This playbook sends an adaptive card to the SOC Teams channel with information about the Okta user and the incident details. From the card the SOC can take an action such as suspend the user, reset the password, expire the password, or add the user to a group. An informative comment is then posted to the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Okta Single Sign-On |
| Source | View on GitHub |
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuresentinel | Managed | 1 | 3 |
| teams | Managed | 1 | 0 |
| OktaCustomConnector | Custom | 1 | 7 |
azuresentinel (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Accounts | post | /entities/account | — |
| Add_a_comment_to_the_incident_with_the_information_collected_and_action_taken | post | /Incidents/Comment | — |
| Update_incident_to_change_severity_and_status_according_to_choice | put | /Incidents | — |
OktaCustomConnector (Custom)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_User | get | /api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])} | — |
| Group_–_Add_member | put | /api/v1/groups/@{encodeURIComponent(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['GroupId'])}/users/@{encodeURIComponent(body('Get_User')?['id'])} | — |
| Expire_Password | post | /api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/expire_password | — |
| Reset_Password | post | /api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/reset_password | — |
| Suspend_User | post | /api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/suspend | — |
| Unsuspend_User | post | /api/v1/users/@{encodeURIComponent(body('Get_User')?['id'])}/lifecycle/unsuspend | — |
| List_Groups | get | /api/v1/groups | — |
When a new Microsoft Sentinel incident is created, this playbook is triggered and performs the actions below.
This is the adaptive card the SOC will receive when the playbook is triggered:
Deploy the playbook by clicking the "Deploy to Azure" button. This takes you to the ARM template deployment wizard.
Fill in the required parameters:
Once deployment is complete, you will need to authorize each connection.
1. A Microsoft Sentinel incident is created. The playbook receives the incident as its input.
2. Get the list of risky/malicious accounts as entities from the incident.
3. The playbook uses the "List Groups" action to get all groups present in the Okta domain. This group list is used later to populate the adaptive card dropdown when the SOC wants to add the user to a group.
4. Select groups: prepare the group name and id from the list of groups to display in the adaptive card for the SOC admin's choice.
5. Compose the choice-set dropdown of group names for the adaptive card.
6. Iterate over the accounts found in this incident (usually one) and perform the following for each:
   - For the risky user account, the playbook uses the "Get User" action to fetch the user's details from Okta.
   - Post an adaptive card to the SOC admin in the Teams channel with the incident information and the risky user's details; the admin is given a list of choices for user actions in Okta.
   - Switch on the chosen action to act on the user in Okta:
     a. Case - Add user to group: when the SOC admin chooses to add the user to a group in Okta, the playbook uses the "Add user to group" action. The SOC admin must select a group from the dropdown on the adaptive card.
     b. Case - Expire Password: when the SOC admin chooses to expire the user's password in Okta, the playbook uses the "Expire Password" action.
     c. Case - Reset Password: when the SOC admin chooses to reset the user's password in Okta, the playbook uses the "Reset Password" action.
     d. Case - Suspend User: when the SOC admin chooses to suspend the user in Okta, the playbook uses the "Suspend User" action.
     e. Case - Unsuspend User: when the SOC admin chooses to unsuspend the user in Okta, the playbook uses the "Unsuspend User" action.
     f. Case - Ignore: the SOC admin chooses to take no action on the user.
7. Update the incident severity and status according to the SOC admin's choice in the adaptive card.
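The following is an added example, not the playbook's own code, that re-implements in Python the two parts of the flow above that are easiest to get wrong: building the group dropdown for the adaptive card from the List Groups result (the card input is named GroupId, which is what the Group – Add member action reads back from the card response), and dispatching the analyst's choice to the Okta lifecycle endpoint the custom connector calls, with the same encodeURIComponent-style escaping of the user id and login that the connector endpoints use. The environment variable names OKTA_ORG_URL and OKTA_API_TOKEN, the use of Okta's standard SSWS token header (the page does not say how the custom connector authenticates), and the sample group payload are assumptions made for this example.

```python
"""Added example: Python re-implementation of the playbook's Okta dispatch logic.

Not the playbook's own code. Assumptions (not from the page): the Okta org URL
and API token are read from OKTA_ORG_URL / OKTA_API_TOKEN, and requests use the
standard Okta "SSWS" token header. The sample group list below is constructed.
"""
import json
import os
import urllib.request
from urllib.parse import quote

# Constructed sample of what GET /api/v1/groups returns, trimmed to the fields the
# playbook's "Select groups" step keeps (group name and id).
SAMPLE_GROUPS = [
    {"id": "00g1abc", "profile": {"name": "Everyone"}},
    {"id": "00g2def", "profile": {"name": "Quarantine"}},
]

# The lifecycle endpoints the custom connector calls, keyed by the card choice.
LIFECYCLE_ACTIONS = {
    "Expire Password": "/api/v1/users/{uid}/lifecycle/expire_password",
    "Reset Password": "/api/v1/users/{uid}/lifecycle/reset_password",
    "Suspend User": "/api/v1/users/{uid}/lifecycle/suspend",
    "Unsuspend User": "/api/v1/users/{uid}/lifecycle/unsuspend",
}


def encode_uri_component(value: str) -> str:
    """Escape like the Logic App's encodeURIComponent(): only A-Z a-z 0-9 - _ . ! ~ * ' ( )
    pass through. This keeps a login such as "alice@example.com" or an unexpected
    entity name containing "/" from being interpreted as extra path segments."""
    return quote(value, safe="!~*'()")


def get_user_path(login: str) -> str:
    """Path for the playbook's Get User action, keyed on the incident entity Name (the Okta login)."""
    return f"/api/v1/users/{encode_uri_component(login)}"


def group_choice_set(groups, field_id="GroupId"):
    """Adaptive Card Input.ChoiceSet for the 'Add user to group' case.
    The field id must match what the workflow reads back: body(...)?['data']?['GroupId']."""
    return {
        "type": "Input.ChoiceSet",
        "id": field_id,
        "style": "compact",
        "choices": [{"title": g["profile"]["name"], "value": g["id"]} for g in groups],
    }


def okta_request_for_choice(choice, user_id, group_id=None):
    """Map the analyst's card choice to (method, path); None means Ignore.
    `user_id` is the Okta id from the Get User response, not the login."""
    if choice == "Ignore":
        return None
    uid = encode_uri_component(user_id)
    if choice == "Add user to group":
        if not group_id:
            raise ValueError("Add user to group requires a GroupId from the card")
        return ("PUT", f"/api/v1/groups/{encode_uri_component(group_id)}/users/{uid}")
    if choice not in LIFECYCLE_ACTIONS:
        raise ValueError(f"unknown choice: {choice!r}")
    return ("POST", LIFECYCLE_ACTIONS[choice].format(uid=uid))


def run_okta_action(choice, user_id, group_id=None, opener=urllib.request.urlopen):
    """Execute the chosen action against Okta. `opener` is injectable so the
    dispatch logic can be exercised without network access."""
    req = okta_request_for_choice(choice, user_id, group_id)
    if req is None:
        return {"action": "Ignore", "status": None, "path": None}
    method, path = req
    org = os.environ["OKTA_ORG_URL"].rstrip("/")  # assumed env var (example only)
    token = os.environ["OKTA_API_TOKEN"]          # assumed env var (example only)
    request = urllib.request.Request(
        org + path,
        method=method,
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with opener(request) as resp:
        return {"action": choice, "status": resp.status, "path": path}


if __name__ == "__main__":
    print(json.dumps(group_choice_set(SAMPLE_GROUPS), indent=2))
    for choice in ("Suspend User", "Reset Password", "Add user to group", "Ignore"):
        print(choice, "->", okta_request_for_choice(choice, "00u1xyz", group_id="00g2def"))
```

Two points worth checking against your own deployment: the Get User call is keyed on the incident entity Name, so anything Sentinel maps into that field ends up in the request path, which is why the escaping matters; and the subsequent lifecycle calls use the Okta user id returned by Get User, so a failed lookup must stop the iteration rather than fall through to the switch.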
[Content truncated...]