# Okta IAM

This Integration is part of the Okta Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Note: This integration should be used along with our ILM premium pack. For further details, visit our ILM pack documentation.

Integrate with Okta's Identity Access Management service to execute CRUD operations on employee lifecycle processes. This integration was integrated and tested with version v1 of the Okta integration. For more information, refer to the Identity Lifecycle Management article.

## Configure Okta IAM in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| url | Okta URL (`https://<domain>.okta.com`) | True |
| apitoken | API Token (see Detailed Instructions) | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| create-user-enabled | Allow creating users | False |
| update-user-enabled | Allow updating users | False |
| enable-user-enabled | Allow enabling users | False |
| disable-user-enabled | Allow disabling users | False |
| create-if-not-exists | Automatically create user if not found in update command | False |
| mapper-in | Incoming Mapper | True |
| mapper-out | Outgoing Mapper | True |
| max_fetch | Fetch Limit (recommended less than 200) | False |
| isFetch | Fetch incidents | False |
| incidentFetchInterval | Incidents Fetch Interval | False |
| incidentType | Incident type | False |
| auto_generate_query_filter | Query only application events configured in the IAM Configuration | False |
| fetch_query_filter | Fetch Query Filter (Okta system log events) | True |
| first_fetch | First fetch timestamp (`<number> <time unit>`, e.g., 12 hours, 7 days) | False |

* To allow the integration to access the mapper from within the code, as required by the ILM pack, both mappers have to be configured in their respective fields and not in the "Mapper (outgoing)" dropdown list selector.

## Fetch incidents using an "IAM - Configuration" incident

When the "Query only application events configured in IAM Configuration" checkbox is selected, only the add and remove event types for the applications you configured in the IAM Configuration incident are retrieved. You must have at least one application configured in XSOAR to fetch incidents from Okta.

## Fetch incidents using a manual query filter expression

Note: Cortex XSOAR recommends you use the "Query only application events configured in IAM Configuration" option to generate the fetch-incidents query filter. The following method should be used primarily for debugging purposes.

Clear the "Query only application events configured in IAM Configuration" checkbox to use a custom fetch query filter expression. The expression must be in SCIM syntax and include the add and remove event types as well as the application ID. For example:

```
(eventType eq "application.user_membership.add" or eventType eq "application.user_membership.remove") and target.id eq "0oar418fvkm67MWGd0h7"
```

You may also use the advanced search in Okta's System Logs to generate the filter expression. For more details, visit the Okta API reference.
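As an added example (not code from the integration or the Okta pack), the following Python shows how a fetch query filter of the form above is generated from configured application IDs, lints a hand-written filter for the pieces the integration needs, and applies the same add/remove membership logic locally to constructed System Log events. The 20-character alphanumeric ID check and the sample events are assumptions, not something the page states.

```python
import re
from typing import Dict, Iterable, List

ADD_EVENT = "application.user_membership.add"
REMOVE_EVENT = "application.user_membership.remove"
# Assumption: Okta object IDs are 20 alphanumeric characters (every ID on this
# page has that shape); rejecting anything else keeps quotes and operators
# from being spliced into the generated filter expression.
_OKTA_ID = re.compile(r"^[0-9A-Za-z]{20}$")


def build_fetch_query_filter(application_ids: Iterable[str]) -> str:
    """Return the System Log filter for add/remove membership events of the
    given applications, in the form the checkbox mode generates."""
    ids = [a for a in dict.fromkeys(application_ids) if a]  # dedupe, keep order
    if not ids:
        raise ValueError("configure at least one application before fetching")
    bad = [a for a in ids if not _OKTA_ID.match(a)]
    if bad:
        raise ValueError(f"malformed application ID(s): {bad}")
    events = f'(eventType eq "{ADD_EVENT}" or eventType eq "{REMOVE_EVENT}")'
    targets = [f'target.id eq "{a}"' for a in ids]
    target_clause = targets[0] if len(targets) == 1 else "(" + " or ".join(targets) + ")"
    return f"{events} and {target_clause}"


def check_manual_filter(expression: str) -> List[str]:
    """Lint a hand-written fetch query filter and list the pieces the
    integration relies on that are missing (explains an empty fetch)."""
    problems = []
    for name, needle in (("add event type", f'eventType eq "{ADD_EVENT}"'),
                         ("remove event type", f'eventType eq "{REMOVE_EVENT}"')):
        if needle not in expression:
            problems.append(f"missing {name}")
    if not re.search(r'target\.id eq "[0-9A-Za-z]{20}"', expression):
        problems.append("missing target.id constraint with an application ID")
    return problems


def event_matches(event: Dict, application_ids: Iterable[str]) -> bool:
    """Local equivalent of the filter: is this event an add or remove of a
    user in one of the configured applications? (Okta lists several targets
    per event; the AppInstance target carries the application ID.)"""
    wanted = set(application_ids)
    if event.get("eventType") not in (ADD_EVENT, REMOVE_EVENT):
        return False
    return any(t.get("id") in wanted for t in event.get("target", []))


# Constructed sample events in the shape of Okta System Log entries; the IDs
# are the ones that appear on this page.
SAMPLE_EVENTS = [
    {"eventType": ADD_EVENT, "target": [
        {"type": "AppInstance", "id": "0oar418fvkm67MWGd0h7"},
        {"type": "User", "id": "00uujxnbh3uJw4tWA0h7"}]},
    {"eventType": "user.session.start", "target": [
        {"type": "AppInstance", "id": "0oar418fvkm67MWGd0h7"}]},
    {"eventType": REMOVE_EVENT, "target": [
        {"type": "AppInstance", "id": "0oae3ioe51sQ64Aui2h7"}]},
]

if __name__ == "__main__":
    print(build_fetch_query_filter(["0oar418fvkm67MWGd0h7"]))
    print([event_matches(e, ["0oar418fvkm67MWGd0h7"]) for e in SAMPLE_EVENTS])
```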

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### iam-create-user

Creates a user.

#### Base Command

`iam-create-user`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | User Profile indicator details. | Required |
| allow-enable | When set to true, after the command execution the status of the user in the 3rd-party integration will be active. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | string | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

#### Command Example

```
!iam-create-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\", \"surname\":\"Test\",\"givenname\":\"Demisto\"}
```

#### Human Readable Output

##### Create User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:54:30.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto44@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}}
```

### iam-update-user

Updates an existing user with the data passed in the user-profile argument.

#### Base Command

`iam-update-user`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | A User Profile indicator. | Required |
| allow-enable | When set to true, after the command execution the status of the user in the 3rd-party integration will be active. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | string | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

#### Command Example

```
!iam-update-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\", \"givenname\":\"Demisto-Test\"}
```

#### Human Readable Output

##### Update User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:56:53.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}}
```

### iam-get-user

Retrieves a single user resource.

#### Base Command

`iam-get-user`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | A User Profile indicator. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | string | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

#### Command Example

```
!iam-get-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\"}
```

#### Human Readable Output

##### Get User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:56:53.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}}
```

### iam-disable-user

Disables an active user.

#### Base Command

`iam-disable-user`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | A User Profile indicator. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | string | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

#### Command Example

```
!iam-disable-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\"}
```

#### Human Readable Output

##### Disable User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | false | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:56:53.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}}
```

### okta-get-assigned-user-for-app

Gets a specific user assignment for an application by ID.

#### Base Command

`okta-get-app-user-assignment`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user_id | ID of the user for which to get information. | Required |
| application_id | ID of the application for which to get information. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.AppUserAssignment.UserID | string | ID of the user. |
| Okta.AppUserAssignment.AppID | string | ID of the application. |
| Okta.AppUserAssignment.IsAssigned | boolean | When True, indicates that the user is assigned to the application. |
| Okta.AppUserAssignment.ProfileInApp | unknown | The user profile data in the application. |

#### Command Example

```
!okta-get-app-user-assignment user_id=00uuv6y8t1iy8YXm94h7 application_id=0oae3ioe51sQ64Aui2h7
```

#### Human Readable Output

##### App User Assignment

| App ID | Is Assigned | User ID |
| --- | --- | --- |
| 0oae3ioe51sQ64Aui2h7 | true | 00uuv6y8t1iy8YXm94h7 |

### okta-list-applications

Returns a list of Okta applications data.

#### Base Command

`okta-iam-list-applications`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Search for applications by their names. | Optional |
| page | Page number (0-based). Default is 0. | Optional |
| limit | Maximum number of apps to retrieve (maximal value is 200). Default is 50. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.Application.ID | string | ID of the application. |
| Okta.Application.Name | string | Name of the application. |
| Okta.Application.Label | string | Label of the application. |
| Okta.Application.Logo | string | Logo of the application. |

#### Command Example

```
!okta-iam-list-applications limit=5 query="Workday"
```

#### Human Readable Output

##### Okta Applications (1 - 3)

| ID | Name | Label | Logo |
| --- | --- | --- | --- |
| 0ob8zlypk6GVPRr2T0h7 | workday | Workday - Preview | |
| 0oabz0ozy5dDpEKyA0h7 | workday | Workday - Prod - DryRun | |
| 0oae3ioe51sQ64Aui2h7 | workday | Workday - Impl1 | |

### okta-list-user-applications

Returns a list of Okta applications data.

#### Base Command

`okta-iam-list-user-applications`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user_id | ID of the user for which to get the information. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.Application.ID | string | ID of the application. |
| Okta.Application.Name | string | Name of the application. |
| Okta.Application.Label | string | Label of the application. |
| Okta.Application.Status | string | Status of the application. |

#### Command Example

```
!okta-iam-list-user-applications user_id=00ux9v19bvTfQIjur0h7
```

#### Human Readable Output

##### Okta User Applications

| ID | Name | Label | Status |
| --- | --- | --- | --- |
| 0ob8zlypk6GVPRr2T0h7 | active_directory | pantest.local | ACTIVE |
| 0oabz0ozy5dDpEKyA0h7 | test_app | martsheet Test App | ACTIVE |

### okta-iam-get-configuration

Gets the IAM configuration data from the integration context.

#### Base Command

`okta-iam-get-configuration`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.IAMConfiguration.ApplicationID | String | An Okta application ID. |
| Okta.IAMConfiguration.Name | String | Name of the Okta application. |
| Okta.IAMConfiguration.Label | String | Label of the Okta application. |
| Okta.IAMConfiguration.Logo | String | Logo of the application. |
| Okta.IAMConfiguration.Instance | String | An XSOAR IAM integration instance name. |

#### Command Example

```
!okta-iam-get-configuration using="Okta IAM_instance_1_copy"
```

#### Human Readable Output

##### Okta IAM Configuration

| ApplicationID | Instance | Label | Logo | Name |
| --- | --- | --- | --- | --- |
| 0oc8zlypk6GVPRr2G0h7 | ServiceNow IAM_instance_1 | ServiceNow | | servicenow |

### okta-iam-set-configuration

Updates IAM configuration data in the integration context.

#### Base Command

`okta-iam-set-configuration`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| configuration | IAM configuration data. | Required |

#### Context Output

There is no context output for this command.

### iam-get-group

Retrieves the group information, including its members.

#### Base Command

`iam-get-group`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scim | Group SCIM Data. | Required |
| includeMembers | Field to indicate if members need to be included in the response. Possible values are: true, false. Default is true. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| GetGroup.id | String | ID of the group. |
| GetGroup.displayName | String | The display name of the group. |
| GetGroup.members.display | String | The display name of the group member. |
| GetGroup.members.value | String | ID of the group member. |
| GetGroup.success | Boolean | Indicates whether the command succeeded. |
| GetGroup.errorCode | Number | HTTP error response code. |
| GetGroup.errorMessage | String | Reason why the API failed. |

### okta-get-logs

Gets logs by providing optional filters.

#### Base Command

`okta-get-logs`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Useful for performing structured queries where constraints on LogEvent attribute values can be explicitly targeted. The following expressions are supported for events with the filter query parameter: `eventType eq ":eventType"` - Events that have a specific action; `target.id eq ":id"` - Events published with a specific target ID; `actor.id eq ":id"` - Events published with a specific actor ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering. | Optional |
| since | Filters the lower time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z. | Optional |
| until | Filters the upper time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z. | Optional |
| sortOrder | The order of the returned events. Possible values are: ASCENDING, DESCENDING. Default is ASCENDING. | Optional |
| limit | The maximum number of results to return. The default and maximum is 100. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.Logs.Events.actor.alternateId | String | Alternative ID of the actor. |
| Okta.Logs.Events.actor.displayName | String | Display name of the actor. |
| Okta.Logs.Events.actor.id | String | ID of the actor. |
| Okta.Logs.Events.client.userAgent.rawUserAgent | String | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
| Okta.Logs.Events.client.userAgent.os | String | The operating system on which the client runs. For example, Microsoft Windows 10. |
| Okta.Logs.Events.client.userAgent.browser | String | Identifies the type of web browser, if relevant. For example, Chrome. |
| Okta.Logs.Events.client.device | String | Type of device from which the client operated. For example, Computer. |
| Okta.Logs.Events.client.id | String | For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request. |
| Okta.Logs.Events.client.ipAddress | String | IP address from which the client made its request. |
| Okta.Logs.Events.client.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
| Okta.Logs.Events.client.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
| Okta.Logs.Events.client.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
| Okta.Logs.Events.displayMessage | String | The display message for an event. |
| Okta.Logs.Events.eventType | String | Type of event that was published. |
| Okta.Logs.Events.outcome.result | String | Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN". |
| Okta.Logs.Events.outcome.reason | String | Reason for the result. For example, INVALID_CREDENTIALS. |
| Okta.Logs.Events.published | String | Timestamp when the event was published. |
| Okta.Logs.Events.severity | String | The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR". |
| Okta.Logs.Events.securityContext.asNumber | Number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.asOrg | String | Organization associated with the autonomous system that the event request was sourced to. |
| Okta.Logs.Events.securityContext.isp | String | Internet service provider used to send the event's request. |
| Okta.Logs.Events.securityContext.domain | String | Specifies whether an event's request is from a known proxy. |
| Okta.Logs.Events.request.ipChain.IP | String | IP address. |
| Okta.Logs.Events.request.ipChain.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
| Okta.Logs.Events.request.ipChain.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
| Okta.Logs.Events.request.ipChain.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
| Okta.Logs.Events.request.ipChain.source | String | Details regarding the source. |
| Okta.Logs.Events.target.id | String | ID of a target. |
| Okta.Logs.Events.target.type | String | Type of a target. |
| Okta.Logs.Events.target.alternateId | String | Alternative ID of a target. |
| Okta.Logs.Events.target.displayName | String | Display name of a target. |