Azure · v-atulyadav · Oct 18, 2023 · Oct 10, 2023 · Oct 10, 2023 · Oct 10, 2023
@@ -117,25 +117,45 @@
                 }
             ]
         },
+		{
+				"instructions": [ 
+		{
+			"parameters":{
+
+				   "instructionSteps": [
         {
             "title": "Option 1 - Azure Resource Manager (ARM) Template",
             "description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeployv2-solution)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**. \n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
         },
         {
             "title": "Option 2 - Manual Deployment of Azure Functions",
-            "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions."
-        },
-        {
-            "title": "",
-            "description": "**1. Create a Function App**\n\n1.  From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
-        },
-        {
-            "title": "",
-            "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and change the default cron schedule to every 10 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentineloktaazurefunctioncodev2) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
-        },
-        {
-            "title": "",
-            "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
+            "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "instructions": [ 
+                {
+                    "parameters": {
+
+                        "instructionSteps": [
+                             {
+							  "title": "Step 1 - Deploy a Function App",
+							  "description": "1. Download the [Azure Function App](https://aka.ms/sentineloktaazurefunctioncodev2) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
+							  },
+							{
+                              "title": "Step 2 - Configure the Function App",
+                              "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us. \n5. Once all application settings have been entered, click **Save**."
+                             }
+                        ]
+                    },
+                    "type": "InstructionStepsGroup"
+                }
+            ]
         }
+
+		]
+	},
+			  "type": "InstructionStepsGroup"
+	}
+	]
+}
+
     ]
 }
@@ -1,6 +1,8 @@
 id: 5309ea6b-463c-4449-a3c4-2fc8ee0080ee
 name: Admin privilege granted (Okta)
 description: |
+  'Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation.'
+description-detailed: |
   'This query searches for successful grant of administrator permissions to user/groups. Adversaries often attempt to assign administrator permission to users/group to maintain access as well as to elevate privileges.
    Please verify that the behavior is known and filter out anything that is expected.
    Refrence: https://developer.okta.com/docs/reference/api/event-types/'

@@ -1,6 +1,8 @@
 id: 96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc
 name: Initiate impersonation session (Okta) 
 description: |
+    'User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach.'
+description-detailed: |
   'User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. This query searches for impersonation events used in LAPSUS$ breach.
    Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous.
    Refrence: https://developer.okta.com/docs/reference/api/event-types/

@@ -1,6 +1,8 @@
 id: 18667b4a-18e5-4982-ba75-92ace62bc79c
 name: Rare MFA Operations (Okta)
 description: |
+  'MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts.'
+description-detailed: |
   'Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA.
    Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected.
    Refrence: https://developer.okta.com/docs/reference/api/event-types/'

@@ -1,6 +1,8 @@
 id: 38da2aa3-4778-4d88-9178-3c5c14758b05
 name: User password reset(Okta)
 description: |
+    'Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs.'
+description-detailed: |
   'Adversaries often manipulate accounts to maintain access to victim systems. Account manipulation may consist of actions that preserves adversary access to a compromised account, such as by modifying credentials. 
    This query searches for attempts to reset user passwords in Okta logs by an admin. Since this can also be a known activity, please filter out anything that is expected.
    Reference: https://developer.okta.com/docs/reference/api/event-types/