Updated custom properties mapping in Okta with 'x_' prefix (#1387)
SharmilaMS-Hcl authored Mar 20, 2023
1 parent 244ce47 commit 8795a37
Showing 8 changed files with 187 additions and 215 deletions.
84 changes: 42 additions & 42 deletions adapter-guide/connectors/okta_supported_stix.md
@@ -1,4 +1,4 @@
##### Updated on 03/08/23
##### Updated on 03/15/23
## Okta
### Supported STIX Operators
*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
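Review bot: the "Updated on" stamp is moved to 03/15/23, but the commit itself is authored Mar 20, 2023, and the remaining hunks change the mapping tables rather than just the date; set the stamp to the date the tables were actually revised so readers comparing it with the git history are not misled.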
Expand All @@ -25,20 +25,20 @@
| **ipv4-addr**:value | request.ipChain.ip |
| **autonomous-system**:number | securityContext.asNumber |
| **autonomous-system**:name | securityContext.asOrg |
| **autonomous-system**:extensions.'x-okta-autonomous-system'.isp | securityContext.isp |
| **autonomous-system**:extensions.'x-okta-autonomous-system'.domain_ref.name | securityContext.domain |
| **autonomous-system**:x_isp | securityContext.isp |
| **autonomous-system**:x_domain_ref.name | securityContext.domain |
| **domain-name**:value | securityContext.domain |
| **user-account**:user_id | actor.id |
| **user-account**:display_name | actor.displayName |
| **user-account**:account_login | actor.alternateId |
| **user-account**:extensions.'x-okta-actor'.type | actor.type |
| **user-account**:x_actor_type | actor.type |
| **x-okta-target**:target_id | target.id |
| **x-okta-target**:display_name | target.displayName |
| **x-okta-target**:alternate_id | target.alternateId |
| **x-okta-target**:target_type | target.type |
| **software**:name | client.userAgent.browser |
| **software**:extensions.'x-okta-software'.raw_user_agent | client.userAgent.rawUserAgent |
| **software**:extensions.'x-okta-software'.client_os | client.userAgent.os |
| **software**:x_raw_user_agent | client.userAgent.rawUserAgent |
| **software**:x_client_os | client.userAgent.os |
| **x-okta-client**:client_id | client.id |
| **x-okta-client**:client_ip | client.ipAddress |
| **x-okta-client**:device | client.device |
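Review bot: the renamed row `**autonomous-system**:x_domain_ref.name | securityContext.domain` dereferences to a domain-name object whose STIX property is `value`, as the `**domain-name**:value | securityContext.domain` row a few lines below shows; consider `x_domain_ref.value` so the pattern path resolves against the property the referenced object actually has. More generally, every `extensions.'x-okta-*'` path in this table is renamed to an `x_` property, so saved STIX patterns written against the old paths will no longer match any mapping; a short migration note pointing from the old paths to the new ones would help users of earlier releases.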
Expand All @@ -60,21 +60,21 @@
| **x-oca-event**:category[*] | transaction.type |
| **x-oca-event**:outcome | outcome.result |
| **x-oca-event**:ip_refs[*].value | request.ipChain.ip |
| **x-oca-event**:extensions.'x-okta-event'.event_unique_id | uuid |
| **x-oca-event**:extensions.'x-okta-event'.severity | severity |
| **x-oca-event**:extensions.'x-okta-event'.event_description | displayMessage |
| **x-oca-event**:extensions.'x-okta-event'.transaction_id | transaction.id |
| **x-oca-event**:extensions.'x-okta-event'.request_api_token_id | transaction.detail.requestApiTokenId |
| **x-oca-event**:extensions.'x-okta-event'.legacy_event_type | legacyEventType |
| **x-oca-event**:extensions.'x-okta-event'.outcome_reason | outcome.reason |
| **x-oca-event**:extensions.'x-okta-event'.actor_ref.account_login | actor.alternateId |
| **x-oca-event**:extensions.'x-okta-event'.actor_ref.user_id | actor.id |
| **x-oca-event**:extensions.'x-okta-event'.client_ref.client_ip | client.ipAddress |
| **x-oca-event**:extensions.'x-okta-event'.authentication_context_ref.session_id | authenticationContext.externalSessionId |
| **x-oca-event**:extensions.'x-okta-event'.target_refs[*].target_type | target.type |
| **x-oca-event**:extensions.'x-okta-event'.target_refs[*].display_name | target.displayName |
| **x-oca-event**:extensions.'x-okta-event'.target_refs[*].target_id | target.id |
| **x-oca-event**:extensions.'x-okta-event'.client_ref.id | client.id |
| **x-oca-event**:x_event_unique_id | uuid |
| **x-oca-event**:x_severity | severity |
| **x-oca-event**:x_event_description | displayMessage |
| **x-oca-event**:x_transaction_id | transaction.id |
| **x-oca-event**:x_request_api_token_id | transaction.detail.requestApiTokenId |
| **x-oca-event**:x_legacy_event_type | legacyEventType |
| **x-oca-event**:x_outcome_reason | outcome.reason |
| **x-oca-event**:x_actor_ref.account_login | actor.alternateId |
| **x-oca-event**:x_actor_ref.user_id | actor.id |
| **x-oca-event**:x_client_ref.client_ip | client.ipAddress |
| **x-oca-event**:x_authentication_context_ref.session_id | authenticationContext.externalSessionId |
| **x-oca-event**:x_target_refs[*].target_type| target.type |
| **x-oca-event**:x_target_refs[*].display_name | target.displayName |
| **x-oca-event**:x_target_refs[*].target_id | target.id |
| **x-oca-event**:x_client_ref.id | client.id |
| **x-okta-debug-context**:behaviors | debugContext.debugData.behaviors |
| **x-okta-debug-context**:request_uri | debugContext.debugData.requestUri |
| **x-okta-debug-context**:request_id | debugContext.debugData.requestId |
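Review bot: the row `| **x-oca-event**:x_target_refs[*].target_type| target.type |` drops the space before the cell separator that every other row in the table has; write it as `| **x-oca-event**:x_target_refs[*].target_type | target.type |` so the markdown table stays consistent and renders the same way as its neighbours.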
Expand All @@ -91,43 +91,43 @@
|--|--|--|
| autonomous-system | number | asNumber |
| autonomous-system | name | asOrg |
| autonomous-system | extensions.x-okta-autonomous-system.isp | isp |
| autonomous-system | extensions.x-okta-autonomous-system.domain_ref | domain |
| autonomous-system | x_isp | isp |
| autonomous-system | x_domain_ref | domain |
| <br> | | |
| domain-name | value | domain |
| <br> | | |
| ipv4-addr | value | ip |
| ipv4-addr | value | ipAddress |
| <br> | | |
| software | extensions.x-okta-software.raw_user_agent | rawUserAgent |
| software | extensions.x-okta-software.client_os | os |
| software | name | browser |
| software | x_raw_user_agent | rawUserAgent |
| software | x_client_os | os |
| <br> | | |
| user-account | user_id | id |
| user-account | display_name | displayName |
| user-account | account_login | alternateId |
| user-account | extensions.x-okta-actor.type | type |
| user-account | extensions.x-okta-actor.detail_entry | detailEntry |
| user-account | x_actor_type | type |
| user-account | x_detail_entry | detailEntry |
| <br> | | |
| x-oca-event | action | eventType |
| x-oca-event | extensions.x-okta-event.event_unique_id | uuid |
| x-oca-event | x_event_unique_id | uuid |
| x-oca-event | outcome | result |
| x-oca-event | extensions.x-okta-event.outcome_reason | reason |
| x-oca-event | extensions.x-okta-event.legacy_event_type | legacyEventType |
| x-oca-event | extensions.x-okta-event.event_description | displayMessage |
| x-oca-event | extensions.x-okta-event.severity | severity |
| x-oca-event | x_outcome_reason| reason |
| x-oca-event | x_legacy_event_type | legacyEventType |
| x-oca-event | x_event_description | displayMessage |
| x-oca-event | x_severity | severity |
| x-oca-event | ip_refs | ip |
| x-oca-event | extensions.x-okta-event.actor_ref | id |
| x-oca-event | extensions.x-okta-event.target_refs | groupReference |
| x-oca-event | extensions.x-okta-event.client_ref | id |
| x-oca-event | x_actor_ref | id |
| x-oca-event | x_target_refs | groupReference |
| x-oca-event | x_client_ref | id |
| x-oca-event | ip_refs | ipAddress |
| x-oca-event | extensions.x-okta-event.client_ref | device |
| x-oca-event | extensions.x-okta-event.client_ref | country |
| x-oca-event | extensions.x-okta-event.transaction_id | id |
| x-oca-event | x_client_ref | device |
| x-oca-event | x_client_ref| country |
| x-oca-event | x_transaction_id | id |
| x-oca-event | x_request_api_token_id | requestApiTokenId |
| x-oca-event | category | type |
| x-oca-event | extensions.x-okta-event.request_api_token_id | requestApiTokenId |
| x-oca-event | extensions.x-okta-event.debug_ref | groupReference |
| x-oca-event | extensions.x-okta-event.authentication_context_ref | externalSessionId |
| x-oca-event | x_authentication_context_ref | externalSessionId |
| x-oca-event | x_debug_ref | groupReference |
| <br> | | |
| x-okta-authentication-context | authentication_provider | authenticationProvider |
| x-okta-authentication-context | credential_provider | credentialProvider |
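Review bot: two rows in this table lose the space before the cell separator (`| x-oca-event | x_outcome_reason| reason |` and `| x-oca-event | x_client_ref| country |`); align them with the surrounding rows. Also, `x_debug_ref` and `x_request_api_token_id` are moved to different positions relative to the rows they replace (`extensions.x-okta-event.debug_ref` and `extensions.x-okta-event.request_api_token_id`), which makes the diff larger than a pure rename needs; keeping the row order unchanged would make it easier to verify that every old property got exactly one new name.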
Expand Down Expand Up @@ -156,4 +156,4 @@
| x-okta-target | alternate_id | alternateId |
| x-okta-target | target_type | type |
| x-okta-target | detail_entry | detailEntry |
| <br> | | |
| <br> | | |
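Review bot: this hunk replaces `| <br> | | |` with a line that reads identically, so the change is whitespace only (most likely trailing whitespace); drop it or move it to a separate formatting commit so this diff stays limited to the property rename.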
104 changes: 36 additions & 68 deletions stix_shifter_modules/okta/README.md
Expand Up @@ -183,49 +183,37 @@ results
"0": {
"type": "user-account",
"user_id": "00u7rkrly9sNvp7sa5d7",
"extensions": {
"x-okta-actor": {
"type": "User"
}
},
"x_actor_type": "User",
"account_login": "user@login.com",
"display_name": "User1"
},
"1": {
"type": "x-oca-event",
"extensions": {
"x-okta-event": {
"actor_ref": "0",
"client_ref": "3",
"authentication_context_ref": "5",
"event_description": "User report suspicious activity",
"severity": "WARN",
"debug_ref": "7",
"legacy_event_type": "core.user.account.report_suspicious_activity_by_enduser",
"transaction_id": "Y6wTfThOwKPnxngKYrJ0pgAAB3g",
"event_unique_id": "4fa2f7e4-8696-11ed-8688-39c4b4d86042",
"target_refs": [
"8"
]
}
},
"x_actor_ref": "0",
"x_client_ref": "3",
"ip_refs": [
"4"
],
"x_authentication_context_ref": "5",
"x_event_description": "User report suspicious activity",
"action": "user.account.report_suspicious_activity_by_enduser",
"outcome": "SUCCESS",
"x_severity": "WARN",
"x_debug_ref": "7",
"x_legacy_event_type": "core.user.account.report_suspicious_activity_by_enduser",
"category": [
"WEB"
],
"x_transaction_id": "Y6wTfThOwKPnxngKYrJ0pgAAB3g",
"x_event_unique_id": "4fa2f7e4-8696-11ed-8688-39c4b4d86042",
"x_target_refs": [
"8"
]
},
"2": {
"type": "software",
"extensions": {
"x-okta-software": {
"raw_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"client_os": "Windows 10"
}
},
"x_raw_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"x_client_os": "Windows 10",
"name": "CHROME"
},
"3": {
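Review bot: the sample output removes the `extensions` object entirely, so any consumer that reads `extensions["x-okta-event"]` or `extensions["x-okta-actor"]` from translated results breaks after this release; the README should say explicitly that the former extension properties are now top-level `x_`-prefixed custom properties. It is also worth a sentence that `x_actor_ref`, `x_client_ref`, `x_debug_ref` and `x_target_refs` hold result-dictionary keys (`"0"`, `"3"`, `"7"`, `"8"`), exactly like the standard `ip_refs` (`"4"`) in the same object, so readers do not mistake them for STIX identifiers.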
Expand Down Expand Up @@ -256,11 +244,7 @@ results
"type": "autonomous-system",
"number": 17488,
"name": "hathway cable and datacom limited",
"extensions": {
"x-okta-autonomous-system": {
"isp": "hathway ip over cable internet"
}
}
"x_isp": "hathway ip over cable internet"
},
"7": {
"type": "x-okta-debug-context",
Expand Down Expand Up @@ -304,7 +288,7 @@ results
#### Multiple Observation

```shell
translate okta query '{}' "([ipv4-addr:value NOT = '5.0.1.5' AND user-account:display_name MATCHES 'abc'] AND [x-okta-authentication-context:credential_type = 'IWA'])START t'2022-12-10T16:43:26.000Z' STOP t'2023-01-15T16:43:26.003Z' OR [x-oca-event:extensions.'x-okta-event'.legacy_event_type = 'app.ldap.login.disabled_account' AND x-oca-event:outcome = 'FAILURE']START t'2023-01-01T16:43:26.000Z' STOP t'2023-02-10T16:43:26.003Z' AND [ x-oca-event:extensions.'x-okta-event'.outcome_reason = 'NETWORK_ZONE_BLACKLIST']"
translate okta query '{}' "([ipv4-addr:value NOT = '5.0.1.5' AND user-account:display_name MATCHES 'abc'] AND [x-okta-authentication-context:credential_type = 'IWA'])START t'2022-12-10T16:43:26.000Z' STOP t'2023-01-15T16:43:26.003Z' OR [x-oca-event:x_legacy_event_type = 'app.ldap.login.disabled_account' AND x-oca-event:outcome = 'FAILURE']START t'2023-01-01T16:43:26.000Z' STOP t'2023-02-10T16:43:26.003Z' AND [ x-oca-event:x_outcome_reason = 'NETWORK_ZONE_BLACKLIST']"
```

#### STIX Multiple observation - output
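Review bot: dropping the quoted `'x-okta-event'` path segments is correct, since an `x_` custom property needs no quoting in a STIX path, but the old `extensions.'x-okta-event'.legacy_event_type` and `extensions.'x-okta-event'.outcome_reason` paths are no longer in any mapping table and nothing in this section tells the reader what happens to a saved query that still uses them; a sentence before this example stating that the old extension paths are no longer supported would help users migrate existing patterns. While the line is being touched, the pre-existing `])START t'...'` and `]START t'...'` could gain a space before `START` for readability, matching the spacing used elsewhere in the pattern.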
Expand Down Expand Up @@ -353,51 +337,39 @@ okta
"0": {
"type": "user-account",
"user_id": "00u7rkrly9sNvp7sa5d7",
"extensions": {
"x-okta-actor": {
"type": "User"
}
},
"x_actor_type": "User",
"account_login": "zbc@login.com",
"display_name": "zbc"
},
"1": {
"type": "x-oca-event",
"extensions": {
"x-okta-event": {
"actor_ref": "0",
"client_ref": "3",
"authentication_context_ref": "5",
"event_description": "Evaluation of sign-on policy",
"outcome_reason": "Sign-on policy evaluation resulted in CHALLENGE",
"severity": "INFO",
"debug_ref": "8",
"transaction_id": "Y7Jo7I8JgCIFXoYvGC9mYgAABc0",
"event_unique_id": "c2f00eb4-8a5c-11ed-b791-497a3600da6e",
"target_refs": [
"9",
"10",
"11"
]
}
},
"x_actor_ref": "0",
"x_client_ref": "3",
"ip_refs": [
"4"
],
"x_authentication_context_ref": "5",
"x_event_description": "Evaluation of sign-on policy",
"action": "policy.evaluate_sign_on",
"outcome": "CHALLENGE",
"x_outcome_reason": "Sign-on policy evaluation resulted in CHALLENGE",
"x_severity": "INFO",
"x_debug_ref": "8",
"category": [
"WEB"
],
"x_transaction_id": "Y7Jo7I8JgCIFXoYvGC9mYgAABc0",
"x_event_unique_id": "c2f00eb4-8a5c-11ed-b791-497a3600da6e",
"x_target_refs": [
"9",
"10",
"11"
]
},
"2": {
"type": "software",
"extensions": {
"x-okta-software": {
"raw_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"client_os": "Windows 10"
}
},
"x_raw_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"x_client_os": "Windows 10",
"name": "CHROME"
},
"3": {
Expand Down Expand Up @@ -428,12 +400,8 @@ okta
"type": "autonomous-system",
"number": 14618,
"name": "amazon technologies inc.",
"extensions": {
"x-okta-autonomous-system": {
"isp": "amazon.com inc.",
"domain_ref": "7"
}
}
"x_isp": "amazon.com inc.",
"x_domain_ref": "7"
},
"7": {
"type": "domain-name",
Expand Down