Skip to main content

Okta v2

This Integration is part of the Okta Pack.#

Integration with Okta's cloud-based identity management service.

Configure Okta v2 in Cortex#

API Token Authentication Prerequisites#

  1. Sign in to your Okta organization as a user with administrator privileges.
  2. On the Admin Console, select Security > API from the menu, and then select the Tokens tab.
  3. Click Create Token.
  4. Name your token and click Create Token.

Notes#

  • API tokens have the same permissions as the user who creates them, and if the permissions of a user change, so do the permissions of the API token.
  • If more than one certificate is assigned to the application, the Key ID parameter is required to specify which certificate to use for signing the JWT token.

For more information, see the 'Create an API token' official documentation article.

OAuth 2.0 Authentication Prerequisites#

Required Scopes#

The following scopes are required for the Okta v2 integration to work properly:

  • okta.apps.manage
  • okta.apps.read
  • okta.groups.manage
  • okta.groups.read
  • okta.logs.read
  • okta.networkZones.manage
  • okta.networkZones.read
  • okta.sessions.manage
  • okta.sessions.read
  • okta.users.manage
  • okta.users.read
  1. Sign in to Okta Admin Console.
  2. In the Admin Console, go to Applications > Applications.
  3. Click Create App Integration.
  4. Select API Services as the sign-in method, and click Next.
  5. Enter the desired name for the created app (e.g., "Cortex XSOAR"), and click Save.
  6. In the app configuration page, under the General tab and the Client Credentials section, select Public key / Private key for the Client authentication option.
  7. Under the newly added PUBLIC KEYS section, click Add Key.
  8. In the Add Public Key dialog box, click Generate new key. Make sure to copy the generated private key (in PEM format) to somewhere safe, and click Save.
  9. Under the General Settings section:
    1. Next to the Proof of possession label, uncheck the Require Demonstrating Proof of Possession (DPoP) header in token requests option if it's selected.
    2. Next to the Grant type label, make sure the Client Credentials option is selected, and that the Token Exchange option is not selected.
    3. Click Save.
  10. Under the Okta API Scopes tab, grant the required scopes mentioned above for the app.
  11. Under the Admin roles tab:
    1. Click Edit assignments.
    2. In the dropdown list under "Role", select Super Administrator.
    3. Click Save changes at the top.

For more information, see the 'Implement OAuth for Okta' official documentation article.

Instance Configuration#

ParameterDescriptionRequired
Okta URL (https://<domain>.okta.com)True
API TokenFalse
Use OAuth 2.0 AuthenticationSee detailed instructions on the 'Help' tab.False
Client IDRequired and used if OAuth 2.0 is used for authentication. See detailed instructions on the 'Help' tab.False
Private KeyIn PEM format. Required and used if OAuth 2.0 is used for authentication. See detailed instructions on the 'Help' tab.False
JWT Signing AlgorithmAlgorithm to sign generated JWT tokens with. Doesn't affect integration's functionality. Required and used if OAuth 2.0 is used for authentication. See detailed instructions on the 'Help' tab.False
Key IDRequired and used if more than one key is used for signing JWT tokens.False
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

okta-unlock-user#


Unlocks a single user.

Base Command#

okta-unlock-user

Input#

Argument NameDescriptionRequired
usernameUsername to unlock.Required

Context Output#

There is no context output for this command.

Command Example#

!okta-unlock-user username=testForDocs@test.com

Human Readable Output#

User testForDocs@test.com unlocked

okta-deactivate-user#


Deactivates a single user.

Base Command#

okta-deactivate-user

Input#

Argument NameDescriptionRequired
usernameUsername to deactivate.Required

Context Output#

There is no context output for this command.

Command Example#

!okta-deactivate-user username=testForDocs@test.com

Human Readable Output#

User testForDocs@test.com deactivated

okta-activate-user#


Activates a single user.

Base Command#

okta-activate-user

Input#

Argument NameDescriptionRequired
usernameUsername to activate.Required

Context Output#

There is no context output for this command.

Command Example#

!okta-activate-user username=testForDocs@test.com

Human Readable Output#

testForDocs@test.com is active now#

okta-suspend-user#


Suspends a single user. This operation can only be performed on users with an ACTIVE status. After the porcess is completed, the user's status is SUSPENDED.

Base Command#

okta-suspend-user

Input#

Argument NameDescriptionRequired
usernameUsername to suspend.Required

Context Output#

There is no context output for this command.

Command Example#

!okta-suspend-user username=testForDocs@test.com

Human Readable Output#

testForDocs@test.com status is Suspended#

okta-unsuspend-user#


Returns a single user to ACTIVE status. This operation can only be performed on users that have a SUSPENDED status.

Base Command#

okta-unsuspend-user

Input#

Argument NameDescriptionRequired
usernameUsername to change the status to ACTIVE.Required

Context Output#

There is no context output for this command.

Command Example#

!okta-unsuspend-user username=testForDocs@test.com

Human Readable Output#

testForDocs@test.com is no longer SUSPENDED#

okta-get-user-factors#


Returns all the enrolled factors for the specified user.

Base Command#

okta-get-user-factors

Input#

Argument NameDescriptionRequired
usernameUsername for which to return all enrolled factors.Optional
userIdUser ID of the user for which to get all enrolled factors.Optional

Context Output#

PathTypeDescription
Account.IDStringOkta account ID.
Account.Factor.IDStringOkta account factor ID.
Account.Factor.ProviderStringOkta account factor provider.
Account.Factor.ProfileStringOkta account factor profile.
Account.Factor.FactorTypeStringOkta account factor type.
Account.Factor.StatusUnknownOkta account factor status.
Command Example#

!okta-get-user-factors username=factor@test.com

Context Example#
{
"Account": {
"Factor": [
{
"FactorType": "sms",
"ID": "mblpt21nffaaN5F060h7",
"Profile": {
"phoneNumber": "+12025550191"
},
"Provider": "OKTA",
"Status": "PENDING_ACTIVATION"
},
{
"FactorType": "token:software:totp",
"ID": "uftpt24kdrDJ7fDOq0h7",
"Profile": {
"credentialId": "factor@test.com"
},
"Provider": "GOOGLE",
"Status": "PENDING_ACTIVATION"
},
{
"FactorType": "push",
"ID": "opfpt1joeaArlg27g0h7",
"Provider": "OKTA",
"Status": "PENDING_ACTIVATION"
}
],
"ID": "00upt1w8tgFQM2v6t4"
}
}
Human Readable Output#

Factors for user: 00upt1w8tgFQM2v0h7

Factors#

FactorTypeIDProfileProviderStatus
smsmbgt21nffaaN5F060h7phoneNumber: +12025550191OKTAPENDING_ACTIVATION
token:software:totpuftptgdrDJ7fDOq0h7credentialId: factor@test.comGOOGLEPENDING_ACTIVATION
pushopfg1joeaArlg27g0h7OKTAPENDING_ACTIVATION

okta-reset-factor#


Un-enrolls an existing factor for the specified user. This enables the user to enroll a new factor.

Base Command#

okta-reset-factor

Input#

Argument NameDescriptionRequired
userIdThe user ID.Optional
usernameUsername for which to un-enroll an existing factor.Optional
factorIdThe ID of the factor to reset.Required

Context Output#

There is no context output for this command.

Command Example#

!okta-reset-factor factorId=ufsq7cvptfbjQa72c0h7 userId=00upt1w8t40wFQM2v6t4

Human Readable Output#

Factor: ufsq7cvptfbjQa72c0h7 deleted

okta-set-password#


Sets passwords without validating existing user credentials.

Base Command#

okta-set-password

Input#

Argument NameDescriptionRequired
usernameOkta username for which to set the password.Required
passwordThe new password to set for the user.Required
temporary_passwordWhen true, you'll need to change the password in the next login. Possible values are: true, false. Default is false.Optional

Context Output#

There is no context output for this command.

Command Example#

!okta-set-password username=testForDocs@test.com password=N3wPa55word!

Human Readable Output#

testForDocs@test.com password was last changed on 2020-03-26T13:57:13.000Z

okta-add-to-group#


Adds a user to a group with OKTA_GROUP type.

Base Command#

okta-add-to-group

Input#

Argument NameDescriptionRequired
userIdID of the user to add to the group.Optional
usernameName of the user to add to the group.Optional
groupIdID of the group to add the user to.Optional
groupNameName of the group to add the user to.Optional

Context Output#

There is no context output for this command.

Command Example#

!okta-add-to-group groupName=Demisto username=testForDocs@test.com

Human Readable Output#

User: 00uqk1qesl3k0SRbH0h7 added to group: Demisto successfully

okta-remove-from-group#


Removes a user from a group with OKTA_GROUP type.

Base Command#

okta-remove-from-group

Input#

Argument NameDescriptionRequired
userIdID of the user to remove from the group.Optional
usernameName of the user to remove from the group.Optional
groupIdID of the group to remove the user from.Optional
groupNameName of the group to remove the user from.Optional

Context Output#

There is no context output for this command.

Command Example#

!okta-remove-from-group groupName=demisto username=testForDocs@test.com

Human Readable Output#

User: 00uqk1qesl3k0SRbH0h7 was removed from group: demisto successfully

okta-get-groups#


Returns all user groups associated with a specified user.

Base Command#

okta-get-groups

Input#

Argument NameDescriptionRequired
usernameUsername in Okta for which to get the associated groups.Required

Context Output#

PathTypeDescription
Account.GroupUnknownOkta groups with which the account is associated.
Account.IDStringOkta account ID.
Account.TypeStringOkta account type.
Account.Group.IDStringUnique key for the group.
Account.Group.CreatedDateTimestamp when the group was created.
Account.Group.ObjectClassStringThe object class, which determines the group's profile.
Account.Group.LastUpdatedDateTimestamp when the group's profile was last updated.
Account.Group.LastMembershipUpdatedDateTimestamp when the group's memberships were last updated.
Account.Group.TypeStringGroup type, which determines how a group's profile and memberships are managed.
Account.Group.DescriptionStringDescription of the group.
Account.Group.NameStringName of the group.
Command Example#

!okta-get-groups username=testForDocs@test.com

Context Example#
{
"Account": {
"Group": [
{
"Created": "2016-04-12T15:01:50.000Z",
"Description": "All users in your organization",
"ID": "00g66lckcsAJpLcNc0h7",
"LastMembershipUpdated": "2020-03-26T13:56:49.000Z",
"LastUpdated": "2016-04-12T15:01:50.000Z",
"Name": "Everyone",
"ObjectClass": [
"okta:user_group"
],
"Type": "BUILT_IN"
},
{
"Created": "2018-01-19T02:02:06.000Z",
"ID": "00gdougcq3zEaf7c50h7",
"LastMembershipUpdated": "2020-03-26T13:49:47.000Z",
"LastUpdated": "2018-01-19T02:02:06.000Z",
"Name": "Demisto",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
],
"ID": "00uqk1qesl3k0SRbH0h7",
"Type": "Okta"
}
}
Human Readable Output#

Okta groups for user: testForDocs@test.com

Groups#

CreatedDescriptionIDLastMembershipUpdatedLastUpdatedNameObjectClassType
2016-04-12T15:01:50.000ZAll users in your organization00g66lckgAJpLcNc0h72020-03-26T13:56:49.000Z2016-04-12T15:01:50.000ZEveryoneokta:user_groupBUILT_IN
2018-01-19T02:02:06.000Z00gdougcgzEaf7c50h72020-03-26T13:49:47.000Z2018-01-19T02:02:06.000ZDemistookta:user_groupOKTA_GROUP

okta-verify-push-factor#


Enrolls and verifies a push factor for the specified user.

Base Command#

okta-verify-push-factor

Input#

Argument NameDescriptionRequired
userIdThe ID of the user to enroll and verify.Required
factorIdThe push factor ID.Required

Context Output#

PathTypeDescription
Account.IDStringOkta user ID.
Account.VerifyPushResultStringOkta user push factor result.
Command Example#

!okta-verify-push-factor factorId=opfpt1joeaArlg27g0h7 userId=00upt1w8t40wFQM2v0h7

Human Readable Output#

Verify push factor result for user 00upt1w8t40wgQM2v0h7: WAITING

Context Example#
{
"factorResult": "WAITING",
"profile": {
"credentialId": "test@this.com",
"deviceType": "SmartPhone_IPhone",
"keys": [
{
"kty": "EC",
"use": "sig",
"kid": "default",
"x": "3Y53lDoQYwzzVbjsbsPnqOnVaotIrVByQh5Sa-RwOHQ",
"y": "0zHY_y9rVh-bq_-lR-MrmzNtUZrrIMbTrsjtxUyUT2Q",
"crv": "P-256"
}
],
"name": "iPhone (5)",
"platform": "IOS",
"version": "13.1.3"
},
"expiresAt": "2020-02-24T11:37:08.000Z",
"_links": {
"cancel": {
"href": "https://test.com/api/v1/users/00upt1w8t40wgQM2v0h7/factors/FactorID/transactions/TransactionID",
"hints": {
"allow": [
"DELETE"
]
}
},
"poll": {
"href": "https://test.com/api/v1/users/00upt1w8t40wgQM2v0h7/factors/FactorID/transactions/TransactionID",
"hints": {
"allow": [
"GET"
]
}
}
}
}

okta-search#


Searches for Okta users.

Base Command#

okta-search

Input#

Argument NameDescriptionRequired
termTerm by which to search. Can be a first name, last name, or email address. The argument term or advanced_search is required.Optional
advanced_searchSearches for users with a supported filtering expression for most properties, including custom-defined properties. The argument term or advanced_search is required.Optional
limitThe maximum number of results to return. The default and maximum is 200.Optional
verboseWhether to return details of users that match the found term. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
Account.IDStringOkta account IDs returned by the search.
Account.UsernameStringOkta account usernames returned by the search.
Account.EmailStringOkta account emails returned by the search.
Account.DisplayNameStringOkta account display names returned by the search.
Account.TypeStringOkta account type returned by the search.
Account.StatusStringOkta account current status.
Account.CreatedDateTimestamp for when the user was created.
Account.ActivatedDateTimestamp for when the user was activated.
Account.StatusChangedDateTimestamp for when the user's status was last changed.
Account.PasswordChangedDateTimestamp for when the user's password was last changed.
Command Example#

!okta-search term=test verbose=true

Context Example#
{
"Account": [
{
"Activated": "2020-02-12T14:03:51.000Z",
"Created": "2020-02-12T14:03:50.000Z",
"DisplayName": "bar test",
"Email": "bartest@test.com",
"ID": "00uppjeleqJQ2kkN80h7",
"Status": "PROVISIONED",
"StatusChanged": "2020-02-12T14:03:51.000Z",
"Type": "Okta",
"Username": "bartest@test.com"
},
{
"Activated": "2020-02-19T12:33:20.000Z",
"Created": "2018-07-31T12:48:33.000Z",
"DisplayName": "test that",
"Email": "test@that.com",
"ID": "00ufufhqits3y78Ju0h7",
"PasswordChanged": "2020-02-06T13:32:56.000Z",
"Status": "PROVISIONED",
"StatusChanged": "2020-02-19T12:33:20.000Z",
"Type": "Okta",
"Username": "test@that.com"
},
{
"Activated": "2020-03-26T13:56:52.000Z",
"Created": "2020-03-26T13:56:49.000Z",
"DisplayName": "test that",
"Email": "testForDocs@test.com",
"ID": "00uqk1qesl3k0SRbH0h7",
"PasswordChanged": "2020-03-26T13:56:50.000Z",
"Status": "ACTIVE",
"StatusChanged": "2020-03-26T13:56:52.000Z",
"Type": "Okta",
"Username": "testForDocs@test.com"
}
]
}
Human Readable Output#

Okta users found: User:bartest@test.com

Profile#

EmailFirst NameLast NameLoginMobile PhoneSecond Email
bartest@test.combartestbartest@test.com
Additional Data#
ActivatedCreatedCredentialsIDLast LoginLast UpdatedPassword ChangedStatusStatus ChangedType_links
2020-02-12T14:03:51.000Z2020-02-12T14:03:50.000Zprovider: {"type": "OKTA", "name": "OKTA"}00uppjeleqJQ2kkN80h72020-02-12T14:03:51.000ZPROVISIONEDid: oty66lckcvDyVcGzS0h7self: {"href": "https://yourdomain.okta.com/api/v1/users/00uppjeleqJQ2kkN80h7"}
User:test@that.com#
Profile#
EmailFirst NameLast NameLoginMobile PhoneSecond Email
test@that.comtestthattest@that.comtest@that.com
Additional Data#
ActivatedCreatedCredentialsIDLast LoginLast UpdatedPassword ChangedStatusStatus ChangedType_links
2020-02-19T12:33:20.000Z2018-07-31T12:48:33.000Zprovider: {"type": "OKTA", "name": "OKTA"}00ufufhqits3y78Ju0h72020-02-19T12:33:20.000Z2020-02-06T13:32:56.000ZPROVISIONEDid: oty66lckcvDyVcGzS0h7self: {"href": "https://yourdomain.okta.com/api/v1/users/00ufufhqits3y78Ju0h7"}
User:testForDocs@test.com#
Profile#
EmailFirst NameLast NameLoginMobile PhoneSecond Email
testForDocs@test.comtestthattestForDocs@test.com
Additional Data#
ActivatedCreatedCredentialsIDLast LoginLast UpdatedPassword ChangedStatusStatus ChangedType_links
2020-03-26T13:56:52.000Z2020-03-26T13:56:49.000Zpassword: {}recovery_question: {"question": "whats is your favourite integration"}provider: {"type": "OKTA", "name": "OKTA"}00uqk1qesl3k0SRbH0h72020-03-26T13:56:52.000Z2020-03-26T13:56:50.000ZACTIVEid: oty66lckcvDyVcGzS0h7self: {"href": "https://yourdomain.okta.com/api/v1/users/00uqk1qesl3k0SRbH0h7"}

okta-get-user#


Fetches information for a single user. You must enter one or more parameters for the command to run.

Base Command#

okta-get-user

Input#

Argument NameDescriptionRequired
usernameOkta username for which to get information.Optional
userIdUser ID of the user for which to get information.Optional
verboseWhether to return extended user information. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
Account.IDStringOkta account ID.
Account.EmailStringOkta account email.
Account.UsernameStringOkta account username.
Account.DisplayNameStringOkta account display name.
Account.StatusStringOkta account status.
Account.CreatedDateTimestamp for when the user was created.
Account.ActivatedDateTimestamp for when the user was activated.
Account.StatusChangedDateTimestamp for when the user's status was last changed.
Account.PasswordChangedDateTimestamp for when the user's password was last changed.
Account.ManagerStringThe manager.
Account.ManagerEmailStringThe manager email.
Command Example#

!okta-get-user username=testForDocs@test.com verbose=true

Context Example#
{
"Account": {
"Activated": "2020-03-26T13:56:52.000Z",
"Created": "2020-03-26T13:56:49.000Z",
"DisplayName": "test that",
"Email": "testForDocs@test.com",
"ID": "00uqk1qesl3k0SRbH0h7",
"Manager": "manager@test.com",
"ManagerEmail": null,
"PasswordChanged": "2020-03-26T13:56:50.000Z",
"Status": "ACTIVE",
"StatusChanged": "2020-03-26T13:56:52.000Z",
"Type": "Okta",
"Username": "testForDocs@test.com"
}
}
Human Readable Output#

User:testForDocs@test.com#

Profile#

EmailFirst NameLast NameLoginManagerManager EmailMobile PhoneSecond Email
testForDocs@test.comtestthattestForDocs@test.commanager@test.com
Additional Data#
ActivatedCreatedCredentialsIDLast LoginLast UpdatedPassword ChangedStatusStatus ChangedType_links
2020-03-26T13:56:52.000Z2020-03-26T13:56:49.000Zpassword: {}recovery_question: {"question": "whats is your favourite integration"} provider: {"type": "OKTA", "name": "OKTA"}00uqk1qesl3k0SRbH0h72020-03-26T13:56:52.000Z2020-03-26T13:56:50.000ZACTIVEid: oty66lckcvDyVcGzS0h7links

okta-list-users#


Lists users in your organization.

Base Command#

okta-list-users

Input#

Argument NameDescriptionRequired
afterThe cursor in which to retrive the results from and on. if the query didn't reach the end of results, the tag can be obtained from the bottom of the grid in the readable output, or in the context path Okta.User.tag.Optional
limitThe maximum number of results to return. Default is 200.Optional
verboseWhether to return extended user information. Possible values are: true, false. Default is false.Optional
querySearches the name property of groups for matching values.Optional
filterUseful for performing structured queries where constraints on group attribute values can be explicitly targeted.
The following expressions are supported(among others) for groups with the filter query parameter:
type eq "OKTA_GROUP" - Groups that have a type of OKTA_GROUP; lastUpdated lt "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with profile last updated before a specific timestamp; lastMembershipUpdated eq "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with memberships last updated at a specific timestamp; id eq "00g1emaKYZTWRYYRRTSK" - Group with a specified ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering.
Optional

Context Output#

PathTypeDescription
Account.IDStringOkta account ID.
Account.EmailStringOkta account email.
Account.UsernameStringOkta account username.
Account.DisplayNameStringOkta account display name.
Account.StatusStringOkta account status.
Account.CreatedDateTimestamp for when the user was created.
Account.ActivatedDateTimestamp for when the user was activated.
Account.StatusChangedDateTimestamp for when the user's status was last changed.
Account.PasswordChangedDateTimestamp for when the user's password was last changed.
Okta.User.tagStringThe location of the next item, used with after param.

okta-create-user#


Creates a new user with an option of setting a password, recovery question, and answer. The new user will immediately be able to log in after activation with the assigned password. This flow is common when developing a custom user registration experience.

Base Command#

okta-create-user

Input#

Argument NameDescriptionRequired
firstNameFirst name of the user (givenName).Required
lastNameFamily name of the user (familyName).Required
emailPrimary email address of the user.Required
loginUnique identifier for the user (username).Required
secondEmailSecondary email address of user. Usually used for account recovery.Optional
middleNameMiddle name(s) of the user.Optional
honorificPrefixA comma-separated list of honorific prefix(es) of the user, or title in most Western languages.Optional
honorificSuffixA comma-separated list of honorific suffix(es) of the user.Optional
titleUser's title. for example, Vice President.Optional
displayNameDisplay name of the user.Optional
nickNameCasual way to address the user (nick name).Optional
profileUrlURL of the user online profile. For example, a web page.Optional
primaryPhonePrimary phone number of the user.Optional
mobilePhoneMobile phone number of the user.Optional
streetAddressFull street address component of the user's address.Optional
cityCity or locality component of the user's address (locality).Optional
stateState or region component of the user's address (region).Optional
zipCodeZip code or postal code component of the user's address (postalCode).Optional
countryCodeCountry name component of the user's address (country).Optional
postalAddressMailing address component of the user's address.Optional
preferredLanguageUser's preferred written or spoken languages.Optional
localeUser's default location, for purposes of localizing items such as currency, date-time format, numerical representations, etc.Optional
timezoneUser's time zone.Optional
userTypeThe user type, which is used to identify the organization-to-user relationship such as "Employee" or "Contractor".Optional
employeeNumberOrganization or company assigned unique identifier for the user.Optional
costCenterName of a cost center the user is assigned to.Optional
organizationName of the user's organization.Optional
divisionName of the user's division.Optional
departmentName of the user's department.Optional
managerIdID of the user's manager.Optional
managerDisplay name of the user's manager.Optional
passwordPassword for the new user.Optional
passwordQuestionPassword question for the new user.Optional
passwordAnswerPassword answer for question.Optional
providerTypeThe provider type. Can be "OKTA", "ACTIVE_DIRECTORY", "LDAP", "FEDERATION", or "SOCIAL". Possible values are: OKTA, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL.Optional
providerNameName of the provider.Optional
groupIdsIDs of groups that the user will be immediately added to at time of creation (does Not include default group).Optional
activateWhether to activate the lifecycle operation when creating the user. Can be "true" or "false". Possible values are: true, false.Optional

Context Output#

PathTypeDescription
Account.IDStringCreated Okta account ID.
Account.EmailStringCreated Okta account email address.
Account.UsernameStringCreated okta account username.
Account.DisplayNameStringCreated Okta account display name.
Account.TypeStringType of created account - Okta.
Account.StatusStringOkta account current status.
Account.CreatedDateTimestamp for when the user was created.
Account.ActivatedDateTimestamp for when the user was activated.
Account.StatusChangedDateTimestamp for when the user's status was last changed.
Account.PasswordChangedDateTimestamp for when the user's password was last changed.
Command Example#

!okta-create-user email=testForDocs@test.com firstName=test lastName=that login=testForDocs@test.com password=Pa55word! passwordQuestion="whats is your favourite integration" passwordAnswer="Okta of course"

Context Example#
{
"Account": {
"Activated": null,
"Created": "2020-03-26T13:56:49.000Z",
"DisplayName": "test that",
"Email": "testForDocs@test.com",
"ID": "00uqk1qesl3k0SRbH0h7",
"PasswordChanged": "2020-03-26T13:56:50.000Z",
"Status": "STAGED",
"StatusChanged": null,
"Type": "Okta",
"Username": "testForDocs@test.com"
}
}
Human Readable Output#

Okta User Created: testForDocs@test.com:#

First NameIDLast LoginLast NameLoginMobile PhoneStatus
test00uqk1qesl3k0SRbH0h7thattestForDocs@test.comSTAGED

okta-update-user#


Updates a user with a given login. All fields are optional. Fields which are not set, will not be overwritten.

Base Command#

okta-update-user

Input#

Argument NameDescriptionRequired
firstNameFirst name of the user (given name).Optional
lastNameFamily name of the user.Optional
emailPrimary email address of the user.Optional
usernameUnique identifier for the user (login).Required
secondEmailSecondary email address of the user (typically used for account recovery.Optional
middleNameMiddle name(s) of the user.Optional
honorificPrefixHonorific prefix(es) of the user, or title in most Western languages.Optional
honorificSuffixHonorific suffix(es) of the user.Optional
titleUser's title. For example, Vice President.Optional
displayNameDisplay name of the user.Optional
nickNameCasual way to address the user in real life (nick name).Optional
profileUrlURL of the user's online profile. For example, a web page.Optional
primaryPhonePrimary phone number of the user.Optional
mobilePhoneMobile phone number of the user.Optional
streetAddressFull street address component of the user's address.Optional
cityCity or locality component of the user's address (locality).Optional
stateState or region component of the user's address (region).Optional
zipCodeZip code or postal code component of the user's address (postalCode).Optional
countryCodeCountry name component of the user's address (country).Optional
postalAddressMailing address component of the user's address.Optional
preferredLanguageUser's preferred written or spoken languages.Optional
localeUser's default location for purposes of localizing items such as currency, date-time format, numerical representations, etc.Optional
timezoneUser time zone.Optional
userTypeThe user type, which is used to identify the organization-to-user relationship such as "Employee" or "Contractor".Optional
employeeNumberOrganization or company assigned unique identifier for the user.Optional
costCenterName of a cost center the user is assigned to.Optional
organizationName of the user's organization.Optional
divisionName of the user's division.Optional
departmentName of the user's department.Optional
managerIdID of the user's manager.Optional
managerDisplay name of the user's manager.Optional
passwordNew password for the specified user.Optional
passwordQuestionPassword question for the specified user.Optional
passwordAnswerPassword answer for the question.Optional
providerTypeThe provider type. Can be "OKTA", "ACTIVE_DIRECTORY", "LDAP", "FEDERATION", or "SOCIAL". Possible values are: OKTA, ACTIVE_DIRECTORY, FEDERATION, SOCIAL.Optional
providerNameName of the provider.Optional

Context Output#

There is no context output for this command.

Command Example#

!okta-update-user username=testForDocs@test.com firstName="First Name Updated"

Human Readable Output#

Okta user: testForDocs@test.com Updated:#

emailfirstNamelastNameloginmobilePhonesecondEmail
testForDocs@test.comFirst Name UpdatedthattestForDocs@test.com

okta-get-group-members#


Enumerates all users that are members of a group.

Base Command#

okta-get-group-members

Input#

Argument NameDescriptionRequired
groupIdID of the group.Optional
limitThe maximum number of results to return.Optional
verboseWhether to print extended user details. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false.Optional
groupNameName of the group.Optional

Context Output#

PathTypeDescription
Account.IDStringOkta account ID.
Account.EmailStringOkta account email address.
Account.UsernameStringOkta account username.
Account.DisplayNameStringOkta account display name.
Account.TypeStringAccount type - Okta.
Account.StatusStringOkta account current status.
Account.CreatedDateTimestamp for when the user was created.
Account.ActivatedDateTimestamp for when the user was activated.
Account.StatusChangedDateTimestamp for when the user's status was last changed.
Account.PasswordChangedDateTimestamp for when the user's password was last changed.
Command Example#

!okta-get-group-members groupName=Demisto limit=1 verbose=true

Context Example#
{
"Account": {
"Created": "2016-04-12T15:01:52.000Z",
"DisplayName": "Test Demisto",
"Email": "XSOAR@demisto.com",
"ID": "00u66ljhpjidYi0h7",
"PasswordChanged": "2020-02-24T11:40:08.000Z",
"Status": "ACTIVE",
"StatusChanged": "2016-04-12T15:05:06.000Z",
"Type": "Okta",
"Username": "XSOAR@demisto.com"
}
}
Human Readable Output#

Users for group: Demisto:#

User:Test@demisto.com#

Profile#

EmailFirst NameLast NameLoginMobile PhoneSecond Email
XSOAR@demisto.comTestDemistoXSOAR@demisto.com
Additional Data#
ActivatedCreatedCredentialsIDLast LoginLast UpdatedPassword ChangedStatusStatus ChangedType_links
2016-04-12T15:01:52.000Zpassword: {} recovery_question: {"question": "born city"} provider: {"type": "OKTA", "name": "OKTA"}00u66lckd7lpjidYi0h72020-03-12T09:54:36.000Z2020-02-24T11:42:22.000Z2020-02-24T11:40:08.000ZACTIVEid: oty66lckcyVcGzS0h7self: {"href": "https://yourdomain.okta.com/api/v1/users/00uclpjidYi0h7"}

okta-list-groups#


Lists groups in your organization. A subset of groups can be returned that match a supported filter expression or query.

Base Command#

okta-list-groups

Input#

Argument NameDescriptionRequired
querySearches the name property of groups for matching values.Optional
filterUseful for performing structured queries where constraints on group attribute values can be explicitly targeted.
The following expressions are supported(among others) for groups with the filter query parameter:
type eq "OKTA_GROUP" - Groups that have a type of OKTA_GROUP; lastUpdated lt "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with profile last updated before a specific timestamp; lastMembershipUpdated eq "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with memberships last updated at a specific timestamp; id eq "00g1emaKYZTWRYYRRTSK" - Group with a specified ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering.
Optional
limitThe maximum number of results to return. The default is 200. Default is 200.Optional

Context Output#

PathTypeDescription
Okta.Group.IDStringUnique key for the group.
Okta.Group.CreatedDateTimestamp for when the group was created.
Okta.Group.ObjectClassUnknownThe group's profile.
Okta.Group.LastUpdatedDateTimestamp for when the group's profile was last updated.
Okta.Group.LastMembershipUpdatedDateTimestamp for when the group's membership was last updated.
Okta.Group.TypeStringThe group type, which determines how a group's profile and membership are managed. Can be "OKTA_GROUP", "APP_GROUP", or "BUILT_IN".
Okta.Group.NameStringName of the group.
Okta.Group.DescriptionStringDescription of the group.
Command Example#

!okta-list-groups filter=`type eq "OKTA_GROUP" and lastUpdated lt "2019-04-30T00:00:00.000Z" and lastMembershipUpdated gt "2019-04-30T00:00:00.000Z"` query=demisto

Context Example#
{
"Okta": {
"Group": {
"Created": "2018-01-19T02:02:06.000Z",
"ID": "00gdout3zEaf7c50h7",
"LastMembershipUpdated": "2020-03-26T13:56:56.000Z",
"LastUpdated": "2018-01-19T02:02:06.000Z",
"Name": "Demisto",
"ObjectClass": [
"okta:user_group"
],
"Type": "OKTA_GROUP"
}
}
}
Human Readable Output#

Groups#

CreatedDescriptionIDLastMembershipUpdatedLastUpdatedNameObjectClassType
2018-01-19T02:02:06.000Z00gdougctEaf7c50h72020-03-26T13:56:56.000Z2018-01-19T02:02:06.000ZDemistookta:user_groupOKTA_GROUP

okta-get-failed-logins#


Returns failed login events.

Base Command#

okta-get-failed-logins

Input#

Argument NameDescriptionRequired
sinceFilters the lower time bound of the log events in the Internet Date/Time Format profile of ISO 8601. An example: 2017-05-03T16:22:18Z.Optional
untilFilters the upper time bound of the log events in the Internet Date/Time Format profile of ISO 8601. An example: 2017-05-03T16:22:18Z.Optional
sortOrderThe order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING.Optional
limitThe maximum number of results to return. The default is 100.Optional

Context Output#

PathTypeDescription
Okta.Logs.Events.actor.alternateIdStringAlternative ID of the actor.
Okta.Logs.Events.actor.displayNameStringDisplay name of the actor.
Okta.Logs.Events.actor.idStringID of the actor.
Okta.Logs.Events.client.userAgent.rawUserAgentStringA raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.osStringThe operating system on which the client runs. For example, Microsoft Windows 10.
Okta.Logs.Events.client.userAgent.browserStringIdentifies the browser type, if relevant. For example, Chrome.
Okta.Logs.Events.client.deviceStringType of device that client operated from. For example, Computer.
Okta.Logs.Events.client.idStringFor OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request.
Okta.Logs.Events.client.ipAddressStringIP address from which the client made its request.
Okta.Logs.Events.client.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.client.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example Montana, Incheon.
Okta.Logs.Events.client.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.displayMessageStringThe display message for an event.
Okta.Logs.Events.eventTypeStringType of event that was published.
Okta.Logs.Events.outcome.resultStringResult of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", "UNKNOWN".
Okta.Logs.Events.outcome.reasonStringReason for the result. For example, INVALID_CREDENTIALS.
Okta.Logs.Events.publishedStringTimestamp when the event was published.
Okta.Logs.Events.severityStringThe event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR".
Okta.Logs.Events.securityContext.asNumberNumberAutonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrgStringOrganization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.ispStringInternet service provider used to send the event's request.
Okta.Logs.Events.securityContext.domainStringThe domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxyStringSpecifies whether an event's request is from a known proxy.
Okta.Logs.Events.request.ipChain.IPStringIP address.
Okta.Logs.Events.request.ipChain.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.request.ipChain.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.request.ipChain.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.request.ipChain.sourceStringDetails regarding the source.
Okta.Logs.Events.target.idStringID of a target.
Okta.Logs.Events.target.typeStringType of a target.
Okta.Logs.Events.target.alternateIdStringAlternative ID of a target.
Okta.Logs.Events.target.displayNameStringDisplay name of a target.
Command Example#

!okta-get-failed-logins since="2019-04-30T00:00:00.000Z" limit=1

Context Example#
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "goo@test.com",
"detailEntry": null,
"displayName": "unknown",
"id": "unknown",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "unknown",
"interface": null,
"issuer": null
},
"client": {
"device": "Computer",
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0678,
"lon": 34.7647
},
"postalCode": null,
"state": "Tel Aviv"
},
"id": null,
"ipAddress": "127.0.0.1",
"userAgent": {
"browser": "CHROME",
"os": "Windows 10",
"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"loginResult": "VERIFICATION_ERROR",
"requestId": "XYM92q-0Fs0ewvRQZVAlzwAABL8",
"requestUri": "/api/v1/authn",
"url": "/api/v1/authn?"
}
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_failed",
"outcome": {
"reason": "VERIFICATION_ERROR",
"result": "FAILURE"
},
"published": "2019-09-19T08:35:38.353Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0678,
"lon": 34.7647
},
"postalCode": null,
"state": "Tel Aviv"
},
"ip": "127.0.0.1",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": null,
"transaction": {
"detail": {},
"id": "XYM92q-0Fs0ewvRQZVAlzwAABL8",
"type": "WEB"
},
"uuid": "7503c6b4-dab8-11e9-b336-d163e95fbe00",
"version": "0"
}
}
}
}
Human Readable Output#

Failed Login Events#

ActorActorAlternaneIdChainIPClientEventInfoEventOutcomeEventSeverityRequestIPTargetsTime
unknown (User)admin127.0.0.1CHROME on Windows 10 ComputerUser login to OktaFAILURE: VERIFICATION_ERRORINFO127.0.0.1-09/30/2019, 18:42:38

okta-get-logs#


Gets logs by providing optional filters.

Base Command#

okta-get-logs

Input#

Argument NameDescriptionRequired
filterUseful for performing structured queries where constraints on LogEvent attribute values can be explicitly targeted.
The following expressions are supported for events with the filter query parameter: eventType eq " :eventType"
-Events that have a specific action; eventType target.id eq ":id"
- Events published with a specific target id; actor.id eq ":id"
- Events published with a specific actor ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering.
Optional
queryThe query parameter can be used to perform keyword matching against a LogEvents object’s attribute values. To satisfy the constraint, all supplied keywords must be matched exactly. Note that matching is case-insensitive. The following are some examples of common keyword filtering:
Events that mention a specific city: query=San Francisco;
Events that mention a specific url: query=interestingURI.com;
Events that mention a specific person: query=firstName lastName.
Optional
sinceFilters the lower time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.Optional
untilFilters the upper time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.Optional
sortOrderThe order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING.Optional
limitThe maximum number of results to return. The default is 100. Default is 100.Optional

Context Output#

PathTypeDescription
Okta.Logs.Events.actor.alternateIdStringAlternative ID of the actor.
Okta.Logs.Events.actor.displayNameStringDisplay name of the actor.
Okta.Logs.Events.actor.idStringID of the actor.
Okta.Logs.Events.client.userAgent.rawUserAgentStringA raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.osStringThe operating system on which the client runs. For example, Microsoft Windows 10.
Okta.Logs.Events.client.userAgent.browserStringIdentifies the type of web browser, if relevant. For example, Chrome.
Okta.Logs.Events.client.deviceStringType of device from which the client operated. For example, Computer.
Okta.Logs.Events.client.idStringFor OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request.
Okta.Logs.Events.client.ipAddressStringIP address from which the client made its request.
Okta.Logs.Events.client.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.client.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.client.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.displayMessageStringThe display message for an event.
Okta.Logs.Events.eventTypeStringType of event that was published.
Okta.Logs.Events.outcome.resultStringResult of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN".
Okta.Logs.Events.outcome.reasonStringReason for the result. For example, INVALID_CREDENTIALS.
Okta.Logs.Events.publishedStringTimestamp when the event was published.
Okta.Logs.Events.severityStringThe event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR".
Okta.Logs.Events.securityContext.asNumberNumberAutonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrgStringOrganization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.ispStringInternet service provider used to send the event's request.
Okta.Logs.Events.securityContext.domainStringThe domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxyStringSpecifies whether an event's request is from a known proxy.
Okta.Logs.Events.request.ipChain.IPStringIP address.
Okta.Logs.Events.request.ipChain.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.request.ipChain.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.request.ipChain.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.request.ipChain.sourceStringDetails regarding the source.
Okta.Logs.Events.target.idStringID of a target.
Okta.Logs.Events.target.typeStringType of a target.
Okta.Logs.Events.target.alternateIdStringAlternative ID of a target.
Okta.Logs.Events.target.displayNameStringDisplay name of a target.
Command Example#

!okta-get-logs filter=`actor.id eq "00u66lckvpjidYi0h7"` query=Boardman since="2020-03-03T20:23:17.573Z" limit=1

Context Example#
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "Test@demisto.com",
"detailEntry": null,
"displayName": "Test Demisto",
"id": "00u66lvd7lpjidYi0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "trs3hs_F_UQT9K5FOPG7m4i1g",
"interface": null,
"issuer": null
},
"client": {
"device": "Unknown",
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8491,
"lon": -119.7143
},
"postalCode": "97818",
"state": "Oregon"
},
"id": null,
"ipAddress": "127.0.0.1",
"userAgent": {
"browser": "UNKNOWN",
"os": "Unknown",
"rawUserAgent": "Demisto/1.0"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestId": "Xl68tch@7iZvNo0k8vPc5gAAAmE",
"requestUri": "/api/v1/groups/00g8mo0l5wuTxmoIC0h7/users/00uptu0jj9V91p5QM0h7",
"threatSuspected": "false",
"url": "/api/v1/groups/00g8mo0l5wuTxmoIC0h7/users/00uptu0jj9V91p5QM0h7?"
}
},
"displayMessage": "Remove user from group membership",
"eventType": "group.user_membership.remove",
"legacyEventType": "core.user_group_member.user_remove",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2020-03-03T20:23:17.573Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8491,
"lon": -119.7143
},
"postalCode": "97818",
"state": "Oregon"
},
"ip": "127.0.0.1",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": [
{
"alternateId": "test@this.com",
"detailEntry": null,
"displayName": "test this",
"id": "00uptu0jj9V91p5QM0h7",
"type": "User"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "test1",
"id": "00g8mo0l5wuTxmoIC0h7",
"type": "UserGroup"
}
],
"transaction": {
"detail": {},
"id": "Xl68tch@7iZvNo0k8vPc5gAAAmE",
"type": "WEB"
},
"uuid": "d14117f9-5d8c-11ea-a9cb-1f2fbd3b03f7",
"version": "0"
}
}
}
}
Human Readable Output#

Okta Events#

ActorActorAlternaneIdChainIPClientEventInfoEventOutcomeEventSeverityRequestIPTargetsTime
Test Demisto (User)Test@demisto.com127.0.0.1Unknown browser on Unknown OS Unknown deviceRemove user from group membershipSUCCESSINFO127.0.0.1test this (User) test1 (UserGroup)03/03/2020, 20:23:17

okta-get-group-assignments#


Gets events for when a user was added to a group.

Base Command#

okta-get-group-assignments

Input#

Argument NameDescriptionRequired
sinceFilters the lower time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z.Optional
untilFilters the upper time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z.Optional
sortOrderThe order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING.Optional
limitThe maximum number of results to return. The default is 100. Default is 100.Optional

Context Output#

PathTypeDescription
Okta.Logs.Events.actor.alternateIdStringAlternative ID of the actor.
Okta.Logs.Events.actor.displayNameStringDisplay name of the actor.
Okta.Logs.Event.actor.idStringID of the actor.
Okta.Logs.Events.client.userAgent.rawUserAgentStringA raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.osStringThe operating system on which the client runs. For example, Microsoft Windows 10.
Okta.Logs.Events.client.userAgent.browserStringIdentifies the type of web browser, if relevant. For example, Chrome.
Okta.Logs.Events.client.deviceStringType of device from which the client operated. For example, Computer.
Okta.Logs.Events.client.idStringFor OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request.
Okta.Logs.Events.client.ipAddressStringIP address from which the client made its request.
Okta.Logs.Events.client.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.client.geographicalContext.stateStringFull name of the state or province encompassing in the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.client.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.displayMessageStringThe display message for an event.
Okta.Logs.Events.eventTypeStringType of event that was published.
Okta.Logs.Events.outcome.resultStringResult of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN".
Okta.Logs.Events.outcome.reasonUnknownReason for the result. For example INVALID_CREDENTIALS.
Okta.Logs.Events.publishedStringTimestamp when the event was published.
Okta.Logs.Events.severityStringThe event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR".
Okta.Logs.Events.securityContext.asNumberNumberAutonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrgStringOrganization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.ispStringInternet service provider used to send the event's request.
Okta.Logs.Events.securityContext.domainStringThe domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxyStringSpecifies whether an event's request is from a known proxy.
Okta.Logs.Events.request.ipChain.IPStringIP address.
Okta.Logs.Events.request.ipChain.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.request.ipChain.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.request.ipChain.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.request.ipChain.sourceStringDetails regarding the source.
Okta.Logs.Events.target.idStringID of a target.
Okta.Logs.Events.target.typeStringTarget type.
Okta.Logs.Events.target.alternateIdStringAlternative ID of a target.
Okta.Logs.Events.target.displayNameStringDisplay name of a target.
Command Example#

!okta-get-group-assignments since="2019-04-30T00:00:00.000Z" limit=1

Context Example#
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "Test@demisto.com",
"detailEntry": null,
"displayName": "Test Demisto",
"id": "00u66lckd7lpjidYi0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "trs4IvlVrvVR9G8RPsPtFjwBA",
"interface": null,
"issuer": null
},
"client": {
"device": "Unknown",
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8491,
"lon": -119.7143
},
"postalCode": "97818",
"state": "Oregon"
},
"id": null,
"ipAddress": "127.0.0.1",
"userAgent": {
"browser": "UNKNOWN",
"os": "Unknown",
"rawUserAgent": "Demisto/1.0"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestId": "XXxTqUauHPkBXo4-TEcw9QAAAq0",
"requestUri": "/api/v1/groups/00g8mo0l5wuTxmoIC0h7/users/00ued6gq9jItNhAsN0h7",
"url": "/api/v1/groups/00g8mo0l5wuTxmoIC0h7/users/00ued6gq9jItNhAsN0h7?"
}
},
"displayMessage": "Add user to group membership",
"eventType": "group.user_membership.add",
"legacyEventType": "core.user_group_member.user_add",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2019-09-14T02:42:49.379Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8491,
"lon": -119.7143
},
"postalCode": "97818",
"state": "Oregon"
},
"ip": "127.0.0.1",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": [
{
"alternateId": "test@this.com",
"detailEntry": null,
"displayName": "test this",
"id": "00ued6gq9jItNhAsN0h7",
"type": "User"
},
{
"alternateId": "unknown",
"detailEntry": null,
"displayName": "test1",
"id": "00g8mo0l5wuTxmoIC0h7",
"type": "UserGroup"
}
],
"transaction": {
"detail": {},
"id": "XXxTqUauHPkBXo4-TEcw9QAAAq0",
"type": "WEB"
},
"uuid": "5741ef53-d699-11e9-a08c-d549acc8afb2",
"version": "0"
}
}
}
}
Human Readable Output#

Group Assignment Events#

ActorActorAlternaneIdChainIPClientEventInfoEventOutcomeEventSeverityRequestIPTargetsTime
Test Demisto (User)Test@demisto.com127.0.0.1Unknown browser on Unknown OS Unknown deviceAdd user to group membershipSUCCESSINFO127.0.0.1test this (User) test1 (UserGroup)09/29/2019, 03:47:46

okta-get-application-assignments#


Returns events for when a user was assigned to an application.

Base Command#

okta-get-application-assignments

Input#

Argument NameDescriptionRequired
sinceFilters the lower time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z.Optional
untilFilters the upper time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z.Optional
sortOrderThe order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING.Optional
limitThe maximum number of results to return. The default is 100. Default is 100.Optional

Context Output#

PathTypeDescription
Okta.Logs.Events.actor.alternateIdStringAlternative ID of the actor.
Okta.Logs.Events.actor.displayNameStringDisplay name of the actor.
Okta.Logs.Event.actor.idStringID of the actor.
Okta.Logs.Events.client.userAgent.rawUserAgentStringA raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.osStringThe OS on which the client runs. For example, Microsoft Windows 10.
Okta.Logs.Events.client.userAgent.browserStringIdentifies the type of web browser, if relevant. For example, Chrome.
Okta.Logs.Events.client.deviceStringType of device from which the client operated. For example, Computer.
Okta.Logs.Events.client.idStringFor OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request.
Okta.Logs.Events.client.ipAddressStringIP address from which the client made its request.
Okta.Logs.Events.client.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.client.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.client.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.displayMessageStringThe display message for an event.
Okta.Logs.Events.eventTypeStringType of event that was published.
Okta.Logs.Events.outcome.resultStringResult of the action. For example, "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN".
Okta.Logs.Events.outcome.reasonStringReason for the result. For example INVALID_CREDENTIALS.
Okta.Logs.Events.publishedStringTimestamp when the event was published.
Okta.Logs.Events.severityStringThe event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR".
Okta.Logs.Events.securityContext.asNumberNumberAutonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrgStringOrganization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.ispStringInternet service provider used to send the event's request.
Okta.Logs.Events.securityContext.domainStringThe domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxyStringSpecifies whether an event's request is from a known proxy.
Okta.Logs.Events.request.ipChain.IPStringIP address.
Okta.Logs.Events.request.ipChain.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.request.ipChain.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.request.ipChain.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.request.ipChain.sourceStringDetails regarding the source.
Okta.Logs.Events.target.idStringID of a target.
Okta.Logs.Events.target.typeStringType of a target.
Okta.Logs.Events.target.alternateIdStringAlternative ID of a target.
Okta.Logs.Events.target.displayNameStringDisplay name of a target.
Command Example#

!okta-get-application-assignments since="2019-04-30T00:00:00.000Z" until="2020-02-30T00:00:00.000Z" sortOrder=DESCENDING limit=1

Context Example#
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "Test@demisto.com",
"detailEntry": null,
"displayName": "Test Demisto",
"id": "00u66lckd7lpjidYi0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "trsFSV6XXY4TMCSB_xzJrZ85A",
"interface": null,
"issuer": null
},
"client": {
"device": "Unknown",
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8491,
"lon": -119.7143
},
"postalCode": "97818",
"state": "Oregon"
},
"id": null,
"ipAddress": "127.0.0.1",
"userAgent": {
"browser": "UNKNOWN",
"os": "Unknown",
"rawUserAgent": "python-requests/2.22.0"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"requestId": "XlgCgAEBMJsNo5Yh9rHtZAAACPw",
"requestUri": "/api/v1/users/00upywm7l0rL1V0zt0h7/lifecycle/activate",
"threatSuspected": "false",
"url": "/api/v1/users/00upywm7l0rL1V0zt0h7/lifecycle/activate?"
}
},
"displayMessage": "Add user to application membership",
"eventType": "application.user_membership.add",
"legacyEventType": "app.generic.provision.assign_user_to_app",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2020-02-27T17:55:12.949Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Boardman",
"country": "United States",
"geolocation": {
"lat": 45.8491,
"lon": -119.7143
},
"postalCode": "97818",
"state": "Oregon"
},
"ip": "127.0.0.1",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": [
{
"alternateId": "Test1@test.com",
"detailEntry": null,
"displayName": "Test 1 that",
"id": "0uapywj3yxcjhpjSQ0h7",
"type": "AppUser"
},
{
"alternateId": "ShrikSAML",
"detailEntry": null,
"displayName": "ShrikSAML",
"id": "0oabe0e2jruaQccDf0h7",
"type": "AppInstance"
},
{
"alternateId": "Test1@test.com",
"detailEntry": null,
"displayName": "Test 1 that",
"id": "00upywm7l0rL1V0zt0h7",
"type": "User"
}
],
"transaction": {
"detail": {},
"id": "XlgCgAEBMJsNo5Yh9rHtZAAACPw",
"type": "WEB"
},
"uuid": "4d8a4e9a-598a-11ea-a594-b9fb637659a5",
"version": "0"
}
}
}
}
Human Readable Output#

Application Assignment Events#

ActorActorAlternaneIdChainIPClientEventInfoEventOutcomeEventSeverityRequestIPTargetsTime
Test Demisto (User)Test@demisto.com127.0.0.1Unknown browser on Unknown OS Unknown deviceAdd user to application membershipSUCCESSINFO127.0.0.1Test 1 that (AppUser) ShrikSAML (AppInstance) Test 1 that (User)02/27/2020, 17:55:12

okta-get-application-authentication#


Returns logs using specified filters.

Base Command#

okta-get-application-authentication

Input#

Argument NameDescriptionRequired
sinceFilters the lower time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z.Optional
untilFilters the upper time bound of the log event in the Internet Date\Time format profile of ISO 8601. For example, 2020-02-14T16:00:18Z.Optional
sortOrderThe order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING". Possible values are: ASCENDING, DESCENDING. Default is ASCENDING.Optional
limitThe maximum number of results to return. The default is 100. Default is 100.Optional

Context Output#

PathTypeDescription
Okta.Logs.Events.actor.alternateIdStringAlternative ID of the actor.
Okta.Logs.Events.actor.displayNameStringDisplay name of the actor.
Okta.Logs.Events.actor.idStringID of the actor.
Okta.Logs.Events.client.userAgent.rawUserAgentStringA raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.osStringThe operating system on which the client runs. For example, Microsoft Windows 10.
Okta.Logs.Events.client.userAgent.browserStringIdentifies the type of web browser, if relevant. For example, Chrome.
Okta.Logs.Events.client.deviceStringType of device from which the client operated. For example, Computer.
Okta.Logs.Events.client.idStringFor OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request.
Okta.Logs.Events.client.ipAddressStringIP address from which the client made its request.
Okta.Logs.Events.client.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.client.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.client.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.displayMessageStringThe display message for an event.
Okta.Logs.Events.eventTypeStringType of event that was published.
Okta.Logs.Events.outcome.resultStringResult of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN".
Okta.Logs.Events.outcome.reasonStringReason for the result. For example INVALID_CREDENTIALS.
Okta.Logs.Events.publishedStringTimestamp when the event was published.
Okta.Logs.Events.severityStringThe event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR".
Okta.Logs.Events.securityContext.asNumberNumberAutonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrgStringOrganization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.ispStringInternet service provider used to send the event's request.
Okta.Logs.Events.securityContext.domainStringThe domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxyStringSpecifies whether an event's request is from a known proxy.
Okta.Logs.Events.request.ipChain.IPStringIP address.
Okta.Logs.Events.request.ipChain.geographicalContext.cityStringThe city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.request.ipChain.geographicalContext.stateStringFull name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
Okta.Logs.Events.request.ipChain.geographicalContext.countryStringFull name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
Okta.Logs.Events.request.ipChain.sourceStringDetails regarding the source.
Okta.Logs.Events.target.idStringID of a target.
Okta.Logs.Events.target.typeStringType of a target.
Okta.Logs.Events.target.alternateIdStringAlternative ID of a target.
Okta.Logs.Events.target.displayNameStringDisplay name of a target.
Command Example#

!okta-get-application-authentication since="2019-04-30T00:00:00.000Z" until="2020-02-30T00:00:00.000Z" limit=1

Context Example#
{
"Okta": {
"Logs": {
"Events": {
"actor": {
"alternateId": "Test@demisto.com",
"detailEntry": null,
"displayName": "Test Demisto",
"id": "00u66lckd7lpjidYi0h7",
"type": "User"
},
"authenticationContext": {
"authenticationProvider": null,
"authenticationStep": 0,
"credentialProvider": null,
"credentialType": null,
"externalSessionId": "102ejbJMP0RSE2zwIOhr_PpHA",
"interface": null,
"issuer": null
},
"client": {
"device": "Computer",
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0678,
"lon": 34.7647
},
"postalCode": null,
"state": "Tel Aviv"
},
"id": null,
"ipAddress": "127.0.0.1",
"userAgent": {
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
},
"zone": "null"
},
"debugContext": {
"debugData": {
"authnRequestId": "XYI-PiWDTYEsVNLm7sc0vwAACi0",
"initiationType": "SP_INITIATED",
"requestId": "XYI-PzNoI1UMTtFvio-9LAAACAc",
"requestUri": "/app/demistodev725178_benzi_1/exkm30ffmuhcL0rFv0h7/sso/saml",
"signOnMode": "SAML 2.0",
"url": "/app/demistodev725178_benzi_1/exkm30ffmuhcL0rFv0h7/sso/saml?RelayState=&SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzRiODZjMGUzLWI0NzktNGU2NS00ZjIwLWJiNTE0YTc3NTUyMiIgVmVyc2lvbj0iMi4wIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cHM6Ly9lYzItNTItNDgtMTItMTIzLmV1LXdlc3QtMS5jb21wdXRlLmFtYXpvbmF3cy5jb20vc2FtbCIgSXNzdWVJbnN0YW50PSIyMDE5LTA5LTE4VDE0OjIyOjM3WiI%2BPHNhbWw6SXNzdWVyPmh0dHBzOi8vZGV2LTcyNTE3OC5va3RhcHJldmlldy5jb20vYXBwL2V4a20zMGZmbXVoY0wwckZ2MGg3L3Nzby9zYW1sL21ldGFkYXRhPC9zYW1sOklzc3Vlcj48c2FtbHA6TmFtZUlEUG9saWN5IEFsbG93Q3JlYXRlPSJ0cnVlIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiPjwvc2FtbHA6TmFtZUlEUG9saWN5Pjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pg%3D%3D&fromLoginToken=OODncZp5PTgZ-8QwGMHgbJ6psmQES6dUWiMohfLGGm7GWKko8LFXHz3faG7ZkoocPX2ixv-dyUSOF7qJ9DZDVoVkeETM7n6MskWQ01woQFqUcUVdM1xDBmplZlK1DMhX6ozpZQV2XNK073FfDt4bASBEFFgGkFi5ygH-LmBFSfcoiLWHM5MGJ-JEUB97peJxOL41inNX2r333FMJoDzem0dLAOf4cfApoVz7VDdY06r8i6Lt0vuxmxKyZRWJkCHroKyc3ysag9gbUMR5tSoe3hRPJvCBozjYtzkpVlLBP_6V01eGL2YVP8JR2rkpI8MvBYNDLIoJry1e_eBOF3kzJA"
}
},
"displayMessage": "User single sign on to app",
"eventType": "user.authentication.sso",
"legacyEventType": "app.auth.sso",
"outcome": {
"reason": null,
"result": "SUCCESS"
},
"published": "2019-09-18T14:29:19.329Z",
"request": {
"ipChain": [
{
"geographicalContext": {
"city": "Tel Aviv",
"country": "Israel",
"geolocation": {
"lat": 32.0678,
"lon": 34.7647
},
"postalCode": null,
"state": "Tel Aviv"
},
"ip": "127.0.0.1",
"source": null,
"version": "V4"
}
]
},
"securityContext": {
"asNumber": null,
"asOrg": null,
"domain": null,
"isProxy": null,
"isp": null
},
"severity": "INFO",
"target": [
{
"alternateId": "benzi_master",
"detailEntry": {
"signOnModeType": "SAML_2_0"
},
"displayName": "benzi_master",
"id": "0oam30ffmvM5cLzxo0h7",
"type": "AppInstance"
},
{
"alternateId": "Test@demisto.com",
"detailEntry": null,
"displayName": "Test Demisto",
"id": "0uam30nfffJqV3I4M0h7",
"type": "AppUser"
}
],
"transaction": {
"detail": {},
"id": "XYI-PzNoI1UMTtFvio-9LAAACAc",
"type": "WEB"
},
"uuid": "b349fd35-da20-11e9-81c0-95908eb13131",
"version": "0"
}
}
}
}
Human Readable Output#

Application Authentication Events#

ActorActorAlternaneIdChainIPClientEventInfoEventOutcomeEventSeverityRequestIPTargetsTime
Test Demisto (User)Test@demisto.com127.0.0.1CHROME on Mac OS X ComputerUser single sign on to appSUCCESSINFO127.0.0.1BenziPermanent (AppInstance) Test Demisto (AppUser)10/14/2019, 12:16:53

okta-delete-user#


Deletes the specified user.

Base Command#

okta-delete-user

Input#

Argument NameDescriptionRequired
userIdOkta User ID.Optional
usernameUsername of the user.Optional

Context Output#

There is no context output for this command.

Command Example#

!okta-delete-user username=testForDocs@test.com

Human Readable Output#

User: testForDocs@test.com was Deleted successfully

okta-clear-user-sessions#


Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. For more information and examples: https://developer.okta.com/docs/reference/api/users/#user-sessions

Base Command#

okta-clear-user-sessions

Input#

Argument NameDescriptionRequired
userIdOkta User ID.Required

Context Output#

There is no context output for this command.

Command Example#

!okta-clear-user-sessions userId=00ui5brmwtJpMdoZZ0h7

Human Readable Output#

User session was cleared for: 00ui5brmwtJpMdoZZ0h7#

okta-list-zones#


Get an Okta Zone object.

Base Command#

okta-list-zones

Input#

Argument NameDescriptionRequired
limitThe maximum number of results to return.Optional

Context Output#

PathTypeDescription
Okta.Zone.createdDateZone creation timestamp, in the format 2020-04-06T22:23:12.000Z.
Okta.Zone.gateways.typeStringGateways IP entry type, e.g., CIDR.
Okta.Zone.gateways.valueStringGateways IP entry value, e.g., 34.103.1.108/32.
Okta.Zone.idStringZone ID, e.g., nzoqsmcx1qWYJ6wYF0h7.
Okta.Zone.lastUpdatedDateZone last update timestamp, e.g., 2020-04-06T22:23:12.000Z.
Okta.Zone.nameStringZone name.
Okta.Zone.proxies.typeStringProxies IP entry type e.g. CIDR.
Okta.Zone.proxies.valueUnknownProxies IP entry value, e.g., 34.103.1.108/32.
Okta.Zone.statusStringZone status, e.g., ACTIVE.
Okta.Zone.systemNumberTrue if this is a system zone, false if user-created.
Okta.Zone.typeStringZone type, e.g., IP.

Command Example#

!okta-list-zones

Context Example#

{
"Okta": {
"Zone": [
{
"_links": {
"deactivate": {
"hints": {
"allow": [
"POST"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzo9rbw8evGOFV1VE0h7/lifecycle/deactivate"
},
"self": {
"hints": {
"allow": [
"GET",
"PUT",
"DELETE"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzo9rbw8evGOFV1VE0h7"
}
},
"created": "2017-03-03T22:05:24.000Z",
"gateways": [
{
"type": "CIDR",
"value": "2.2.2.2/32"
}
],
"id": "nzo9rbw8evGOFV1VE0h7",
"lastUpdated": "2020-04-23T08:58:55.000Z",
"name": "LegacyIpZone",
"proxies": null,
"status": "ACTIVE",
"system": true,
"type": "IP"
},
{
"_links": {
"deactivate": {
"hints": {
"allow": [
"POST"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzoqsmcx1qWYJ6wY33h7/lifecycle/deactivate"
},
"self": {
"hints": {
"allow": [
"GET",
"PUT",
"DELETE"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzoqsmcx1qWYJ6wY33h7"
}
},
"created": "2020-04-06T22:23:12.000Z",
"gateways": [
{
"type": "CIDR",
"value": "1.1.1.2/32"
},
{
"type": "CIDR",
"value": "1.1.1.3/32"
},
{
"type": "CIDR",
"value": "2.2.2.2/32"
},
{
"type": "CIDR",
"value": "2.2.2.3/32"
}
],
"id": "nzoqsmcx1qWYJ6wY33h7",
"lastUpdated": "2020-06-05T08:57:57.000Z",
"name": "MyZone",
"proxies": null,
"status": "ACTIVE",
"system": false,
"type": "IP"
}
]
}
}

Human Readable Output#

Okta Zones#

nameidgatewaysstatussystemlastUpdatedcreated
LegacyIpZonenzo9rbw8evGOFV1VE0h7{'type': 'CIDR', 'value': '2.2.2.2/32'}ACTIVEtrue2020-04-23T08:58:55.000Z2017-03-03T22:05:24.000Z
MyZonenzoqsmcx1qWYJ6wY33h7{'type': 'CIDR', 'value': '3.3.3.4/32'},
{'type': 'CIDR', 'value': '5.5.5.3/32'},
{'type': 'CIDR', 'value': '3.3.3.1/32'},
{'type': 'CIDR', 'value': '2.2.2.3/32'}
ACTIVEfalse2020-06-05T08:57:57.000Z2020-04-06T22:23:12.000Z

okta-update-zone#


Update an Okta Zone.

Base Command#

okta-update-zone

Input#

Argument NameDescriptionRequired
zoneIDZone ID to update, e.g., nzoqsmcx1qWYJ6wYF0h7.Required
zoneNameUpdates the zone name.Optional
gatewayIPsUpdates Gateway IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2).Optional
proxyIPsUpdate Proxy IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2).Optional

Context Output#

PathTypeDescription
Okta.Zone.createdDateZone creation timestamp, e.g., 2020-04-06T22:23:12.000Z.
Okta.Zone.gateways.typeStringGateways IP entry type, e.g., CIDR.
Okta.Zone.gateways.valueStringGateways IP entry value, e.g., 34.103.1.108/32.
Okta.Zone.idStringOkta Zone ID, e.g., nzoqsmcx1qWYJ6wYF0h7.
Okta.Zone.lastUpdatedDateZone last update timestamp, in the format 2020-04-06T22:23:12.000Z.
Okta.Zone.nameStringZone name.
Okta.Zone.proxies.typeStringProxies IP entry type, e.g., CIDR.
Okta.Zone.proxies.valueUnknownProxies IP entry value, e.g., 34.103.1.108/32.
Okta.Zone.statusStringZone status, e.g., ACTIVE.
Okta.Zone.systemNumberTrue if this is a system zone, false if user-created.
Okta.Zone.typeStringZone type, e.g., IP.

Command Example#

!okta-update-zone zoneID=nzoqsmcx1qWYJ6wY33h7 zoneName=MyZone

Context Example#

{
"Okta": {
"Zone": {
"_links": {
"deactivate": {
"hints": {
"allow": [
"POST"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzoqsmcx1qWYJ6wY33h7/lifecycle/deactivate"
},
"self": {
"hints": {
"allow": [
"GET",
"PUT",
"DELETE"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzoqsmcx1qWYJ6wY33h7"
}
},
"created": "2020-04-06T22:23:12.000Z",
"gateways": [
{
"type": "CIDR",
"value": "1.1.3.5/32"
},
{
"type": "CIDR",
"value": "5.3.143.103/32"
},
{
"type": "CIDR",
"value": "5.3.246.228/32"
},
{
"type": "CIDR",
"value": "5.3.246.229/32"
}
],
"id": "nzoqsmcx1qWYJ6wY33h7",
"lastUpdated": "2020-06-05T08:57:57.000Z",
"name": "MyZone",
"proxies": null,
"status": "ACTIVE",
"system": false,
"type": "IP"
}
}
}

Human Readable Output#

Okta Zones#

nameidgatewaysstatussystemlastUpdatedcreated
MyZonenzoqsmcx1qWYJ6wY33h7{'type': 'CIDR', 'value': '1.3.1.5/32'},
{'type': 'CIDR', 'value': '1.3.1.5/32'},
{'type': 'CIDR', 'value': '1.3.1.5/32'},
{'type': 'CIDR', 'value': '1.3.1.5/32'}
ACTIVEfalse2020-06-05T08:57:57.000Z2020-04-06T22:23:12.000Z

okta-get-zone#


Get a Zone by its ID.

Base Command#

okta-get-zone

Input#

Argument NameDescriptionRequired
zoneIDZone ID to get, e.g., nzoqsmcx1qWYJ6wYF0h.7.Required

Context Output#

PathTypeDescription
Okta.Zone.createdDateZone creation timestamp, in the format 2020-04-06T22:23:12.000Z.
Okta.Zone.gateways.typeStringGateways IP entry type, e.g., CIDR.
Okta.Zone.gateways.valueStringGateways IP entry value, e.g., 34.103.1.108/32.
Okta.Zone.idStringOkta Zone ID, e.g., nzoqsmcx1qWYJ6wYF0h7.
Okta.Zone.lastUpdatedDateZone last update timestamp, in the format 2020-04-06T22:23:12.000Z.
Okta.Zone.nameStringZone name.
Okta.Zone.proxies.typeStringProxies IP entry type, e.g., CIDR.
Okta.Zone.proxies.valueUnknownProxies IP entry value, e.g., 34.103.1.108/32.
Okta.Zone.statusStringZone status, e.g,. ACTIVE.
Okta.Zone.systemNumberTrue if this is a system zone, false if user-created.
Okta.Zone.typeStringZone type, e.g., IP.

Command Example#

!okta-get-zone zoneID=nzoqsmcx1qWYJ6wY33h7

Context Example#

{
"Okta": {
"Zone": {
"_links": {
"deactivate": {
"hints": {
"allow": [
"POST"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzoqsmcx1qWYJ6wY33h7/lifecycle/deactivate"
},
"self": {
"hints": {
"allow": [
"GET",
"PUT",
"DELETE"
]
},
"href": "https://dev-950355.oktapreview.com/api/v1/zones/nzoqsmcx1qWYJ6wY33h7"
}
},
"created": "2020-04-06T22:23:12.000Z",
"gateways": [
{
"type": "CIDR",
"value": "1.3.1.3/32"
},
{
"type": "CIDR",
"value": "3.5.146.103/32"
},
{
"type": "CIDR",
"value": "3.5.1.228/32"
},
{
"type": "CIDR",
"value": "3.5.1.229/32"
}
],
"id": "nzoqsmcx1qWYJ6wY33h7",
"lastUpdated": "2020-06-05T08:57:57.000Z",
"name": "MyZone",
"proxies": null,
"status": "ACTIVE",
"system": false,
"type": "IP"
}
}
}

Human Readable Output#

Okta Zones#

nameidgatewaysstatussystemlastUpdatedcreated
MyZonenzoqsmcx1qWYJ6wY33h7{'type': 'CIDR', 'value': '1.3.1.3/32'},
{'type': 'CIDR', 'value': '3.5.146.103/32'},
{'type': 'CIDR', 'value': '3.5.1.228/32'},
{'type': 'CIDR', 'value': '3.5.1.229/32'}
ACTIVEfalse2020-06-05T08:57:57.000Z2020-04-06T22:23:12.000Z

okta-list-users#


Lists users in your organization.

Base Command#

okta-list-users

Input#

Argument NameDescriptionRequired
verboseWhether to return extended user information. Can be "true" or "false". The default is "false". Possible values are: true, false. Default is false.Optional
limitThe maximum number of results to return.Optional
querySearches the name property of groups for matching values.Optional
filterUseful for performing structured queries where constraints on group attribute values can be explicitly targeted.
The following expressions are supported(among others) for groups with the filter query parameter:
type eq "OKTA_GROUP" - Groups that have a type of OKTA_GROUP; lastUpdated lt "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with profile last updated before a specific timestamp; lastMembershipUpdated eq "yyyy-MM-dd''T''HH:mm:ss.SSSZ" - Groups with memberships last updated at a specific timestamp; id eq "00g1emaKYZTWRYYRRTSK" - Group with a specified ID.
For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering.Optional
afterThe cursor in which to retrive the results from and on. If the query didn't reach the end of results, the tag will be found in the readable output under the tag key.Optional

Context Output#

PathTypeDescription
Account.IDStringOkta account ID.
Account.EmailStringOkta account email.
Account.UsernameStringOkta account username.
Account.DisplayNameStringOkta account display name.
Account.StatusStringOkta account status.
Account.CreatedDateTimestamp for when the user was created.
Account.ActivatedDateTimestamp for when the user was activated.
Account.StatusChangedDateTimestamp for when the user's status was last changed.
Account.PasswordChangedDateTimestamp for when the user's password was last changed.
Okta.User.tagStringThe location of the next item, used with after param.

Command Example#

!okta-list-users

Context Example#

{
"Okta":
{
"User":
{
"tag": "test12tag"
}
},
"Account": [
{
"Created": "2018-07-24T20:20:04.000Z",
"DisplayName": "Dbot XSOAR",
"Email": "dbot@xsoar.com",
"ID": "XXXXXXXXX",
"Status": "STAGED",
"Type": "Okta",
"Username": "dbot@xsoar.com"
}
]
}

Human Readable Output#

Okta users found:#

Users#

First NameIDLast LoginLast NameLoginMobile PhoneStatus
DbotXXXXXXSOARdbot@xsoar.comSTAGED

tag: test12tag#

okta-create-zone#


Creates a Zone with the specified name.

Base Command#

okta-create-zone

Input#

Argument NameDescriptionRequired
nameZone name.Required
gateway_ipsUpdate Gateway IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2).Optional
proxiesUpdate Proxy IP addresses: CIDR range (1.1.0.0/16) or single IP address (2.2.2.2).Optional

Context Output#

There is no context output for this command.

okta-create-group#


Create a new group in Okta tenant.

Base Command#

okta-create-group

Input#

Argument NameDescriptionRequired
nameName of the group to add.Required
descriptionDescription of the group to add.Optional

Context Output#

PathTypeDescription
OktaGroup.IDUnknownGroup ID in Okta.
OktaGroup.NameUnknownGroup name in Okta.
OktaGroup.DescriptionUnknownGroup description in Okta.
OktaGroup.TypeUnknownGroup type in Okta.

Command example#

!okta-create-group name="TestGroup" description="TestGroup description."

Context Example#

{
"OktaGroup": {
"Description": "TestGroup description.",
"ID": "00g3qb398kItYXzKd1d7",
"Name": "TestGroup",
"Type": "OKTA_GROUP"
}
}

Human Readable Output#

Group Created: [GroupID:00g3qb398kItYXzKd1d7, GroupName: TestGroup]

okta-assign-group-to-app#


Assign a group to an application.

Base Command#

okta-assign-group-to-app

Input#

Argument NameDescriptionRequired
groupNameName of the group to assign to the app.Optional
groupIdID of the group to assign to the app.Optional
appNameFriendly name of the app that the group will be assigned to.Optional

Context Output#

There is no context output for this command.

Command example#

!okta-assign-group-to-app appName="Default-App" groupName="TestGroup"

Human Readable Output#

Group: TestGroup added to PA App successfully

okta-expire-password#


Expires a password for an existing Okta user.

Base Command#

okta-expire-password

Input#

Argument NameDescriptionRequired
usernameOkta username for which to expire the password.Required
temporary_passwordWhen true, you'll need to change the password in the next login. Possible values are: true, false. Default is false.Optional
revoke_sessionWhen true, revokes the user's existing sessions.Optional
hide_passwordWhen true, prevents the password from being saved in the war room.Optional

Context Output#

PathTypeDescription
Account.ActivatedDateTimestamp for when the user was activated.
Account.CreatedDateTimestamp for when the user was created.
Account.DisplayNameStringOkta account display name.
Account.EmailStringOkta account email.
Account.IDStringCreated Okta account ID.
Account.PasswordChangedDateTimestamp for when the user's password was last changed.
Account.StatusStringOkta account current status.
Account.StatusChangedDateTimestamp for when the user's status was last changed.
Account.TypeStringOkta account type.
Account.UsernameStringOkta account usernames returned by the search.

Command example#

!okta-expire-password username="4x1xh5rl@test.com" temporary_password="false"

Context Example#

{
"Account": {
"Activated": "2022-06-20T04:48:04.000Z",
"Created": "2022-06-20T04:47:59.000Z",
"DisplayName": "Test 1 Test1",
"Email": "4x1xh5rl@test.com",
"ID": "00u19cr5qv91HjELI0h8",
"PasswordChanged": "2022-06-20T04:48:07.000Z",
"Status": "PASSWORD_EXPIRED",
"StatusChanged": "2023-09-10T12:56:04.000Z",
"Type": "Okta",
"Username": "4x1xh5rl@test.com"
}
}

Human Readable Output#

Okta Expired Password#

_linksactivatedcreatedcredentialsidlastUpdatedpasswordChangedprofilestatusstatusChangedtype
suspend: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/suspend", "method": "POST"}
schema: {"href": "https://test.oktapreview.com/api/v1/meta/schemas/user/osc66lckcvDyVcGzS0h7"}
resetPassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/reset_password", "method": "POST"}
forgotPassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/credentials/forgot_password", "method": "POST"}
expirePassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/expire_password", "method": "POST"}
changeRecoveryQuestion: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/credentials/change_recovery_question", "method": "POST"}
self: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8"}
type: {"href": "https://test.oktapreview.com/api/v1/meta/types/user/oty66lckcvDyVcGzS0h7"}
changePassword: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/credentials/change_password", "method": "POST"}
deactivate: {"href": "https://test.oktapreview.com/api/v1/users/00u19cr5qv91HjELI0h8/lifecycle/deactivate", "method": "POST"}
2022-06-20T04:48:04.000Z2022-06-20T04:47:59.000Zpassword: {}
recovery_question: {"question": "whats the first school?"}
provider: {"type": "OKTA", "name": "OKTA"}
00u19cr5qv91HjELI0h82023-09-10T12:56:04.000Z2022-06-20T04:48:07.000ZfirstName: Test 1
lastName: Test1
preferredLanguage: en
mobilePhone: null
city: Tel-Aviv
displayName: Test 1 that
nickName: Testush
secondEmail: null
login: 4x1xh5rl@test.com
email: 4x1xh5rl@test.com
employeeNumber: 12345
PASSWORD_EXPIRED2023-09-10T12:56:04.000Zid: oty66lckcvDyVcGzS0h7

okta-auth-reset#


Reset OAuth authentication data (authentication process will start from the beginning, and a new token will be generated).

Base Command#

okta-auth-reset

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.