = tostring(target_s.alternateId)\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Event Count by Application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| mv-expand todynamic(target_s)\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where eventType_s has \\\"authentication\\\"\\r\\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\\r\\n| summarize SUCCESS = countif(outcome_result_s == \\\"SUCCESS\\\"), FAILURE = countif(outcome_result_s == \\\"FAILURE\\\"), Total = count() by User = actor_alternateId_s\\r\\n| top 10 by Total\\r\\n\",\"size\":0,\"title\":\"Top 10 User 
Authentications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SUCCESS\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}},{\"columnMatch\":\"FAILURE\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application\"},\"customWidth\":\"50\",\"name\":\"query - 12 - Copy - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"427470db-f8f8-461c-adc7-47fe5202b5d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SessionID\",\"label\":\"Session ID\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where actor_alternateId_s !in (\\\"system@okta.com\\\")\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| distinct authenticationContext_externalSessionId_s\\r\\n| sort by authenticationContext_externalSessionId_s asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"939a52ae-0662-4483-a52b-35287b151074\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where actor_alternateId_s !in (\\\"system@okta.com\\\")\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| distinct actor_alternateId_s\\r\\n| sort by actor_alternateId_s 
asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"059ad6dc-5f2f-490d-941a-d9f87cf71723\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventTypes\",\"label\":\"Event Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| distinct eventType_s\\r\\n| sort by eventType_s asc\",\"value\":[\"user.session.start\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize count(eventType_s) by actor_alternateId_s, bin(column_ifexists('published_t', now()), {TimeRange:grain})\",\"size\":0,\"showAnnotations\":true,\"title\":\"User Events 
Timeline\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize count() by authenticationContext_externalSessionId_s, column_ifexists('published_t', now()), eventType_s, actor_alternateId_s\\r\\n| sort by authenticationContext_externalSessionId_s asc, column_ifexists('published_t', now()) asc\",\"size\":0,\"title\":\"User Event Details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"authenticationContext_externalSessionId_s\",\"label\":\"Session ID\"},{\"columnId\":\"published_t\",\"label\":\"Event Time\"},{\"columnId\":\"eventType_s\",\"label\":\"Event 
Type\"},{\"columnId\":\"actor_alternateId_s\",\"label\":\"User\"},{\"columnId\":\"count_\",\"label\":\"Total\"}]},\"sortBy\":[{\"itemKey\":\"actor_alternateId_s\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n| mv-expand todynamic(target_s)\\r\\n| where target_s.type == \\\"AppInstance\\\"\\r\\n| where eventType_s has \\\"authentication\\\"\\r\\n| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize SUCCESS = countif(outcome_result_s == \\\"SUCCESS\\\"), FAILURE = countif(outcome_result_s == \\\"FAILURE\\\"), Total = count() by actor_alternateId_s, tostring(target_s.alternateId)\\r\\n| sort by actor_alternateId_s asc, target_s_alternateId asc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Application 
Authentications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SUCCESS\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FAILURE\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"actor_alternateId_s\",\"label\":\"User\"},{\"columnId\":\"target_s_alternateId\",\"label\":\"Application\"},{\"columnId\":\"SUCCESS\"},{\"columnId\":\"FAILURE\"},{\"columnId\":\"Total\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Okta_CL\\r\\n| where domain_s in ({Domain}) or '*' in ({Domain})\\r\\n//| where authenticationContext_externalSessionId_s in ({SessionID})\\r\\n//| extend actor_alternateId_s=replace_string(actor_alternateId_s,@'\\\\','')\\r\\n| where actor_alternateId_s in ({User}) or '*' in ({User})\\r\\n//| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\\r\\n| summarize count(eventType_s) by \\tCity = client_geographicalContext_city_s, actor_alternateId_s, Country = client_geographicalContext_country_s, latitude = client_geographicalContext_geolocation_lat_d, longitude = client_geographicalContext_geolocation_lon_d, Results = outcome_result_s\",\"size\":0,\"title\":\"User Events by 
Geo-Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Users\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"count_eventType_s\",\"sizeAggregation\":\"Sum\",\"labelSettings\":\"actor_alternateId_s\",\"legendMetric\":\"count_eventType_s\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_eventType_s\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Analysis\"},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy - Copy\"}],\"fromTemplateId\":\"sentinel-SSOWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "eTag": "*", + "displayName": "Okta login attempts using Legacy Auth", + "category": "Hunting Queries", + "query": "Okta_CL\n| where debugContext_debugData_requestUri_s has 'sso/wsfed/active'\n| where outcome_result_s == 'SUCCESS'\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, client_geographicalContext_state_s,displayMessage_s, outcome_result_s,eventType_s,\noutcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, 
client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s, client_geographicalContext_country_s, client_geographicalContext_city_s\n| extend Account_0_Name = actor_displayName_s\n| extend IP_0_Address = client_ipAddress_s\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query identifies use of legacy authentication protocol in the Okta Logs." + }, + { + "name": "tactics", + "value": "CredentialAccess" + }, + { + "name": "techniques", + "value": "T1556" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", "properties": { - "description": "@{workbookKey=OktaSingleSignOnWorkbook; logoFileName=okta_logo.svg; description=Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2; title=Okta Single Sign-On; templateRelativePath=OktaSingleSignOn.json; subtitle=; provider=Okta}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "description": "Okta Single Sign-On Hunting Query 10", + "parentId": "[variables('huntingQueryId10')]", + "contentId": "[variables('_huntingQuerycontentId10')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion10')]", "source": { "kind": "Solution", "name": "Okta Single Sign-On", 
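Review bot: the metadata resource in this hunk describes the new item only as "Okta Single Sign-On Hunting Query 10", while the query's own description tag already says "This query identifies use of legacy authentication protocol in the Okta Logs."; carrying that text into the metadata `description`, and naming the protocol the filter actually matches (the WS-Federation active endpoint selected by `debugContext_debugData_requestUri_s has 'sso/wsfed/active'`), would make the item self-describing instead of a numbered placeholder. The `extend Account_0_Name` / `IP_0_Address` entity columns are consistent with the `summarize ... by` keys, so the mapping itself looks fine.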
@@ -4013,34 +5057,39 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "Okta_CL", - "kind": "DataType" - }, - { - "contentId": "OktaSSO", - "kind": "DataConnector" - } - ] } } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId10')]", + "contentKind": "HuntingQuery", + "displayName": "Okta login attempts using Legacy Auth", + "contentProductId": "[variables('_huntingQuerycontentProductId10')]", + "id": "[variables('_huntingQuerycontentProductId10')]", + "version": "[variables('huntingQueryVersion10')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.4", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Okta Single Sign-On", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Okta Single Sign-On (SSO) solution for Microsoft Sentinel provides the capability to ingest audit and event logs into Microsoft Sentinel using the Okta API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 8, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -4061,6 +5110,36 @@ "dependencies": { "operator": "AND", "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_OktaCustomConnector')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Okta-EnrichIncidentWithUserDetails')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Okta-PromptUser')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Okta-ResponseFromTeams')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRulecontentId1')]", 
@@ -4077,9 +5156,29 @@ "version": "[variables('analyticRuleVersion3')]" }, { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId4')]", + "version": "[variables('analyticRuleVersion4')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId5')]", + "version": "[variables('analyticRuleVersion5')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId6')]", + "version": "[variables('analyticRuleVersion6')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId7')]", + "version": "[variables('analyticRuleVersion7')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId8')]", + "version": "[variables('analyticRuleVersion8')]" }, { "kind": "HuntingQuery", 
@@ -4107,29 +5206,29 @@ "version": "[variables('huntingQueryVersion5')]" }, { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_OktaCustomConnector')]", - "version": "[variables('playbookVersion1')]" + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId6')]", + "version": "[variables('huntingQueryVersion6')]" }, { - "kind": "Playbook", - "contentId": "[variables('_Okta-EnrichIncidentWithUserDetails')]", - "version": "[variables('playbookVersion2')]" + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId7')]", + "version": "[variables('huntingQueryVersion7')]" }, { - "kind": "Playbook", - "contentId": "[variables('_Okta-PromptUser')]", - "version": "[variables('playbookVersion3')]" + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId8')]", + "version": "[variables('huntingQueryVersion8')]" }, { - "kind": "Playbook", - "contentId": "[variables('_Okta-ResponseFromTeams')]", - "version": "[variables('playbookVersion4')]" + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId9')]", + "version": "[variables('huntingQueryVersion9')]" }, { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId10')]", + "version": "[variables('huntingQueryVersion10')]" } ] }, diff --git a/Solutions/Okta Single Sign-On/Playbooks/readme.md b/Solutions/Okta Single Sign-On/Playbooks/readme.md index 82c9bf8b8f4..eebafaf1c18 100644 --- a/Solutions/Okta Single Sign-On/Playbooks/readme.md +++ b/Solutions/Okta Single Sign-On/Playbooks/readme.md 
@@ -100,12 +100,12 @@ Once deployment is complete, you will need to authorize each connection. ## Components of this integration Connector -* [OktaCustomConnector](https://github.com/Azure/Azure-Sentinel/master/Playbooks/Okta/OktaCustomConnector) +* [OktaCustomConnector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Okta%20Single%20Sign-On/Playbooks/OktaCustomConnector) Playbooks -* [Okta-Response From Teams : Playbook to perform different actions on user on Okta and add user deatils to incident](https://github.com/Azure/Azure-Sentinel/master/Playbooks/Okta/OktaPlaybooks/Okta-EnrichIncidentWithUserDetails) -* [Okta-Enrich incident with user details : Playbook to enrich incident with user deatils and user groupdetails ](https://github.com/Azure/Azure-Sentinel/master/Playbooks/Okta/OktaPlaybooks/Okta-EnrichIncidentWithUserDetails) -* [Okta-PromptUser : Playbook to prompt risky user about the malicious activity](https://github.com/Azure/Azure-Sentinel/master/Playbooks/Okta/OktaPlaybooks/Okta-PromptUser) +* [Okta-Response From Teams : Playbook to perform different actions on user on Okta and add user deatils to incident](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Okta%20Single%20Sign-On/Playbooks/OktaPlaybooks/Okta-EnrichIncidentWithUserDetails) +* [Okta-Enrich incident with user details : Playbook to enrich incident with user deatils and user groupdetails ](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Okta%20Single%20Sign-On/Playbooks/OktaPlaybooks/Okta-EnrichIncidentWithUserDetails) +* [Okta-PromptUser : Playbook to prompt risky user about the malicious activity](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Okta%20Single%20Sign-On/Playbooks/OktaPlaybooks/Okta-PromptUser) diff --git a/Solutions/Okta Single Sign-On/ReleaseNotes.md b/Solutions/Okta Single Sign-On/ReleaseNotes.md new file mode 100644 index 00000000000..9cb22f1e92a --- /dev/null +++ b/Solutions/Okta Single Sign-On/ReleaseNotes.md 
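Review bot: the "Okta-Response From Teams" bullet still links to `.../OktaPlaybooks/Okta-EnrichIncidentWithUserDetails` in the new line as well as the old one, so two of the three playbook links resolve to the same folder; given the `_Okta-ResponseFromTeams` dependency declared in the solution template, this link should most likely target the Okta-ResponseFromTeams folder. While these lines are being rewritten, "deatils" (twice) and "groupdetails" could be corrected as well.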
@@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------------------------| +| 3.0.0 | 10-10-2023 | Manual deployment instructions updated for **Data Connector** | \ No newline at end of file diff --git a/Solutions/Okta Single Sign-On/data/Solution_Okta.json b/Solutions/Okta Single Sign-On/data/Solution_Okta.json index 6f886ee9f3f..2ee8d3bebb6 100644 --- a/Solutions/Okta Single Sign-On/data/Solution_Okta.json +++ b/Solutions/Okta Single Sign-On/data/Solution_Okta.json @@ -6,17 +6,27 @@ "Analytic Rules": [ "Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml", "Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml", - "Analytic Rules/PasswordSpray.yaml" + "Analytic Rules/PasswordSpray.yaml", + "Analytic Rules/PhishingDetection.yaml", + "Analytic Rules/NewDeviceLocationCriticalOperation.yaml", + "Analytic Rules/MFAFatigue.yaml", + "Analytic Rules/HighRiskAdminActivity.yaml", + "Analytic Rules/DeviceRegistrationMaliciousIP.yaml" ], "Data Connectors": [ - "Data Connectors/Okta Single Sign-On/Connector_REST_API_FunctionApp_Okta.json" - ], + "Data Connectors/OktaSingleSign-On/Connector_REST_API_FunctionApp_Okta.json" +], "Hunting Queries": [ "Hunting Queries/AdminPrivilegeGrant.yaml", "Hunting Queries/CreateAPIToken.yaml", "Hunting Queries/ImpersonationSession.yaml", "Hunting Queries/RareMFAOperation.yaml", - "Hunting Queries/UserPasswordReset.yaml" + "Hunting Queries/UserPasswordReset.yaml", + "Hunting Queries/NewDeviceRegistration.yaml", + "Hunting Queries/LoginsVPSProvider.yaml", + "Hunting Queries/LoginNordVPN.yaml", + "Hunting Queries/LoginFromMultipleLocations.yaml", + "Hunting Queries/LegacyAuthentication.yaml" ], "Playbooks": [ "Playbooks/OktaCustomConnector/azuredeploy.json", 
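Review bot: the ReleaseNotes.md hunk ends with "\ No newline at end of file", and its single entry ("Manual deployment instructions updated for **Data Connector**") understates what 3.0.0 ships: the Solution_Okta.json hunk that follows adds five analytic rules and five hunting queries and renames the data connector folder to `OktaSingleSign-On`, all of which belong in the change history. In that Solution_Okta.json hunk the closing bracket of "Data Connectors" also loses its indentation (`- ],` becomes `+],`); restore the leading spaces so it matches the other arrays.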
@@ -28,8 +38,8 @@ "Workbooks/OktaSingleSignOn.json" ], "Metadata": "SolutionMetadata.json", - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Okta Single Sign-On", - "Version": "2.0.4", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Okta Single Sign-On\\", + "Version": "3.0.0", "TemplateSpec": true, "Is1PConnector": false } diff --git a/Solutions/Okta Single Sign-On/data/system_generated_metadata.json b/Solutions/Okta Single Sign-On/data/system_generated_metadata.json new file mode 100644 index 00000000000..8db44c73f69 --- /dev/null +++ b/Solutions/Okta Single Sign-On/data/system_generated_metadata.json 
@@ -0,0 +1,39 @@ +{ + "Name": "Okta Single Sign-On", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on) solution for Microsoft Sentinel provides the capability to ingest [audit and event logs](https://www.okta.com/integrate/documentation/isv-syslog-references/) into Microsoft Sentinel using the Okta API.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n", + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Okta Single Sign-On\\", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-okta", + "providers": [ + "Okta" + ], + "categories": { + "domains": [ + "Identity", + "Security - Automation (SOAR)" + ] + }, + "firstPublishDate": "2022-03-24", + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "Data Connectors": "[\n \"Data Connectors/OktaSingleSign-On/Connector_REST_API_FunctionApp_Okta.json\"\n]", + "Playbooks": [ + "Playbooks/OktaCustomConnector/azuredeploy.json", + "Playbooks/OktaPlaybooks/Okta-EnrichIncidentWithUserDetails/azuredeploy.json", + "Playbooks/OktaPlaybooks/Okta-PromptUser/azuredeploy.json", + "Playbooks/OktaPlaybooks/Okta-ResponseFromTeams/azuredeploy.json" + ], + "Workbooks": "[\n \"Workbooks/OktaSingleSignOn.json\"\n]", + 
"Analytic Rules": "[\n \"FailedLoginsFromUnknownOrInvalidUser.yaml\",\n \"LoginfromUsersfromDifferentCountrieswithin3hours.yaml\",\n \"PasswordSpray.yaml\",\n \"PhishingDetection.yaml\",\n \"NewDeviceLocationCriticalOperation.yaml\",\n \"MFAFatigue.yaml\",\n \"HighRiskAdminActivity.yaml\",\n \"DeviceRegistrationMaliciousIP.yaml\"\n]", + "Hunting Queries": "[\n \"AdminPrivilegeGrant.yaml\",\n \"CreateAPIToken.yaml\",\n \"ImpersonationSession.yaml\",\n \"RareMFAOperation.yaml\",\n \"UserPasswordReset.yaml\",\n \"NewDeviceRegistration.yaml\",\n \"LoginsVPSProvider.yaml\",\n \"LoginNordVPN.yaml\",\n \"LoginFromMultipleLocations.yaml\",\n \"LegacyAuthentication.yaml\"\n]" +} diff --git a/Solutions/ProofPointTap/Data Connectors/ProofpointTAP_API_FunctionApp.json b/Solutions/ProofPointTap/Data Connectors/ProofpointTAP_API_FunctionApp.json index 2f0891c69ba..89daa1dd383 100644 --- a/Solutions/ProofPointTap/Data Connectors/ProofpointTAP_API_FunctionApp.json +++ b/Solutions/ProofPointTap/Data Connectors/ProofpointTAP_API_FunctionApp.json 
@@ -147,25 +147,45 @@ } ] }, + + { + "instructions": [ + { + "parameters":{ + + "instructionSteps": [ { "title": "Option 1 - Azure Resource Manager (ARM) Template", "description": "Use this method for automated deployment of the Proofpoint TAP connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelproofpointtapazuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, and validate the **Uri**.\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." }, { "title": "Option 2 - Manual Deployment of Azure Functions", - "description": "This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function." - }, - { - "title": "", - "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. 
In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." - }, - { - "title": "", - "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentinelproofpointtapazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**." - }, - { - "title": "", - "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following six (6) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapipassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n4. Once all application settings have been entered, click **Save**." + "description": "This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "1. Download the [Azure Function App](https://aka.ms/sentinelproofpointtapazurefunctionzip) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. 
Add each of the following six (6) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapipassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n5. Once all application settings have been entered, click **Save**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } + + ] + }, + "type": "InstructionStepsGroup" + } + ] +} ] } diff --git a/Solutions/ProofPointTap/Data/Solution_ProofTap.json b/Solutions/ProofPointTap/Data/Solution_ProofTap.json index 2428fcd7f71..94ffafc8b42 100644 --- a/Solutions/ProofPointTap/Data/Solution_ProofTap.json +++ b/Solutions/ProofPointTap/Data/Solution_ProofTap.json @@ -7,7 +7,7 @@ "Solutions/ProofPointTap/Data Connectors/ProofpointTAP_API_FunctionApp.json" ], "Parsers": [ - "Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.txt" + "Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.yaml" ], "Analytic Rules": [ "Solutions/ProofPointTap/Analytic Rules/MalwareAttachmentDelivered.yaml", 
@@ -23,7 +23,7 @@ "Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/ProofPointTap/Package/3.0.1.zip b/Solutions/ProofPointTap/Package/3.0.1.zip new file mode 100644 index 00000000000..0b28dfb6f8a Binary files /dev/null and b/Solutions/ProofPointTap/Package/3.0.1.zip differ diff --git a/Solutions/ProofPointTap/Package/mainTemplate.json b/Solutions/ProofPointTap/Package/mainTemplate.json index 6a50d8bf1f0..8d1725b39c2 100644 --- a/Solutions/ProofPointTap/Package/mainTemplate.json +++ b/Solutions/ProofPointTap/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "ProofPointTap", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-proofpoint", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ProofpointTAP", @@ -125,7 +125,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ProofPointTap data connector with template version 3.0.0", + "description": "ProofPointTap data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -285,21 +285,40 @@ ] }, { - "description": "Use this method for automated deployment of the Proofpoint TAP connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelproofpointtapazuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, and validate the **Uri**.\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function.", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. 
Make other preferrable configuration changes, if needed, then click **Create**." - }, - { - "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentinelproofpointtapazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**." - }, - { - "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following six (6) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapipassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n4. Once all application settings have been entered, click **Save**." + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Proofpoint TAP connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelproofpointtapazuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, and validate the **Uri**.\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "1. Download the [Azure Function App](https://aka.ms/sentinelproofpointtapazurefunctionzip) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following six (6) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapipassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n5. Once all application settings have been entered, click **Save**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ] } 
@@ -528,21 +547,40 @@ ] }, { - "description": "Use this method for automated deployment of the Proofpoint TAP connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelproofpointtapazuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, and validate the **Uri**.\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function.", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. 
Make other preferrable configuration changes, if needed, then click **Create**." - }, - { - "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentinelproofpointtapazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**." - }, - { - "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following six (6) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapipassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n4. Once all application settings have been entered, click **Save**." + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Proofpoint TAP connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelproofpointtapazuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, and validate the **Uri**.\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "1. Download the [Azure Function App](https://aka.ms/sentinelproofpointtapazurefunctionzip) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following six (6) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapipassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n5. Once all application settings have been entered, click **Save**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "id": "[variables('_uiConfigId1')]" @@ -558,7 +596,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ProofpointTAPEvent Data Parser with template version 3.0.0", + "description": "ProofpointTAPEvent Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", 
@@ -573,15 +611,15 @@ "properties": { "eTag": "*", "displayName": "ProofpointTAPEvent", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "ProofpointTAPEvent", - "query": "\nunion isfuzzy=true ProofpointTAPNativePoller_CL, ProofPointTAPMessagesDelivered_CL, ProofPointTAPMessagesBlocked_CL, ProofPointTAPClicksPermitted_CL, ProofPointTAPClicksBlocked_CL\r\n| extend EventVendor = 'Proofpoint',\r\n EventProduct = 'Targeted Attack Protection',\r\n EventCount = '1'\r\n| project-rename CcAddresses=ccAddresses_s,\r\n\t Cluster=cluster_s,\r\n\t CompletelyRewritten=completelyRewritten_b,\r\n\t SrcUsername=fromAddress_s,\r\n\t EventOriginalUid=GUID_s,\r\n\t HeaderFrom=headerFrom_s,\r\n\t HeaderReplyTo=headerReplyTo_s,\r\n\t Id=id_g,\r\n\t ImpostorScore=impostorScore_d,\r\n\t MalwareScore=malwareScore_d,\r\n\t MessageId=messageID_s,\r\n\t MessageParts=messageParts_s,\r\n\t NetworkBytes=messageSize_d,\r\n\t EventEndTime=messageTime_t,\r\n\t ModulesRun=modulesRun_s,\r\n\t PhishScore=phishScore_d,\r\n\t PolicyRoutes=policyRoutes_s,\r\n\t Qid=QID_s,\r\n\t QuarantineFolder=quarantineFolder_s,\r\n\t QuarantineRule=quarantineRule_s,\r\n\t Recipient=recipient_s,\r\n\t ReplyToAddress=replyToAddress_s,\r\n\t Sender=sender_s,\r\n\t SrcIpAddr=senderIP_s,\r\n\t SpamScore=spamScore_d,\r\n\t Subject=subject_s,\r\n\t ThreatsInfoMap=threatsInfoMap_s,\r\n\t DstUsername=toAddresses_s,\r\n\t Xmailer=xmailer_s", + "query": "union isfuzzy=true ProofpointTAPNativePoller_CL, ProofPointTAPMessagesDelivered_CL, ProofPointTAPMessagesBlocked_CL, ProofPointTAPClicksPermitted_CL, ProofPointTAPClicksBlocked_CL\n| extend EventVendor = 'Proofpoint',\n EventProduct = 'Targeted Attack Protection',\n EventCount = '1'\n| project-rename CcAddresses=ccAddresses_s,\n\t Cluster=cluster_s,\n\t CompletelyRewritten=completelyRewritten_b,\n\t SrcUsername=fromAddress_s,\n\t EventOriginalUid=GUID_s,\n\t HeaderFrom=headerFrom_s,\n\t HeaderReplyTo=headerReplyTo_s,\n\t Id=id_g,\n\t 
ImpostorScore=impostorScore_d,\n\t MalwareScore=malwareScore_d,\n\t MessageId=messageID_s,\n\t MessageParts=messageParts_s,\n\t NetworkBytes=messageSize_d,\n\t EventEndTime=messageTime_t,\n\t ModulesRun=modulesRun_s,\n\t PhishScore=phishScore_d,\n\t PolicyRoutes=policyRoutes_s,\n\t Qid=QID_s,\n\t QuarantineFolder=quarantineFolder_s,\n\t QuarantineRule=quarantineRule_s,\n\t Recipient=recipient_s,\n\t ReplyToAddress=replyToAddress_s,\n\t Sender=sender_s,\n\t SrcIpAddr=senderIP_s,\n\t SpamScore=spamScore_d,\n\t Subject=subject_s,\n\t ThreatsInfoMap=threatsInfoMap_s,\n\t DstUsername=toAddresses_s,\n\t Xmailer=xmailer_s\n", "functionParameters": "", - "version": 1, + "version": 2, "tags": [ { "name": "description", - "value": "ProofpointTAPEvent" + "value": "" } ] } @@ -591,7 +629,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('_parserId1')]" ], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", 
@@ -638,15 +676,15 @@ "properties": { "eTag": "*", "displayName": "ProofpointTAPEvent", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "ProofpointTAPEvent", - "query": "\nunion isfuzzy=true ProofpointTAPNativePoller_CL, ProofPointTAPMessagesDelivered_CL, ProofPointTAPMessagesBlocked_CL, ProofPointTAPClicksPermitted_CL, ProofPointTAPClicksBlocked_CL\r\n| extend EventVendor = 'Proofpoint',\r\n EventProduct = 'Targeted Attack Protection',\r\n EventCount = '1'\r\n| project-rename CcAddresses=ccAddresses_s,\r\n\t Cluster=cluster_s,\r\n\t CompletelyRewritten=completelyRewritten_b,\r\n\t SrcUsername=fromAddress_s,\r\n\t EventOriginalUid=GUID_s,\r\n\t HeaderFrom=headerFrom_s,\r\n\t HeaderReplyTo=headerReplyTo_s,\r\n\t Id=id_g,\r\n\t ImpostorScore=impostorScore_d,\r\n\t MalwareScore=malwareScore_d,\r\n\t MessageId=messageID_s,\r\n\t MessageParts=messageParts_s,\r\n\t NetworkBytes=messageSize_d,\r\n\t EventEndTime=messageTime_t,\r\n\t ModulesRun=modulesRun_s,\r\n\t PhishScore=phishScore_d,\r\n\t PolicyRoutes=policyRoutes_s,\r\n\t Qid=QID_s,\r\n\t QuarantineFolder=quarantineFolder_s,\r\n\t QuarantineRule=quarantineRule_s,\r\n\t Recipient=recipient_s,\r\n\t ReplyToAddress=replyToAddress_s,\r\n\t Sender=sender_s,\r\n\t SrcIpAddr=senderIP_s,\r\n\t SpamScore=spamScore_d,\r\n\t Subject=subject_s,\r\n\t ThreatsInfoMap=threatsInfoMap_s,\r\n\t DstUsername=toAddresses_s,\r\n\t Xmailer=xmailer_s", + "query": "union isfuzzy=true ProofpointTAPNativePoller_CL, ProofPointTAPMessagesDelivered_CL, ProofPointTAPMessagesBlocked_CL, ProofPointTAPClicksPermitted_CL, ProofPointTAPClicksBlocked_CL\n| extend EventVendor = 'Proofpoint',\n EventProduct = 'Targeted Attack Protection',\n EventCount = '1'\n| project-rename CcAddresses=ccAddresses_s,\n\t Cluster=cluster_s,\n\t CompletelyRewritten=completelyRewritten_b,\n\t SrcUsername=fromAddress_s,\n\t EventOriginalUid=GUID_s,\n\t HeaderFrom=headerFrom_s,\n\t HeaderReplyTo=headerReplyTo_s,\n\t Id=id_g,\n\t 
ImpostorScore=impostorScore_d,\n\t MalwareScore=malwareScore_d,\n\t MessageId=messageID_s,\n\t MessageParts=messageParts_s,\n\t NetworkBytes=messageSize_d,\n\t EventEndTime=messageTime_t,\n\t ModulesRun=modulesRun_s,\n\t PhishScore=phishScore_d,\n\t PolicyRoutes=policyRoutes_s,\n\t Qid=QID_s,\n\t QuarantineFolder=quarantineFolder_s,\n\t QuarantineRule=quarantineRule_s,\n\t Recipient=recipient_s,\n\t ReplyToAddress=replyToAddress_s,\n\t Sender=sender_s,\n\t SrcIpAddr=senderIP_s,\n\t SpamScore=spamScore_d,\n\t Subject=subject_s,\n\t ThreatsInfoMap=threatsInfoMap_s,\n\t DstUsername=toAddresses_s,\n\t Xmailer=xmailer_s\n", "functionParameters": "", - "version": 1, + "version": 2, "tags": [ { "name": "description", - "value": "ProofpointTAPEvent" + "value": "" } ] } @@ -690,7 +728,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MalwareAttachmentDelivered_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "MalwareAttachmentDelivered_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -735,8 +773,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountCustomEntity" } ] }, @@ -744,8 +782,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } 
@@ -803,7 +841,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MalwareLinkClicked_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "MalwareLinkClicked_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -848,8 +886,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountCustomEntity" } ] }, @@ -857,8 +895,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -866,8 +904,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "URLCustomEntity", - "identifier": "Url" + "identifier": "Url", + "columnName": "URLCustomEntity" } ] } @@ -925,7 +963,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ProofpointTAPWorkbook Workbook with template version 3.0.0", + "description": "ProofpointTAPWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1025,7 +1063,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ProofpointTAPConnector Playbook with template version 3.0.0", + "description": "ProofpointTAPConnector Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -1995,7 +2033,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Get-ProofpointTAPEvents Playbook with template version 3.0.0", + "description": "Get-ProofpointTAPEvents Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -2297,7 +2335,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ProofpointTAP-AddForensicsInfoToIncident Playbook with template version 3.0.0", + "description": "ProofpointTAP-AddForensicsInfoToIncident Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -2396,7 +2434,7 @@ "type": "Table" }, "Create_logo": { - "inputs": "", + "inputs": "", "runAfter": { "Create_HTML_table": [ "Succeeded" 
@@ -2674,7 +2712,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ProofpointTAP-CheckAccountInVAP Playbook with template version 3.0.0", + "description": "ProofpointTAP-CheckAccountInVAP Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -2791,7 +2829,7 @@ "type": "Table" }, "Create_logo": { - "inputs": "", + "inputs": "", "runAfter": { "Create_HTML_table": [ "Succeeded" @@ -3093,12 +3131,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "ProofPointTap", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Proofpoint TAP solution for Microsoft Sentinel enables you to ingest Proofpoint TAP logs into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Proofpoint TAP solution for Microsoft Sentinel enables you to ingest Proofpoint TAP logs into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.txt b/Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.txt deleted file mode 100644 index b662afa3fde..00000000000 --- a/Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.txt +++ /dev/null 
@@ -1,38 +0,0 @@ -// Usage Instructions: -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name as ProofpointTAPEvent and specifying Legacy Category. -// This function maps Proofpoint Targeted Attack Protection events to Microsoft Sentinel Information Model (ASIM) (https://docs.microsoft.com/azure/sentinel/normalization). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ProofpointTAPEvent | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -union isfuzzy=true ProofpointTAPNativePoller_CL, ProofPointTAPMessagesDelivered_CL, ProofPointTAPMessagesBlocked_CL, ProofPointTAPClicksPermitted_CL, ProofPointTAPClicksBlocked_CL -| extend EventVendor = 'Proofpoint', - EventProduct = 'Targeted Attack Protection', - EventCount = '1' -| project-rename CcAddresses=ccAddresses_s, - Cluster=cluster_s, - CompletelyRewritten=completelyRewritten_b, - SrcUsername=fromAddress_s, - EventOriginalUid=GUID_s, - HeaderFrom=headerFrom_s, - HeaderReplyTo=headerReplyTo_s, - Id=id_g, - ImpostorScore=impostorScore_d, - MalwareScore=malwareScore_d, - MessageId=messageID_s, - MessageParts=messageParts_s, - NetworkBytes=messageSize_d, - EventEndTime=messageTime_t, - ModulesRun=modulesRun_s, - PhishScore=phishScore_d, - PolicyRoutes=policyRoutes_s, - Qid=QID_s, - QuarantineFolder=quarantineFolder_s, - QuarantineRule=quarantineRule_s, - Recipient=recipient_s, - ReplyToAddress=replyToAddress_s, - Sender=sender_s, - SrcIpAddr=senderIP_s, - SpamScore=spamScore_d, - Subject=subject_s, - ThreatsInfoMap=threatsInfoMap_s, - DstUsername=toAddresses_s, - Xmailer=xmailer_s \ No newline at end of file diff --git a/Solutions/ProofPointTap/Playbooks/Get-ProofPointTapEvents/readme.md b/Solutions/ProofPointTap/Playbooks/Get-ProofPointTapEvents/readme.md index cebb42bcfe2..4a82ba2d6af 100644 
--- a/Solutions/ProofPointTap/Playbooks/Get-ProofPointTapEvents/readme.md +++ b/Solutions/ProofPointTap/Playbooks/Get-ProofPointTapEvents/readme.md @@ -1,7 +1,7 @@ # Get-ProofpointTapEvents Author: Cristhofer Romeo Munoz -This playbook ingests events from ProofPoint TAP to Log Analytics/Azure Sentinel. +This playbook ingests events from ProofPoint TAP to Log Analytics/Microsoft Sentinel. [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FProofPointTap%2FPlaybooks%2FGet-ProofPointTapEvents%2FAzuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FProofPointTap%2FPlaybooks%2FGet-ProofPointTapEvents%2FAzuredeploy.json) \ No newline at end of file diff --git a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/azuredeploy.json b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/azuredeploy.json index 13c51567b0d..ec29d72731c 100644 --- a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/azuredeploy.json +++ b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/azuredeploy.json @@ -128,7 +128,7 @@ "type": "Table" }, "Create_logo": { - "inputs": "", + "inputs": "", "runAfter": { "Create_HTML_table": [ "Succeeded" diff --git a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/readme.md b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/readme.md index 3f7a4ab7436..b2f9d91b7de 100644 --- a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/readme.md +++ b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/readme.md 
@@ -20,12 +20,12 @@ ### Post-Deployment instructions #### a. Authorize connections Once deployment is complete, authorize each connection. -1. Click the Azure Sentinel connection resource +1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for Proofpoint TAP connector API Connection. Provide the Service Principal and the secret for authorizing. #### b. Configurations in Sentinel -1. In Azure sentinel, analytical rules should be configured to trigger an incident. An incident should have *campaignId* custom entity (obtained from *campaignId_s* field in ProofpointTAP logs). Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents. +1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have *campaignId* custom entity (obtained from *campaignId_s* field in ProofpointTAP logs). Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents. 2. Configure the automation rules to trigger the playbook. diff --git a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json index 72fa29951a0..85a8f77360a 100644 --- a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json +++ b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json @@ -147,7 +147,7 @@ "type": "Table" }, "Create_logo": { - "inputs": "", + "inputs": "", "runAfter": { "Create_HTML_table": [ "Succeeded" diff --git a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/readme.md b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/readme.md index b15610e3c37..22eef0fb908 100644 
--- a/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/readme.md +++ b/Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/readme.md @@ -21,12 +21,12 @@ ### Post-Deployment instructions #### a. Authorize connections Once deployment is complete, authorize each connection. -1. Click the Azure Sentinel connection resource +1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for Proofpoint TAP connector API Connection. Provide the Service Principal and the secret for authorizing. #### b. Configurations in Sentinel -1. In Azure sentinel, analytical rules have to be configured to trigger an incident with risky user account. In the *Entity maping* section of the analytics rule creation workflow, user's email has to be mapped to **FullName** identitfier of the **Account** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities. +1. In Microsoft Sentinel, analytical rules have to be configured to trigger an incident with risky user account. In the *Entity maping* section of the analytics rule creation workflow, user's email has to be mapped to **FullName** identitfier of the **Account** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities. 2. Configure the automation rules to trigger the playbook. diff --git a/Solutions/ProofPointTap/ReleaseNotes.md b/Solutions/ProofPointTap/ReleaseNotes.md index 359ec8ab5e9..77aff1cf933 100644 --- a/Solutions/ProofPointTap/ReleaseNotes.md +++ b/Solutions/ProofPointTap/ReleaseNotes.md 
@@ -1,3 +1,4 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|------------------------------------------------------| -| 3.0.0 | 01-08-2023 | Updated solution logo with Microsoft Sentinel logo | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------| +| 3.0.1 | 10-10-2023 | Manual deployment instructions updated for **Data Connector**| +| 3.0.0 | 01-08-2023 | Updated solution logo with Microsoft Sentinel logo |
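Review bot: In both ProofpointTAPEvent savedSearch hunks (the first at the top of this section and the one at `@@ -638`), the description tag is changed to `"value": ""`, which leaves a tag that carries no information; either drop the tag or give it a real description (the previous `"ProofpointTAPEvent"` at minimum). In the same `+ "query"` line, `EventCount = '1'` is a string literal while the other added fields (`EventVendor`, `EventProduct`) are correctly strings; ASIM defines EventCount as an integer, so `EventCount = 1` would match the schema this parser claims to map to. The drop of the leading `\n` and the switch from `\r\n` to `\n` in the query are fine and make the two parser blocks consistent with each other.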
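Review bot: The `@@ -591` hunk changes the parser metadata `dependsOn` from `"[variables('_parserName1')]"` to `"[variables('_parserId1')]"`, which matches the `name` expression in the same hunk (`last(split(variables('_parserId1'),'/'))`). Note that `parentId` two lines below is built from `variables('parserName1')` via `resourceId(...)`, so confirm that `_parserId1` evaluates to that same savedSearches resource id; otherwise the dependency points at a resource the deployment cannot resolve and the metadata resource will fail to deploy.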
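Review bot: The fieldMappings hunks (`@@ -735`, `@@ -744`, `@@ -848`, `@@ -857`, `@@ -866`) only swap the order of the `identifier` and `columnName` keys inside each mapping object; no mapping value changes. This is harmless for deployment but it adds noise to the review and suggests the packaging tool emits keys in a different order than the checked-in template. If the template is regenerated by tooling, consider normalising key order once so future diffs show only real changes.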
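Review bot: In the four `Create_logo` hunks (`@@ -2396`, `@@ -2791` in the packaged template, and `@@ -128` / `@@ -147` in the two playbook azuredeploy.json files) the removed and added `"inputs": ""` lines are indistinguishable as shown, so the actual change cannot be reviewed here. Please state in the PR description what changed in the logo input (for example encoding or whitespace) and confirm the logo still renders in the HTML table the playbook posts to the incident.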
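Review bot: Deleting `Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.txt` removes the only copy of the usage instructions (paste as a function named `ProofpointTAPEvent`, 10-15 minute activation delay) and the pointer to the ASIM normalization docs; the query itself survives only inside the packaged template. If a replacement parser definition (for example a YAML file) is added elsewhere in this PR, reference it in the ReleaseNotes; otherwise keep a manually deployable copy so users who do not install the full solution can still create the function. Note the deleted instructions say to select "Legacy Category", which aligns with the template's category change from `"Samples"` to `"Microsoft Sentinel Parser"`.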
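Review bot: In the ProofpointTAP-AddForensicsInfoToIncident readme hunk (`@@ -20,12 +20,12 @@`), the rewritten step 1 keeps "An incident should have *campaignId* custom entity"; since the line is already being edited for the Azure Sentinel to Microsoft Sentinel rename, make it "should have a *campaignId* custom entity". The heading "#### b. Configurations in Sentinel" and step 6 ("Proofpoint TAP connector API Connection") are untouched, which is fine.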
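Review bot: In the ProofpointTAP-CheckAccountInVAP readme hunk (`@@ -21,12 +21,12 @@`), the added step 1 line still carries two typos from the removed line, "*Entity maping*" and "**FullName** identitfier"; fix them to "*Entity mapping*" and "**FullName** identifier" while the line is being rewritten, and prefer "an incident with a risky user account". Separately, the Get-ProofPointTapEvents readme hunk writes the vendor as "ProofPoint TAP" while the rest of the solution uses "Proofpoint TAP"; align the spelling.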
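Review bot: The new ReleaseNotes row for 3.0.1 lists only "Manual deployment instructions updated for **Data Connector**", but this diff also changes the parser category, corrects the parser metadata `dependsOn` variable, empties the parser description tag, deletes the standalone `Parsers/ProofpointTAPEvent.txt`, and renames Azure Sentinel to Microsoft Sentinel in the playbook readmes. Record those in the change history so operators upgrading from 3.0.0 know the parser packaging changed, and confirm the `description` strings bumped to 3.0.1 in `@@ -690`, `@@ -803`, `@@ -925`, `@@ -1025`, `@@ -1995`, `@@ -2297` and `@@ -2674` match the `version` field changed to `"3.0.1"` in `@@ -3093` (they do as shown; `contentSchemaVersion` correctly stays at `3.0.0`).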