Merge pull request Azure#11487 from Azure/origins/users/rahul/okta-ru…

…le-fixes OktaSSO - Minor update to analytic rules
innofactororg · Nov 26, 2024 · b45e362 · b45e362
2 parents c3ce96d + 735493f
commit b45e362
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 59 deletions.
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml
@@ -32,7 +32,7 @@ query: |
   let ThreatInsightEvents = OktaSSO
   | where eventType_s in (ThreatInsightOperations)
   | extend SuspiciousIP = actor_displayName_s
-  | project TimeGenerated, debugContext_debugData_threatDetections_s, client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;
+  | project TimeGenerated, column_ifexists('debugContext_debugData_threatDetections_s', ""), client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;
   DeviceRegistrations 
   | join kind=inner (ThreatInsightEvents) on $left.client_ipAddress_s == $right.SuspiciousIP
 entityMappings:
@@ -46,5 +46,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: client_ipAddress_s
-version: 1.1.0
+version: 1.1.1
 kind: Scheduled
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml
@@ -27,6 +27,7 @@ query: |
   | summarize  StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by  actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', ""), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, authenticationContext_externalSessionId_s;
   let HighRiskEvents = OktaSSO
   | where eventType_s in ('policy.evaluate_sign_on' , 'user.session.start')
+  | extend debugContext_debugData_logOnlySecurityData_s = column_ifexists('debugContext_debugData_logOnlySecurityData_s', '{}')
   | where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).level =~ "HIGH"
   | where outcome_result_s =~ 'SUCCESS'
   | extend reasons = tostring(parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).reasons)
@@ -46,5 +47,5 @@ entityMappings:
         columnName: client_ipAddress_s
 customDetails:
   SessionId: authenticationContext_externalSessionId_s
-version: 1.1.0
+version: 1.1.1
 kind: Scheduled
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml
@@ -23,7 +23,7 @@ relevantTechniques:
 query: |
   let PushThreshold = 10;
   OktaSSO
-  | where ((eventType_s =="user.authentication.auth_via_mfa" and debugContext_debugData_factor_s == "OKTA_VERIFY_PUSH") or eventType_s == "system.push.send_factor_verify_push" or eventType_s == "user.mfa.okta_verify.deny_push") 
+  | where ((eventType_s =="user.authentication.auth_via_mfa" and column_ifexists('debugContext_debugData_factor_s', '') == "OKTA_VERIFY_PUSH") or eventType_s == "system.push.send_factor_verify_push" or eventType_s == "user.mfa.okta_verify.deny_push") 
   | summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),
             successes = countif(eventType_s == "user.authentication.auth_via_mfa"),
             denies = countif(eventType_s == "user.mfa.okta_verify.deny_push"),
@@ -45,5 +45,5 @@ entityMappings:
         columnName: actor_alternateId_s
       - identifier: DisplayName
         columnName: actor_displayName_s
-version: 1.1.0
+version: 1.1.1
 kind: Scheduled
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml
@@ -27,6 +27,7 @@ query: |
   let UserLoginNewCountryDevice = OktaSSO
   | where eventType_s == "user.session.start"
   | where outcome_result_s == "SUCCESS"
+  | extend debugContext_debugData_logOnlySecurityData_s = column_ifexists('debugContext_debugData_logOnlySecurityData_s', '{}')
   | where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).["New Country"] == "POSITIVE"
   | where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).["New Geo-Location"] == "POSITIVE"
   | where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).["New Device"] == "POSITIVE"
@@ -56,5 +57,5 @@ alertDetailsOverride:
   alertDisplayNameFormat: New Device/Location {{Location}} sign-in along with critical operation
   alertDescriptionFormat: |
     This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations
-version: 1.1.0
+version: 1.1.1
 kind: Scheduled
diff --git a/Solutions/Okta Single Sign-On/Package/3.1.0.zip b/Solutions/Okta Single Sign-On/Package/3.1.0.zip