diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml index bd4fbad2cf4..1e3296d7dfb 100644 --- a/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml +++ b/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml @@ -21,7 +21,7 @@ relevantTechniques: - T1134 - T1134.003 query: | - Okta_CL + OktaSSO | where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS" // Expand the JSON array in 'target_s' field to extract detailed information about the event | mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array @@ -42,5 +42,5 @@ entityMappings: columnName: actor_alternateId_s - identifier: DisplayName columnName: actor_displayName_s -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/Okta Single Sign-On/Package/3.1.7.zip b/Solutions/Okta Single Sign-On/Package/3.1.7.zip new file mode 100644 index 00000000000..ca8e44b9c0c Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.1.7.zip differ diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json index 2eb0aa8e95b..58b7a7ab254 100644 --- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json +++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json @@ -55,7 +55,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Okta Single Sign-On", - "_solutionVersion": "3.1.6", + "_solutionVersion": "3.1.7", "solutionId": "azuresentinel.azure-sentinel-solution-okta", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { 
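Review bot: The query in UserSessionImpersonation.yaml still filters and expands on the raw custom-log column names (`eventType_s`, `outcome_result_s`, `target_s`) after its source changes from `Okta_CL` to the `OktaSSO` parser. It will therefore only match OktaV2_CL events if the parser emits exactly those names and types for both tables. The parser body is not part of this diff, so this needs confirming. If the parser exposes the target list under a different name or as a dynamic column for V2 rows, `mv-expand parsed_json = todynamic(target_s)` would yield no rows and impersonation sessions from the new connector would go unalerted without any error. I would run the rule against a sample impersonation event from each table, and add a KQL comment at the top of the query such as `// Source: OktaSSO parser (Okta_CL + OktaV2_CL); column names below must match the parser's output schema`. The rest of the query and the rule's `requiredDataConnectors` block lie outside this hunk, so check there that the connector feeding OktaV2_CL is listed as well.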
@@ -115,11 +115,11 @@ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e36c6bd6-f86a-4282-93a5-b4a1b48dd849','-', '1.1.1')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.0", + "analyticRuleVersion9": "1.1.0", "_analyticRulecontentId9": "35846296-4052-4de2-8098-beb6bb5f2203", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '35846296-4052-4de2-8098-beb6bb5f2203')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('35846296-4052-4de2-8098-beb6bb5f2203')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','35846296-4052-4de2-8098-beb6bb5f2203','-', '1.0.0')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','35846296-4052-4de2-8098-beb6bb5f2203','-', '1.1.0')))]" }, "uiConfigId1": "OktaSSO", "_uiConfigId1": "[variables('uiConfigId1')]", 
@@ -131,7 +131,7 @@ "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "dataConnectorCCPVersion": "3.1.6", + "dataConnectorCCPVersion": "3.1.7", "_dataConnectorContentIdConnectorDefinition2": "OktaSSOv2", "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", "_dataConnectorContentIdConnections2": "OktaSSOv2Connections", @@ -234,7 +234,9 @@ "parserVersion1": "1.0.2", "parserContentId1": "OktaSSO-Parser" }, - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + "SessionId": "authenticationContext_externalSessionId_s", + "_SessionId": "[variables('SessionId')]" }, "resources": [ { 
@@ -246,7 +248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -294,22 +296,22 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "ClientIP", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -365,7 +367,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -416,13 +418,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", "identifier": "FullName" } - ], - "entityType": "Account" + ] } ] } 
@@ -478,7 +480,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -529,13 +531,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -591,7 +593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -639,6 +641,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -648,22 +651,21 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "UserAgent": "client_userAgent_rawUserAgent_s", - "Location": "Location" + "Location": "Location", + "UserAgent": "client_userAgent_rawUserAgent_s" } } }, 
@@ -718,7 +720,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -768,6 +770,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -777,22 +780,21 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ], "customDetails": { "Location": "Location", - "SessionId": "authenticationContext_externalSessionId_s" + "SessionId": "[variables('_SessionId')]" }, "alertDetailsOverride": { "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation", @@ -851,7 +853,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -899,6 +901,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -908,8 +911,7 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] } ] } @@ -965,7 +967,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1013,6 +1015,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -1022,21 +1025,20 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "SessionId": "authenticationContext_externalSessionId_s" + "SessionId": "[variables('_SessionId')]" } } }, 
@@ -1091,7 +1093,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1139,6 +1141,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -1148,17 +1151,16 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1214,7 +1216,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.6", + "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -1231,7 +1233,7 @@ "description": "A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.", "displayName": "User Session Impersonation(Okta)", "enabled": false, - "query": "Okta_CL\n| where eventType_s == \"user.session.impersonation.initiate\" and outcome_result_s == \"SUCCESS\"\n// Expand the JSON array in 'target_s' field to extract detailed information about the event\n| mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array\n// Enhance visibility by extending columns with extracted details for better analysis\n| extend TargetUser_id = tostring(parsed_json.id), \n TargetUser_type = tostring(parsed_json.type), \n TargetUser_alternateId = tostring(parsed_json.alternateId), \n TargetUser_displayName = tostring(parsed_json.displayName), \n Target_detailEntry = tostring(parsed_json.detailEntry) \n// Project event details to gain insights into the security context, including actor and target user information\n| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId, \n TargetUser_displayName, TargetUser_type, TargetUser_id, \n eventType_s, outcome_result_s\n", + "query": "OktaSSO\n| where eventType_s == \"user.session.impersonation.initiate\" and outcome_result_s == \"SUCCESS\"\n// Expand the JSON array in 'target_s' field to extract detailed information about the event\n| mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array\n// Enhance visibility by extending columns with extracted details for better analysis\n| extend TargetUser_id = tostring(parsed_json.id), \n TargetUser_type = tostring(parsed_json.type), \n TargetUser_alternateId = tostring(parsed_json.alternateId), \n TargetUser_displayName = tostring(parsed_json.displayName), \n Target_detailEntry = 
tostring(parsed_json.detailEntry) \n// Project event details to gain insights into the security context, including actor and target user information\n| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId, \n TargetUser_displayName, TargetUser_type, TargetUser_id, \n eventType_s, outcome_result_s\n", "queryFrequency": "PT6H", "queryPeriod": "PT6H", "severity": "Medium", @@ -1266,6 +1268,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -1275,8 +1278,7 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] } ] } @@ -1332,7 +1334,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta Single Sign-On data connector with template version 3.1.6", + "description": "Okta Single Sign-On data connector with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2692,7 +2694,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.6", + "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -2777,7 +2779,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.6", + "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2862,7 +2864,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.6", + "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2947,7 +2949,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.6", + "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -3032,7 +3034,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.6", + "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -3117,7 +3119,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.6", + "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -3202,7 +3204,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.6", + "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -3287,7 +3289,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.6", + "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -3372,7 +3374,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.6", + "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -3457,7 +3459,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.6", + "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -3542,7 +3544,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaCustomConnector Playbook with template version 3.1.6", + "description": "OktaCustomConnector Playbook with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4805,7 +4807,7 @@ ], "metadata": { "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", - "lastUpdateTime": "2026-04-14T11:40:20.189Z", + "lastUpdateTime": "2026-04-28T15:34:12.054Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", @@ -4837,7 +4839,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.6", + "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -5196,7 +5198,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 3.1.6", + "description": "Okta-PromptUser Playbook with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -5647,7 +5649,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 3.1.6", + "description": "Okta-ResponseFromTeams Playbook with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6154,7 +6156,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSingleSignOn Workbook with template version 3.1.6", + "description": "OktaSingleSignOn Workbook with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -6250,7 +6252,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSSO Data Parser with template version 3.1.6", + "description": "OktaSSO Data Parser with template version 3.1.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -6378,7 +6380,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.6", + "version": "3.1.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On", @@ -6560,4 +6562,4 @@ } ], "outputs": {} -} +} \ No newline at end of file 
diff --git a/Solutions/Okta Single Sign-On/ReleaseNotes.md b/Solutions/Okta Single Sign-On/ReleaseNotes.md index a1f38a99515..e4f55b2e1de 100644 --- a/Solutions/Okta Single Sign-On/ReleaseNotes.md +++ b/Solutions/Okta Single Sign-On/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------| +| 3.1.7 | 28-04-2026 | Update query with OktaSSO **parser** so that the OktaV2_CL table is considered. | | 3.1.6 | 14-04-2026 | Deprecate Okta Single Sign-On (using Azure Function) | | 3.1.5 | 02-04-2026 | Rename CCF solution to Okta Single Sign-On (via Codeless Connector Framework).
Add SessionId variable and reference in template. | | 3.1.4 | 13-01-2026 | Updated non-functional link from MFA Fatigue (OKTA) **Analytic rule** |