User enrichment - Okta

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook will collect user information from Okta and post a report on the incident.

Attribute	Value
Type	Playbook
Solution	Okta Single Sign-On
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2
`OktaCustomConnector`	Custom	1	2

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_Accounts	post	`/entities/account`	—
Add_a_comment_to_the_incident_with_the_information_collected	post	`/Incidents/Comment`	—

`OktaCustomConnector` (Custom)

Action	Method	Endpoint	Other
Get_User	get	`/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}`	—
Get_User_Groups	get	`/api/v1/users/@{encodeURIComponent(items('For_each-risky_account_received_from_the_incident')?['Name'])}/groups`	—

Additional Documentation

📄 Source: OktaPlaybooks/Okta-EnrichIncidentWithUserDetails/readme.md

Okta-Enrich Incident With User Details Playbook

Summary

When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions

Fetches the user details and user group details from Okta
Adds a rich comment to the incident with all the collected information

Playbook Designer view

Prerequisites

Okta Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
Generate an API key.Refer this link how to generate the API Key

Deployment instructions

Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
Fill in the required paramteres:
- Playbook Name: Enter the playbook name here (Ex:OktaPlaybook)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

Click the Microsoft Sentinel connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat steps for Okta Api Connection (For authorizing the Okta API connection, API Key needs to be provided)

b. Configurations in Sentinel

In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account
Configure the automation rules to trigger this playbook

Playbook steps explained

When Microsoft Sentinel incident creation rule is triggered

Microsoft Sentinel incident is created. The playbook receives the incident as the input.

Entities - Get Accounts

Get the list of risky/malicious accounts as entities from the Incident

Initialize variable to collect group details

Initialize an array variable to compose user group details to use it later while updating the incident

For each-risky account received from the incident

Iterates on the accounts found in this incident (probably one) and performs the following:

For the risky user account, playbook uses "Get User" action to get user details from Okta
For each user, playbook uses "Get User Groups" action to get user group details from Okta

a. Compose array of groups for updating incident with group details

b. Append groups to group array variable
Create HTML table format of user group details such as group id,group name and group description
Add a comment to the incident with the information below:

a. User information collected by "Get User" action from Okta such as
- User id, User name, User login, User email, User status, User created, User activated, User statusChanged, User lastLogin, User lastUpdated, User passwordChanged
b. User groups information collected by "Get User Groups" action from Okta such as
- Group id,Group name and Group description