Create User Session Impersonation(Okta)

Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml

@@ -0,0 +1,46 @@
+id: 35846296-4052-4de2-8098-beb6bb5f2203
+name: User Session Impersonation(Okta)
+description: |
+    'A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes:
+      - Okta_CL
+  - connectorId: OktaSSOv2
+    dataTypes:
+      - OktaSSO
+queryFrequency: 6h
+queryPeriod: 6h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1134
+  - T1134.003
+query: |
+  Okta_CL
+  | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
+  // Expand the JSON array in 'target_s' field to extract detailed information about the event
+  | mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array
+  // Enhance visibility by extending columns with extracted details for better analysis
+  | extend TargetUser_id = tostring(parsed_json.id), 
+           TargetUser_type = tostring(parsed_json.type), 
+           TargetUser_alternateId = tostring(parsed_json.alternateId), 
+           TargetUser_displayName = tostring(parsed_json.displayName), 
+           Target_detailEntry = tostring(parsed_json.detailEntry) 
+  // Project event details to gain insights into the security context, including actor and target user information
+  | project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId, 
+                 TargetUser_displayName, TargetUser_type, TargetUser_id, 
+                 eventType_s, outcome_result_s
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: actor_alternateId_s
+      - identifier: DisplayName
+        columnName: actor_displayName_s
+version: 1.0.0
+kind: Scheduled

Solutions/Okta Single Sign-On/Data Connectors/OktaNativePollerConnectorV2/OktaSSOv2_DataConnectorDefinition.json

@@ -1,7 +1,7 @@
 {
     "name": "OktaSSOv2",
     "apiVersion": "2022-09-01-preview",
-    "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+    "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
     "location": "{{location}}",
     "kind": "Customizable",
     "properties": {

Solutions/Okta Single Sign-On/Data Connectors/OktaNativePollerConnectorV2/OktaSSOv2_PollingConfig.json

@@ -2,7 +2,7 @@
     {
         "name": "OktaDCV1",
         "apiVersion": "2022-12-01-preview",
-        "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+        "type": "Microsoft.SecurityInsights/dataConnectors",
         "location": "{{location}}",
         "kind": "RestApiPoller",
         "properties": {

Solutions/Okta Single Sign-On/Data Connectors/OktaNativePollerConnectorV2/OktaSSOv2_Tables.json

@@ -1,6 +1,6 @@
 [
     {
-        "name": "OktaV2",
+        "name": "OktaV2_CL",
         "apiVersion": "2021-03-01-privatepreview",
         "type": "Microsoft.OperationalInsights/workspaces/tables",
         "location": "{{location}}",

Solutions/Okta Single Sign-On/Package/createUiDefinition.json

@@ -117,7 +117,7 @@
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked"
+                  "text": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked."
                 }
               }
             ]
@@ -261,6 +261,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic9",
+            "type": "Microsoft.Common.Section",
+            "label": "User Session Impersonation(Okta)",
+            "elements": [
+              {
+                "name": "analytic9-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested."
+                }
+              }
+            ]
           }
         ]
       },

Solutions/Okta Single Sign-On/Package/testParameters.json

@@ -0,0 +1,46 @@
+{
+  "location": {
+    "type": "string",
+    "minLength": 1,
+    "defaultValue": "[resourceGroup().location]",
+    "metadata": {
+      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
+    }
+  },
+  "workspace-location": {
+    "type": "string",
+    "defaultValue": "",
+    "metadata": {
+      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+    }
+  },
+  "workspace": {
+    "defaultValue": "",
+    "type": "string",
+    "metadata": {
+      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+    }
+  },
+  "resourceGroupName": {
+    "type": "string",
+    "defaultValue": "[resourceGroup().name]",
+    "metadata": {
+      "description": "resource group name where Microsoft Sentinel is setup"
+    }
+  },
+  "subscription": {
+    "type": "string",
+    "defaultValue": "[last(split(subscription().id, '/'))]",
+    "metadata": {
+      "description": "subscription id where Microsoft Sentinel is setup"
+    }
+  },
+  "workbook1-name": {
+    "type": "string",
+    "defaultValue": "Okta Single Sign-On",
+    "minLength": 1,
+    "metadata": {
+      "description": "Name for the workbook"
+    }
+  }
+}

Solutions/Okta Single Sign-On/ReleaseNotes.md

@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                            |
 |-------------|--------------------------------|---------------------------------------------------------------|
-| 3.0.0       | 10-10-2023                     | Manual deployment instructions updated for **Data Connector** |
+| 3.0.0       | 10-10-2023                     | Manual deployment instructions updated for **Data Connector** <br/> New **Analytic Rule** added (UserSessionImpersonation.yaml)|

Solutions/Okta Single Sign-On/data/Solution_Okta.json

@@ -11,7 +11,8 @@
   	"Analytic Rules/NewDeviceLocationCriticalOperation.yaml",
   	"Analytic Rules/MFAFatigue.yaml",
   	"Analytic Rules/HighRiskAdminActivity.yaml",
-	  "Analytic Rules/DeviceRegistrationMaliciousIP.yaml"
+	  "Analytic Rules/DeviceRegistrationMaliciousIP.yaml",
+    "Analytic Rules/UserSessionImpersonation.yaml"
   ],
   "Data Connectors": [
     "Data Connectors/OktaSingleSign-On/Connector_REST_API_FunctionApp_Okta.json",