diff --git a/Solutions/Okta Single Sign-On/Package/3.1.0.zip b/Solutions/Okta Single Sign-On/Package/3.1.0.zip new file mode 100644 index 00000000000..f11d431d61a Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.1.0.zip differ diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json index 171b320b485..471c0f8a24f 100644 --- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json +++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json @@ -55,7 +55,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Okta Single Sign-On", - "_solutionVersion": "3.0.9", + "_solutionVersion": "3.0.10", "solutionId": "azuresentinel.azure-sentinel-solution-okta", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { @@ -231,7 +231,7 @@ "_parserName1": "[concat(parameters('workspace'),'/','OktaSSO')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('OktaSSO-Parser')))]", - "parserVersion1": "1.0.1", + "parserVersion1": "1.0.2", "parserContentId1": "OktaSSO-Parser" }, @@ -249,7 +249,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -297,22 +297,22 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -368,7 +368,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -416,13 +416,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ], - "entityType": "Account" + ] } ] } @@ -478,7 +478,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -526,13 +526,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -588,7 +588,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -636,6 +636,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -645,22 +646,21 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "UserAgent": "client_userAgent_rawUserAgent_s", - "Location": "Location" + "Location": "Location", + "UserAgent": "client_userAgent_rawUserAgent_s" } } }, @@ -715,7 +715,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -765,6 +765,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -774,22 +775,21 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "SessionId": "[variables('_SessionId')]", - "Location": "Location" + "Location": "Location", + "SessionId": "authenticationContext_externalSessionId_s" }, "alertDetailsOverride": { "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation", @@ -848,7 +848,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -896,6 +896,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -905,8 +906,7 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] } ] } @@ -962,7 +962,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1010,6 +1010,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -1019,17 +1020,16 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ], "customDetails": { @@ -1088,7 +1088,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1136,6 +1136,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -1145,17 +1146,16 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "client_ipAddress_s", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1211,7 +1211,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1263,6 +1263,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "actor_alternateId_s", @@ -1272,8 +1273,7 @@ "columnName": "actor_displayName_s", "identifier": "DisplayName" } - ], - "entityType": "Account" + ] } ] } @@ -1329,7 +1329,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta Single Sign-On data connector with template version 3.0.9", + "description": "Okta Single Sign-On data connector with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2685,7 +2685,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -2770,7 +2770,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.9", + "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2855,7 +2855,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2940,7 +2940,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -3025,7 +3025,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.9", + "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -3110,7 +3110,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.9", + "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -3195,7 +3195,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -3280,7 +3280,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -3365,7 +3365,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -3450,7 +3450,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -3535,7 +3535,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaCustomConnector Playbook with template version 3.0.9", + "description": "OktaCustomConnector Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4798,7 +4798,7 @@ ], "metadata": { "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", - "lastUpdateTime": "2024-10-14T18:36:21.775Z", + "lastUpdateTime": "2024-11-06T10:55:28.330Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", @@ -4830,7 +4830,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.9", + "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -5189,7 +5189,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 3.0.9", + "description": "Okta-PromptUser Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -5640,7 +5640,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 3.0.9", + "description": "Okta-ResponseFromTeams Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6147,7 +6147,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSingleSignOn Workbook with template version 3.0.9", + "description": "OktaSingleSignOn Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -6243,7 +6243,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSSO Data Parser with template version 3.0.9", + "description": "OktaSSO Data Parser with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -6260,7 +6260,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6310,8 +6310,8 @@ "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "Backward Compatibility Parser for Okta SSO", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.2')))]", "version": "[variables('parserObject1').parserVersion1]" } }, @@ -6325,7 +6325,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6371,7 +6371,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On",