Azure-Sentinel/Playbooks/Okta
Lior Tamir 1cc4f1d3c8 Update dates 2021-08-02 10:59:00 +03:00
OktaCustomConnector Fix connectors parameter name 2021-07-19 14:42:40 +03:00
OktaPlaybooks Update dates 2021-08-02 10:59:00 +03:00
readme.md Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00


Okta Logic Apps connector and playbook templates



Table of Contents

  1. Overview
  2. Deploy Custom Connector + 3 Playbook templates
  3. Authentication
  4. Prerequisites
  5. Deployment
  6. Post Deployment Steps
  7. Components of this integration

Overview

Okta is an enterprise-grade, identity management service, built for the cloud, but compatible with many on-premises applications. With Okta, IT can manage any employee's access to any application or device. Okta runs in the cloud, on a secure, reliable, extensively audited platform, which integrates deeply with on-premises applications, directories, and identity management systems.

Deploy Custom Connector + 3 Playbook templates

This package includes:

  • Custom connector for Okta
  • Three playbook templates that leverage the Okta custom connector

You can choose to deploy the whole package (connector + all three playbook templates), or each one separately from its specific folder.

Deploy to Azure Deploy to Azure Gov

Okta connector documentation

Authentication

Authentication method this connector supports: API Key authentication

Prerequisites for using and deploying Custom Connector

  1. The Okta service endpoint should be known (ex: https://{yourOktaDomain}/)
  2. Generate an API key. Refer to this link for how to generate the API key
  3. The API key needs to have admin privileges to perform specific actions, like expiring the password on Okta accounts
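The Service Endpoint value decides which host receives the admin-privileged API key, so it is worth checking both before deployment. The following is an added example, not part of this repository: the function names and the sample values are hypothetical, and it relies on Okta's `SSWS` authorization scheme and `/api/v1/users/me` endpoint, which this readme does not name.

```python
"""Pre-deployment check of the Service Endpoint and API key (added example)."""
import json
import urllib.request
from urllib.parse import urlsplit

# Okta-hosted org domains; pass extra_hosts for your own custom domain (assumption).
OKTA_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")


def validate_endpoint(endpoint, extra_hosts=()):
    """Return the normalized base URL, or raise ValueError naming the problem."""
    if "{" in endpoint or "}" in endpoint:
        raise ValueError("placeholder such as {yourOktaDomain} was not replaced")
    parts = urlsplit(endpoint.strip())
    if parts.scheme != "https":
        raise ValueError("endpoint must use https: the API key travels in a header")
    if parts.username or parts.password or "@" in parts.netloc:
        raise ValueError("endpoint must not embed credentials")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("endpoint must be the org base URL only")
    host = (parts.hostname or "").lower()
    if not (host.endswith(OKTA_SUFFIXES) or host in extra_hosts):
        raise ValueError(f"{host!r} is not an Okta domain or an allowed custom domain")
    return f"https://{host}"


def check_api_key(base_url, api_key, opener=urllib.request.urlopen):
    """Call GET /api/v1/users/me with the key; return the login that owns it."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/users/me",
        headers={"Authorization": f"SSWS {api_key}", "Accept": "application/json"},
    )
    # opener is injectable so the check can be exercised without network access.
    with opener(req, timeout=10) as resp:
        body = json.load(resp)
    return body["profile"]["login"]
```

The login returned by `check_api_key` shows which Okta account the key belongs to, so you can confirm it is the dedicated admin account you intended before pasting the key into the API connection.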

Deployment instructions

  1. Deploy the Custom Connector and playbooks by clicking on the "Deploy to Azure" button. This will take you to the ARM Template deployment wizard.
  2. Fill in the required parameters:

a. For custom connector:

  • Custom Connector name: Enter the custom connector name (ex: contoso Okta connector)

  • Service Endpoint: Enter the Okta service endpoint (ex: https://{yourOktaDomain})

b. For Okta-EnrichIncidentWithUserDetails playbook:

  • Enrich Incident Playbook Name: Enter the playbook name here (ex: OktaPlaybook)

c. For Okta-PromptUser playbook:

d. For Okta-ResponseFromTeams playbook:

  • Response From Teams Playbook Name: Enter the playbook name here (ex: OktaPlaybook)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Azure Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat these steps for the other connections, such as the Teams connection and the Okta API connection (to authorize the Okta API connection, the API key needs to be provided)

b. Configurations in Sentinel

  1. In Azure Sentinel, analytics rules should be configured to trigger an incident with a risky user account
  2. Configure the automation rules to trigger the playbooks

Components of this integration

Connector

Playbooks