Okta v2
Okta Pack.#
This Integration is part of theIntegration with Okta's cloud-based identity management service.
#
Configure Okta v2 in Cortex#
API Token Authentication Prerequisites- Sign in to your Okta organization as a user with administrator privileges.
- On the Admin Console, select Security > API from the menu, and then select the Tokens tab.
- Click Create Token.
- Name your token and click Create Token.
#
Notes- API tokens have the same permissions as the user who creates them, and if the permissions of a user change, so do the permissions of the API token.
- If more than one certificate is assigned to the application, the Key ID parameter is required to specify which certificate to use for signing the JWT token.
For more information, see the 'Create an API token' official documentation article.
#
OAuth 2.0 Authentication Prerequisites#
Required ScopesThe following scopes are required for the Okta v2 integration to work properly:
- okta.apps.manage
- okta.apps.read
- okta.groups.manage
- okta.groups.read
- okta.logs.read
- okta.networkZones.manage
- okta.networkZones.read
- okta.sessions.manage
- okta.sessions.read
- okta.users.manage
- okta.users.read
- Sign in to Okta Admin Console.
- In the Admin Console, go to Applications > Applications.
- Click Create App Integration.
- Select API Services as the sign-in method, and click Next.
- Enter the desired name for the created app (e.g., "Cortex XSOAR"), and click Save.
- In the app configuration page, under the General tab and the Client Credentials section, select Public key / Private key for the Client authentication option.
- Under the newly added PUBLIC KEYS section, click Add Key.
- In the Add Public Key dialog box, click Generate new key. Make sure to copy the generated private key (in PEM format) to somewhere safe, and click Save.
- Under the General Settings section:
- Next to the Proof of possession label, uncheck the Require Demonstrating Proof of Possession (DPoP) header in token requests option if it's selected.
- Next to the Grant type label, make sure the Client Credentials option is selected, and that the Token Exchange option is not selected.
- Click Save.
- Under the Okta API Scopes tab, grant the required scopes mentioned above for the app.
- Under the Admin roles tab:
- Click Edit assignments.
- In the dropdown list under "Role", select Super Administrator.
- Click Save changes at the top.
For more information, see the 'Implement OAuth for Okta' official documentation article.
#
Instance ConfigurationParameter | Description | Required |
---|---|---|
Okta URL (https://<domain>.okta.com) | True | |
API Token | False | |
Use OAuth 2.0 Authentication | See detailed instructions on the 'Help' tab. | False |
Client ID | Required and used if OAuth 2.0 is used for authentication. See detailed instructions on the 'Help' tab. | False |
Private Key | In PEM format. Required and used if OAuth 2.0 is used for authentication. See detailed instructions on the 'Help' tab. | False |
JWT Signing Algorithm | Algorithm to sign generated JWT tokens with. Doesn't affect integration's functionality. Required and used if OAuth 2.0 is used for authentication. See detailed instructions on the 'Help' tab. | False |
Key ID | Required and used if more than one key is used for signing JWT tokens. | False |
Trust any certificate (not secure) | False | |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
okta-unlock-userUnlocks a single user.
#
Base Commandokta-unlock-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Username to unlock. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-unlock-user username=testForDocs@test.com
#
Human Readable OutputUser testForDocs@test.com unlocked
#
okta-deactivate-userDeactivates a single user.
#
Base Commandokta-deactivate-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Username to deactivate. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-deactivate-user username=testForDocs@test.com
#
Human Readable OutputUser testForDocs@test.com deactivated
#
okta-activate-userActivates a single user.
#
Base Commandokta-activate-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Username to activate. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-activate-user username=testForDocs@test.com
#
Human Readable OutputtestForDocs@test.com is active now#
#
okta-suspend-userSuspends a single user. This operation can only be performed on users with an ACTIVE status. After the porcess is completed, the user's status is SUSPENDED.
#
Base Commandokta-suspend-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Username to suspend. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-suspend-user username=testForDocs@test.com
#
Human Readable OutputtestForDocs@test.com status is Suspended#
#
okta-unsuspend-userReturns a single user to ACTIVE status. This operation can only be performed on users that have a SUSPENDED status.
#
Base Commandokta-unsuspend-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Username to change the status to ACTIVE. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-unsuspend-user username=testForDocs@test.com
#
Human Readable OutputtestForDocs@test.com is no longer SUSPENDED#
#
okta-get-user-factorsReturns all the enrolled factors for the specified user.
#
Base Commandokta-get-user-factors
#
InputArgument Name | Description | Required |
---|---|---|
username | Username for which to return all enrolled factors. | Optional |
userId | User ID of the user for which to get all enrolled factors. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Okta account ID. |
Account.Factor.ID | String | Okta account factor ID. |
Account.Factor.Provider | String | Okta account factor provider. |
Account.Factor.Profile | String | Okta account factor profile. |
Account.Factor.FactorType | String | Okta account factor type. |
Account.Factor.Status | Unknown | Okta account factor status. |
#
Command Example!okta-get-user-factors username=factor@test.com
#
Context Example#
Human Readable OutputFactors for user: 00upt1w8tgFQM2v0h7
#
Factors
FactorType ID Profile Provider Status sms mbgt21nffaaN5F060h7 phoneNumber: +12025550191 OKTA PENDING_ACTIVATION token:software:totp uftptgdrDJ7fDOq0h7 credentialId: factor@test.com PENDING_ACTIVATION push opfg1joeaArlg27g0h7 OKTA PENDING_ACTIVATION
#
okta-reset-factorUn-enrolls an existing factor for the specified user. This enables the user to enroll a new factor.
#
Base Commandokta-reset-factor
#
InputArgument Name | Description | Required |
---|---|---|
userId | The user ID. | Optional |
username | Username for which to un-enroll an existing factor. | Optional |
factorId | The ID of the factor to reset. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-reset-factor factorId=ufsq7cvptfbjQa72c0h7 userId=00upt1w8t40wFQM2v6t4
#
Human Readable OutputFactor: ufsq7cvptfbjQa72c0h7 deleted
#
okta-set-passwordSets passwords without validating existing user credentials.
#
Base Commandokta-set-password
#
InputArgument Name | Description | Required |
---|---|---|
username | Okta username for which to set the password. | Required |
password | The new password to set for the user. | Required |
temporary_password | When true, you'll need to change the password in the next login. Possible values are: true, false. Default is false. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-set-password username=testForDocs@test.com password=N3wPa55word!
#
Human Readable OutputtestForDocs@test.com password was last changed on 2020-03-26T13:57:13.000Z
#
okta-add-to-groupAdds a user to a group with OKTA_GROUP type.
#
Base Commandokta-add-to-group
#
InputArgument Name | Description | Required |
---|---|---|
userId | ID of the user to add to the group. | Optional |
username | Name of the user to add to the group. | Optional |
groupId | ID of the group to add the user to. | Optional |
groupName | Name of the group to add the user to. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-add-to-group groupName=Demisto username=testForDocs@test.com
#
Human Readable OutputUser: 00uqk1qesl3k0SRbH0h7 added to group: Demisto successfully
#
okta-remove-from-groupRemoves a user from a group with OKTA_GROUP type.
#
Base Commandokta-remove-from-group
#
InputArgument Name | Description | Required |
---|---|---|
userId | ID of the user to remove from the group. | Optional |
username | Name of the user to remove from the group. | Optional |
groupId | ID of the group to remove the user from. | Optional |
groupName | Name of the group to remove the user from. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-remove-from-group groupName=demisto username=testForDocs@test.com
#
Human Readable OutputUser: 00uqk1qesl3k0SRbH0h7 was removed from group: demisto successfully
#
okta-get-groupsReturns all user groups associated with a specified user.
#
Base Commandokta-get-groups
#
InputArgument Name | Description | Required |
---|---|---|
username | Username in Okta for which to get the associated groups. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Account.Group | Unknown | Okta groups with which the account is associated. |
Account.ID | String | Okta account ID. |
Account.Type | String | Okta account type. |
Account.Group.ID | String | Unique key for the group. |
Account.Group.Created | Date | Timestamp when the group was created. |
Account.Group.ObjectClass | String | The object class, which determines the group's profile. |
Account.Group.LastUpdated | Date | Timestamp when the group's profile was last updated. |
Account.Group.LastMembershipUpdated | Date | Timestamp when the group's memberships were last updated. |
Account.Group.Type | String | Group type, which determines how a group's profile and memberships are managed. |
Account.Group.Description | String | Description of the group. |
Account.Group.Name | String | Name of the group. |
#
Command Example!okta-get-groups username=testForDocs@test.com
#
Context Example#
Human Readable OutputOkta groups for user: testForDocs@test.com
#
Groups
Created Description ID LastMembershipUpdated LastUpdated Name ObjectClass Type 2016-04-12T15:01:50.000Z All users in your organization 00g66lckgAJpLcNc0h7 2020-03-26T13:56:49.000Z 2016-04-12T15:01:50.000Z Everyone okta:user_group BUILT_IN 2018-01-19T02:02:06.000Z 00gdougcgzEaf7c50h7 2020-03-26T13:49:47.000Z 2018-01-19T02:02:06.000Z Demisto okta:user_group OKTA_GROUP
#
okta-verify-push-factorEnrolls and verifies a push factor for the specified user.
#
Base Commandokta-verify-push-factor
#
InputArgument Name | Description | Required |
---|---|---|
userId | The ID of the user to enroll and verify. | Required |
factorId | The push factor ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Okta user ID. |
Account.VerifyPushResult | String | Okta user push factor result. |
#
Command Example!okta-verify-push-factor factorId=opfpt1joeaArlg27g0h7 userId=00upt1w8t40wFQM2v0h7
#
Human Readable OutputVerify push factor result for user 00upt1w8t40wgQM2v0h7: WAITING
#
Context Example#
okta-searchSearches for Okta users.
#
Base Commandokta-search
#
InputArgument Name | Description | Required |
---|---|---|
term | Term by which to search. Can be a first name, last name, or email address. The argument term or advanced_search is required. | Optional |
advanced_search | Searches for users with a supported filtering expression for most properties, including custom-defined properties. The argument term or advanced_search is required. | Optional |
limit | The maximum number of results to return. The default and maximum is 200. | Optional |
verbose | Whether to return details of users that match the found term. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Okta account IDs returned by the search. |
Account.Username | String | Okta account usernames returned by the search. |
Account.Email | String | Okta account emails returned by the search. |
Account.DisplayName | String | Okta account display names returned by the search. |
Account.Type | String | Okta account type returned by the search. |
Account.Status | String | Okta account current status. |
Account.Created | Date | Timestamp for when the user was created. |
Account.Activated | Date | Timestamp for when the user was activated. |
Account.StatusChanged | Date | Timestamp for when the user's status was last changed. |
Account.PasswordChanged | Date | Timestamp for when the user's password was last changed. |
#
Command Example!okta-search term=test verbose=true
#
Context Example#
Human Readable OutputOkta users found: User:bartest@test.com
#
Profile
First Name Last Name Login Mobile Phone Second Email bartest@test.com bar test bartest@test.com
#
Additional DataActivated | Created | Credentials | ID | Last Login | Last Updated | Password Changed | Status | Status Changed | Type | _links |
---|---|---|---|---|---|---|---|---|---|---|
2020-02-12T14:03:51.000Z | 2020-02-12T14:03:50.000Z | provider: {"type": "OKTA", "name": "OKTA"} | 00uppjeleqJQ2kkN80h7 | 2020-02-12T14:03:51.000Z | PROVISIONED | id: oty66lckcvDyVcGzS0h7 | self: {"href": "https://yourdomain.okta.com/api/v1/users/00uppjeleqJQ2kkN80h7"} |
test@that.com#
User:#
ProfileFirst Name | Last Name | Login | Mobile Phone | Second Email | |
---|---|---|---|---|---|
test@that.com | test | that | test@that.com | test@that.com |
#
Additional DataActivated | Created | Credentials | ID | Last Login | Last Updated | Password Changed | Status | Status Changed | Type | _links |
---|---|---|---|---|---|---|---|---|---|---|
2020-02-19T12:33:20.000Z | 2018-07-31T12:48:33.000Z | provider: {"type": "OKTA", "name": "OKTA"} | 00ufufhqits3y78Ju0h7 | 2020-02-19T12:33:20.000Z | 2020-02-06T13:32:56.000Z | PROVISIONED | id: oty66lckcvDyVcGzS0h7 | self: {"href": "https://yourdomain.okta.com/api/v1/users/00ufufhqits3y78Ju0h7"} |
testForDocs@test.com#
User:#
ProfileFirst Name | Last Name | Login | Mobile Phone | Second Email | |
---|---|---|---|---|---|
testForDocs@test.com | test | that | testForDocs@test.com |
#
Additional DataActivated | Created | Credentials | ID | Last Login | Last Updated | Password Changed | Status | Status Changed | Type | _links |
---|---|---|---|---|---|---|---|---|---|---|
2020-03-26T13:56:52.000Z | 2020-03-26T13:56:49.000Z | password: {}recovery_question: {"question": "whats is your favourite integration"}provider: {"type": "OKTA", "name": "OKTA"} | 00uqk1qesl3k0SRbH0h7 | 2020-03-26T13:56:52.000Z | 2020-03-26T13:56:50.000Z | ACTIVE | id: oty66lckcvDyVcGzS0h7 | self: {"href": "https://yourdomain.okta.com/api/v1/users/00uqk1qesl3k0SRbH0h7"} |
#
okta-get-userFetches information for a single user. You must enter one or more parameters for the command to run.
#
Base Commandokta-get-user
#
InputArgument Name | Description | Required |
---|---|---|
username | Okta username for which to get information. | Optional |
userId | User ID of the user for which to get information. | Optional |
verbose | Whether to return extended user information. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Okta account ID. |
Account.Email | String | Okta account email. |
Account.Username | String | Okta account username. |
Account.DisplayName | String | Okta account display name. |
Account.Status | String | Okta account status. |
Account.Created | Date | Timestamp for when the user was created. |
Account.Activated | Date | Timestamp for when the user was activated. |
Account.StatusChanged | Date | Timestamp for when the user's status was last changed. |
Account.PasswordChanged | Date | Timestamp for when the user's password was last changed. |
Account.Manager | String | The manager. |
Account.ManagerEmail | String | The manager email. |
#
Command Example!okta-get-user username=testForDocs@test.com verbose=true
#
Context Example#
Human Readable OutputtestForDocs@test.com#
User:#
Profile
First Name Last Name Login Manager Manager Email Mobile Phone Second Email testForDocs@test.com test that testForDocs@test.com manager@test.com
#
Additional DataActivated | Created | Credentials | ID | Last Login | Last Updated | Password Changed | Status | Status Changed | Type | _links |
---|---|---|---|---|---|---|---|---|---|---|
2020-03-26T13:56:52.000Z | 2020-03-26T13:56:49.000Z | password: {}recovery_question: {"question": "whats is your favourite integration"} provider: {"type": "OKTA", "name": "OKTA"} | 00uqk1qesl3k0SRbH0h7 | 2020-03-26T13:56:52.000Z | 2020-03-26T13:56:50.000Z | ACTIVE | id: oty66lckcvDyVcGzS0h7 | links |
#
okta-list-usersLists users in your organization.
#
Base Commandokta-list-users
#
InputArgument Name | Description | Required |
---|---|---|
after | The cursor in which to retrive the results from and on. if the query didn't reach the end of results, the tag can be obtained from the bottom of the grid in the readable output, or in the context path Okta.User.tag. | Optional |
limit | The maximum number of results to return. Default is 200. | Optional |
verbose | Whether to return extended user information. Possible values are: true, false. Default is false. | Optional |
query | Searches the name property of groups for matching values. | Optional |
filter | Useful for performing structured queries where constraints on group attribute values can be explicitly targeted. The following expressions are supported(among others) for groups with the filter query parameter: type eq "OKTA_GROUP" - Groups that have a type of OKTA_GROUP; lastUpdated lt "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with profile last updated before a specific timestamp; lastMembershipUpdated eq "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with memberships last updated at a specific timestamp; id eq "00g1emaKYZTWRYYRRTSK" - Group with a specified ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Okta account ID. |
Account.Email | String | Okta account email. |
Account.Username | String | Okta account username. |
Account.DisplayName | String | Okta account display name. |
Account.Status | String | Okta account status. |
Account.Created | Date | Timestamp for when the user was created. |
Account.Activated | Date | Timestamp for when the user was activated. |
Account.StatusChanged | Date | Timestamp for when the user's status was last changed. |
Account.PasswordChanged | Date | Timestamp for when the user's password was last changed. |
Okta.User.tag | String | The location of the next item, used with after param. |
#
okta-create-userCreates a new user with an option of setting a password, recovery question, and answer. The new user will immediately be able to log in after activation with the assigned password. This flow is common when developing a custom user registration experience.
#
Base Commandokta-create-user
#
InputArgument Name | Description | Required |
---|---|---|
firstName | First name of the user (givenName). | Required |
lastName | Family name of the user (familyName). | Required |
Primary email address of the user. | Required | |
login | Unique identifier for the user (username). | Required |
secondEmail | Secondary email address of user. Usually used for account recovery. | Optional |
middleName | Middle name(s) of the user. | Optional |
honorificPrefix | A comma-separated list of honorific prefix(es) of the user, or title in most Western languages. | Optional |
honorificSuffix | A comma-separated list of honorific suffix(es) of the user. | Optional |
title | User's title. for example, Vice President. | Optional |
displayName | Display name of the user. | Optional |
nickName | Casual way to address the user (nick name). | Optional |
profileUrl | URL of the user online profile. For example, a web page. | Optional |
primaryPhone | Primary phone number of the user. | Optional |
mobilePhone | Mobile phone number of the user. | Optional |
streetAddress | Full street address component of the user's address. | Optional |
city | City or locality component of the user's address (locality). | Optional |
state | State or region component of the user's address (region). | Optional |
zipCode | Zip code or postal code component of the user's address (postalCode). | Optional |
countryCode | Country name component of the user's address (country). | Optional |
postalAddress | Mailing address component of the user's address. | Optional |
preferredLanguage | User's preferred written or spoken languages. | Optional |
locale | User's default location, for purposes of localizing items such as currency, date-time format, numerical representations, etc. | Optional |
timezone | User's time zone. | Optional |
userType | The user type, which is used to identify the organization-to-user relationship such as "Employee" or "Contractor". | Optional |
employeeNumber | Organization or company assigned unique identifier for the user. | Optional |
costCenter | Name of a cost center the user is assigned to. | Optional |
organization | Name of the user's organization. | Optional |
division | Name of the user's division. | Optional |
department | Name of the user's department. | Optional |
managerId | ID of the user's manager. | Optional |
manager | Display name of the user's manager. | Optional |
password | Password for the new user. | Optional |
passwordQuestion | Password question for the new user. | Optional |
passwordAnswer | Password answer for question. | Optional |
providerType | The provider type. Can be "OKTA", "ACTIVE_DIRECTORY", "LDAP", "FEDERATION", or "SOCIAL". Possible values are: OKTA, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL. | Optional |
providerName | Name of the provider. | Optional |
groupIds | IDs of groups that the user will be immediately added to at time of creation (does Not include default group). | Optional |
activate | Whether to activate the lifecycle operation when creating the user. Can be "true" or "false". Possible values are: true, false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Created Okta account ID. |
Account.Email | String | Created Okta account email address. |
Account.Username | String | Created okta account username. |
Account.DisplayName | String | Created Okta account display name. |
Account.Type | String | Type of created account - Okta. |
Account.Status | String | Okta account current status. |
Account.Created | Date | Timestamp for when the user was created. |
Account.Activated | Date | Timestamp for when the user was activated. |
Account.StatusChanged | Date | Timestamp for when the user's status was last changed. |
Account.PasswordChanged | Date | Timestamp for when the user's password was last changed. |
#
Command Example!okta-create-user email=testForDocs@test.com firstName=test lastName=that login=testForDocs@test.com password=Pa55word! passwordQuestion="whats is your favourite integration" passwordAnswer="Okta of course"
#
Context Example#
Human Readable OutputtestForDocs@test.com:#
Okta User Created:
First Name ID Last Login Last Name Login Mobile Phone Status test 00uqk1qesl3k0SRbH0h7 that testForDocs@test.com STAGED
#
okta-update-userUpdates a user with a given login. All fields are optional. Fields which are not set, will not be overwritten.
#
Base Commandokta-update-user
#
InputArgument Name | Description | Required |
---|---|---|
firstName | First name of the user (given name). | Optional |
lastName | Family name of the user. | Optional |
Primary email address of the user. | Optional | |
username | Unique identifier for the user (login). | Required |
secondEmail | Secondary email address of the user (typically used for account recovery. | Optional |
middleName | Middle name(s) of the user. | Optional |
honorificPrefix | Honorific prefix(es) of the user, or title in most Western languages. | Optional |
honorificSuffix | Honorific suffix(es) of the user. | Optional |
title | User's title. For example, Vice President. | Optional |
displayName | Display name of the user. | Optional |
nickName | Casual way to address the user in real life (nick name). | Optional |
profileUrl | URL of the user's online profile. For example, a web page. | Optional |
primaryPhone | Primary phone number of the user. | Optional |
mobilePhone | Mobile phone number of the user. | Optional |
streetAddress | Full street address component of the user's address. | Optional |
city | City or locality component of the user's address (locality). | Optional |
state | State or region component of the user's address (region). | Optional |
zipCode | Zip code or postal code component of the user's address (postalCode). | Optional |
countryCode | Country name component of the user's address (country). | Optional |
postalAddress | Mailing address component of the user's address. | Optional |
preferredLanguage | User's preferred written or spoken languages. | Optional |
locale | User's default location for purposes of localizing items such as currency, date-time format, numerical representations, etc. | Optional |
timezone | User time zone. | Optional |
userType | The user type, which is used to identify the organization-to-user relationship such as "Employee" or "Contractor". | Optional |
employeeNumber | Organization or company assigned unique identifier for the user. | Optional |
costCenter | Name of a cost center the user is assigned to. | Optional |
organization | Name of the user's organization. | Optional |
division | Name of the user's division. | Optional |
department | Name of the user's department. | Optional |
managerId | ID of the user's manager. | Optional |
manager | Display name of the user's manager. | Optional |
password | New password for the specified user. | Optional |
passwordQuestion | Password question for the specified user. | Optional |
passwordAnswer | Password answer for the question. | Optional |
providerType | The provider type. Can be "OKTA", "ACTIVE_DIRECTORY", "LDAP", "FEDERATION", or "SOCIAL". Possible values are: OKTA, ACTIVE_DIRECTORY, FEDERATION, SOCIAL. | Optional |
providerName | Name of the provider. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-update-user username=testForDocs@test.com firstName="First Name Updated"
#
Human Readable OutputtestForDocs@test.com Updated:#
Okta user:
firstName lastName login mobilePhone secondEmail testForDocs@test.com First Name Updated that testForDocs@test.com
#
okta-get-group-membersEnumerates all users that are members of a group.
#
Base Commandokta-get-group-members
#
InputArgument Name | Description | Required |
---|---|---|
groupId | ID of the group. | Optional |
limit | The maximum number of results to return. | Optional |
verbose | Whether to print extended user details. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false. | Optional |
groupName | Name of the group. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Okta account ID. |
Account.Email | String | Okta account email address. |
Account.Username | String | Okta account username. |
Account.DisplayName | String | Okta account display name. |
Account.Type | String | Account type - Okta. |
Account.Status | String | Okta account current status. |
Account.Created | Date | Timestamp for when the user was created. |
Account.Activated | Date | Timestamp for when the user was activated. |
Account.StatusChanged | Date | Timestamp for when the user's status was last changed. |
Account.PasswordChanged | Date | Timestamp for when the user's password was last changed. |
#
Command Example!okta-get-group-members groupName=Demisto limit=1 verbose=true
#
Context Example#
Human Readable Output#
Users for group: Demisto:Test@demisto.com#
User:#
Profile
First Name Last Name Login Mobile Phone Second Email XSOAR@demisto.com Test Demisto XSOAR@demisto.com
#
Additional DataActivated | Created | Credentials | ID | Last Login | Last Updated | Password Changed | Status | Status Changed | Type | _links |
---|---|---|---|---|---|---|---|---|---|---|
2016-04-12T15:01:52.000Z | password: {} recovery_question: {"question": "born city"} provider: {"type": "OKTA", "name": "OKTA"} | 00u66lckd7lpjidYi0h7 | 2020-03-12T09:54:36.000Z | 2020-02-24T11:42:22.000Z | 2020-02-24T11:40:08.000Z | ACTIVE | id: oty66lckcyVcGzS0h7 | self: {"href": "https://yourdomain.okta.com/api/v1/users/00uclpjidYi0h7"} |
#
okta-list-groupsLists groups in your organization. A subset of groups can be returned that match a supported filter expression or query.
#
Base Commandokta-list-groups
#
InputArgument Name | Description | Required |
---|---|---|
query | Searches the name property of groups for matching values. | Optional |
filter | Useful for performing structured queries where constraints on group attribute values can be explicitly targeted. The following expressions are supported(among others) for groups with the filter query parameter: type eq "OKTA_GROUP" - Groups that have a type of OKTA_GROUP; lastUpdated lt "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with profile last updated before a specific timestamp; lastMembershipUpdated eq "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with memberships last updated at a specific timestamp; id eq "00g1emaKYZTWRYYRRTSK" - Group with a specified ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering. | Optional |
limit | The maximum number of results to return. The default is 200. Default is 200. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Group.ID | String | Unique key for the group. |
Okta.Group.Created | Date | Timestamp for when the group was created. |
Okta.Group.ObjectClass | Unknown | The group's profile. |
Okta.Group.LastUpdated | Date | Timestamp for when the group's profile was last updated. |
Okta.Group.LastMembershipUpdated | Date | Timestamp for when the group's membership was last updated. |
Okta.Group.Type | String | The group type, which determines how a group's profile and membership are managed. Can be "OKTA_GROUP", "APP_GROUP", or "BUILT_IN". |
Okta.Group.Name | String | Name of the group. |
Okta.Group.Description | String | Description of the group. |
#
Command Example!okta-list-groups filter=`type eq "OKTA_GROUP" and lastUpdated lt "2019-04-30T00:00:00.000Z" and lastMembershipUpdated gt "2019-04-30T00:00:00.000Z"` query=demisto
#
Context Example#
Human Readable Output#
Groups
Created Description ID LastMembershipUpdated LastUpdated Name ObjectClass Type 2018-01-19T02:02:06.000Z 00gdougctEaf7c50h7 2020-03-26T13:56:56.000Z 2018-01-19T02:02:06.000Z Demisto okta:user_group OKTA_GROUP
#
okta-get-failed-loginsReturns failed login events.
#
Base Commandokta-get-failed-logins
#
InputArgument Name | Description | Required |
---|---|---|
since | Filters the lower time bound of the log events in the Internet Date/Time Format profile of ISO 8601. An example: 2017-05-03T16:22:18Z. | Optional |
until | Filters the upper time bound of the log events in the Internet Date/Time Format profile of ISO 8601. An example: 2017-05-03T16:22:18Z. | Optional |
sortOrder | The order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING. | Optional |
limit | The maximum number of results to return. The default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Logs.Events.actor.alternateId | String | Alternative ID of the actor. |
Okta.Logs.Events.actor.displayName | String | Display name of the actor. |
Okta.Logs.Events.actor.id | String | ID of the actor. |
Okta.Logs.Events.client.userAgent.rawUserAgent | String | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
Okta.Logs.Events.client.userAgent.os | String | The operating system on which the client runs. For example, Microsoft Windows 10. |
Okta.Logs.Events.client.userAgent.browser | String | Identifies the browser type, if relevant. For example, Chrome. |
Okta.Logs.Events.client.device | String | Type of device that client operated from. For example, Computer. |
Okta.Logs.Events.client.id | String | For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request. |
Okta.Logs.Events.client.ipAddress | String | IP address from which the client made its request. |
Okta.Logs.Events.client.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.client.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example Montana, Incheon. |
Okta.Logs.Events.client.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.displayMessage | String | The display message for an event. |
Okta.Logs.Events.eventType | String | Type of event that was published. |
Okta.Logs.Events.outcome.result | String | Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", "UNKNOWN". |
Okta.Logs.Events.outcome.reason | String | Reason for the result. For example, INVALID_CREDENTIALS. |
Okta.Logs.Events.published | String | Timestamp when the event was published. |
Okta.Logs.Events.severity | String | The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR". |
Okta.Logs.Events.securityContext.asNumber | Number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.asOrg | String | Organization associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.isp | String | Internet service provider used to send the event's request. |
Okta.Logs.Events.securityContext.domain | String | The domain name associated with the IP address of the inbound event request. |
Okta.Logs.Events.securityContext.isProxy | String | Specifies whether an event's request is from a known proxy. |
Okta.Logs.Events.request.ipChain.IP | String | IP address. |
Okta.Logs.Events.request.ipChain.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.request.ipChain.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.request.ipChain.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.request.ipChain.source | String | Details regarding the source. |
Okta.Logs.Events.target.id | String | ID of a target. |
Okta.Logs.Events.target.type | String | Type of a target. |
Okta.Logs.Events.target.alternateId | String | Alternative ID of a target. |
Okta.Logs.Events.target.displayName | String | Display name of a target. |
#
Command Example!okta-get-failed-logins since="2019-04-30T00:00:00.000Z" limit=1
#
Context Example#
Human Readable Output#
Failed Login Events
Actor ActorAlternaneId ChainIP Client EventInfo EventOutcome EventSeverity RequestIP Targets Time unknown (User) admin 127.0.0.1 CHROME on Windows 10 Computer User login to Okta FAILURE: VERIFICATION_ERROR INFO 127.0.0.1 - 09/30/2019, 18:42:38
#
okta-get-logsGets logs by providing optional filters.
#
Base Commandokta-get-logs
#
InputArgument Name | Description | Required |
---|---|---|
filter | Useful for performing structured queries where constraints on LogEvent attribute values can be explicitly targeted. The following expressions are supported for events with the filter query parameter: eventType eq " :eventType" -Events that have a specific action; eventType target.id eq ":id" - Events published with a specific target id; actor.id eq ":id" - Events published with a specific actor ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering. | Optional |
query | The query parameter can be used to perform keyword matching against a LogEvents object’s attribute values. To satisfy the constraint, all supplied keywords must be matched exactly. Note that matching is case-insensitive. The following are some examples of common keyword filtering: Events that mention a specific city: query=San Francisco; Events that mention a specific url: query=interestingURI.com; Events that mention a specific person: query=firstName lastName. | Optional |
since | Filters the lower time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z. | Optional |
until | Filters the upper time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z. | Optional |
sortOrder | The order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING. | Optional |
limit | The maximum number of results to return. The default is 100. Default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Logs.Events.actor.alternateId | String | Alternative ID of the actor. |
Okta.Logs.Events.actor.displayName | String | Display name of the actor. |
Okta.Logs.Events.actor.id | String | ID of the actor. |
Okta.Logs.Events.client.userAgent.rawUserAgent | String | A raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
Okta.Logs.Events.client.userAgent.os | String | The operating system on which the client runs. For example, Microsoft Windows 10. |
Okta.Logs.Events.client.userAgent.browser | String | Identifies the type of web browser, if relevant. For example, Chrome. |
Okta.Logs.Events.client.device | String | Type of device from which the client operated. For example, Computer. |
Okta.Logs.Events.client.id | String | For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request. |
Okta.Logs.Events.client.ipAddress | String | IP address from which the client made its request. |
Okta.Logs.Events.client.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.client.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.client.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.displayMessage | String | The display message for an event. |
Okta.Logs.Events.eventType | String | Type of event that was published. |
Okta.Logs.Events.outcome.result | String | Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN". |
Okta.Logs.Events.outcome.reason | String | Reason for the result. For example, INVALID_CREDENTIALS. |
Okta.Logs.Events.published | String | Timestamp when the event was published. |
Okta.Logs.Events.severity | String | The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR". |
Okta.Logs.Events.securityContext.asNumber | Number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.asOrg | String | Organization associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.isp | String | Internet service provider used to send the event's request. |
Okta.Logs.Events.securityContext.domain | String | The domain name associated with the IP address of the inbound event request. |
Okta.Logs.Events.securityContext.isProxy | String | Specifies whether an event's request is from a known proxy. |
Okta.Logs.Events.request.ipChain.IP | String | IP address. |
Okta.Logs.Events.request.ipChain.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.request.ipChain.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.request.ipChain.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.request.ipChain.source | String | Details regarding the source. |
Okta.Logs.Events.target.id | String | ID of a target. |
Okta.Logs.Events.target.type | String | Type of a target. |
Okta.Logs.Events.target.alternateId | String | Alternative ID of a target. |
Okta.Logs.Events.target.displayName | String | Display name of a target. |
#
Command Example!okta-get-logs filter=`actor.id eq "00u66lckvpjidYi0h7"` query=Boardman since="2020-03-03T20:23:17.573Z" limit=1
#
Context Example#
Human Readable Output#
Okta Events
Actor ActorAlternaneId ChainIP Client EventInfo EventOutcome EventSeverity RequestIP Targets Time Test Demisto (User) Test@demisto.com 127.0.0.1 Unknown browser on Unknown OS Unknown device Remove user from group membership SUCCESS INFO 127.0.0.1 test this (User) test1 (UserGroup) 03/03/2020, 20:23:17
#
okta-get-group-assignmentsGets events for when a user was added to a group.
#
Base Commandokta-get-group-assignments
#
InputArgument Name | Description | Required |
---|---|---|
since | Filters the lower time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z. | Optional |
until | Filters the upper time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z. | Optional |
sortOrder | The order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING. | Optional |
limit | The maximum number of results to return. The default is 100. Default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Logs.Events.actor.alternateId | String | Alternative ID of the actor. |
Okta.Logs.Events.actor.displayName | String | Display name of the actor. |
Okta.Logs.Event.actor.id | String | ID of the actor. |
Okta.Logs.Events.client.userAgent.rawUserAgent | String | A raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
Okta.Logs.Events.client.userAgent.os | String | The operating system on which the client runs. For example, Microsoft Windows 10. |
Okta.Logs.Events.client.userAgent.browser | String | Identifies the type of web browser, if relevant. For example, Chrome. |
Okta.Logs.Events.client.device | String | Type of device from which the client operated. For example, Computer. |
Okta.Logs.Events.client.id | String | For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request. |
Okta.Logs.Events.client.ipAddress | String | IP address from which the client made its request. |
Okta.Logs.Events.client.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.client.geographicalContext.state | String | Full name of the state or province encompassing in the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.client.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.displayMessage | String | The display message for an event. |
Okta.Logs.Events.eventType | String | Type of event that was published. |
Okta.Logs.Events.outcome.result | String | Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN". |
Okta.Logs.Events.outcome.reason | Unknown | Reason for the result. For example INVALID_CREDENTIALS. |
Okta.Logs.Events.published | String | Timestamp when the event was published. |
Okta.Logs.Events.severity | String | The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR". |
Okta.Logs.Events.securityContext.asNumber | Number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.asOrg | String | Organization associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.isp | String | Internet service provider used to send the event's request. |
Okta.Logs.Events.securityContext.domain | String | The domain name associated with the IP address of the inbound event request. |
Okta.Logs.Events.securityContext.isProxy | String | Specifies whether an event's request is from a known proxy. |
Okta.Logs.Events.request.ipChain.IP | String | IP address. |
Okta.Logs.Events.request.ipChain.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.request.ipChain.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.request.ipChain.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.request.ipChain.source | String | Details regarding the source. |
Okta.Logs.Events.target.id | String | ID of a target. |
Okta.Logs.Events.target.type | String | Target type. |
Okta.Logs.Events.target.alternateId | String | Alternative ID of a target. |
Okta.Logs.Events.target.displayName | String | Display name of a target. |
#
Command Example!okta-get-group-assignments since="2019-04-30T00:00:00.000Z" limit=1
#
Context Example#
Human Readable Output#
Group Assignment Events
Actor ActorAlternaneId ChainIP Client EventInfo EventOutcome EventSeverity RequestIP Targets Time Test Demisto (User) Test@demisto.com 127.0.0.1 Unknown browser on Unknown OS Unknown device Add user to group membership SUCCESS INFO 127.0.0.1 test this (User) test1 (UserGroup) 09/29/2019, 03:47:46
#
okta-get-application-assignmentsReturns events for when a user was assigned to an application.
#
Base Commandokta-get-application-assignments
#
InputArgument Name | Description | Required |
---|---|---|
since | Filters the lower time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z. | Optional |
until | Filters the upper time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z. | Optional |
sortOrder | The order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING. | Optional |
limit | The maximum number of results to return. The default is 100. Default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Logs.Events.actor.alternateId | String | Alternative ID of the actor. |
Okta.Logs.Events.actor.displayName | String | Display name of the actor. |
Okta.Logs.Event.actor.id | String | ID of the actor. |
Okta.Logs.Events.client.userAgent.rawUserAgent | String | A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
Okta.Logs.Events.client.userAgent.os | String | The OS on which the client runs. For example, Microsoft Windows 10. |
Okta.Logs.Events.client.userAgent.browser | String | Identifies the type of web browser, if relevant. For example, Chrome. |
Okta.Logs.Events.client.device | String | Type of device from which the client operated. For example, Computer. |
Okta.Logs.Events.client.id | String | For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request. |
Okta.Logs.Events.client.ipAddress | String | IP address from which the client made its request. |
Okta.Logs.Events.client.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.client.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.client.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.displayMessage | String | The display message for an event. |
Okta.Logs.Events.eventType | String | Type of event that was published. |
Okta.Logs.Events.outcome.result | String | Result of the action. For example, "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN". |
Okta.Logs.Events.outcome.reason | String | Reason for the result. For example INVALID_CREDENTIALS. |
Okta.Logs.Events.published | String | Timestamp when the event was published. |
Okta.Logs.Events.severity | String | The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR". |
Okta.Logs.Events.securityContext.asNumber | Number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.asOrg | String | Organization associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.isp | String | Internet service provider used to send the event's request. |
Okta.Logs.Events.securityContext.domain | String | The domain name associated with the IP address of the inbound event request. |
Okta.Logs.Events.securityContext.isProxy | String | Specifies whether an event's request is from a known proxy. |
Okta.Logs.Events.request.ipChain.IP | String | IP address. |
Okta.Logs.Events.request.ipChain.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.request.ipChain.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.request.ipChain.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.request.ipChain.source | String | Details regarding the source. |
Okta.Logs.Events.target.id | String | ID of a target. |
Okta.Logs.Events.target.type | String | Type of a target. |
Okta.Logs.Events.target.alternateId | String | Alternative ID of a target. |
Okta.Logs.Events.target.displayName | String | Display name of a target. |
#
Command Example!okta-get-application-assignments since="2019-04-30T00:00:00.000Z" until="2020-02-30T00:00:00.000Z" sortOrder=DESCENDING limit=1
#
Context Example#
Human Readable Output#
Application Assignment Events
Actor ActorAlternaneId ChainIP Client EventInfo EventOutcome EventSeverity RequestIP Targets Time Test Demisto (User) Test@demisto.com 127.0.0.1 Unknown browser on Unknown OS Unknown device Add user to application membership SUCCESS INFO 127.0.0.1 Test 1 that (AppUser) ShrikSAML (AppInstance) Test 1 that (User) 02/27/2020, 17:55:12
#
okta-get-application-authenticationReturns logs using specified filters.
#
Base Commandokta-get-application-authentication
#
InputArgument Name | Description | Required |
---|---|---|
since | Filters the lower time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z. | Optional |
until | Filters the upper time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z. | Optional |
sortOrder | The order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING. | Optional |
limit | The maximum number of results to return. The default is 100. Default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Logs.Events.actor.alternateId | String | Alternative ID of the actor. |
Okta.Logs.Events.actor.displayName | String | Display name of the actor. |
Okta.Logs.Events.actor.id | String | ID of the actor. |
Okta.Logs.Events.client.userAgent.rawUserAgent | String | A raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. |
Okta.Logs.Events.client.userAgent.os | String | The operating system on which the client runs. For example, Microsoft Windows 10. |
Okta.Logs.Events.client.userAgent.browser | String | Identifies the type of web browser, if relevant. For example, Chrome. |
Okta.Logs.Events.client.device | String | Type of device from which the client operated. For example, Computer. |
Okta.Logs.Events.client.id | String | For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request. |
Okta.Logs.Events.client.ipAddress | String | IP address from which the client made its request. |
Okta.Logs.Events.client.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.client.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.client.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.displayMessage | String | The display message for an event. |
Okta.Logs.Events.eventType | String | Type of event that was published. |
Okta.Logs.Events.outcome.result | String | Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN". |
Okta.Logs.Events.outcome.reason | String | Reason for the result. For example INVALID_CREDENTIALS. |
Okta.Logs.Events.published | String | Timestamp when the event was published. |
Okta.Logs.Events.severity | String | The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR". |
Okta.Logs.Events.securityContext.asNumber | Number | Autonomous system number associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.asOrg | String | Organization associated with the autonomous system that the event request was sourced to. |
Okta.Logs.Events.securityContext.isp | String | Internet service provider used to send the event's request. |
Okta.Logs.Events.securityContext.domain | String | The domain name associated with the IP address of the inbound event request. |
Okta.Logs.Events.securityContext.isProxy | String | Specifies whether an event's request is from a known proxy. |
Okta.Logs.Events.request.ipChain.IP | String | IP address. |
Okta.Logs.Events.request.ipChain.geographicalContext.city | String | The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco. |
Okta.Logs.Events.request.ipChain.geographicalContext.state | String | Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon. |
Okta.Logs.Events.request.ipChain.geographicalContext.country | String | Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda. |
Okta.Logs.Events.request.ipChain.source | String | Details regarding the source. |
Okta.Logs.Events.target.id | String | ID of a target. |
Okta.Logs.Events.target.type | String | Type of a target. |
Okta.Logs.Events.target.alternateId | String | Alternative ID of a target. |
Okta.Logs.Events.target.displayName | String | Display name of a target. |
#
Command Example!okta-get-application-authentication since="2019-04-30T00:00:00.000Z" until="2020-02-30T00:00:00.000Z" limit=1
#
Context Example#
Human Readable Output#
Application Authentication Events
Actor ActorAlternaneId ChainIP Client EventInfo EventOutcome EventSeverity RequestIP Targets Time Test Demisto (User) Test@demisto.com 127.0.0.1 CHROME on Mac OS X Computer User single sign on to app SUCCESS INFO 127.0.0.1 BenziPermanent (AppInstance) Test Demisto (AppUser) 10/14/2019, 12:16:53
#
okta-delete-userDeletes the specified user.
#
Base Commandokta-delete-user
#
InputArgument Name | Description | Required |
---|---|---|
userId | Okta User ID. | Optional |
username | Username of the user. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-delete-user username=testForDocs@test.com
#
Human Readable OutputUser: testForDocs@test.com was Deleted successfully
#
okta-clear-user-sessionsRemoves all active identity provider sessions. This forces the user to authenticate upon the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. For more information and examples: https://developer.okta.com/docs/reference/api/users/#user-sessions
#
Base Commandokta-clear-user-sessions
#
InputArgument Name | Description | Required |
---|---|---|
userId | Okta User ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!okta-clear-user-sessions userId=00ui5brmwtJpMdoZZ0h7
#
Human Readable Output#
User session was cleared for: 00ui5brmwtJpMdoZZ0h7
#
okta-list-zonesGet an Okta Zone object.
#
Base Commandokta-list-zones
#
InputArgument Name | Description | Required |
---|---|---|
limit | The maximum number of results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Zone.created | Date | Zone creation timestamp, in the format 2020-04-06T22:23:12.000Z. |
Okta.Zone.gateways.type | String | Gateways IP entry type, e.g., CIDR. |
Okta.Zone.gateways.value | String | Gateways IP entry value, e.g., 34.103.1.108/32. |
Okta.Zone.id | String | Zone ID, e.g., nzoqsmcx1qWYJ6wYF0h7. |
Okta.Zone.lastUpdated | Date | Zone last update timestamp, e.g., 2020-04-06T22:23:12.000Z. |
Okta.Zone.name | String | Zone name. |
Okta.Zone.proxies.type | String | Proxies IP entry type e.g. CIDR. |
Okta.Zone.proxies.value | Unknown | Proxies IP entry value, e.g., 34.103.1.108/32. |
Okta.Zone.status | String | Zone status, e.g., ACTIVE. |
Okta.Zone.system | Number | True if this is a system zone, false if user-created. |
Okta.Zone.type | String | Zone type, e.g., IP. |
#
Command Example!okta-list-zones
#
Context Example#
Human Readable Output#
Okta Zones
name id gateways status system lastUpdated created LegacyIpZone nzo9rbw8evGOFV1VE0h7 {'type': 'CIDR', 'value': '2.2.2.2/32'} ACTIVE true 2020-04-23T08:58:55.000Z 2017-03-03T22:05:24.000Z MyZone nzoqsmcx1qWYJ6wY33h7 {'type': 'CIDR', 'value': '3.3.3.4/32'},
{'type': 'CIDR', 'value': '5.5.5.3/32'},
{'type': 'CIDR', 'value': '3.3.3.1/32'},
{'type': 'CIDR', 'value': '2.2.2.3/32'}ACTIVE false 2020-06-05T08:57:57.000Z 2020-04-06T22:23:12.000Z
#
okta-update-zoneUpdate an Okta Zone.
#
Base Commandokta-update-zone
#
InputArgument Name | Description | Required |
---|---|---|
zoneID | Zone ID to update, e.g., nzoqsmcx1qWYJ6wYF0h7. | Required |
zoneName | Updates the zone name. | Optional |
gatewayIPs | Updates Gateway IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2). | Optional |
proxyIPs | Update Proxy IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Zone.created | Date | Zone creation timestamp, e.g., 2020-04-06T22:23:12.000Z. |
Okta.Zone.gateways.type | String | Gateways IP entry type, e.g., CIDR. |
Okta.Zone.gateways.value | String | Gateways IP entry value, e.g., 34.103.1.108/32. |
Okta.Zone.id | String | Okta Zone ID, e.g., nzoqsmcx1qWYJ6wYF0h7. |
Okta.Zone.lastUpdated | Date | Zone last update timestamp, in the format 2020-04-06T22:23:12.000Z. |
Okta.Zone.name | String | Zone name. |
Okta.Zone.proxies.type | String | Proxies IP entry type, e.g., CIDR. |
Okta.Zone.proxies.value | Unknown | Proxies IP entry value, e.g., 34.103.1.108/32. |
Okta.Zone.status | String | Zone status, e.g., ACTIVE. |
Okta.Zone.system | Number | True if this is a system zone, false if user-created. |
Okta.Zone.type | String | Zone type, e.g., IP. |
#
Command Example!okta-update-zone zoneID=nzoqsmcx1qWYJ6wY33h7 zoneName=MyZone
#
Context Example#
Human Readable Output#
Okta Zones
name id gateways status system lastUpdated created MyZone nzoqsmcx1qWYJ6wY33h7 {'type': 'CIDR', 'value': '1.3.1.5/32'},
{'type': 'CIDR', 'value': '1.3.1.5/32'},
{'type': 'CIDR', 'value': '1.3.1.5/32'},
{'type': 'CIDR', 'value': '1.3.1.5/32'}ACTIVE false 2020-06-05T08:57:57.000Z 2020-04-06T22:23:12.000Z
#
okta-get-zoneGet a Zone by its ID.
#
Base Commandokta-get-zone
#
InputArgument Name | Description | Required |
---|---|---|
zoneID | Zone ID to get, e.g., nzoqsmcx1qWYJ6wYF0h.7. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Okta.Zone.created | Date | Zone creation timestamp, in the format 2020-04-06T22:23:12.000Z. |
Okta.Zone.gateways.type | String | Gateways IP entry type, e.g., CIDR. |
Okta.Zone.gateways.value | String | Gateways IP entry value, e.g., 34.103.1.108/32. |
Okta.Zone.id | String | Okta Zone ID, e.g., nzoqsmcx1qWYJ6wYF0h7. |
Okta.Zone.lastUpdated | Date | Zone last update timestamp, in the format 2020-04-06T22:23:12.000Z. |
Okta.Zone.name | String | Zone name. |
Okta.Zone.proxies.type | String | Proxies IP entry type, e.g., CIDR. |
Okta.Zone.proxies.value | Unknown | Proxies IP entry value, e.g., 34.103.1.108/32. |
Okta.Zone.status | String | Zone status, e.g,. ACTIVE. |
Okta.Zone.system | Number | True if this is a system zone, false if user-created. |
Okta.Zone.type | String | Zone type, e.g., IP. |
#
Command Example!okta-get-zone zoneID=nzoqsmcx1qWYJ6wY33h7
#
Context Example#
Human Readable Output#
Okta Zones
name id gateways status system lastUpdated created MyZone nzoqsmcx1qWYJ6wY33h7 {'type': 'CIDR', 'value': '1.3.1.3/32'},
{'type': 'CIDR', 'value': '3.5.146.103/32'},
{'type': 'CIDR', 'value': '3.5.1.228/32'},
{'type': 'CIDR', 'value': '3.5.1.229/32'}ACTIVE false 2020-06-05T08:57:57.000Z 2020-04-06T22:23:12.000Z
#
okta-list-usersLists users in your organization.
#
Base Commandokta-list-users
#
InputArgument Name | Description | Required |
---|---|---|
verbose | Whether to return extended user information. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false. | Optional |
limit | The maximum number of results to return. | Optional |
query | Searches the name property of groups for matching values. | Optional |
filter | Useful for performing structured queries where constraints on group attribute values can be explicitly targeted. The following expressions are supported(among others) for groups with the filter query parameter: type eq "OKTA_GROUP" - Groups that have a type of OKTA_GROUP; lastUpdated lt "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with profile last updated before a specific timestamp; lastMembershipUpdated eq "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with memberships last updated at a specific timestamp; id eq "00g1emaKYZTWRYYRRTSK" - Group with a specified ID. | |
For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering. | Optional | |
after | The cursor in which to retrive the results from and on. If the query didn't reach the end of results, the tag will be found in the readable output under the tag key. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.ID | String | Okta account ID. |
Account.Email | String | Okta account email. |
Account.Username | String | Okta account username. |
Account.DisplayName | String | Okta account display name. |
Account.Status | String | Okta account status. |
Account.Created | Date | Timestamp for when the user was created. |
Account.Activated | Date | Timestamp for when the user was activated. |
Account.StatusChanged | Date | Timestamp for when the user's status was last changed. |
Account.PasswordChanged | Date | Timestamp for when the user's password was last changed. |
Okta.User.tag | String | The location of the next item, used with after param. |
#
Command Example!okta-list-users
#
Context Example#
Human Readable Output#
Okta users found:#
Users
First Name ID Last Login Last Name Login Mobile Phone Status Dbot XXXXX XSOAR dbot@xsoar.com STAGED #
tag: test12tag#
okta-create-zone
Creates a Zone with the specified name.
#
Base Commandokta-create-zone
#
InputArgument Name | Description | Required |
---|---|---|
name | Zone name. | Required |
gateway_ips | Update Gateway IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2). | Optional |
proxies | Update Proxy IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2). | Optional |
#
Context OutputThere is no context output for this command.
#
okta-create-groupCreate a new group in Okta tenant.
#
Base Commandokta-create-group
#
InputArgument Name | Description | Required |
---|---|---|
name | Name of the group to add. | Required |
description | Description of the group to add. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
OktaGroup.ID | Unknown | Group ID in Okta. |
OktaGroup.Name | Unknown | Group name in Okta. |
OktaGroup.Description | Unknown | Group description in Okta. |
OktaGroup.Type | Unknown | Group type in Okta. |
#
Command example!okta-create-group name="TestGroup" description="TestGroup description."
#
Context Example#
Human Readable OutputGroup Created: [GroupID:00g3qb398kItYXzKd1d7, GroupName: TestGroup]
#
okta-assign-group-to-appAssign a group to an application.
#
Base Commandokta-assign-group-to-app
#
InputArgument Name | Description | Required |
---|---|---|
groupName | Name of the group to assign to the app. | Optional |
groupId | ID of the group to assign to the app. | Optional |
appName | Friendly name of the app that the group will be assigned to. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!okta-assign-group-to-app appName="Default-App" groupName="TestGroup"
#
Human Readable OutputGroup: TestGroup added to PA App successfully
#
okta-expire-password
Expires a password for an existing Okta user.
#
Base Commandokta-expire-password
#
InputArgument Name | Description | Required |
---|---|---|
username | Okta username for which to expire the password. | Required |
temporary_password | When true, you'll need to change the password in the next login. Possible values are: true, false. Default is false. | Optional |
revoke_session | When true, revokes the user's existing sessions. | Optional |
hide_password | When true, prevents the password from being saved in the war room. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Account.Activated | Date | Timestamp for when the user was activated. |
Account.Created | Date | Timestamp for when the user was created. |
Account.DisplayName | String | Okta account display name. |
Account.Email | String | Okta account email. |
Account.ID | String | Created Okta account ID. |
Account.PasswordChanged | Date | Timestamp for when the user's password was last changed. |
Account.Status | String | Okta account current status. |
Account.StatusChanged | Date | Timestamp for when the user's status was last changed. |
Account.Type | String | Okta account type. |
Account.Username | String | Okta account usernames returned by the search. |
#
Command example!okta-expire-password username="4x1xh5rl@test.com" temporary_password="false"
#
Context Example#
Human Readable Output#
Okta Expired Password
_links activated created credentials id lastUpdated passwordChanged profile status statusChanged type suspend: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/suspend", "method": "POST"}
schema: {"href": "https://test.oktapreview.com/api/v1/meta/schemas/user/osc66lckcvDyVcGzS0h7"}
resetPassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/reset_password", "method": "POST"}
forgotPassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/credentials/forgot_password", "method": "POST"}
expirePassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/expire_password", "method": "POST"}
changeRecoveryQuestion: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/credentials/change_recovery_question", "method": "POST"}
self: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8"}
type: {"href": "https://test.oktapreview.com/api/v1/meta/types/user/oty66lckcvDyVcGzS0h7"}
changePassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/credentials/change_password", "method": "POST"}
deactivate: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/deactivate", "method": "POST"}2022-06-20T04:48:04.000Z 2022-06-20T04:47:59.000Z password: {}
recovery_question: {"question": "whats the first school?"}
provider: {"type": "OKTA", "name": "OKTA"}00u19cr5qv91HjELI0h8 2023-09-10T12:56:04.000Z 2022-06-20T04:48:07.000Z firstName: Test 1
lastName: Test1
preferredLanguage: en
mobilePhone: null
city: Tel-Aviv
displayName: Test 1 that
nickName: Testush
secondEmail: null
login: 4x1xh5rl@test.com
email: 4x1xh5rl@test.com
employeeNumber: 12345PASSWORD_EXPIRED 2023-09-10T12:56:04.000Z id: oty66lckcvDyVcGzS0h7
#
okta-auth-resetReset OAuth authentication data (authentication process will start from the beginning, and a new token will be generated).
#
Base Commandokta-auth-reset
#
InputThere are no input arguments for this command.
#
Context OutputThere is no context output for this command.