okta (Deprecated)
This Integration is part of the Okta Pack.#
Deprecated
Use the Okta v2 integration instead.
Use the Okta integration to create, edit, and view user and group information on Okta.
This integration was integrated and tested with Okta v2018.12.
Use cases
- Unlock, activate, or deactivate users.
- Set passwords.
- Create and update users.
- Get information about users.
- Add, remove, or view user group members.
Prerequisites
Go to Okta documentation to create an API token to use on Cortex XSOAR.
Configure Okta on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for Okta.
-
Click
Add instance
to create and configure a new integration instance.
- Name : A textual name for the integration instance
- okta URL (https://<domain.okta.com>)
- API Token
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Unlock a user: okta-unlock-user
- Deactivate a user: okta-deactivate-user
- Activate a user: okta-activate-user
- Suspend a user: okta-suspend-user
- Reactivate a suspended user: okta-unsuspend-user
- Get enrolled factors for a user: okta-get-user-factors
- Create and verify a push factor for a user: okta-verify-push-factor
- Remove a factor from a user: okta-reset-factor
- Get all user groups associated with a specified user: okta-get-groups
- Create user without a recovery question: okta-set-password
- Search a specified term: okta-search
- Get a specified user: okta-get-user
- Create a new user: okta-create-user
- Update user details: okta-update-user
- Get failed logins: okta-get-failed-logins
- Get information about a user that has been added to a group: okta-get-group-assignments
- Get information about a user that was assigned to an application: okta-get-application-assignments
- Get information about a user who made an SSO attempt: okta-get-application-authentication
- Add a user to a group: okta-add-to-group
- Remove a user from a group: okta-remove-from-group
- Get logs: okta-get-logs
- Get a list of groups: okta-list-groups
- Get all members of a specified group: okta-get-group-members
1. Unlock a user
Unlocks a specified user.
Base Command
okta-unlock-user
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Okta username to unlock. | Required |
Context Output
There is no context output for this command.
Command Example
!okta-unlock-user username=test@this.com
Human Readable Output
Okta user unlocked
2. Deactivate a user
Deactivate a specified user.
Base Command
okta-deactivate-user
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Okta username to deactivate. | Required |
Context Output
There is no context output for this command.
Command Example
!okta-deactivate-user username=test@this.com
Human Readable Output
Okta user deactivated
War Room Output
3. Activate a user
Activate a specified user.
Base Command
okta-activate-user
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Okta username to activate | Required |
Context Output
There is no context output for this command.
Command Example
!okta-activate-user username=test@this.com
War Room Output
4. Suspend a user
Suspends a user. This operation can only be performed on users with an ACTIVE status. The user's status changes to SUSPENDED when the process is complete.
Base Command
okta-suspend-user
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Okta username of the user you want to change to SUSPEND status | Required |
Context Output
There is no context output for this command.
Command Example
!okta-suspend-user username="test@this.com"
Human Readable Output
5. Reactivate a suspended user
Returns a user to ACTIVE status. This operation can only be performed on users that have a SUSPENDED status.
Base Command
okta-unsuspend-user
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Okta username of the user you want to change to ACTIVE status | True |
Context Output
There is no context output for this command.
Command Example
!okta-unsuspend-user username="test@this.com"
Human Readable Output
6. Get enrolled factors for a user
Returns all the enrolled factors for the specified user.
Base Command
okta-get-user-factors
Input
| Argument Name | Description | Required |
|---|---|---|
| userId | User ID of the user in which to get enrolled factors. | Optional |
| username | Username of the user in which to get enrolled factors. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Account.ID | string | Okta account ID. |
| Account.Factor.ID | string | Okta account factor ID. |
| Account.Factor.FactorType | string | Okta account factor type. |
| Account.Factor.Provider | string | Okta account factor provider. |
| Account.Factor.Status | string | Okta account factor status. |
| Account.Factor.Profile | string | Okta account factor profile. |
Command Example
!okta-get-user-factors userId=00ugo6k55kHeoJMYC0h7
Context Example
{
"Account": {
"Factor": [
{
"FactorType": "push",
"ID": "opfi25ztilatndHD80h7",
"Profile": {
"credentialId": "test@domain.com",
"deviceType": "SmartPhone_Android",
"keys": [
{
"kid": "default",
"kty": "XYZ",
"use": "xyz",
"x5c": [
"ABCDEFG"
]
}
],
"name": "SMARTPHONE",
"platform": "ANDROID",
"version": "20"
},
"Provider": "OKTA",
"Status": "ACTIVE"
}
],
"ID": "00ugo6k55kHeoJMYC0h7"
}
}
Human Readable Output
7. Enroll and verify a push factor for a user
Enrolls and verifies a push factor for a specified user.
Base Command
<
okta-verify-push-factor
Input
| Argument Name | Description | Required |
|---|---|---|
| userId | The user ID of the user to verify. | True |
| factorId | The push factor ID. | True |
Context Output
| Path | Type | Description |
|---|---|---|
| Account.ID | string | Okta user ID. |
| Account.VerifyPushResult | string | Okta user push factor result. |
Command Example
!okta-verify-push-factor factorId=opfi25ztilatndHD80h7 userId=00ugo6k55kHeoJMYC0h7
Context Example
{
"Account": {
"ID": "00ugo6k55kHeoJMYC0h7",
"VerifyPushResult": "SUCCESS"
}
}
Human Readable Output
8. Remove a factor from a user
Removes an existing factor for the specified user, allowing the user to enroll a new factor.
Base Command
okta-reset-factor
Input
| Argument Name | Description | Required |
|---|---|---|
| userId | The user ID. | Optional |
| username | The user name. | Optional |
| factorId | The ID of the factor to reset. | Required |
Context Output
There is no context output for this command.
Command Example
!okta-reset-factor factorId=osti2xdcf0FwcR9x80h7 userId=00ugo6k55kHeoJMYC0h7
Human Readable Output
9. Get user groups associated with a specified user
Returns all user groups associated with a specified user.
Base Command
okta-get-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Okta username in which to get groups. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Account.Group | unknown | Okta group in which the account is associated. |
| Account.ID | string | Okta account ID. |
| Account.Type | string | Type of account, such as Okta. |
| Account.Group.ID | string | Unique key for group. |
| Account.Group.Created | date | Timestamp when group was created. |
| Account.Group.ObjectClass | string | Determines the group profile. |
| Account.Group.LastUpdated | date | Timestamp when group profile was last updated. |
| Account.Group.LastMembershipUpdated | date | Timestamp when group memberships were last updated. |
| Account.Group.Type | string | Determines how a group profile and memberships are managed. |
| Account.Group.Name | string | Name of the group. |
| Account.Group.Description | string | Description of the group. |
Command Example
!okta-get-groups username=test@this.com
Context Example
{
"Account": {
"Group": [
{
"Created": "2016-04-12T15:01:50.000Z",
"Description": "All users in your organization",
"ID": "00g66lckcsAJpLcNc0h7",
"LastMembershipUpdated": "2018-07-30T19:56:59.000Z",
"LastUpdated": "2016-04-12T15:01:50.000Z",
"Name": "Everyone",
"ObjectClass": [
"okta:user_group"
],
"Type": "BUILT_IN"
},
{
"Created": "2016-10-25T14:52:38.000Z",
"Description": null,
"ID": "00g8mo0l5wuTxmoIC0h7",
"LastMembershipUpdated": "2018-07-31T09:30:33.000Z",
"LastUpdated": "2016-10-25T14:52:38.000Z",
"Name": "test1",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
],
"ID": "00ued6gq9jItNhAsN0h7",
"Type": "Okta"
}
}
War Room Output
10. Create a user without a recovery question
Creates a user without a recovery question-and-answer requirement.
Base Command
okta-set-password
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Okta username in whcih to change the password. | Required |
| password | The new password to set for the user. | Required |
Context Output
There is no context output for this command.
Command Example
!okta-set-password username=test@this.com password=newpassword
Human Readable Output
Okta user password set
11. Search a specified term
Returns details of users that match the found term.
Base Command
okta-search
Input
| Argument Name | Description | Required |
|---|---|---|
| term | The term to search for. Can be first name, last name, or email. | Required |
| limit | Maximum number of results to return (default 200). | Optional |
| verbose | Whether to list all details of users that match search term. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Account.ID | string | Okta account IDs returned by search. |
| Account.Username | string | Okta account usernames returned by search. |
| Account.Email | string | Okta account emails returned by search. |
| Accout.DisplayName | string | Okta account display names returned by search. |
| Account.Type | string | Account type returned by search, such as Okta. |
Command Example
!okta-search term=test@this.com
Context Example
{
"Account": [
{
"DisplayName": "test this",
"Email": "test@this.com",
"ID": "00ued6gq9jItNhAsN0h7",
"Type": "Okta",
"Username": "test@this.com",
"id": "00ued6gq9jItNhAsN0h7"
}
]
}
War Room Output
12. Get a specified user
Fetches information for a specified user. You must enter one or more parameters for the command to run.
Base Command
okta-get-user
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Username in which to return information. Usernames must not contain a forward slash ('/'). | Optional |
| userid | User ID of the requested user in which to return information. | Optional |
| verbose | Whether to return all details of the user. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Account.ID | string | Okta account ID. |
| Account.Email | string | Okta account email. |
| Account.Username | string | Okta account username. |
| Account.DisplayName | string | Okta account display name. |
| Account.Type | string | Type of account, such as Okta. |
Command Example
!okta-get-user username=test@this.com verbose=true
Context Example
{
"Account": [
{
"DisplayName": "test this",
"Email": "test@this.com",
"ID": "00ued6gq9jItNhAsN0h7",
"Type": "Okta",
"Username": "test@this.com",
"id": "00ued6gq9jItNhAsN0h7"
}
]
}
War Room Output
13. Create a new user
Creates a new user with the option to set a password, and recovery question and answer. This flow is common when developing a custom user registration experience.
Base Command
okta-create-user
Input
| Argument Name | Description | Required |
|---|---|---|
| firstName | First name of the user (givenName). | Required |
| lastName | Family name of the user (familyName). | Required |
| Primary email address of the user. | Required | |
| login | Unique identifier for the user (username). | Required |
| secondEmail | Secondary email address of the user. Usually for account recovery. | Optional |
| middleName | Middle name(s) of the user. | Optional |
| honorificPrefix | Honorific prefix(es) of the user, or title in most Western languages. | Optional |
| honorificSuffix | Honorific suffix(es) of the user. | Optional |
| title | User title. For example, Vice President. | Optional |
| displayName | Name of the user, suitable for display to end users. | Optional |
| nickName | Casual way to address the user. | Optional |
| profileUrl |
URL of user online profile. For example, a web page. |
Optional |
| primaryPhone |
Primary phone number of the user. |
Optional |
| mobilePhone | Mobile phone number of the user. | Optional |
| streetAddress | Full street address component of the user address. | Optional |
| city | City or locality component of the user address (locality). | Optional |
| state | State or region component of the user address (region). | Optional |
| zipCode | Zipcode or postal code component of the user address (postalCode). | Optional |
| countryCode | Country name component of the user address (country). | Optional |
| postalAddress | Mailing address component of the user address. | Optional |
| preferredLanguage | User preferred written or spoken language. | Optional |
| locale | User default location for localizing items such as currency, date time format, numerical representations, and so on. | Optional |
| timezone | User time zone. | Optional |
| userType | Identify the organization's relationship with the user such as Employee or Contractor. | Optional |
| employeeNumber | Organization or company assigned unique identifier for the user. | Optional |
| costCenter | Name of the cost center in which the user is assigned. | Optional |
| organization | The organization in which the user belongs. | Optional |
| division | The division in which the user belongs. | Optional |
| department | The Department in which the user belongs. | Optional |
| managerId | ID of the user’s manager. | Optional |
| manager | DisplayName of the user’s manager. | Optional |
| password | Password for the new user. | Optional |
| passwordQuestion | Password question for the new user. | Optional |
| passwordAnswer | Password answer for the specified question. | Optional |
| providerType |
Type of provider. Valid providerType s are:
|
Optional |
| providerName | Name of provider. | Optional |
| groupIds | IDs of groups that user is immediately added to at the time of creation (Do not include default group). | Optional |
| activate | Activates the lifecycle operation when creating the user. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Account.ID | string | Created Okta account ID. |
| Account.Email | string | Created Okta account email. |
| Account.Username | string | Created Okta account username. |
| Account.DisplayName | string | Created Okta account display name. |
| Account.Type | string | Type of account that was created, such as Okta. |
Command Example
!okta-create-user email=test@that.com firstName=test lastName=that login=test@that.com
Context Example
{
"Account": [
{
"DisplayName": "test that",
"Email": "test@that.com",
"ID": "00ufufhqits3y78Ju0h7",
"Type": "Okta",
"Username": "test@that.com",
"id": "00ufufhqits3y78Ju0h7"
}
]
}
War Room Output
14. Update user details
Updates account details for a specified user. The only required parameter is username.
Base Command
okta-update-user
Input
| Argument Name | Description | Required |
|---|---|---|
| username | Unique identifier for the user (login). | Required |
| firstName | First name of the user (givenName). | Optional |
| lastName | Family name of the user (familyName). | Optional |
| Primary email address of the user. | Optional | |
| secondEmail | Secondary email address of user typically used for account recovery. | Optional |
| middleName | Middle name of the user. Supports multiple middle names. | Optional |
| honorificPrefix | Honorific prefix of the user, or title in most Western languages. Supports multiple input. | Optional |
| honorificSuffix | Honorific suffix of the user. Supports multiple input. | Optional |
| title | The user’s title (for example, Vice President) | Optional |
| displayName | Name of the user, suitable for display to end users. | Optional |
| nickName | Casual way to address the user. | Optional |
| profileUrl | URL of user’s online profile (for example, a web page). | Optional |
| primaryPhone | Primary phone number of user. | Optional |
| mobilePhone | Mobile phone number of user. | Optional |
| streetAddress | Full street address component of user. | Optional |
| city | City or locality component of user’s address (locality). | Optional |
| state | State or region component of user’s address (region). | Optional |
| zipCode | Zipcode or postal code component of user’s address (postalCode). | Optional |
| countryCode | Country name component of user’s address (country). | Optional |
| postalAddress | Mailing address of the user. | Optional |
| preferredLanguage | User’s preferred written or spoken languages. | Optional |
| locale | User’s default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. | Optional |
| timezone | User’s time zone. | Optional |
| userType | Used to identify the organization to user relationship such as E mployee or Contractor. | Optional |
| employeeNumber | Organization or company assigned unique identifier for the user. | Optional |
| costCenter | Name of a cost center assigned to the user. | Optional |
| organization | The organization the user belongs to. | Optional |
| division | The division the user belongs to. | Optional |
| department | The department that the user belongs to. | Optional |
| managerId | ID of a user’s manager. | Optional |
| manager | DisplayName of the user’s manager. | Optional |
| password | Password for the new user. | Optional |
| passwordQuestion | Password question for new user. | Optional |
| passwordAnswer | Password answer for the specified question. | Optional |
| providerType |
Valid providerType s are:
|
Optional |
| providerName | Name of provider. | Optional |
Context Output
There is no context output for this command.
Command Example
!okta-update-user username=test@that.com displayName=alsotest
War Room Output
15. Get failed logins
Returns event details of Okta issued sessions for user authentication for user failed logins.
Base Command
okta-get-failed-logins
Input
| Argument Name | Description | More Information | Required |
|---|---|---|---|
| since |
The start date of the search range in the Internet Date/Time. |
Format profile: ISO 8601 Example: 2017-05-03T16:22:18Z |
Optional |
| until | The end date of the search range in the Internet Date/Time. |
Format profile: ISO 8601 Example: 2017-05-03T16:22:18Z |
Optional |
| sortOrder | The order of the returned events. | default is ASCENDING | Optional |
| limit | Sets the number of results returned in the response. | Default is 100 | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Okta.Logs.Events.actor.alternateId | string | Alternative ID of the actor. |
| Okta.Logs.Events.actor.displayName | string | Display name of actor. |
| Okta.Logs.Events.actor.id | string | ID of the actor. |
| Okta.Logs.Events.client.userAgent.rawUserAgent | string | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
| Okta.Logs.Events.client.userAgent.os | string | The Operating System on which the client runs. For example, Microsoft Windows 10). |
| Okta.Logs.Events.client.userAgent.browser | string | Identifies the web browser type. For example, Chrome. |
| Okta.Logs.Events.client.device | string | Type of device that the client operated from (for example, Computer). |
| Okta.Logs.Events.client.id | string |
For OAuth requests:ID of the requesting OAuth client. For SSWS token requests: ID of the requesting agent. |
| Okta.Logs.Events.client.ipAddress | string | IP address in which the client made the request. |
| Okta.Logs.Events.client.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available. For example, Seattle, San Francisco. |
| Okta.Logs.Events.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates. For example, Montana, Incheon. |
| Okta.Logs.Events.client.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates. For example, France, Uganda. |
| Okta.Logs.Events.displayMessage | string | The display message for an event. |
| Okta.Logs.Events.eventType | string | Type of event that was published. |
| Okta.Logs.Events.outcome.result | string |
Result of the action:
|
| Okta.Logs.Events.outcome.reason | string | Reason for the result. For example, INVALID_CREDENTIALS. |
| Okta.Logs.Events.published | string | Timestamp when event was published. |
| Okta.Logs.Events.severity | string |
Indicates how severe the event is:
|
| Okta.Logs.Events.securityContext.asNumber | number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.asOrg | string | Organization associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.isp | string | Internet service provider used to sent the event request. |
| Okta.Logs.Events.securityContext.domain | string | The domain name associated with the IP address of the inbound event request. |
| Okta.Logs.Events.securityContext.isProxy | string | Specifies whether an event’s request is from a known proxy. |
| Okta.Logs.Events.request.ipChain.IP | string | IP address. |
| Okta.Logs.Events.request.ipChain.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.request.ipChain.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.request.ipChain.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for examplem France, Uganda). |
| Okta.Logs.Events.request.ipChain.source | string | Details regarding the source. |
| Okta.Logs.Events.target.id | string | ID of a target. |
| Okta.Logs.Events.target.type | string | Type of a target. |
| Okta.Logs.Events.target.alternateId | string | Alternative ID of a target. |
| Okta.Logs.Events.target.displayName | string | Display name of a target. |
Command Example
!okta-get-failed-logins limit=1 since=2018-07-30T16:22:18Z
Context Example
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "test@this.com",
"detailEntry": null,
"displayName": "test1",
"id": "00ued6gq9jItNhAsN0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "unknown",
"interface": null,
"issuer": null
},
"client": {
"device": "Computer",
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0667,
"lon": 34.7667
},
"postalCode": null,
"state": "Tel Aviv"
},
"id": null,
"ipAddress": "1.2.3.4",
"userAgent": {
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestUri": "/api/v1/authn"
}
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_failed",
"outcome": {
"reason": "GENERAL_NONSUCCESS",
"result": "FAILURE"
},
"published": "2018-07-31T12:55:59.231Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0667,
"lon": 34.7667
},
"postalCode": null,
"state": "Tel Aviv"
},
"ip": "1.2.3.4",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "WARN",
"target": null,
"transaction": {
"detail": {},
"id": "W2BcX2qHbXMeIQ9PwrRMgQAABKY",
"type": "WEB"
},
"uuid": "ff9cb6c1-e8a0-474f-8d0e-56e45bb0f9d6",
"version": "0"
}
}
}
}
War Room Output
16. Get information about a user that was added to a group
Returns event details for when a user is added to a group.
Base Command
okta-get-group-assignments
Input
| Argument Name | Description | More Information | Required |
|---|---|---|---|
| since |
The start date of the search range in the Internet Date/Time |
Format profile:ISO 8601. For example: 2017-05-03T16:22:18Z. |
Optional |
| until | The end date of the search range in the Internet Date/Time |
Format profile:ISO 8601. For example: 2017-05-03T16:22:18Z. |
Optional |
| sortOrder | The order of the returned events | Default is ASCENDING. | Optional |
| limit | Sets the number of results returned in the response | Default is 100. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Okta.Logs.Events.actor.alternateId | string | Alternative ID of the actor. |
| Okta.Logs.Events.actor.displayName | string | Display name of the actor. |
| Okta.Logs.Events.actor.id | string | ID of the actor. |
| Okta.Logs.Events.client.userAgent.rawUserAgent | string | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
| Okta.Logs.Events.client.userAgent.os | string | The Operating System the client runs on (for example, Windows 10). |
| Okta.Logs.Events.client.userAgent.browser | string | If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX). |
| Okta.Logs.Events.client.device | string | Type of device that the client operated from (for example, Computer). |
| Okta.Logs.Events.client.id | string |
For OAuth requests this is the ID of the requesting OAuth client. For SSWS token requests, this is the ID of the requesting agent. |
| Okta.Logs.Events.client.ipAddress | string | IP address that the client made the request from. |
| Okta.Logs.Events.client.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.client.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.displayMessage | string | The display message for an event. |
| Okta.Logs.Events.eventType | string | The type of event that was published. |
| Okta.Logs.Events.outcome.result | string |
Result of the action:
|
| Okta.Logs.Events.outcome.reason | string | Reason for the result (for example, INVALID_CREDENTIALS) |
| Okta.Logs.Events.published | string | Timestamp when event was published. |
| Okta.Logs.Events.severity | string |
Indicates how severe the event is:
|
| Okta.Logs.Events.securityContext.asNumber | number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.asOrg | string | Organization associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.isp | string | Internet service provider used to sent the event’s request. |
| Okta.Logs.Events.securityContext.domain | string | The domain name associated with the IP address of the inbound event request. |
| Okta.Logs.Events.securityContext.isProxy | string | Specifies whether an event’s request is from a known proxy. |
| Okta.Logs.Events.request.ipChain.IP | string | IP address. |
| Okta.Logs.Events.request.ipChain.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.request.ipChain.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.request.ipChain.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.request.ipChain.source | string | Details regarding the source. |
| Okta.Logs.Events.target.id | string | Target ID. |
| Okta.Logs.Events.target.type | string | Target type. |
| Okta.Logs.Events.target.alternateId | string | Alternative ID of target. |
| Okta.Logs.Events.target.displayName | string | Display name of the target. |
Command Example
!okta-get-group-assignments limit=1 since=2018-07-30T16:22:18Z
Context Example
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "actor@org.com",
"detailEntry": null,
"displayName": "the actor",
"id": "00u66lckd7lpjidYi0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "trsd7PuSH7sSDS_UIfWdOsPPg",
"interface": null,
"issuer": null
},
"client": {
"device": "Unknown",
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8696,
"lon": -119.688
},
"postalCode": "97818",
"state": "Oregon"
},
"id": null,
"ipAddress": "54.190.157.130",
"userAgent": {
"browser": "UNKNOWN",
"os": "Unknown",
"rawUserAgent": "Go-http-client/1.1"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestUri": "/api/v1/groups/00g8mo0l5wuTxmoIC0h7/users/00ued6gq9jItNhAsN0h7"
}
},
"displayMessage": "Add user to group membership",
"eventType": "group.user_membership.add",
"legacyEventType": "core.user_group_member.user_add",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2018-07-30T16:25:02.936Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8696,
"lon": -119.688
},
"postalCode": "97818",
"state": "Oregon"
},
"ip": "1.2.3.4",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": [
{
"alternateId": "test@this.com",
"detailEntry": null,
"displayName": "test this",
"id": "00ued6gq9jItNhAsN0h7",
"type": "User"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "test1",
"id": "00g8mo0l5wuTxmoIC0h7",
"type": "UserGroup"
}
],
"transaction": {
"detail": {},
"id": "W1873sDkmmCcshePrev2GQAAAws",
"type": "WEB"
},
"uuid": "db8e9dda-62d2-458c-a311-9e18eec59c8e",
"version": "0"
}
}
}
}
War Room Output
17. Get information about a user that was assigned to an application
Returns event details for when a user is assigned to an application.
Base Command
okta-get-application-assignments
Input
| Argument Name | Description | More Information | Required |
|---|---|---|---|
| since |
The start date of the search range in the Internet Date/Time |
Format profile: ISO 8601 For example: 2017-05-03T16:22:18Z. |
Optional |
| until | The end date of the search range in the Internet Date/Time |
Format profile: ISO 8601 For example: 2017-05-03T16:22:18Z. |
Optional |
| sortOrder | The order of the returned event | Default is ASCENDING. | Optional |
| limit | Sets the number of results returned in the response | Default is 100. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Okta.Logs.Events.actor.alternateId | string | Alternative ID of actor. |
| Okta.Logs.Events.actor.displayName | string | Display name of actor. |
| Okta.Logs.Events.actor.id | string | ID of actor. |
| Okta.Logs.Events.client.userAgent.rawUserAgent | string | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
| Okta.Logs.Events.client.userAgent.os | string | The Operating System the client runs on (for example, Windows 10). |
| Okta.Logs.Events.client.userAgent.browser | string | If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX). |
| Okta.Logs.Events.client.device | string | The type of device that the client operated from (for example, Computer). |
| Okta.Logs.Events.client.id | string |
For OAuth requests this is the ID of the requesting OAuth client. For SSWS token requests, this is the ID of the requesting agent. |
| Okta.Logs.Events.client.ipAddress | string | IP address that the client made the request from. |
| Okta.Logs.Events.client.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco) |
| Okta.Logs.Events.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.client.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.displayMessage | string | The display message for an event. |
| Okta.Logs.Events.eventType | string | The type of event that was published. |
| Okta.Logs.Events.outcome.result | string |
Result of the action:
|
| Okta.Logs.Events.outcome.reason | string | Reason for the result (for example, INVALID_CREDENTIALS). |
| Okta.Logs.Events.published | string | Timestamp when the event was published. |
| Okta.Logs.Events.severity | string |
Indicates how severe the event is:
|
| Okta.Logs.Events.securityContext.asNumber | number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.asOrg | string | Organization associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.isp | string | Internet service provider used to sent the event’s request. |
| Okta.Logs.Events.securityContext.domain | string | The domain name associated with the IP address of the inbound event request. |
| Okta.Logs.Events.securityContext.isProxy | string | Specifies whether an event’s request is from a known proxy. |
| Okta.Logs.Events.request.ipChain.IP | string | IP address. |
| Okta.Logs.Events.request.ipChain.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.request.ipChain.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.request.ipChain.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.request.ipChain.source | string | Details regarding the source. |
| Okta.Logs.Events.target.id | string | Target ID. |
| Okta.Logs.Events.target.type | string | Target type. |
| Okta.Logs.Events.target.alternateId | string | Alternative target ID. |
| Okta.Logs.Events.target.displayName | string | Display name of the target. |
Command Example
!okta-get-application-assignments limit=1 since=2018-07-31T08:22:18Z
Context Example
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "actor@org.com",
"detailEntry": null,
"displayName": "the actor",
"id": "00u66lckd7lpjidYi0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "trsTLYkoNfDSRGgbq9SzBnY-Q",
"interface": null,
"issuer": null
},
"client": {
"device": "Unknown",
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0667,
"lon": 34.7667
},
"postalCode": null,
"state": "Tel Aviv"
},
"id": null,
"ipAddress": "1.2.3.4",
"userAgent": {
"browser": "UNKNOWN",
"os": "Unknown",
"rawUserAgent": "Go-http-client/1.1"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestUri": "/api/v1/users/00ued6gq9jItNhAsN0h7/lifecycle/activate"
}
},
"displayMessage": "Add user to application membership",
"eventType": "application.user_membership.add",
"legacyEventType": "app.generic.provision.assign_user_to_app",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2018-07-31T12:02:31.078Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0667,
"lon": 34.7667
},
"postalCode": null,
"state": "Tel Aviv"
},
"ip": "1.2.3.4",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": [
{
"alternateId": "test@this.com",
"detailEntry": null,
"displayName": "test1",
"id": "0uafuf6i7ardNkj7X0h7",
"type": "AppUser"
},
{
"alternateId": "org",
"detailEntry": null,
"displayName": "org",
"id": "0oabfkvxe1npBRdow0h7",
"type": "AppInstance"
},
{
"alternateId": "test@this.com",
"detailEntry": null,
"displayName": "test1",
"id": "00ued6gq9jItNhAsN0h7",
"type": "User"
}
],
"transaction": {
"detail": {},
"id": "W2BP1iZAuMuRo8nEWoBn5QAABgw",
"type": "WEB"
},
"uuid": "eef74c84-4e91-45b8-be35-51d3953ad2ac",
"version": "0"
}
}
}
}
War Room Output
18. Get information about a user who made an SSO attempt
Returns event details for when a user attempts to sign on using SSO to an application managed in Okta.
Base Command
okta-get-application-authentication
Input
| Argument Name | Description | More Information | Required |
|---|---|---|---|
| since |
The start date of the search range in the Internet Date/Time |
Format profile: ISO 8601 For example: 2017-05-03T16:22:18Z. |
Optional |
| until | The end date of the search range in the Internet Date/Time |
Format profile: ISO 8601 For example: 2017-05-03T16:22:18Z. |
Optional |
| sortOrder | The order of the returned event | Default is ASCENDING. | Optional |
| limit | Sets the number of results returned in the response | Default is 100. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Okta.Logs.Events.actor.alternateId | string | Alternative ID of actor. |
| Okta.Logs.Events.actor.displayName | string | Display name of actor. |
| Okta.Logs.Events.actor.id | string | Actor ID. |
| Okta.Logs.Events.client.userAgent.rawUserAgent | string | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
| Okta.Logs.Events.client.userAgent.os | string | The Operating System the client runs on (for example, Windows 10). |
| Okta.Logs.Events.client.userAgent.browser | string | If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX). |
| Okta.Logs.Events.client.device | string | The type of device that the client operated from (for example, Computer). |
| Okta.Logs.Events.client.id | string |
For OAuth requests this is the ID of the requesting OAuth client. For SSWS token requests, this is the ID of the requesting agent. |
| Okta.Logs.Events.client.ipAddress | string | IP address that the client made the request from. |
| Okta.Logs.Events.client.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.client.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.displayMessage | string | The display message for an event. |
| Okta.Logs.Events.eventType | string | The type of event that was published. |
| Okta.Logs.Events.outcome.result | string |
Result of the action:
|
| Okta.Logs.Events.outcome.reason | string | Reason for the result (for example, INVALID_CREDENTIALS). |
| Okta.Logs.Events.published | string | Timestamp when event was published. |
| Okta.Logs.Events.severity | string |
Indicates how severe the event is:
|
| Okta.Logs.Events.securityContext.asNumber | number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.asOrg | string | Organization associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.isp | string | Internet service provider used to sent the event’s request. |
| Okta.Logs.Events.securityContext.domain | string | The domain name associated with the IP address of the inbound event request. |
| Okta.Logs.Events.securityContext.isProxy | string | Specifies whether an event’s request is from a known proxy |
| Okta.Logs.Events.request.ipChain.IP | string | IP address. |
| Okta.Logs.Events.request.ipChain.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.request.ipChain.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.request.ipChain.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.request.ipChain.source | string | Details regarding the source. |
| Okta.Logs.Events.target.id | string | Target ID. |
| Okta.Logs.Events.target.type | string | Target type. |
| Okta.Logs.Events.target.alternateId | string | Alternative target ID. |
| Okta.Logs.Events.target.displayName | string | Display name of the target. |
Command Example
!okta-get-application-authentication limit=1
Context Example
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "actor@org.com",
"detailEntry": null,
"displayName": "the actor",
"id": "00u66lckd7lpjidYi0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "102Mir-8MMcRSyiM0JUWgA3Xg",
"interface": null,
"issuer": null
},
"client": {
"device": "Computer",
"geographicalContext": {
"city": "Cupertino",
"country": "United States",
"geolocation": {
"lat": 37.3042,
"lon": -122.0946
},
"postalCode": "95014",
"state": "California"
},
"id": null,
"ipAddress": "1.2.3.4",
"userAgent": {
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"initiationType": "IDP_INITIATED",
"requestUri": "/app/demistodev725178_examplesamlapplication_1/exk66lba7vkLRUBQj0h7/sso/saml",
"signOnMode": "SAML 2.0"
}
},
"displayMessage": "User single sign on to app",
"eventType": "user.authentication.sso",
"legacyEventType": "app.auth.sso",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2018-07-24T20:16:30.670Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Cupertino",
"country": "United States",
"geolocation": {
"lat": 37.3042,
"lon": -122.0946
},
"postalCode": "95014",
"state": "California"
},
"ip": "1.2.3.4",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": [
{
"alternateId": "Application",
"detailEntry": {
"signOnModeType": "SAML_2_0"
},
"displayName": "Application",
"id": "0oa66lba7w3Ns1ril0h7",
"type": "AppInstance"
},
{
"alternateId": "target@org.com",
"detailEntry": null,
"displayName": "the target",
"id": "0ua66lsm6uLy0L8aZ0h7",
"type": "AppUser"
}
],
"transaction": {
"detail": {},
"id": "W1eJHiPpdkHoLVc0yU04WwAAB20",
"type": "WEB"
},
"uuid": "0ef202af-0bc5-4fa9-a972-4aeedcb68428",
"version": "0"
}
}
}
}
War Room Output
19. Add a user to a group
Adds a user to a group with the OKTA_GROUP type.
Base Command
okta-add-to-group
Input
| Argument Name | Description | Required |
|---|---|---|
| userId | ID of the user to add | Optional |
| groupId | ID of the group to add the user to | Optional |
| username | Name of the user to add | Optional |
| groupName | Name of the group to add the user to | Optional |
Context Output
There is no context output for this command.
Command Example
!okta-add-to-group username=test@this.com groupName=test1
War Room Output
20 Remove a user from a group
Removes a user from a group with the OKTA_GROUP type.
Base Command
okta-remove-from-group
Input
| Argument Name | Description | Required |
|---|---|---|
| userId | ID of the user to remove | Optional |
| groupId | ID of the group to remove the user from | Optional |
| username | Name of the user to add | Optional |
| groupName | Name of the group to add the user to | Optional |
Context Output
There is no context output for this command.
Command Example
!okta-remove-from-group username=test@this.com groupName=test1
War Room Output
21. Get logs
Returns logs using specified filters.
Base Command
okta-get-logs
Input
| Argument Name | Description | More Information | Required |
|---|---|---|---|
| filter |
Useful for performing structured queries where constraints on LogEvent attribute values can be explicitly targeted. For more information about filtering, visit Okta Support on Filtering |
These Okta parameters are supported on Cortex XSOAR:
|
Optional |
| query |
Can be used to perform keyword matching against a LogEvents object’s attribute values. In order to satisfy the constraint, all supplied keywords must be matched exactly. Matching is case-insensitive. |
Examples of common keyword filtering:
|
Optional |
| since | The start date of the search range in the Internet Date/Time |
Format profile: ISO 8601 For example: 2017-05-03T16:22:18Z |
Optional |
| until | The end date of the search range in the Internet Date/Time |
Format profile: ISO 8601 For example: 2017-05-03T16:22:18Z |
Optional |
| sortOrder | The order of the returned events | Default is ASCENDING | Optional |
| limit | Sets the number of results returned in the response | Default is 100 | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Okta.Logs.Events.actor.alternateId | string | Alternative actor ID. |
| Okta.Logs.Events.actor.displayName | string | Display name of actor. |
| Okta.Logs.Events.actor.id | string | Actor ID. |
| Okta.Logs.Events.client.userAgent.rawUserAgent | string | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
| Okta.Logs.Events.client.userAgent.os | string | The Operating System the client runs on (for example, Windows 10). |
| Okta.Logs.Events.client.userAgent.browser | string | If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX). |
| Okta.Logs.Events.client.device | string | The type of device that the client operated from (for example, Computer). |
| Okta.Logs.Events.client.id | string |
For OAuth requests this is the ID of the requesting OAuth client. For SSWS token requests, this is the ID of the requesting agent. |
| Okta.Logs.Events.client.ipAddress | string | IP address that the client made the request from. |
| Okta.Logs.Events.client.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.client.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.displayMessage | string | The display message for an event. |
| Okta.Logs.Events.eventType | string | Type of event that was published. |
| Okta.Logs.Events.outcome.result | string |
Result of the action:
|
| Okta.Logs.Events.outcome.reason | string | Reason for the result (for example, INVALID_CREDENTIALS). |
| Okta.Logs.Events.published | string | Timestamp when event was published. |
| Okta.Logs.Events.severity | string |
Indicates how severe the event is:
|
| Okta.Logs.Events.securityContext.asNumber | number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.asOrg | string | Organization associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.isp | string | Internet service provider used to sent the event’s request. |
| Okta.Logs.Events.securityContext.domain | string | The domain name associated with the IP address of the inbound event request. |
| Okta.Logs.Events.securityContext.isProxy | string | Specifies whether an event’s request is from a known proxy. |
| Okta.Logs.Events.request.ipChain.IP | string | IP address. |
| Okta.Logs.Events.request.ipChain.geographicalContext.city | string | The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco). |
| Okta.Logs.Events.request.ipChain.geographicalContext.state | string | Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon). |
| Okta.Logs.Events.request.ipChain.geographicalContext.country | string | Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda). |
| Okta.Logs.Events.request.ipChain.source | string | Details regarding the source. |
| Okta.Logs.Events.target.id | string | Target ID. |
| Okta.Logs.Events.target.type | string | Type of Target. |
| Okta.Logs.Events.target.alternateId | string | Alternative target ID. |
| Okta.Logs.Events.target.displayName | string | Display name of the target. |
Command Example
!okta-get-logs filter="eventType eq \"user.session.start\"" until=2018-07-30T16:22:18Z
Context Example
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "test@this.com",
"detailEntry": null,
"displayName": "test1",
"id": "00ued6gq9jItNhAsN0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "unknown",
"interface": null,
"issuer": null
},
"client": {
"device": "Computer",
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0667,
"lon": 34.7667
},
"postalCode": null,
"state": "Tel Aviv"
},
"id": null,
"ipAddress": "1.2.3.4",
"userAgent": {
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestUri": "/api/v1/authn"
}
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_failed",
"outcome": {
"reason": "GENERAL_NONSUCCESS",
"result": "FAILURE"
},
"published": "2018-07-31T12:55:59.231Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0667,
"lon": 34.7667
},
"postalCode": null,
"state": "Tel Aviv"
},
"ip": "1.2.3.4",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "WARN",
"target": null,
"transaction": {
"detail": {},
"id": "W2BcX2qHbXMeIQ9PwrRMgQAABKY",
"type": "WEB"
},
"uuid": "ff9cb6c1-e8a0-474f-8d0e-56e45bb0f9d6",
"version": "0"
}
}
}
}
War Room Output
22. Get a list of groups
Enumerates groups in your organization. A subset of groups can be returned that match a supported filter expression or query.
Base Command
okta-list-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| query | Searches the name property of groups for matching value. | Optional |
| filter |
Useful for performing structured queries where constraints on group attribute values are explicitly targeted. These are some examples of Okta parameters that are supported on Cortex XSOAR for groups with the filter query parameter:
For more information about filtering, visit Okta Support on Filtering |
Optional |
| limit | Sets the number of results returned in the response. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Okta.Group.ID | string | Unique key for the group |
| Okta.Group.Created | date | Timestamp for when the group was created |
| Okta.Group.ObjectClass | unknown | The group profile |
| Okta.Group.LastUpdated | date | Timestamp for when the group profile was last updated |
| Okta.Group.LastMembershipUpdated | date | Timestamp for when the group’s memberships were last updated |
| Okta.Group.Type | string |
Determines how a group’s profile and memberships are managed
|
| Okta.Group.Name | string | Name of the group |
| Okta.Group.Description | string | Description of the group |
Command Example
!okta-list-groups query=test1
Context Example
{
"Okta": {
"Group": {
"Created": "2016-10-25T14:52:38.000Z",
"Description": null,
"ID": "00g8mo0l5wuTxmoIC0h7",
"LastMembershipUpdated": "2018-07-31T13:58:28.000Z",
"LastUpdated": "2016-10-25T14:52:38.000Z",
"Name": "test1",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
}
}
War Room Output
23. Get members of a specified group
Returns members of a specified group.
Base Command
okta-get-group-members
Input
| Argument Name | Description | Required |
|---|---|---|
| groupId | Id of the group | Optional |
| limit | Limits the number of user results | Optional |
| verbose | Print all details | Optional |
| groupName | Name of the group | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Account.ID | string | Okta account ID |
| Account.Email | string | Okta account email |
| Account.Username | string | Okta account username |
| Account.DisplayName | string | Okta account display name |
| Account.Type | string | Account type - Okta |
Command Example
!okta-get-group-members groupName=test1
Context Example
{
"Account": [
{
"DisplayName": "User1 Fam1",
"Email": "user1@demisto.com",
"Group": [
{
"Created": "2016-10-25T14:52:38.000Z",
"Description": null,
"ID": "00g8mo0l5wuTxmoIC0h7",
"LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
"LastUpdated": "2016-10-25T14:52:38.000Z",
"Name": "test1",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
],
"ID": "00u8mnv647IGaq5Wr0h7",
"Type": "Okta",
"Username": "user1@demisto.com",
"id": "00u8mnv647IGaq5Wr0h7"
},
{
"DisplayName": "user2 test2",
"Email": "user2@demisto.com",
"Group": [
{
"Created": "2016-10-25T14:52:38.000Z",
"Description": null,
"ID": "00g8mo0l5wuTxmoIC0h7",
"LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
"LastUpdated": "2016-10-25T14:52:38.000Z",
"Name": "test1",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
],
"ID": "00u8mo28qn8pmbLBJ0h7",
"Type": "Okta",
"Username": "user2@demisto.com",
"id": "00u8mo28qn8pmbLBJ0h7"
},
{
"DisplayName": "John Doe",
"Email": "jondoe@test.org",
"Group": [
{
"Created": "2016-10-25T14:52:38.000Z",
"Description": null,
"ID": "00g8mo0l5wuTxmoIC0h7",
"LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
"LastUpdated": "2016-10-25T14:52:38.000Z",
"Name": "test1",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
],
"ID": "00u8od2zcd5cFBMBU0h7",
"Type": "Okta",
"Username": "johndoe@test.org",
"id": "00u8od2zcd5cFBMBU0h7"
},
{
"DisplayName": "test this",
"Email": "test@this.com",
"Group": [
{
"Created": "2016-10-25T14:52:38.000Z",
"Description": null,
"ID": "00g8mo0l5wuTxmoIC0h7",
"LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
"LastUpdated": "2016-10-25T14:52:38.000Z",
"Name": "test1",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
],
"ID": "00ued6gq9jItNhAsN0h7",
"Type": "Okta",
"Username": "test@this.com",
"id": "00ued6gq9jItNhAsN0h7"
}
]
}
War Room Output
Troubleshooting
This is a list of probable reasons for possible errors.
| Error | Possible Causes |
| 401 Unauthorized |
Wrong API URL or wrong API token |
| 404 not found | The user or the search term does not exsist |
| 400 Bad request | Request arguments are not provided correctly (for example, the date might be in the wrong format) |