Okta Single Sign-On Solution

Publisher: Microsoft Corporation
Support Tier: Microsoft
Support Link: https://support.microsoft.com
Categories: domains
Version: 3.1.6
Author: Microsoft - support@microsoft.com
First Published: 2022-03-24
Last Updated: 2026-01-14
Solution Folder: Okta Single Sign-On
Marketplace: Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 rating) · Popularity: 🟢 High (88%)

The Okta Single Sign-On (SSO) solution for Microsoft Sentinel ingests Okta audit and event logs (the Okta System Log) into Microsoft Sentinel by polling the Okta API. The connectors authenticate with an Okta API token, which carries the privileges of the administrator who created it, so create the token from a dedicated read-only administrator account and keep it in a secret store rather than in plain connector configuration.

Underlying Microsoft Technologies used:

This solution depends on the following technologies; some of them may be in Preview, and some may incur additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API (the ingestion path used by the Azure Function connectors; Microsoft has deprecated it in favour of the Logs Ingestion API)

b. Azure Functions

c. Codeless Connector Platform (CCP)

Contents

Data Connectors

This solution provides 2 data connectors (plus 2 discovered ⚠️):

🔍 Discovered: the item was found by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: the connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Identification is based on column-name suffixes, which CLv2 also permits, so this classification may not always be accurate.

Tables Used

This solution uses 3 tables:

Table | Used By Connectors | Used By Content
OktaNativePoller_CL | Okta Single Sign-On (Polling CCP) | -
OktaV2_CL | Okta Single Sign-On (using Azure Functions); Okta Single Sign-On (via Codeless Connector Framework) | Analytics, Hunting, Workbooks
Okta_CL 🔶 | Okta Single Sign-On (using Azure Functions); Okta Single Sign-On (via Codeless Connector Framework); [DEPRECATED] Okta Single Sign-On (using Azure Function) | Analytics, Hunting, Workbooks

🔶 CLv1: this table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Identification is based on column-name suffixes, which CLv2 also permits, so this classification may not always be accurate.
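To make the caveat above concrete, here is an added example (not part of this catalog or of the Sentinel solution) that applies the same suffix heuristic to a few constructed column lists and shows the false-positive case: a DCR-based (CLv2) table that deliberately kept legacy `_s`/`_t` column names so that old queries keep working is tagged CLv1. The `table_sub_type` argument models the `schema.tableSubType` value returned by the Log Analytics Tables API ("Classic" vs "DataCollectionRuleBased"); treating that field as the authoritative signal is an assumption of this example. The schemas are constructed, not the real Okta_CL or OktaV2_CL definitions.

```python
"""Suffix-based CLv1 classification and why it can misfire (added example)."""

# Type suffixes that the legacy Custom Log V1 schema appends to column names.
CLV1_SUFFIXES = ("_s", "_d", "_b", "_t", "_g")

# Columns present on every Log Analytics table; they never carry a CLv1
# suffix and would only dilute the ratio, so they are left out of the count.
SYSTEM_COLUMNS = {
    "TimeGenerated", "TenantId", "Type", "SourceSystem", "Computer",
    "MG", "ManagementGroupName", "RawData", "_ResourceId", "_ItemId",
}


def suffix_ratio(columns):
    """Share of non-system columns whose name ends in a CLv1 type suffix."""
    custom = [c for c in columns if c not in SYSTEM_COLUMNS]
    if not custom:
        return 0.0
    return sum(c.endswith(CLV1_SUFFIXES) for c in custom) / len(custom)


def classify(columns, table_sub_type=None, threshold=0.9):
    """Return "CLv1", "CLv2" or "unknown".

    table_sub_type is assumed to be the Tables API `schema.tableSubType`
    value ("Classic" for Data Collector API tables, "DataCollectionRuleBased"
    for DCR-based tables). When present it wins; the suffix heuristic is only
    a fallback, because CLv2 tables may legitimately use the same suffixes.
    """
    if table_sub_type == "Classic":
        return "CLv1"
    if table_sub_type == "DataCollectionRuleBased":
        return "CLv2"
    ratio = suffix_ratio(columns)
    if ratio >= threshold:
        return "CLv1"      # heuristic only; see the migrated case below
    if ratio == 0.0:
        return "CLv2"
    return "unknown"       # mixed naming: do not guess


# Constructed column lists (not the real table definitions).
LEGACY = ["TimeGenerated", "Type", "eventType_s", "actor_alternateId_s",
          "published_t", "outcome_result_s", "client_ipAddress_s"]
NATIVE = ["TimeGenerated", "Type", "eventType", "actorAlternateId",
          "published", "outcomeResult", "clientIpAddress"]
MIXED = ["TimeGenerated", "eventType_s", "actor", "published"]
MIGRATED = LEGACY   # a DCR-based table that kept the suffixed names on purpose


def demo():
    """Run the heuristic over the constructed schemas and return the verdicts."""
    return {
        "legacy": classify(LEGACY),                                   # CLv1
        "native": classify(NATIVE),                                   # CLv2
        "mixed": classify(MIXED),                                     # unknown
        "migrated_heuristic": classify(MIGRATED),                     # CLv1 (false positive)
        "migrated_with_api": classify(MIGRATED, "DataCollectionRuleBased"),  # CLv2
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The practical takeaway: when the 🔶 tag matters for a migration decision (for example, planning for the Data Collector API retirement), confirm the table type from the workspace's table definition rather than from column names alone.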

Content Items

This solution includes 24 content items:

Content Type | Count
Hunting Queries | 10
Analytic Rules | 9
Playbooks | 3
Workbooks | 1
Parsers | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Device Registration from Malicious IP | High | Persistence | OktaV2_CL, Okta_CL
Failed Logins from Unknown or Invalid User | Medium | CredentialAccess | OktaV2_CL, Okta_CL
High-Risk Admin Activity | Medium | Persistence | OktaV2_CL, Okta_CL
MFA Fatigue (OKTA) | Medium | CredentialAccess | OktaV2_CL, Okta_CL
New Device/Location sign-in along with critical operation | Medium | InitialAccess, Persistence | OktaV2_CL, Okta_CL
Okta Fast Pass phishing Detection | Medium | InitialAccess | OktaV2_CL, Okta_CL
Potential Password Spray Attack | Medium | CredentialAccess | OktaV2_CL, Okta_CL
User Login from Different Countries within 3 hours | High | InitialAccess | OktaV2_CL, Okta_CL
User Session Impersonation(Okta) | Medium | PrivilegeEscalation | Okta_CL
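The rule names above describe the detections but not their logic. As an added illustration (example code, not the solution's own KQL rule), the following reproduces the idea behind "User Login from Different Countries within 3 hours" over a handful of constructed Okta System Log events in the JSON shape the connector ingests: keep only successful `user.session.start` events, group them per actor, and flag any two sign-ins from different countries that fall within the 3-hour window the rule name states. The events, users and IP addresses are constructed sample data; the 3-hour window comes from the rule's name, everything else (field selection, skipping events without geolocation) is this example's choice.

```python
"""Multi-country sign-in detection over constructed Okta System Log events."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)   # window named by the Sentinel rule


def _event(user, published, country, ip, result="SUCCESS",
           event_type="user.session.start"):
    """Build a minimal Okta System Log event (constructed sample data)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip,
                   "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }


# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    _event("alice@example.com", "2024-05-01T10:00:00.000Z", "United States", "203.0.113.10"),
    _event("alice@example.com", "2024-05-01T11:30:00.000Z", "Germany", "198.51.100.7"),
    _event("bob@example.com", "2024-05-01T09:00:00.000Z", "United States", "203.0.113.20"),
    _event("bob@example.com", "2024-05-01T10:15:00.000Z", "United States", "203.0.113.21"),
    _event("carol@example.com", "2024-05-01T08:00:00.000Z", "United States", "203.0.113.30"),
    _event("carol@example.com", "2024-05-01T12:30:00.000Z", "France", "192.0.2.44"),
    _event("dave@example.com", "2024-05-01T10:00:00.000Z", "United States", "203.0.113.40"),
    _event("dave@example.com", "2024-05-01T10:20:00.000Z", "Brazil", "192.0.2.99",
           result="FAILURE"),   # failed attempt: must not trigger the rule
]


def parse_published(ts):
    """Okta timestamps are ISO 8601 with a trailing Z; fromisoformat needs +00:00 before 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def successful_logins(events):
    """Yield (user, time, country, ip) for successful interactive sign-ins only."""
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        geo = e.get("client", {}).get("geographicalContext") or {}
        country = geo.get("country")
        if not country:      # no geolocation: cannot compare, skip rather than guess
            continue
        yield (e["actor"]["alternateId"], parse_published(e["published"]),
               country, e["client"].get("ipAddress"))


def detect_multi_country_logins(events, window=WINDOW):
    """Flag users with successful sign-ins from two countries within `window`."""
    by_user = defaultdict(list)
    for user, t, country, ip in successful_logins(events):
        by_user[user].append((t, country, ip))
    findings = []
    for user, logins in by_user.items():
        logins.sort()                           # chronological per user
        for i, (t1, c1, ip1) in enumerate(logins):
            for t2, c2, ip2 in logins[i + 1:]:
                if t2 - t1 > window:            # sorted, so later entries are further away
                    break
                if c2 != c1:
                    findings.append({
                        "user": user,
                        "first": {"time": t1.isoformat(), "country": c1, "ip": ip1},
                        "second": {"time": t2.isoformat(), "country": c2, "ip": ip2},
                        "minutes_apart": int((t2 - t1).total_seconds() // 60),
                    })
    return findings


if __name__ == "__main__":
    for f in detect_multi_country_logins(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['first']['country']} -> {f['second']['country']} "
              f"in {f['minutes_apart']} min ({f['first']['ip']} -> {f['second']['ip']})")
```

On the sample data only alice is flagged: bob stays in one country, carol's two countries are 4.5 hours apart, and dave's second sign-in failed. In production the same logic produces noise from VPN egress changes and mobile roaming, which is why the solution also ships the "Logins originating from VPS Providers" and VPN hunting queries; triage the High-severity alert against the user's known devices before acting on it.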

Hunting Queries

Name | Tactics | Tables Used
Admin privilege granted (Okta) | Persistence | OktaV2_CL, Okta_CL
Create API Token (Okta) | PrivilegeEscalation | OktaV2_CL, Okta_CL
Initiate impersonation session (Okta) | InitialAccess | OktaV2_CL, Okta_CL
Logins originating from VPS Providers | InitialAccess | OktaV2_CL, Okta_CL
New device registration from unfamiliar location | Persistence | OktaV2_CL, Okta_CL
Okta Login from multiple locations | CredentialAccess | OktaV2_CL, Okta_CL
Okta login attempts using Legacy Auth | CredentialAccess | OktaV2_CL, Okta_CL
Rare MFA Operations (Okta) | Persistence | OktaV2_CL, Okta_CL
Sign-ins from Nord VPN Providers | InitialAccess | OktaV2_CL, Okta_CL
User password reset(Okta) | Persistence | OktaV2_CL, Okta_CL

Workbooks

Name | Tables Used
OktaSingleSignOn | OktaV2_CL, Okta_CL

Playbooks

Name | Description | Tables Used
Prompt Okta user | This playbook uses the OKTA connector to prompt the risky user on Teams. User is asked action was ta... | -
Response on Okta user from Teams | This playbook sends an adaptive card to the SOC Teams channel with information about the Okta user ... | -
User enrichment - Okta | This playbook will collect user information from Okta and post a report on the incident. | -

Parsers

Name | Description | Tables Used
OktaSSO | - | OktaV2_CL (read), Okta_CL (read)

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.1.6 | 14-04-2026 | Deprecate Okta Single Sign-On (using Azure Function)
3.1.5 | 02-04-2026 | Rename CCF solution to Okta Single Sign-On (via Codeless Connector Framework); add SessionId variable and reference in template
3.1.4 | 13-01-2026 | Updated non-functional link from MFA Fatigue (OKTA) Analytic rule
3.1.3 | 05-02-2025 | Version Update
3.1.2 | 06-01-2025 | Removing Custom Entity mappings from Analytic Rule
3.1.1 | 08-11-2024 | Fixed CCP Data Connector connection bug
3.1.0 | 27-11-2024 | Fixed Solution version in Maintemplate and resolved ARM template error
3.0.10 | 08-11-2024 | Updated Parser to fix the schema
3.0.9 | 17-10-2024 | Updated package to fix connectivity of CCP connector
3.0.8 | 14-08-2024 | Data Connector Globally Available
3.0.7 | 25-04-2024 | Repackaged for parser issue with old names
3.0.6 | 17-04-2024 | Repackaged solution for parser fix
3.0.5 | 08-04-2024 | Added Azure Deploy button for government portal deployments
3.0.4 | 18-03-2024 | Updated description in data file, data connector and added logo for ccp data connector
3.0.3 | 08-03-2024 | Updated ccp with domainname in dcr, tables, name change in definition and poller
3.0.2 | 20-02-2024 | Updated _solutionVersion to resource specific version and repackage
3.0.1 | 24-01-2024 | New Analytic Rule added (UserSessionImpersonation.yaml)
3.0.0 | 10-10-2023 | Manual deployment instructions updated for Data Connector
