Repackaging - Okta Single Sign-On (using Azure Functions) #9184

Merged
Expand Up @@ -117,25 +117,45 @@
}
]
},
{
"instructions": [
{
"parameters":{

"instructionSteps": [
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeployv2-solution)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**. \n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions."
},
{
"title": "",
"description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
},
{
"title": "",
"description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and change the default cron schedule to every 10 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentineloktaazurefunctioncodev2) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
},
{
"title": "",
"description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
"description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions (Deployment via Visual Studio Code).",
"instructions": [
{
"parameters": {

"instructionSteps": [
{
"title": "Step 1 - Deploy a Function App",
"description": "1. Download the [Azure Function App](https://aka.ms/sentineloktaazurefunctioncodev2) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
},
{
"title": "Step 2 - Configure the Function App",
"description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time value to the URI, the Function App will dynamically append the inital start time of logs to UTC 0:00 for the current UTC date as time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us. \n5. Once all application settings have been entered, click **Save**."
}
]
},
"type": "InstructionStepsGroup"
}
]
}

]
},
"type": "InstructionStepsGroup"
}
]
}

]
}
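Review bot: The new Step 1 and Step 2 descriptions carry over two defects from the text they replace: the misspelling "inital" in "the inital start time of logs" and the missing spaces around the inline code in "use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema"; fix both while this text is being rewritten, and change "follow next steps for configuring it" to "follow the next steps to configure it". The hunk also drops the ARM template path (the Deploy to Azure button pointing at https://aka.ms/sentineloktaazuredeployv2-solution) and the in-portal Timer Trigger / `run.ps1` paste path, leaving VS Code deployment as the only documented option; if that is intentional, the solution README should state it, and the Key Vault reference note deserves to stay prominent since `apiToken` and `workspaceKey` are long-lived secrets.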
@@ -1,6 +1,8 @@
id: 5309ea6b-463c-4449-a3c4-2fc8ee0080ee
name: Admin privilege granted (Okta)
description: |
'Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation.'
description-detailed: |
'This query searches for successful grant of administrator permissions to user/groups. Adversaries often attempt to assign administrator permission to users/group to maintain access as well as to elevate privileges.
Please verify that the behavior is known and filter out anything that is expected.
Refrence: https://developer.okta.com/docs/reference/api/event-types/'
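Review bot: "Refrence" on the last added line should be "Reference", and "grant of administrator permissions to user/groups" reads better as "to users or groups". Since `description-detailed` is a literal block scalar (`|`), the enclosing single quotes are kept verbatim in the value rather than acting as YAML quoting; that matches the existing `description` field in this file, so it is consistent, but the quotes will appear in the rendered text.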
@@ -1,6 +1,8 @@
id: 96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc
name: Initiate impersonation session (Okta)
description: |
'User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach.'
description-detailed: |
'User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. This query searches for impersonation events used in LAPSUS$ breach.
Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous.
Refrence: https://developer.okta.com/docs/reference/api/event-types/
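Review bot: The added block opens with a single quote but the last line (`Refrence: https://developer.okta.com/docs/reference/api/event-types/`) has no closing quote, unlike the admin-privilege and MFA files in this PR; add it, fix "Refrence" to "Reference", and change "co-relate" to "correlate". The opening sentence "User.session.impersonation are generally speaking rare events" would also be clearer as "user.session.impersonation events are generally rare", using the lowercase event-type casing that the next sentence already uses.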
@@ -1,6 +1,8 @@
id: 18667b4a-18e5-4982-ba75-92ace62bc79c
name: Rare MFA Operations (Okta)
description: |
'MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts.'
description-detailed: |
'Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA.
Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected.
Refrence: https://developer.okta.com/docs/reference/api/event-types/'
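Review bot: Missing spaces after the periods in "credential compromise.This query" and "high-value accounts.Please verify" on the two added sentences, and "Refrence" on the last line should be "Reference".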
@@ -1,6 +1,8 @@
id: 38da2aa3-4778-4d88-9178-3c5c14758b05
name: User password reset(Okta)
description: |
'Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs.'
description-detailed: |
'Adversaries often manipulate accounts to maintain access to victim systems. Account manipulation may consist of actions that preserves adversary access to a compromised account, such as by modifying credentials.
This query searches for attempts to reset user passwords in Okta logs by an admin. Since this can also be a known activity, please filter out anything that is expected.
Reference: https://developer.okta.com/docs/reference/api/event-types/
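Review bot: The closing single quote is missing after the Reference URL on the last added line, so this block does not match the admin-privilege and MFA files in the same PR; also "actions that preserves adversary access" should be "actions that preserve adversary access". On the unchanged context line, the `name` value "User password reset(Okta)" lacks the space before the parenthesis that the other three query names have; worth fixing while the file is open.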
Binary file not shown.