diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
index a0774d1b501..e65c9edecdc 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for Okta", "category": "ASIM", "FunctionAlias": "ASimAuthenticationOktaSSO", - "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n | extend\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\n ,\n eventType_s=column_ifexists('eventType_s', \"\")\n ,\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\n ,\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\n ,\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n 
TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nparser(disabled = disabled)", + "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let OutcomeReasonLookup = datatable(outcome_reason_s: string, EventResultDetails: string)\n [\n \"LOCKED_OUT\", \"User locked\",\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\n \"UNKNOWN_USER\", \"No such user\",\n \"VERIFICATION_ERROR\", \"Incorrect key\",\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\n \"PASSWORD_EXPIRED\", \"Password expired\",\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\n ];\n let SrcDeviceTypeLookup = datatable(client_device_s: string, SrcDeviceType: string)\n [\n \"Computer\", \"Computer\",\n \"Mobile\", \"Mobile Device\",\n 
\"Tablet\", \"Mobile Device\"\n ];\n let ActorUserTypeLookup = datatable(ActorOriginalUserType: string, ActorUserType: string)\n [\n \"User\", \"Regular\",\n \"SystemPrincipal\", \"System\"\n ];\n let emptyOktaTable = datatable(\n TimeGenerated: datetime,\n outcome_result_s: string,\n eventType_s: string,\n legacyEventType_s: string,\n client_geographicalContext_geolocation_lat_d: double,\n client_geographicalContext_geolocation_lon_d: double,\n displayMessage_s: string,\n outcome_reason_s: string,\n uuid_g: string,\n actor_id_s: string,\n actor_alternateId_s: string,\n authenticationContext_externalSessionId_s: string,\n actor_type_s: string,\n client_userAgent_os_s: string,\n securityContext_isp_s: string,\n client_geographicalContext_city_s: string,\n client_geographicalContext_country_s: string,\n client_ipAddress_s: string,\n client_userAgent_browser_s: string,\n authenticationContext_credentialType_s: string,\n client_userAgent_rawUserAgent_s: string,\n client_geographicalContext_state_s: string,\n client_device_s: string\n )[];\n let OktaTable = union isfuzzy=true emptyOktaTable, Okta_CL;\n OktaTable\n | where not(disabled)\n | lookup OutcomeReasonLookup on outcome_reason_s\n | extend EventResultDetails = iif(outcome_result_s in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\n | extend\n Type = \"Okta_CL\",\n EventProduct='Okta',\n EventVendor='Okta',\n EventSchema = 'Authentication',\n EventCount=int(1),\n EventSchemaVersion='0.1.3',\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial'),\n EventStartTime=TimeGenerated,\n EventEndTime=TimeGenerated,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff'),\n TargetUserIdType = \"OktaId\",\n ActingAppType = \"Browser\"\n | project-rename\n EventOriginalSubType=legacyEventType_s,\n EventMessage=displayMessage_s,\n EventOriginalResultDetails=outcome_reason_s,\n EventOriginalUid=uuid_g,\n 
TargetUserId = actor_id_s,\n TargetUsername = actor_alternateId_s,\n TargetSessionId = authenticationContext_externalSessionId_s,\n ActorOriginalUserType = actor_type_s,\n SrcGeoLatitude = client_geographicalContext_geolocation_lat_d,\n SrcGeoLongitude = client_geographicalContext_geolocation_lon_d,\n SrcDvcOs = client_userAgent_os_s,\n SrcIsp = securityContext_isp_s,\n SrcGeoCity = client_geographicalContext_city_s,\n SrcGeoCountry = client_geographicalContext_country_s,\n SrcIpAddr = client_ipAddress_s,\n ActingAppName = client_userAgent_browser_s,\n LogonMethod = authenticationContext_credentialType_s,\n HttpUserAgent = client_userAgent_rawUserAgent_s,\n SrcGeoRegion = client_geographicalContext_state_s\n | extend\n ActorUserId = TargetUserId,\n ActorUsername = TargetUsername,\n ActorUserIdType = TargetUserIdType\n | lookup ActorUserTypeLookup on ActorOriginalUserType\n | extend\n TargetUserType = ActorUserType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | lookup SrcDeviceTypeLookup on client_device_s\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\n | extend \n User=TargetUsername,\n Dvc=EventVendor,\n IpAddr=SrcIpAddr\n | project\n TimeGenerated,\n Type,\n EventResultDetails,\n EventProduct,\n EventVendor,\n EventSchema,\n EventCount,\n EventSchemaVersion,\n EventResult,\n EventStartTime,\n EventEndTime,\n EventType,\n EventOriginalSubType,\n EventMessage,\n EventOriginalResultDetails,\n EventOriginalUid,\n TargetUserIdType,\n TargetUserId,\n TargetUsername,\n TargetSessionId,\n ActorOriginalUserType,\n SrcGeoLatitude,\n SrcGeoLongitude,\n SrcDvcOs,\n SrcIsp,\n SrcGeoCity,\n SrcGeoCountry,\n SrcIpAddr,\n ActingAppType,\n LogonMethod,\n HttpUserAgent,\n ActorUserId,\n ActorUsername,\n ActorUserIdType,\n ActorUserType,\n TargetUserType,\n TargetUsernameType,\n ActorUsernameType,\n SrcDeviceType,\n User,\n Dvc,\n IpAddr\n};\nparser(disabled = disabled)", "version": 1, 
"functionParameters": "disabled:bool=False" }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
index 364eeb70579..b8fe7efdea6 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
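Review bot: The new query drops the event-type filter the removed version applied (`| where eventType_s in (OktaSigninEvents)`): `OktaSigninEvents` is still declared but never used, so every Okta_CL row reaches the output and `EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')` turns every non-session event (policy, lifecycle, app events and so on) into a 'Logoff' whose EventResult is 'Success'. The sibling OktaV2 parser in this same change keeps `| where EventOriginalType in (OktaSigninEvents)`, which makes this look like an accidental drop rather than a design decision; consumers of ASimAuthentication would see inflated logon/logoff counts and authentication analytics would fire on non-authentication events. Add `| where eventType_s in (OktaSigninEvents)` immediately after `| where not(disabled)` in the escaped query string. It would also help investigators to keep the raw type the way the V2 parser does, `EventOriginalType = eventType_s`, since `eventType_s` is otherwise discarded by the final project.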
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for OktaV2", "category": "ASIM", "FunctionAlias": "ASimAuthenticationOktaV2", - "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n 
EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=column_ifexists('ActorUsername', \"\")\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId,\n TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy,\n TransactionId,\n 
TransactionType;\n OktaV2\n};\nparser(disabled = disabled)", + "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceType: string)\n [\n \"Computer\", \"Computer\",\n \"Mobile\", \"Mobile Device\",\n \"Tablet\", \"Mobile Device\"\n ];\n let OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string)\n [\n \"LOCKED_OUT\", \"User locked\",\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\n \"UNKNOWN_USER\", \"No such user\",\n \"VERIFICATION_ERROR\", \"Incorrect key\",\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\n \"PASSWORD_EXPIRED\", \"Password expired\",\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\n ];\n OktaV2_CL\n | where not(disabled)\n | where EventOriginalType in (OktaSigninEvents)\n | lookup OutcomeReasonLookup on EventOriginalResultDetails\n | extend EventResultDetails = iif(OriginalOutcomeResult in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\n | lookup SrcDeviceTypeLookup on OriginalClientDevice\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\n | extend\n Type = \"OktaV2_CL\",\n EventProduct = \"Okta\",\n EventSchema = \"Authentication\",\n EventVendor = \"Okta\",\n EventCount = int(1),\n EventSchemaVersion='0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff'),\n ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId),\n ActorUserIdType = \"OktaId\",\n EventResult = coalesce(EventResult,\n case (\n OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success',\n OriginalOutcomeResult 
in (OktaFailedOutcome), 'Failure',\n 'Partial')),\n SrcIpAddr,\n ActorSessionId,\n ActorUserId,\n SrcGeoRegion,\n SrcGeoCity,\n SrcGeoCountry,\n SrcDvcOs,\n SrcDvcId,\n SrcDvcIdType,\n DvcAction,\n EventOriginalUid,\n TargetSessionId = ActorSessionId,\n TargetUserId = ActorUserId,\n TargetUsername = ActorUsername,\n TargetUserType = ActorUserType,\n TargetUserIdType = ActorUserIdType\n | extend TargetUserType = case(\n TargetUserType == \"System Principal\", \"System\",\n TargetUserType\n )\n | extend\n ActorUserType = TargetUserType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n // ** Aliases\n | extend \n User=TargetUsername,\n Dvc=EventVendor,\n IpAddr=SrcIpAddr\n | project\n TimeGenerated,\n EventOriginalType,\n EventOriginalResultDetails,\n EventOriginalUid,\n EventResultDetails,\n SrcDeviceType,\n Type,\n EventProduct,\n EventSchema,\n EventVendor,\n EventCount,\n EventSchemaVersion,\n EventStartTime,\n EventEndTime,\n EventType,\n TargetSessionId,\n TargetUserId,\n TargetUsername,\n TargetUserType,\n TargetUserIdType,\n SrcIpAddr,\n ActorSessionId,\n ActorUserId,\n ActorUsername,\n ActorUserType,\n ActorUserIdType,\n EventResult,\n SrcGeoRegion,\n SrcGeoCity,\n SrcGeoCountry,\n SrcDvcOs,\n SrcDvcId,\n SrcDvcIdType,\n DvcAction,\n TargetUsernameType,\n ActorUsernameType,\n User,\n Dvc,\n IpAddr\n};\nparser(disabled = disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json index 5c93edde319..ee47c5c18f9 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json 
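Review bot: `TargetUserType = case(TargetUserType == "System Principal", "System", TargetUserType)` normalises only one value, while the OSS parser in this same change maps `"User"`→`"Regular"` and `"SystemPrincipal"`→`"System"`; the same Okta actor type can therefore surface as different ASIM values depending on which connector a workspace uses, and a raw `"User"` (if the DCR passes it through unchanged — not visible here) would reach `TargetUserType`/`ActorUserType` unmapped. Aligning the two is one line: `TargetUserType = case(TargetUserType in ("System Principal", "SystemPrincipal"), "System", TargetUserType == "User", "Regular", TargetUserType)`. Separately, the query now reads `OktaV2_CL` directly instead of the `union isfuzzy=true emptyOctaV2Table, OktaV2_CL` the removed version used; if the intent is still that the function resolves in a workspace where the table does not exist, that wrapper (or a comment explaining why it is no longer needed) should come back.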
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser for Okta", "category": "ASIM", "FunctionAlias": "vimAuthenticationOktaSSO", - "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated: datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend \n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\n eventType_s=column_ifexists('eventType_s', \"\"),\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\n client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\"),\n client_ipAddress_s = column_ifexists('client_ipAddress_s', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) 
// TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n 
SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "query": "let parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n let OktaSuccessfulOutcome = 
dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let OutcomeReasonLookup = datatable(outcome_reason_s: string, EventResultDetails: string)\n [\n \"LOCKED_OUT\", \"User locked\",\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\n \"UNKNOWN_USER\", \"No such user\",\n \"VERIFICATION_ERROR\", \"Incorrect key\",\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\n \"PASSWORD_EXPIRED\", \"Password expired\",\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\n ];\n let SrcDeviceTypeLookup = datatable(client_device_s: string, SrcDeviceType: string)\n [\n \"Computer\", \"Computer\",\n \"Mobile\", \"Mobile Device\",\n \"Tablet\", \"Mobile Device\"\n ];\n let ActorUserTypeLookup = datatable(ActorOriginalUserType: string, ActorUserType: string)\n [\n \"User\", \"Regular\",\n \"SystemPrincipal\", \"System\"\n ];\n let emptyOktaTable = datatable(\n TimeGenerated: datetime,\n outcome_result_s: string,\n eventType_s: string,\n legacyEventType_s: string,\n client_geographicalContext_geolocation_lat_d: double,\n client_geographicalContext_geolocation_lon_d: double,\n displayMessage_s: string,\n outcome_reason_s: string,\n uuid_g: string,\n actor_id_s: string,\n actor_alternateId_s: string,\n authenticationContext_externalSessionId_s: string,\n actor_type_s: string,\n client_userAgent_os_s: string,\n securityContext_isp_s: string,\n client_geographicalContext_city_s: string,\n client_geographicalContext_country_s: string,\n client_ipAddress_s: string,\n client_userAgent_browser_s: string,\n authenticationContext_credentialType_s: string,\n client_userAgent_rawUserAgent_s: string,\n client_geographicalContext_state_s: string,\n client_device_s: string\n )[];\n let OktaTable = union isfuzzy=true emptyOktaTable, Okta_CL;\n OktaTable\n | where 
not(disabled)\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | extend EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n | lookup OutcomeReasonLookup on outcome_reason_s\n | extend EventResultDetails = iif(outcome_result_s in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n Type = \"Okta_CL\",\n EventProduct='Okta',\n EventVendor='Okta',\n EventSchema = 'Authentication',\n EventCount=int(1),\n EventSchemaVersion='0.1.3',\n EventStartTime=TimeGenerated,\n EventEndTime=TimeGenerated,\n TargetUserIdType = \"OktaId\",\n ActingAppType = \"Browser\"\n | project-rename\n EventOriginalSubType=legacyEventType_s,\n EventMessage=displayMessage_s,\n EventOriginalResultDetails=outcome_reason_s,\n EventOriginalUid=uuid_g,\n TargetUserId = actor_id_s,\n TargetUsername = actor_alternateId_s,\n TargetSessionId = authenticationContext_externalSessionId_s,\n ActorOriginalUserType = actor_type_s,\n SrcGeoLatitude = client_geographicalContext_geolocation_lat_d,\n SrcGeoLongitude = client_geographicalContext_geolocation_lon_d,\n SrcDvcOs = client_userAgent_os_s,\n SrcIsp = 
securityContext_isp_s,\n SrcGeoCity = client_geographicalContext_city_s,\n SrcGeoCountry = client_geographicalContext_country_s,\n SrcIpAddr = client_ipAddress_s,\n ActingAppName = client_userAgent_browser_s,\n LogonMethod = authenticationContext_credentialType_s,\n HttpUserAgent = client_userAgent_rawUserAgent_s,\n SrcGeoRegion = client_geographicalContext_state_s\n | extend\n ActorUserId = TargetUserId,\n ActorUsername = TargetUsername,\n ActorUserIdType = TargetUserIdType\n | lookup ActorUserTypeLookup on ActorOriginalUserType\n | extend\n TargetUserType = ActorUserType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | lookup SrcDeviceTypeLookup on client_device_s\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n User=TargetUsername,\n Dvc=EventVendor,\n IpAddr=SrcIpAddr\n | project\n TimeGenerated,\n Type,\n EventResultDetails,\n EventProduct,\n EventVendor,\n EventSchema,\n EventCount,\n EventSchemaVersion,\n EventResult,\n EventStartTime,\n EventEndTime,\n EventType,\n EventOriginalSubType,\n EventMessage,\n EventOriginalResultDetails,\n EventOriginalUid,\n TargetUserIdType,\n TargetUserId,\n TargetUsername,\n TargetSessionId,\n ActorOriginalUserType,\n SrcGeoLatitude,\n SrcGeoLongitude,\n SrcDvcOs,\n SrcIsp,\n SrcGeoCity,\n SrcGeoCountry,\n SrcIpAddr,\n ActingAppType,\n LogonMethod,\n HttpUserAgent,\n ActorUserId,\n ActorUsername,\n ActorUserIdType,\n ActorUserType,\n TargetUserType,\n TargetUsernameType,\n ActorUsernameType,\n SrcDeviceType,\n ASimMatchingUsername,\n User,\n Dvc,\n IpAddr\n};\nparser (\n starttime=starttime,\n 
endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json index 687ec291254..56197f18f72 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json 
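Review bot: As in the ASim variant, the rewritten filtering parser never restricts to session events — `OktaSigninEvents` is declared and unused, and the removed `| where eventType_s in (OktaSigninEvents)` has no replacement — so non-authentication Okta_CL rows are emitted as 'Logoff'/'Success' authentication events, and `eventtype_in` can only ever choose between 'Logon' and that bogus 'Logoff'. Add `| where eventType_s in (OktaSigninEvents)` after `| where not(disabled)`, ahead of the time and username filters, so the expensive lookups also run on fewer rows. The comment `// ActorUsername not coming from source. Hence, not mapped.` above the ASimMatchingUsername mapping is now stale, since this version sets `ActorUsername = TargetUsername`; either drop it or extend the mapping to report `ActorUsername` matches as well. Note also that `has_any_ipv4_prefix` cannot match IPv6 client addresses, so `srcipaddr_has_any_prefix` silently excludes them — pre-existing behaviour, but worth a one-line comment on that filter.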
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser for Okta", "category": "ASIM", "FunctionAlias": "vimAuthenticationOktaV2", - "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n 
EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=ActorUsername\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n //\n ActorDetailEntry,\n ActorDisplayName\n ,\n 
AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n 
SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType;\n OktaV2\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "query": "let parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceType: string)\n [\n \"Computer\", \"Computer\",\n \"Mobile\", \"Mobile Device\",\n \"Tablet\", \"Mobile Device\"\n ];\n let OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string)\n [\n \"LOCKED_OUT\", \"User locked\",\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\n \"UNKNOWN_USER\", \"No such user\",\n \"VERIFICATION_ERROR\", \"Incorrect key\",\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\n \"PASSWORD_EXPIRED\", \"Password expired\",\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\n ];\n OktaV2_CL\n | where not(disabled)\n | where EventOriginalType in (OktaSigninEvents)\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and 
(isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering on 'eventresult' and 'eventtype_in'\n | extend \n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff')\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=ActorUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend \n ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | lookup OutcomeReasonLookup on EventOriginalResultDetails\n | extend EventResultDetails = iif(OriginalOutcomeResult in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0) or EventResultDetails in~ (eventresultdetails_in)\n | lookup SrcDeviceTypeLookup on OriginalClientDevice\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\n | extend\n Type = \"OktaV2_CL\",\n EventProduct = \"Okta\",\n EventSchema = \"Authentication\",\n EventVendor = \"Okta\",\n EventCount = int(1),\n EventSchemaVersion='0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff'),\n SrcIpAddr,\n ActorSessionId,\n ActorUserId,\n ActorUsername 
= coalesce(ActorUsername, OriginalActorAlternateId),\n ActorUserIdType = \"OktaId\",\n EventResult = coalesce(EventResult,\n case (\n OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success',\n OriginalOutcomeResult in (OktaFailedOutcome), 'Failure',\n 'Partial')),\n SrcGeoRegion,\n SrcGeoCity,\n SrcGeoCountry,\n SrcDvcOs,\n SrcDvcId,\n SrcDvcIdType,\n DvcAction,\n EventOriginalUid,\n TargetSessionId = ActorSessionId,\n TargetUserId = ActorUserId,\n TargetUsername = ActorUsername,\n TargetUserType = ActorUserType,\n TargetUserIdType = ActorUserIdType\n | extend TargetUserType = case(\n TargetUserType == \"System Principal\", \"System\",\n TargetUserType\n )\n | extend\n ActorUserType = TargetUserType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n // ** Aliases\n | extend \n User=TargetUsername,\n Dvc=EventVendor,\n IpAddr=SrcIpAddr\n | project\n TimeGenerated,\n EventOriginalType,\n EventOriginalResultDetails,\n EventOriginalUid,\n EventResultDetails,\n SrcDeviceType,\n Type,\n EventProduct,\n EventSchema,\n EventVendor,\n EventCount = int(1),\n EventSchemaVersion='0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType,\n TargetSessionId,\n TargetUserId,\n TargetUsername,\n TargetUserType,\n TargetUserIdType,\n SrcIpAddr,\n ActorSessionId,\n ActorUserId,\n ActorUsername,\n ActorUserType,\n ActorUserIdType,\n EventResult,\n SrcGeoRegion,\n SrcGeoCity,\n SrcGeoCountry,\n SrcDvcOs,\n SrcDvcId,\n SrcDvcIdType,\n DvcAction,\n TargetUsernameType,\n ActorUsernameType,\n User,\n Dvc,\n IpAddr\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", "version": 
1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml
index 3ae9bef7405..190701eacac 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM parser for Okta
- Version: '0.3.0'
- LastUpdated: May 20, 2024
+ Version: '0.4.0'
+ LastUpdated: Jan 08, 2026
 Product:
 Name: Okta
 Normalization:
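Review bot: The `eventresult` and `username_has_any` filters in the new vimAuthenticationOktaV2 query run before the fallbacks that normalize their inputs — `| where (eventresult == "*" or (EventResult == eventresult))` tests the raw `EventResult` column while `EventResult = coalesce(EventResult, case(...))` is only computed in the later `extend`, and `ActorUsername has_any (username_has_any)` likewise runs before `ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId)`. A row whose source `EventResult` is empty but whose `OriginalOutcomeResult` is in `OktaFailedOutcome` comes back as `Failure` from the unfiltered parser yet is dropped when a rule calls the parser with `eventresult='Failure'`, so detections built on the filtering parser can silently miss those failed logons. Computing both values in an `extend` placed before the first `| where`, e.g. `| extend ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId), EventResult = coalesce(EventResult, case(OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success', OriginalOutcomeResult in (OktaFailedOutcome), 'Failure', 'Partial'))`, keeps the filters consistent with the projected fields. Separately, `OktaV2_CL` is now read directly where the removed query used `union isfuzzy=true emptyOctaV2Table, OktaV2_CL`, so the function presumably no longer resolves in a workspace that lacks the table, whereas the Okta_CL parsers in this commit keep their fuzzy union; the same applies to the ASimAuthenticationOktaV2.yaml hunk below. The trailing `project` also re-assigns `EventCount`, `EventSchemaVersion`, `EventStartTime` and `EventEndTime` that the preceding `extend` already set, and `EventType` is computed twice.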
@@ -25,89 +25,149 @@ ParserQuery: | let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']); let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']); let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']); - let emptyOctV1Table = datatable(TimeGenerated:datetime)[]; - // https://developer.okta.com/docs/reference/api/event-types/#catalog - let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL - | where not(disabled) - | extend - outcome_result_s=column_ifexists('outcome_result_s', "") - , - eventType_s=column_ifexists('eventType_s', "") - , - legacyEventType_s=column_ifexists('legacyEventType_s', "") - , - client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', "") - , - client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', "") - | where eventType_s in (OktaSigninEvents) - | extend - EventProduct='Okta' - , - EventVendor='Okta' - , - EventSchema = 'Authentication' - , - EventCount=int(1) - , - EventSchemaVersion='0.1.0' - , - EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial') - , - EventStartTime=TimeGenerated - , - EventEndTime=TimeGenerated - , - EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff') - , - EventSubType=legacyEventType_s - , - EventMessage=column_ifexists('displayMessage_s', "") - , - EventOriginalResultDetails=column_ifexists('outcome_reason_s', "") - , - EventOriginalUid = column_ifexists('uuid_g', "") - , - TargetUserIdType='OktaId' - , - TargetUsernameType='UPN' - , - TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', "") - , - TargetUserId=column_ifexists('actor_id_s', "") - , - TargetUsername=column_ifexists('actor_alternateId_s', "") - , - TargetUserType=column_ifexists('actor_type_s', "") - , - SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d) - , - 
SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d) - , - SrcDvcOs=column_ifexists('client_userAgent_os_s', "") - , - SrcIsp=column_ifexists('securityContext_isp_s', "") - , - SrcGeoCity=column_ifexists('client_geographicalContext_city_s', "") - , - SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', "") - , - SrcIpAddr = column_ifexists('client_ipAddress_s', "") - , - ActingAppName=column_ifexists('client_userAgent_browser_s', "") - , - ActingAppType="Browser" - , - LogonMethod=column_ifexists('authenticationContext_credentialType_s', "") - , - HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', "") - // ** Aliases - | extend - User=TargetUsername - , - Dvc=EventVendor - , - IpAddr=SrcIpAddr - | project-away *_s, *_d, *_b, *_g, *_t; - OktaV1 + let OutcomeReasonLookup = datatable(outcome_reason_s: string, EventResultDetails: string) + [ + "LOCKED_OUT", "User locked", + "INVALID_CREDENTIALS", "Incorrect password", + "UNKNOWN_USER", "No such user", + "VERIFICATION_ERROR", "Incorrect key", + "SSO_AUTHENTICATION_FAILURE", "Logon violates policy", + "PASSWORD_EXPIRED", "Password expired", + "USER_ACCOUNT_EXPIRED", "Account expired", + "DEL_AUTH_TIMEOUT", "Session expired", + "PASSWORD_BASED_LOGIN_DISALLOWED", "Logon violates policy" + ]; + let SrcDeviceTypeLookup = datatable(client_device_s: string, SrcDeviceType: string) + [ + "Computer", "Computer", + "Mobile", "Mobile Device", + "Tablet", "Mobile Device" + ]; + let ActorUserTypeLookup = datatable(ActorOriginalUserType: string, ActorUserType: string) + [ + "User", "Regular", + "SystemPrincipal", "System" + ]; + let emptyOktaTable = datatable( + TimeGenerated: datetime, + outcome_result_s: string, + eventType_s: string, + legacyEventType_s: string, + client_geographicalContext_geolocation_lat_d: double, + client_geographicalContext_geolocation_lon_d: double, + displayMessage_s: string, + outcome_reason_s: string, + uuid_g: string, + actor_id_s: string, + 
actor_alternateId_s: string, + authenticationContext_externalSessionId_s: string, + actor_type_s: string, + client_userAgent_os_s: string, + securityContext_isp_s: string, + client_geographicalContext_city_s: string, + client_geographicalContext_country_s: string, + client_ipAddress_s: string, + client_userAgent_browser_s: string, + authenticationContext_credentialType_s: string, + client_userAgent_rawUserAgent_s: string, + client_geographicalContext_state_s: string, + client_device_s: string + )[]; + let OktaTable = union isfuzzy=true emptyOktaTable, Okta_CL; + OktaTable + | where not(disabled) + | lookup OutcomeReasonLookup on outcome_reason_s + | extend EventResultDetails = iif(outcome_result_s in (OktaFailedOutcome), coalesce(EventResultDetails, "Other"), "") + | extend + Type = "Okta_CL", + EventProduct='Okta', + EventVendor='Okta', + EventSchema = 'Authentication', + EventCount=int(1), + EventSchemaVersion='0.1.3', + EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial'), + EventStartTime=TimeGenerated, + EventEndTime=TimeGenerated, + EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff'), + TargetUserIdType = "OktaId", + ActingAppType = "Browser" + | project-rename + EventOriginalSubType=legacyEventType_s, + EventMessage=displayMessage_s, + EventOriginalResultDetails=outcome_reason_s, + EventOriginalUid=uuid_g, + TargetUserId = actor_id_s, + TargetUsername = actor_alternateId_s, + TargetSessionId = authenticationContext_externalSessionId_s, + ActorOriginalUserType = actor_type_s, + SrcGeoLatitude = client_geographicalContext_geolocation_lat_d, + SrcGeoLongitude = client_geographicalContext_geolocation_lon_d, + SrcDvcOs = client_userAgent_os_s, + SrcIsp = securityContext_isp_s, + SrcGeoCity = client_geographicalContext_city_s, + SrcGeoCountry = client_geographicalContext_country_s, + SrcIpAddr = client_ipAddress_s, + ActingAppName = client_userAgent_browser_s, + 
LogonMethod = authenticationContext_credentialType_s,
+ HttpUserAgent = client_userAgent_rawUserAgent_s,
+ SrcGeoRegion = client_geographicalContext_state_s
+ | extend
+ ActorUserId = TargetUserId,
+ ActorUsername = TargetUsername,
+ ActorUserIdType = TargetUserIdType
+ | lookup ActorUserTypeLookup on ActorOriginalUserType
+ | extend
+ TargetUserType = ActorUserType,
+ TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+ | lookup SrcDeviceTypeLookup on client_device_s
+ | extend SrcDeviceType = coalesce(SrcDeviceType, "Other")
+ | extend
+ User=TargetUsername,
+ Dvc=EventVendor,
+ IpAddr=SrcIpAddr
+ | project
+ TimeGenerated,
+ Type,
+ EventResultDetails,
+ EventProduct,
+ EventVendor,
+ EventSchema,
+ EventCount,
+ EventSchemaVersion,
+ EventResult,
+ EventStartTime,
+ EventEndTime,
+ EventType,
+ EventOriginalSubType,
+ EventMessage,
+ EventOriginalResultDetails,
+ EventOriginalUid,
+ TargetUserIdType,
+ TargetUserId,
+ TargetUsername,
+ TargetSessionId,
+ ActorOriginalUserType,
+ SrcGeoLatitude,
+ SrcGeoLongitude,
+ SrcDvcOs,
+ SrcIsp,
+ SrcGeoCity,
+ SrcGeoCountry,
+ SrcIpAddr,
+ ActingAppType,
+ LogonMethod,
+ HttpUserAgent,
+ ActorUserId,
+ ActorUsername,
+ ActorUserIdType,
+ ActorUserType,
+ TargetUserType,
+ TargetUsernameType,
+ ActorUsernameType,
+ SrcDeviceType,
+ User,
+ Dvc,
+ IpAddr
 };
 parser(disabled = disabled)
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaV2.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaV2.yaml
index cea017747c8..fe4e8e9312b 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaV2.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaV2.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM parser for OktaV2
- Version: '0.3.1'
- LastUpdated: May 20, 2024
+ Version: '0.4.0'
+ LastUpdated: Jan 08, 2026
 Product:
 Name: Okta
 Normalization:
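Review bot: `ActingAppName` and `SrcGeoRegion` are created by the new `project-rename` (`ActingAppName = client_userAgent_browser_s`, `SrcGeoRegion = client_geographicalContext_state_s`) but are missing from the final `project`, so both fields are dropped from the ASimAuthenticationOktaOSS output; the removed query kept them because its `project-away *_s, *_d, *_b, *_g, *_t` only stripped the raw columns. Adding `ActingAppName,` and `SrcGeoRegion,` to the `project` list restores them, and the ASimAuthenticationOktaOSS.json hunk above carries the same list. `ActorUserTypeLookup` covers only `"User"` and `"SystemPrincipal"`, so `ActorUserType` and `TargetUserType` stay empty for any other `actor_type_s` value while `SrcDeviceType` falls back to `"Other"` via `coalesce`; either a matching `| extend ActorUserType = coalesce(ActorUserType, "Other")` after the lookup or a comment stating that unmapped actor types are intentionally left blank would make the intent explicit. The `// https://developer.okta.com/docs/reference/api/event-types/#catalog` comment that documented where `OktaSigninEvents` comes from was removed with the old block and is worth keeping next to that `let`.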
@@ -25,141 +25,116 @@ ParserQuery: | let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']); let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']); let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']); - let emptyOctaV2Table = datatable( - TimeGenerated: datetime, - ActorDetailEntry: dynamic, - ActorDisplayName: string, - AuthenticationContext: string, - AuthenticationProvider: string, - AuthenticationStep: string, - AuthenticationContextAuthenticationProvider: string, - AuthenticationContextAuthenticationStep: int, - AuthenticationContextCredentialProvider: string, - AuthenticationContextInterface: string, - AuthenticationContextIssuerId: string, - AuthenticationContextIssuerType: string, - DebugData: dynamic, - DvcAction: string, - EventResult:string, - OriginalActorAlternateId: string, - OriginalClientDevice: string, - OriginalOutcomeResult: string, - OriginalSeverity: string, - OriginalTarget: dynamic, - OriginalUserId: string, - OriginalUserType: string, - Request: dynamic, - SecurityContextAsNumber: int, - SecurityContextAsOrg: string, - SecurityContextDomain: string, - SecurityContextIsProxy: bool, - TransactionDetail: dynamic, - TransactionId: string, - TransactionType: string - )[]; - let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL - | where not(disabled) - | extend - EventOriginalType=column_ifexists('EventOriginalType', "") - , - OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', "") - , - ActorUsername=column_ifexists('ActorUsername', "") - , - SrcIpAddr = column_ifexists('SrcIpAddr', "") - | where EventOriginalType in (OktaSigninEvents) - | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) - | extend - EventProduct='Okta' - , - EventSchema = 'Authentication' - , - EventVendor='Okta' - , - EventCount=int(1) - , - EventSchemaVersion='0.1.0' - , - EventStartTime=TimeGenerated - , - EventEndTime=TimeGenerated - , - EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 
'Logoff') - , - TargetSessionId=column_ifexists('ActorSessionId', "") - , - TargetUserId= column_ifexists('ActorUserId', "") - , - TargetUsername=column_ifexists('ActorUsername', "") - , - TargetUserType=column_ifexists('ActorUserType', "") - , - TargetUserIdType=column_ifexists('ActorUserIdType', "") - , - TargetUsernameType=column_ifexists('ActorUsernameType', "") - , - SrcIpAddr = column_ifexists('SrcIpAddr', "") - //** extend non-normalized fields to be projected-away - , - ActorDetailEntry, - ActorDisplayName, - AuthenticationContextAuthenticationProvider, - AuthenticationContextAuthenticationStep, - AuthenticationContextCredentialProvider, - AuthenticationContextInterface, - AuthenticationContextIssuerId, - AuthenticationContextIssuerType - , - DebugData, - DvcAction, - OriginalActorAlternateId, - OriginalClientDevice, - OriginalOutcomeResult, - OriginalSeverity, - OriginalTarget, - OriginalUserId, - OriginalUserType, - Request, - SecurityContextAsNumber, - SecurityContextAsOrg, - SecurityContextDomain, - SecurityContextIsProxy - , - TransactionDetail, - TransactionId, - TransactionType - // ** Aliases - | extend - User=TargetUsername - , - Dvc=EventVendor - , - IpAddr=SrcIpAddr - | project-away - ActorDetailEntry, - ActorDisplayName, - AuthenticationContextAuthenticationProvider, - AuthenticationContextAuthenticationStep, - AuthenticationContextCredentialProvider, - AuthenticationContextInterface, - AuthenticationContextIssuerId, - AuthenticationContextIssuerType, - DebugData, - DvcAction, - OriginalActorAlternateId, - OriginalClientDevice, - OriginalOutcomeResult, - OriginalSeverity, - OriginalTarget, - OriginalUserId, - OriginalUserType, - Request, - SecurityContextAsNumber, - SecurityContextAsOrg, - SecurityContextDomain, - SecurityContextIsProxy, - TransactionId, - TransactionType; - OktaV2 + let SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceType: string) + [ + "Computer", "Computer", + "Mobile", "Mobile Device", + "Tablet", 
"Mobile Device" + ]; + let OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string) + [ + "LOCKED_OUT", "User locked", + "INVALID_CREDENTIALS", "Incorrect password", + "UNKNOWN_USER", "No such user", + "VERIFICATION_ERROR", "Incorrect key", + "SSO_AUTHENTICATION_FAILURE", "Logon violates policy", + "PASSWORD_EXPIRED", "Password expired", + "USER_ACCOUNT_EXPIRED", "Account expired", + "DEL_AUTH_TIMEOUT", "Session expired", + "PASSWORD_BASED_LOGIN_DISALLOWED", "Logon violates policy" + ]; + OktaV2_CL + | where not(disabled) + | where EventOriginalType in (OktaSigninEvents) + | lookup OutcomeReasonLookup on EventOriginalResultDetails + | extend EventResultDetails = iif(OriginalOutcomeResult in (OktaFailedOutcome), coalesce(EventResultDetails, "Other"), "") + | lookup SrcDeviceTypeLookup on OriginalClientDevice + | extend SrcDeviceType = coalesce(SrcDeviceType, "Other") + | extend + Type = "OktaV2_CL", + EventProduct = "Okta", + EventSchema = "Authentication", + EventVendor = "Okta", + EventCount = int(1), + EventSchemaVersion='0.1.3', + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff'), + ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId), + ActorUserIdType = "OktaId", + EventResult = coalesce(EventResult, + case ( + OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success', + OriginalOutcomeResult in (OktaFailedOutcome), 'Failure', + 'Partial')), + SrcIpAddr, + ActorSessionId, + ActorUserId, + SrcGeoRegion, + SrcGeoCity, + SrcGeoCountry, + SrcDvcOs, + SrcDvcId, + SrcDvcIdType, + DvcAction, + EventOriginalUid, + TargetSessionId = ActorSessionId, + TargetUserId = ActorUserId, + TargetUsername = ActorUsername, + TargetUserType = ActorUserType, + TargetUserIdType = ActorUserIdType + | extend TargetUserType = case( + TargetUserType == "System Principal", "System", + TargetUserType + ) + | extend + ActorUserType = TargetUserType, + 
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+ ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+ // ** Aliases
+ | extend
+ User=TargetUsername,
+ Dvc=EventVendor,
+ IpAddr=SrcIpAddr
+ | project
+ TimeGenerated,
+ EventOriginalType,
+ EventOriginalResultDetails,
+ EventOriginalUid,
+ EventResultDetails,
+ SrcDeviceType,
+ Type,
+ EventProduct,
+ EventSchema,
+ EventVendor,
+ EventCount,
+ EventSchemaVersion,
+ EventStartTime,
+ EventEndTime,
+ EventType,
+ TargetSessionId,
+ TargetUserId,
+ TargetUsername,
+ TargetUserType,
+ TargetUserIdType,
+ SrcIpAddr,
+ ActorSessionId,
+ ActorUserId,
+ ActorUsername,
+ ActorUserType,
+ ActorUserIdType,
+ EventResult,
+ SrcGeoRegion,
+ SrcGeoCity,
+ SrcGeoCountry,
+ SrcDvcOs,
+ SrcDvcId,
+ SrcDvcIdType,
+ DvcAction,
+ TargetUsernameType,
+ ActorUsernameType,
+ User,
+ Dvc,
+ IpAddr
 };
 parser(disabled = disabled)
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaOSS.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaOSS.yaml
index ffa7591bc94..2f8dcc44028 100644
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaOSS.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaOSS.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM filtering parser for Okta
- Version: '0.3.0'
- LastUpdated: May 20, 2024
+ Version: '0.4.0'
+ LastUpdated: Jan 08, 2026
 Product:
 Name: Okta
 Normalization:
@@ -48,7 +48,7 @@ ParserParams:
 Type: bool
 Default: false
 ParserQuery: |
- let OktaSignin = (
+ let parser=(
 starttime: datetime=datetime(null),
 endtime: datetime=datetime(null),
 username_has_any: dynamic = dynamic([]),
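Review bot: The user-type normalization at `| extend TargetUserType = case(TargetUserType == "System Principal", "System", TargetUserType)` compares against a value spelled differently from the `"SystemPrincipal"` key the ASimAuthenticationOktaOSS.yaml hunk uses for the same Okta actor type, and it has no counterpart to that parser's `"User"` → `"Regular"` row, so `TargetUserType`/`ActorUserType` can come out as `User`, or as an unmatched `SystemPrincipal`, depending on what OktaV2_CL actually stores. I can't tell from the diff which spelling the ingested `ActorUserType` column carries; if it is Okta's raw `actor.type`, the comparison never matches. Covering both spellings and the regular-user case in one expression, e.g. `TargetUserType = case(TargetUserType in ("SystemPrincipal", "System Principal"), "System", TargetUserType == "User", "Regular", TargetUserType)`, keeps the two Okta parsers producing the same ASIM values for the same actor.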
@@ -58,124 +58,179 @@ ParserQuery: | eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', - disabled: bool=false) { + disabled: bool=false + ) { let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']); let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']); let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']); - let emptyOctV1Table = datatable(TimeGenerated: datetime)[]; - // https://developer.okta.com/docs/reference/api/event-types/#catalog - let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL - | where not(disabled) - // ************************************************************************* - // - // ************************************************************************* - | extend - outcome_result_s=column_ifexists('outcome_result_s', ""), - eventType_s=column_ifexists('eventType_s', ""), - legacyEventType_s=column_ifexists('legacyEventType_s', ""), - client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', ""), - client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', ""), - actor_alternateId_s = column_ifexists('actor_alternateId_s', ""), - client_ipAddress_s = column_ifexists('client_ipAddress_s', "") - | where - (isnull(starttime) or TimeGenerated >= starttime) - and (isnull(endtime) or TimeGenerated <= endtime) - and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any)) - and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source - and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix))) - and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source - // eventtype_in filtering done later in the parser - and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source - // 
eventresult filtering done later in the parser - // ************************************************************************* - // - // ************************************************************************* - | where eventType_s in (OktaSigninEvents) - | extend - EventProduct='Okta' - , - EventVendor='Okta' - , - EventSchema = 'Authentication' - , - EventCount=int(1) - , - EventSchemaVersion='0.1.0' - , - EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial') - , - EventStartTime=TimeGenerated - , - EventEndTime=TimeGenerated - , - EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff') - , - EventSubType=legacyEventType_s - , - EventMessage=column_ifexists('displayMessage_s', "") - , - EventOriginalResultDetails=column_ifexists('outcome_reason_s', "") - , - EventOriginalUid = column_ifexists('uuid_g', "") - , - TargetUserIdType='OktaId' - , - TargetUsernameType='UPN' - , - TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', "") - , - TargetUserId=column_ifexists('actor_id_s', "") - , - TargetUsername=column_ifexists('actor_alternateId_s', "") - , - TargetUserType=column_ifexists('actor_type_s', "") - , - SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d) - , - SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d) - , - SrcDvcOs=column_ifexists('client_userAgent_os_s', "") - , - SrcIsp=column_ifexists('securityContext_isp_s', "") - , - SrcGeoCity=column_ifexists('client_geographicalContext_city_s', "") - , - SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', "") - , - SrcIpAddr = column_ifexists('client_ipAddress_s', "") - , - ActingAppName=column_ifexists('client_userAgent_browser_s', "") - , - ActingAppType="Browser" - , - LogonMethod=column_ifexists('authenticationContext_credentialType_s', "") - , - HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', "") - // Filtering on 
'eventresult' and 'eventtype_in' - | where (eventresult == "*" or (EventResult == eventresult)) - and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in)) - // mapping ASimMatchingUsername - | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) - // ActorUsername not coming from source. Hence, not mapped. - | extend ASimMatchingUsername = case - ( - array_length(username_has_any) == 0, - "-", - temp_isMatchTargetUsername, - "TargetUsername", - "No match" - ) - // ** Aliases - | extend - User=TargetUsername - , - Dvc=EventVendor - , - IpAddr=SrcIpAddr - | project-away *_s, *_d, *_b, *_g, *_t; - OktaV1 + let OutcomeReasonLookup = datatable(outcome_reason_s: string, EventResultDetails: string) + [ + "LOCKED_OUT", "User locked", + "INVALID_CREDENTIALS", "Incorrect password", + "UNKNOWN_USER", "No such user", + "VERIFICATION_ERROR", "Incorrect key", + "SSO_AUTHENTICATION_FAILURE", "Logon violates policy", + "PASSWORD_EXPIRED", "Password expired", + "USER_ACCOUNT_EXPIRED", "Account expired", + "DEL_AUTH_TIMEOUT", "Session expired", + "PASSWORD_BASED_LOGIN_DISALLOWED", "Logon violates policy" + ]; + let SrcDeviceTypeLookup = datatable(client_device_s: string, SrcDeviceType: string) + [ + "Computer", "Computer", + "Mobile", "Mobile Device", + "Tablet", "Mobile Device" + ]; + let ActorUserTypeLookup = datatable(ActorOriginalUserType: string, ActorUserType: string) + [ + "User", "Regular", + "SystemPrincipal", "System" + ]; + let emptyOktaTable = datatable( + TimeGenerated: datetime, + outcome_result_s: string, + eventType_s: string, + legacyEventType_s: string, + client_geographicalContext_geolocation_lat_d: double, + client_geographicalContext_geolocation_lon_d: double, + displayMessage_s: string, + outcome_reason_s: string, + uuid_g: string, + actor_id_s: string, + actor_alternateId_s: string, + authenticationContext_externalSessionId_s: string, + actor_type_s: string, + client_userAgent_os_s: string, + securityContext_isp_s: string, 
+ client_geographicalContext_city_s: string, + client_geographicalContext_country_s: string, + client_ipAddress_s: string, + client_userAgent_browser_s: string, + authenticationContext_credentialType_s: string, + client_userAgent_rawUserAgent_s: string, + client_geographicalContext_state_s: string, + client_device_s: string + )[]; + let OktaTable = union isfuzzy=true emptyOktaTable, Okta_CL; + OktaTable + | where not(disabled) + | where + (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any)) + and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source + and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix))) + and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source + | extend EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial') + | where (eventresult == "*" or (EventResult == eventresult)) + | extend EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff') + | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in)) + | lookup OutcomeReasonLookup on outcome_reason_s + | extend EventResultDetails = iif(outcome_result_s in (OktaFailedOutcome), coalesce(EventResultDetails, "Other"), "") + | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) + | extend + Type = "Okta_CL", + EventProduct='Okta', + EventVendor='Okta', + EventSchema = 'Authentication', + EventCount=int(1), + EventSchemaVersion='0.1.3', + EventStartTime=TimeGenerated, + EventEndTime=TimeGenerated, + TargetUserIdType = "OktaId", + ActingAppType = "Browser" + | project-rename + EventOriginalSubType=legacyEventType_s, + EventMessage=displayMessage_s, + 
EventOriginalResultDetails=outcome_reason_s, + EventOriginalUid=uuid_g, + TargetUserId = actor_id_s, + TargetUsername = actor_alternateId_s, + TargetSessionId = authenticationContext_externalSessionId_s, + ActorOriginalUserType = actor_type_s, + SrcGeoLatitude = client_geographicalContext_geolocation_lat_d, + SrcGeoLongitude = client_geographicalContext_geolocation_lon_d, + SrcDvcOs = client_userAgent_os_s, + SrcIsp = securityContext_isp_s, + SrcGeoCity = client_geographicalContext_city_s, + SrcGeoCountry = client_geographicalContext_country_s, + SrcIpAddr = client_ipAddress_s, + ActingAppName = client_userAgent_browser_s, + LogonMethod = authenticationContext_credentialType_s, + HttpUserAgent = client_userAgent_rawUserAgent_s, + SrcGeoRegion = client_geographicalContext_state_s + | extend + ActorUserId = TargetUserId, + ActorUsername = TargetUsername, + ActorUserIdType = TargetUserIdType + | lookup ActorUserTypeLookup on ActorOriginalUserType + | extend + TargetUserType = ActorUserType, + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) + | lookup SrcDeviceTypeLookup on client_device_s + | extend SrcDeviceType = coalesce(SrcDeviceType, "Other") + // mapping ASimMatchingUsername + | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) + // ActorUsername not coming from source. Hence, not mapped. 
+ | extend ASimMatchingUsername = case + ( + array_length(username_has_any) == 0, + "-", + temp_isMatchTargetUsername, + "TargetUsername", + "No match" + ) + | extend + User=TargetUsername, + Dvc=EventVendor, + IpAddr=SrcIpAddr + | project + TimeGenerated, + Type, + EventResultDetails, + EventProduct, + EventVendor, + EventSchema, + EventCount, + EventSchemaVersion, + EventResult, + EventStartTime, + EventEndTime, + EventType, + EventOriginalSubType, + EventMessage, + EventOriginalResultDetails, + EventOriginalUid, + TargetUserIdType, + TargetUserId, + TargetUsername, + TargetSessionId, + ActorOriginalUserType, + SrcGeoLatitude, + SrcGeoLongitude, + SrcDvcOs, + SrcIsp, + SrcGeoCity, + SrcGeoCountry, + SrcIpAddr, + ActingAppType, + LogonMethod, + HttpUserAgent, + ActorUserId, + ActorUsername, + ActorUserIdType, + ActorUserType, + TargetUserType, + TargetUsernameType, + ActorUsernameType, + SrcDeviceType, + ASimMatchingUsername, + User, + Dvc, + IpAddr }; - OktaSignin ( + parser ( starttime=starttime, endtime=endtime, username_has_any=username_has_any, diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaV2.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaV2.yaml index d0c5099b3e0..5bd11d54788 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaV2.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationOktaV2.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM filtering parser for Okta - Version: '0.3.1' - LastUpdated: May 20, 2024 + Version: '0.4.0' + LastUpdated: Jan 08, 2026 Product: Name: Okta Normalization: @@ -48,7 +48,7 @@ ParserParams: Type: bool Default: false ParserQuery: | - let OktaSignin = ( + let parser=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), 
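Review bot: The rewritten Okta_CL pipeline no longer restricts itself to sign-in events: the removed `| where eventType_s in (OktaSigninEvents)` has no counterpart in the new query, `OktaSigninEvents` is now declared but never referenced, and the V2 parser in this same change keeps its `| where EventOriginalType in (OktaSigninEvents)`. As written, every Okta_CL record is emitted as an Authentication event, and because `EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')` has no third branch, any non-session event type present in the table will presumably surface as a Logoff with an EventResult derived from its outcome_result_s, which skews rules that count failed or successful logons per user or source IP. Add `| where eventType_s in (OktaSigninEvents)` directly after `| where not(disabled)`, ahead of the parameter filters. Separately, the retained comment `// ActorUsername not coming from source. Hence, not mapped.` is stale now that `ActorUsername = TargetUsername` is assigned a few lines earlier; either drop it or make ASimMatchingUsername report "Both" the way the V2 parser does.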
@@ -58,214 +58,155 @@ ParserQuery: | eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', - disabled: bool=false) { + disabled: bool=false + ) { let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']); let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']); let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']); - let emptyOctaV2Table = datatable( - TimeGenerated: datetime, - ActorDetailEntry: dynamic, - ActorDisplayName: string, - AuthenticationContext: string, - AuthenticationProvider: string, - AuthenticationStep: string, - AuthenticationContextAuthenticationProvider: string, - AuthenticationContextAuthenticationStep: int, - AuthenticationContextCredentialProvider: string, - AuthenticationContextInterface: string, - AuthenticationContextIssuerId: string, - AuthenticationContextIssuerType: string, - DebugData: dynamic, - DvcAction: string, - EventResult:string, - OriginalActorAlternateId: string, - OriginalClientDevice: string, - OriginalOutcomeResult: string, - OriginalSeverity: string, - OriginalTarget: dynamic, - OriginalUserId: string, - OriginalUserType: string, - Request: dynamic, - SecurityContextAsNumber: int, - SecurityContextAsOrg: string, - SecurityContextDomain: string, - SecurityContextIsProxy: bool, - TransactionDetail: dynamic, - TransactionId: string, - TransactionType: string - )[]; - // https://developer.okta.com/docs/reference/api/event-types/#catalog - let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL - | where not(disabled) - | extend - EventOriginalType=column_ifexists('EventOriginalType', "") - , - OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', "") - , - ActorUsername=column_ifexists('ActorUsername', "") - , - SrcIpAddr = column_ifexists('SrcIpAddr', "") - | where - (isnull(starttime) or TimeGenerated >= starttime) - and (isnull(endtime) or TimeGenerated <= endtime) - and ((array_length(username_has_any) == 0) or 
ActorUsername has_any (username_has_any)) - and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source - and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) - and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source - // eventtype_in filtering done later in the parser - and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source - // eventresult filtering done later in the parser - // ************************************************************************* - // - // ************************************************************************* - | where EventOriginalType in (OktaSigninEvents) - | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) - | extend - EventProduct='Okta' - , - EventSchema = 'Authentication' - , - EventVendor='Okta' - , - EventCount=int(1) - , - EventSchemaVersion='0.1.0' - , - EventStartTime=TimeGenerated - , - EventEndTime=TimeGenerated - , - EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') - , - TargetSessionId=column_ifexists('ActorSessionId', "") - , - TargetUserId= column_ifexists('ActorUserId', "") - , - TargetUsername=ActorUsername - , - TargetUserType=column_ifexists('ActorUserType', "") - , - TargetUserIdType=column_ifexists('ActorUserIdType', "") - , - TargetUsernameType=column_ifexists('ActorUsernameType', "") - //** extend non-normalized fields to be projected-away - , - // - ActorDetailEntry, - ActorDisplayName - , - AuthenticationContextAuthenticationProvider - , - AuthenticationContextAuthenticationStep, - AuthenticationContextCredentialProvider - , - AuthenticationContextInterface - , - AuthenticationContextIssuerId - , - AuthenticationContextIssuerType - , - DebugData, - DvcAction - , - OriginalActorAlternateId - , - OriginalClientDevice - , - OriginalOutcomeResult - , - OriginalSeverity - , - OriginalTarget, - OriginalUserId - , - 
OriginalUserType - , - Request, - SecurityContextAsNumber, - SecurityContextAsOrg - , - SecurityContextDomain - , - SecurityContextIsProxy - , - TransactionDetail, - TransactionId - , - TransactionType - // Filtering on 'eventresult' and 'eventtype_in' - | where (eventresult == "*" or (EventResult == eventresult)) - and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in)) - // mapping ASimMatchingUsername - | extend - temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) - , - temp_isMatchActorUsername=ActorUsername has_any(username_has_any) - | extend ASimMatchingUsername = case - ( - array_length(username_has_any) == 0, - "-", - temp_isMatchTargetUsername and temp_isMatchActorUsername, - "Both", - temp_isMatchTargetUsername, - "TargetUsername", - temp_isMatchActorUsername, - "ActorUsername", - "No match" - ) - // ** Aliases - | extend - User=TargetUsername - , - Dvc=EventVendor - , - IpAddr=SrcIpAddr - | project-away - ActorDetailEntry, - ActorDisplayName - , - AuthenticationContextAuthenticationProvider - , - AuthenticationContextAuthenticationStep, - AuthenticationContextCredentialProvider - , - AuthenticationContextInterface - , - AuthenticationContextIssuerId - , - AuthenticationContextIssuerType - , - DebugData, - DvcAction - , - OriginalActorAlternateId - , - OriginalClientDevice - , - OriginalOutcomeResult - , - OriginalSeverity - , - OriginalTarget, - OriginalUserId - , - OriginalUserType - , - Request, - SecurityContextAsNumber, - SecurityContextAsOrg - , - SecurityContextDomain - , - SecurityContextIsProxy - , - TransactionDetail, - TransactionId - , - TransactionType; - OktaV2 + let SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceType: string) + [ + "Computer", "Computer", + "Mobile", "Mobile Device", + "Tablet", "Mobile Device" + ]; + let OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string) + [ + "LOCKED_OUT", "User locked", + "INVALID_CREDENTIALS", 
"Incorrect password", + "UNKNOWN_USER", "No such user", + "VERIFICATION_ERROR", "Incorrect key", + "SSO_AUTHENTICATION_FAILURE", "Logon violates policy", + "PASSWORD_EXPIRED", "Password expired", + "USER_ACCOUNT_EXPIRED", "Account expired", + "DEL_AUTH_TIMEOUT", "Session expired", + "PASSWORD_BASED_LOGIN_DISALLOWED", "Logon violates policy" + ]; + OktaV2_CL + | where not(disabled) + | where EventOriginalType in (OktaSigninEvents) + | where + (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any)) + and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source + and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) + and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source + // Filtering on 'eventresult' and 'eventtype_in' + | extend + EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') + | where (eventresult == "*" or (EventResult == eventresult)) + and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in)) + // mapping ASimMatchingUsername + | extend + temp_isMatchTargetUsername=ActorUsername has_any(username_has_any) + , + temp_isMatchActorUsername=ActorUsername has_any(username_has_any) + | extend + ASimMatchingUsername = case( + array_length(username_has_any) == 0, + "-", + temp_isMatchTargetUsername and temp_isMatchActorUsername, + "Both", + temp_isMatchTargetUsername, + "TargetUsername", + temp_isMatchActorUsername, + "ActorUsername", + "No match" + ) + | lookup OutcomeReasonLookup on EventOriginalResultDetails + | extend EventResultDetails = iif(OriginalOutcomeResult in (OktaFailedOutcome), coalesce(EventResultDetails, "Other"), "") + // Filtering on eventresultdetails_in + | where (array_length(eventresultdetails_in) == 0) or EventResultDetails in~ (eventresultdetails_in) + | lookup 
SrcDeviceTypeLookup on OriginalClientDevice + | extend SrcDeviceType = coalesce(SrcDeviceType, "Other") + | extend + Type = "OktaV2_CL", + EventProduct = "Okta", + EventSchema = "Authentication", + EventVendor = "Okta", + EventCount = int(1), + EventSchemaVersion='0.1.3', + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff'), + SrcIpAddr, + ActorSessionId, + ActorUserId, + ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId), + ActorUserIdType = "OktaId", + EventResult = coalesce(EventResult, + case ( + OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success', + OriginalOutcomeResult in (OktaFailedOutcome), 'Failure', + 'Partial')), + SrcGeoRegion, + SrcGeoCity, + SrcGeoCountry, + SrcDvcOs, + SrcDvcId, + SrcDvcIdType, + DvcAction, + EventOriginalUid, + TargetSessionId = ActorSessionId, + TargetUserId = ActorUserId, + TargetUsername = ActorUsername, + TargetUserType = ActorUserType, + TargetUserIdType = ActorUserIdType + | extend TargetUserType = case( + TargetUserType == "System Principal", "System", + TargetUserType + ) + | extend + ActorUserType = TargetUserType, + TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) + // ** Aliases + | extend + User=TargetUsername, + Dvc=EventVendor, + IpAddr=SrcIpAddr + | project + TimeGenerated, + EventOriginalType, + EventOriginalResultDetails, + EventOriginalUid, + EventResultDetails, + SrcDeviceType, + Type, + EventProduct, + EventSchema, + EventVendor, + EventCount = int(1), + EventSchemaVersion='0.1.3', + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType, + TargetSessionId, + TargetUserId, + TargetUsername, + TargetUserType, + TargetUserIdType, + SrcIpAddr, + ActorSessionId, + ActorUserId, + ActorUsername, + ActorUserType, + ActorUserIdType, + EventResult, + SrcGeoRegion, + SrcGeoCity, + SrcGeoCountry, + SrcDvcOs, + SrcDvcId, + 
SrcDvcIdType,
+ DvcAction,
+ TargetUsernameType,
+ ActorUsernameType,
+ User,
+ Dvc,
+ IpAddr
};
- OktaSignin (
+ parser (
starttime=starttime,
endtime=endtime,
username_has_any=username_has_any,
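Review bot: The parameter filters in the new OktaV2_CL query run on the raw columns before the normalization the output is built from, so a filtered call and an unfiltered call disagree: `| where (eventresult == "*" or (EventResult == eventresult))` and the `ActorUsername has_any (username_has_any)` predicate are evaluated before `EventResult = coalesce(EventResult, case(...))` and `ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId)` are applied further down. A row whose result or username is only present in `OriginalOutcomeResult`/`OriginalActorAlternateId` is therefore dropped when a caller asks for `eventresult='Failure'` or a specific user, yet emitted (labelled Failure, with the coalesced username) when no filter is given — exactly the rows a failed-logon or targeted-user detection would rely on. Move the two coalesce extends up to immediately after `| where EventOriginalType in (OktaSigninEvents)`: `| extend ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId), EventResult = coalesce(EventResult, case(OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success', OriginalOutcomeResult in (OktaFailedOutcome), 'Failure', 'Partial'))` and drop the later duplicates. On style, `EventType`, `EventCount`, `EventSchemaVersion`, `EventStartTime` and `EventEndTime` are each assigned twice (in an `extend` and again inside the final `project`), and both `temp_isMatch*` flags are now computed from `ActorUsername`, so the "TargetUsername" and "ActorUsername" branches of the ASimMatchingUsername case are unreachable. The literal `"System Principal"` (with a space) also differs from the `"SystemPrincipal"` key in the OSS parser's ActorUserTypeLookup in this same change; worth confirming which spelling the OktaV2_CL table actually carries.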