Azure-Sentinel/Playbooks/AS-Okta-NetworkZoneUpdate
..
Images
README.md
azuredeploy.json

README.md

AS-Okta-NetworkZoneUpdate

Author: Accelerynt

For any technical questions, please contact info@accelerynt.com

Deploy to Azure Deploy to Azure Gov

This playbook is intended to be run from a Microsoft Sentinel Incident. It will add the IP address from Microsoft Sentinel Incidents to an Okta Network Zone of your choosing.

NetworkZone_Demo_1

NetworkZone_Demo_2

Requirements

The following items are required under the template settings during deployment:

Setup

Create an Azure Key Vault Secret:

Navigate to the Azure Key Vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults

Navigate to an existing Key Vault or create a new one. From the Key Vault overview page, click the "Secrets" menu option, found under the "Settings" section. Click "Generate/Import".

NetworkZone_Key_Vault_1

Choose a name for the secret, such as "AS-Okta-NetworkZoneUpdate-API-Token", and enter the Okta API Token copied previously in the "Value" field. All other settings can be left as is. Click "Create".

NetworkZone_Key_Vault_2

Once your secret has been added to the vault, navigate to the "Access policies" menu option, also found under the "Settings" section on the Key Vault page menu. Leave this page open, as you will need to return to it once the playbook has been deployed. See Granting Access to Azure Key Vault.

NetworkZone_Key_Vault_3

Deployment

To configure and deploy this playbook:

Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Okta-NetworkZoneUpdate

Deploy to Azure Deploy to Azure Gov

Click the “Deploy to Azure” button at the bottom and it will bring you to the custom deployment template.

In the Project Details section:

  • Select the “Subscription” and “Resource Group” from the dropdown boxes you would like the playbook deployed to.

In the Instance Details section:

  • Playbook Name: This can be left as "AS-Okta-NetworkZoneUpdate" or you may change it.

  • Okta Subdomain: Enter the name of the subdomain (tenant) in the Okta Org URL. For example, with the URL https://example-admin.okta.com/, "example-admin" would be entered here.

  • Okta Network Zone: Enter the name of the Okta Network Zone that the Microsoft Sentinel Incident IP addresses should be added to. It should be noted IPs are only accepted in a CIDR range notation. Individual IPs processed by this playbook will have a "/32" appended to them to fit this format.

  • Key Vault Name: Enter the name of the Key Vault referenced in Create an Azure Key Vault Secret.

  • Secret Name: Enter the name of the Key Vault Secret created in Create an Azure Key Vault Secret.

Towards the bottom, click on “Review + create”.

NetworkZone_Deploy_1

Once the resources have validated, click on "Create".

NetworkZone_Deploy_2

The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "Deployment details" section to view them. Click the one corresponding to the Logic App.

NetworkZone_Deploy_3

Click on the “Edit” button. This will bring us into the Logic Apps Designer.

NetworkZone_Deploy_4

The first and second steps labeled "Connections" use a connection created during the deployment of this playbook. Before the playbook can be run, this connection will either need to be authorized in the indicated steps, or an existing authorized connection may be alternatively selected.

NetworkZone_Deploy_5

To validate the connections created for this playbook, expand the "Connections" step and click the exclamation point icon next to the name matching the playbook.

NetworkZone_Deploy_6

When prompted, sign in to validate the connection.

NetworkZone_Deploy_7
The same connection may need to be reselected for the second step. After a valid connection is established for the first two steps, click the "Save" button.

NetworkZone_Deploy_8

Granting Access to Azure Key Vault

Before the Logic App can run successfully, the Key Vault connection created during deployment must be granted access to the Key Vault storing your Okta API Token.

From the Key Vault "Access policies" page, click "Create".

NetworkZone_Access_1

Select the "Get" checkbox under "Secret permissions", then click "Next".

NetworkZone_Access_2

Paste "AS-Okta-NetworkZoneUpdate" into the principal search box and click the option that appears. Click "Next" towards the bottom of the page.

NetworkZone_Access_3

Navigate to the "Review + create" section and click "Create".

NetworkZone_Access_4