okta (Deprecated)

Deprecated

Use the Okta v2 integration instead

Use the Okta integration to create, edit, and view user and group information on Okta.

This integration was integrated and tested with Okta v2018.12.

Use cases

  • Unlock, activate, or deactivate users.
  • Set passwords.
  • Create and update users.
  • Get information about users.
  • Add, remove, or view user group members.

Prerequisites

Go to Okta documentation to create an API token to use on Demisto.

Configure Okta on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Okta.
  3. Click Add instance to create and configure a new integration instance.
    • Name : A textual name for the integration instance
    • okta URL (https://<domain.okta.com>)
    • API Token
    • Trust any certificate (not secure)
    • Use system proxy settings
  1. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Unlock a user: okta-unlock-user
  2. Deactivate a user: okta-deactivate-user
  3. Activate a user: okta-activate-user
  4. Suspend a user: okta-suspend-user
  5. Reactivate a suspended user: okta-unsuspend-user
  6. Get enrolled factors for a user: okta-get-user-factors
  7. Create and verify a push factor for a user: okta-verify-push-factor
  8. Remove a factor from a user: okta-reset-factor
  9. Get all user groups associated with a specified user: okta-get-groups
  10. Create user without a recovery question: okta-set-password
  11. Search a specified term: okta-search
  12. Get a specified user: okta-get-user
  13. Create a new user: okta-create-user
  14. Update user details: okta-update-user
  15. Get failed logins: okta-get-failed-logins
  16. Get information about a user that has been added to a group: okta-get-group-assignments
  17. Get information about a user that was assigned to an application: okta-get-application-assignments
  18. Get information about a user who made an SSO attempt: okta-get-application-authentication
  19. Add a user to a group: okta-add-to-group
  20. Remove a user from a group: okta-remove-from-group
  21. Get logs: okta-get-logs
  22. Get a list of groups: okta-list-groups
  23. Get all members of a specified group: okta-get-group-members

1. Unlock a user


Unlocks a specified user.

Base Command

okta-unlock-user

Input
Argument Name Description Required
username Okta username to unlock. Required

Context Output

There is no context output for this command.

Command Example
  !okta-unlock-user username=test@this.com
Human Readable Output

Okta user unlocked

2. Deactivate a user


Deactivate a specified user.

Base Command

okta-deactivate-user

Input
Argument Name Description Required
username Okta username to deactivate. Required

Context Output

There is no context output for this command.

Command Example
!okta-deactivate-user username=test@this.com
Human Readable Output

Okta user deactivated

War Room Output

image

3. Activate a user


Activate a specified user.

Base Command

okta-activate-user

Input
Argument Name Description Required
username Okta username to activate Required

Context Output

There is no context output for this command.

Command Example
  !okta-activate-user username=test@this.com
War Room  Output

image

4. Suspend a user


Suspends a user. This operation can only be performed on users with an ACTIVE status. The user's status changes to SUSPENDED when the process is complete.

Base Command

okta-suspend-user

Input
Argument Name Description Required
username Okta username of the user you want to change to SUSPEND status Required

Context Output

There is no context output for this command.

Command Example
  !okta-suspend-user username="test@this.com"
Human Readable Output

image

5. Reactivate a suspended user


Returns a user to ACTIVE status. This operation can only be performed on users that have a SUSPENDED status.

Base Command

okta-unsuspend-user

Input
Argument Name Description Required
username Okta username of the user you want to change to ACTIVE status True

Context Output

There is no context output for this command.

Command Example
  !okta-unsuspend-user username="test@this.com"
Human Readable Output

image

6. Get enrolled factors for a user


Returns all the enrolled factors for the specified user.

Base Command

okta-get-user-factors

Input
Argument Name Description Required
userId User ID of the user in which to get enrolled factors. Optional
username Username of the user in which to get enrolled factors. Optional

Context Output
Path Type Description
Account.ID string Okta account ID.
Account.Factor.ID string Okta account factor ID.
Account.Factor.FactorType string Okta account factor type.
Account.Factor.Provider string Okta account factor provider.
Account.Factor.Status string Okta account factor status.
Account.Factor.Profile string Okta account factor profile.

Command Example
!okta-get-user-factors userId=00ugo6k55kHeoJMYC0h7
Context Example
{
    "Account": {
        "Factor": [
            {
                "FactorType": "push",
                "ID": "opfi25ztilatndHD80h7",
                "Profile": {
                    "credentialId": "test@domain.com",
                    "deviceType": "SmartPhone_Android",
                    "keys": [
                        {
                            "kid": "default",
                            "kty": "XYZ",
                            "use": "xyz",
                            "x5c": [
                                "ABCDEFG"
                            ]
                        }
                    ],
                    "name": "SMARTPHONE",
                    "platform": "ANDROID",
                    "version": "20"
                },
                "Provider": "OKTA",
                "Status": "ACTIVE"
            }
        ],
        "ID": "00ugo6k55kHeoJMYC0h7"
    }
}
Human Readable Output

image

7. Enroll and verify a push factor for a user


Enrolls and verifies a push factor for a specified user.

Base Command

< okta-verify-push-factor

Input
Argument Name Description Required
userId The user ID of the user to verify. True
factorId The push factor ID. True
Context Output
Path Type Description
Account.ID string Okta user ID.
Account.VerifyPushResult string Okta user push factor result.

Command Example
!okta-verify-push-factor factorId=opfi25ztilatndHD80h7 userId=00ugo6k55kHeoJMYC0h7
Context Example
{
    "Account": {
        "ID": "00ugo6k55kHeoJMYC0h7",
        "VerifyPushResult": "SUCCESS"
    }
}
Human Readable Output

image

8. Remove a factor from a user


Removes an existing factor for the specified user, allowing the user to enroll a new factor.

Base Command

okta-reset-factor

Input
Argument Name Description Required
userId The user ID. Optional
username The user name. Optional
factorId The ID of the factor to reset. Required

Context Output

There is no context output for this command.

Command Example
!okta-reset-factor factorId=osti2xdcf0FwcR9x80h7 userId=00ugo6k55kHeoJMYC0h7
Human Readable Output

image

9. Get user groups associated with a specified user


Returns all user groups associated with a specified user.

Base Command

okta-get-groups

Input
Argument Name Description Required
username Okta username in which to get groups. Required

Context Output
Path Type Description
Account.Group unknown Okta group in which the account is associated.
Account.ID string Okta account ID.
Account.Type string Type of account, such as Okta.
Account.Group.ID string Unique key for group.
Account.Group.Created date Timestamp when group was created.
Account.Group.ObjectClass string Determines the group profile.
Account.Group.LastUpdated date Timestamp when group profile was last updated.
Account.Group.LastMembershipUpdated date Timestamp when group memberships were last updated.
Account.Group.Type string Determines how a group profile and memberships are managed.
Account.Group.Name string Name of the group.
Account.Group.Description string Description of the group.

Command Example
  !okta-get-groups username=test@this.com
Context Example
{
    "Account": {
        "Group": [
            {
                "Created": "2016-04-12T15:01:50.000Z",
                "Description": "All users in your organization",
                "ID": "00g66lckcsAJpLcNc0h7",
                "LastMembershipUpdated": "2018-07-30T19:56:59.000Z",
                "LastUpdated": "2016-04-12T15:01:50.000Z",
                "Name": "Everyone",
                "ObjectClass": [
                    "okta:user_group"
                ],
                "Type": "BUILT_IN"
            },
            {
                "Created": "2016-10-25T14:52:38.000Z",
                "Description": null,
                "ID": "00g8mo0l5wuTxmoIC0h7",
                "LastMembershipUpdated": "2018-07-31T09:30:33.000Z",
                "LastUpdated": "2016-10-25T14:52:38.000Z",
                "Name": "test1",
                "ObjectClass": [
                    "okta:user_group"
                ],
                "Type": "OKTA_GROUP"
            }
        ],
        "ID": "00ued6gq9jItNhAsN0h7",
        "Type": "Okta"
    }
}
War Room Output

image

10. Create a user without a recovery question


Creates a user without a recovery question-and-answer requirement.

Base Command

okta-set-password

Input
Argument Name Description Required
username Okta username in whcih to change the password. Required
password The new password to set for the user. Required

Context Output

There is no context output for this command.

Command Example
!okta-set-password username=test@this.com password=newpassword
Human Readable Output

Okta user password set

11. Search a specified term


Returns details of users that match the found term.

Base Command

okta-search

Input
Argument Name Description Required
term The term to search for. Can be first name, last name, or email. Required
limit Maximum number of results to return (default 200). Optional
verbose Whether to list all details of users that match search term. Optional

Context Output
Path Type Description
Account.ID string Okta account IDs returned by search.
Account.Username string Okta account usernames returned by search.
Account.Email string Okta account emails returned by search.
Accout.DisplayName string Okta account display names returned by search.
Account.Type string Account type returned by search, such as Okta.

Command Example
  !okta-search term=test@this.com
Context Example
{
    "Account": [
        {
            "DisplayName": "test this",
            "Email": "test@this.com",
            "ID": "00ued6gq9jItNhAsN0h7",
            "Type": "Okta",
            "Username": "test@this.com",
            "id": "00ued6gq9jItNhAsN0h7"
        }
    ]
}
War Room Output

image

12. Get a specified user


Fetches information for a specified user. You must enter one or more parameters for the command to run.

Base Command

okta-get-user

Input
Argument Name Description Required
username Username in which to return information. Usernames must not  contain a forward slash ('/'). Optional
userid User ID of the requested user in which to return information. Optional
verbose Whether to return all details of the user. Optional

Context Output
Path Type Description
Account.ID string Okta account ID.
Account.Email string Okta account email.
Account.Username string Okta account username.
Account.DisplayName string Okta account display name.
Account.Type string Type of account, such as Okta.

Command Example
  !okta-get-user username=test@this.com verbose=true
Context Example
{
    "Account": [
        {
            "DisplayName": "test this",
            "Email": "test@this.com",
            "ID": "00ued6gq9jItNhAsN0h7",
            "Type": "Okta",
            "Username": "test@this.com",
            "id": "00ued6gq9jItNhAsN0h7"
        }
    ]
}
War Room Output

image

13. Create a new user


Creates a new user with the option to set a password, and recovery question and answer. This flow is common when developing a custom user registration experience.

Base Command

okta-create-user

Input
Argument Name Description Required
firstName First name of the user (givenName). Required
lastName Family name of the user (familyName). Required
email Primary email address of the user. Required
login Unique identifier for the user (username). Required
secondEmail Secondary email address of the user.  Usually for account recovery. Optional
middleName Middle name(s) of the user. Optional
honorificPrefix Honorific prefix(es) of the user, or title in most Western languages. Optional
honorificSuffix Honorific suffix(es) of the user. Optional
title User title. For example, Vice President. Optional
displayName Name of the user, suitable for display to end users. Optional
nickName Casual way to address the user. Optional
profileUrl

URL of user online profile. For example, a web page.

Optional
primaryPhone

Primary phone number of the user.

Optional
mobilePhone Mobile phone number of the user. Optional
streetAddress Full street address component of the user address. Optional
city City or locality component of the user address (locality). Optional
state State or region component of the user address (region). Optional
zipCode Zipcode or postal code component of the user address (postalCode). Optional
countryCode Country name component of the user address (country). Optional
postalAddress Mailing address component of the user address. Optional
preferredLanguage User preferred written or spoken language. Optional
locale User default location for localizing items such as currency, date time format, numerical representations, and so on. Optional
timezone User time zone. Optional
userType Identify the organization's relationship with the user such as Employee or Contractor. Optional
employeeNumber Organization or company assigned unique identifier for the user. Optional
costCenter Name of the cost center in which the user is assigned. Optional
organization The organization in which the user belongs. Optional
division The division in which the user belongs. Optional
department The Department in which the user belongs. Optional
managerId ID of the user’s manager. Optional
manager DisplayName of the user’s manager. Optional
password Password for the new user. Optional
passwordQuestion Password question for the new user. Optional
passwordAnswer Password answer for the specified question. Optional
providerType

Type of provider. Valid providerType s are:

  • OKTA
  • ACTIVE_DIRECTORY
  • LDAP
  • FEDERATION
  • SOCIAL
Optional
providerName Name of provider. Optional
groupIds IDs of groups that user is immediately added to at the time of creation (Do not include default group). Optional
activate Activates the lifecycle operation when creating the user. Optional

Context Output
Path Type Description
Account.ID string Created Okta account ID.
Account.Email string Created Okta account email.
Account.Username string Created Okta account username.
Account.DisplayName string Created Okta account display name.
Account.Type string Type of account that was created, such as Okta.

Command Example
  !okta-create-user email=test@that.com firstName=test lastName=that login=test@that.com
Context Example
{
    "Account": [
        {
            "DisplayName": "test that",
            "Email": "test@that.com",
            "ID": "00ufufhqits3y78Ju0h7",
            "Type": "Okta",
            "Username": "test@that.com",
            "id": "00ufufhqits3y78Ju0h7"
        }
    ]
}
War Room Output

image

14. Update user details


Updates account details for a specified user. The only required parameter is username.

Base Command

okta-update-user

Input
Argument Name Description Required
username Unique identifier for the user (login). Required
firstName First name of the user (givenName). Optional
lastName Family name of the user (familyName). Optional
email Primary email address of the user. Optional
secondEmail Secondary email address of user typically used for account recovery. Optional
middleName Middle name of the user. Supports multiple middle names. Optional
honorificPrefix Honorific prefix of the user, or title in most Western languages. Supports multiple input. Optional
honorificSuffix Honorific suffix of the user. Supports multiple input. Optional
title The user’s title (for example, Vice President) Optional
displayName Name of the user, suitable for display to end users. Optional
nickName Casual way to address the user. Optional
profileUrl URL of user’s online profile (for example, a web page). Optional
primaryPhone Primary phone number of user. Optional
mobilePhone Mobile phone number of user. Optional
streetAddress Full street address component of user. Optional
city City or locality component of user’s address (locality). Optional
state State or region component of user’s address (region). Optional
zipCode Zipcode or postal code component of user’s address (postalCode). Optional
countryCode Country name component of user’s address (country). Optional
postalAddress Mailing address of the user. Optional
preferredLanguage User’s preferred written or spoken languages. Optional
locale User’s default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. Optional
timezone User’s time zone. Optional
userType Used to identify the organization to user relationship such as E mployee or Contractor. Optional
employeeNumber Organization or company assigned unique identifier for the user. Optional
costCenter Name of a cost center assigned to the user. Optional
organization The organization the user belongs to. Optional
division The division the user belongs to. Optional
department The department that the user belongs to. Optional
managerId ID of a user’s manager. Optional
manager DisplayName of the user’s manager. Optional
password Password for the new user. Optional
passwordQuestion Password question for new user. Optional
passwordAnswer Password answer for the specified question. Optional
providerType

Valid providerType s are:

  • OKTA
  • ACTIVE_DIRECTORY
  • LDAP
  • FEDERATION
  • SOCIAL
Optional
providerName Name of provider. Optional

Context Output

There is no context output for this command.

Command Example

!okta-update-user username=test@that.com displayName=alsotest

War Room Output

image

15. Get failed logins


Returns event details of Okta issued sessions for user authentication for user failed logins.

Base Command

okta-get-failed-logins

Input
Argument Name Description More Information Required
since

The start date of the search range in the Internet Date/Time.

Format profile: ISO 8601

Example: 2017-05-03T16:22:18Z

Optional
until The end date of the search range in the Internet Date/Time.

Format profile: ISO 8601

Example: 2017-05-03T16:22:18Z

Optional
sortOrder The order of the returned events. default is ASCENDING Optional
limit Sets the number of results returned in the response. Default is 100 Optional

Context Output
Path Type Description
Okta.Logs.Events.actor.alternateId string Alternative ID of the actor.
Okta.Logs.Events.actor.displayName string Display name of actor.
Okta.Logs.Events.actor.id string ID of the actor.
Okta.Logs.Events.client.userAgent.rawUserAgent string A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.os string The Operating System on which the client runs. For example, Microsoft Windows 10).
Okta.Logs.Events.client.userAgent.browser string Identifies the web browser type. For example, Chrome.
Okta.Logs.Events.client.device string Type of device that the client operated from (for example, Computer).
Okta.Logs.Events.client.id string

For OAuth requests:ID of the requesting OAuth client.

For SSWS token requests: ID of the requesting agent.

Okta.Logs.Events.client.ipAddress string IP address in which the client made the request.
Okta.Logs.Events.client.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available. For example, Seattle, San Francisco.
Okta.Logs.Events.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates. For example, Montana, Incheon.
Okta.Logs.Events.client.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates. For example,  France, Uganda.
Okta.Logs.Events.displayMessage string The display message for an event.
Okta.Logs.Events.eventType string Type of event that was published.
Okta.Logs.Events.outcome.result string

Result of the action:

  • SUCCESS
  • FAILURE
  • SKIPPED
  • UNKNOWN
Okta.Logs.Events.outcome.reason string Reason for the result. For example, INVALID_CREDENTIALS.
Okta.Logs.Events.published string Timestamp when event was published.
Okta.Logs.Events.severity string

Indicates how severe the event is:

  • DEBUG
  • INFO
  • WARN
  • ERROR
Okta.Logs.Events.securityContext.asNumber number Autonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrg string Organization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.isp string Internet service provider used to sent the event request.
Okta.Logs.Events.securityContext.domain string The domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxy string Specifies whether an event’s request is from a known proxy.
Okta.Logs.Events.request.ipChain.IP string IP address.
Okta.Logs.Events.request.ipChain.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.request.ipChain.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.request.ipChain.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for examplem France, Uganda).
Okta.Logs.Events.request.ipChain.source string Details regarding the source.
Okta.Logs.Events.target.id string ID of a target.
Okta.Logs.Events.target.type string Type of a target.
Okta.Logs.Events.target.alternateId string Alternative ID of a target.
Okta.Logs.Events.target.displayName string Display name of a target.

Command Example
  !okta-get-failed-logins limit=1 since=2018-07-30T16:22:18Z
Context Example
{
    "Okta": {
        "Logs": {
            "Events": {
                "actor": {
                    "alternateId": "test@this.com",
                    "detailEntry": null,
                    "displayName": "test1",
                    "id": "00ued6gq9jItNhAsN0h7",
                    "type": "User"
                },
                "authenticationContext": {
                    "authenticationProvider": null,
                    "authenticationStep": 0,
                    "credentialProvider": null,
                    "credentialType": null,
                    "externalSessionId": "unknown",
                    "interface": null,
                    "issuer": null
                },
                "client": {
                    "device": "Computer",
                    "geographicalContext": {
                        "city": "Tel Aviv",
                        "country": "Israel",
                        "geolocation": {
                            "lat": 32.0667,
                            "lon": 34.7667
                        },
                        "postalCode": null,
                        "state": "Tel Aviv"
                    },
                    "id": null,
                    "ipAddress": "1.2.3.4",
                    "userAgent": {
                        "browser": "CHROME",
                        "os": "Mac OS X",
                        "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
                    },
                    "zone": "null"
                },
                "debugContext": {
                    "debugData": {
                        "requestUri": "/api/v1/authn"
                    }
                },
                "displayMessage": "User login to Okta",
                "eventType": "user.session.start",
                "legacyEventType": "core.user_auth.login_failed",
                "outcome": {
                    "reason": "GENERAL_NONSUCCESS",
                    "result": "FAILURE"
                },
                "published": "2018-07-31T12:55:59.231Z",
                "request": {
                    "ipChain": [
                        {
                            "geographicalContext": {
                                "city": "Tel Aviv",
                                "country": "Israel",
                                "geolocation": {
                                    "lat": 32.0667,
                                    "lon": 34.7667
                                },
                                "postalCode": null,
                                "state": "Tel Aviv"
                            },
                            "ip": "1.2.3.4",
                            "source": null,
                            "version": "V4"
                        }
                    ]
                },
                "securityContext": {
                    "asNumber": null,
                    "asOrg": null,
                    "domain": null,
                    "isProxy": null,
                    "isp": null
                },
                "severity": "WARN",
                "target": null,
                "transaction": {
                    "detail": {},
                    "id": "W2BcX2qHbXMeIQ9PwrRMgQAABKY",
                    "type": "WEB"
                },
                "uuid": "ff9cb6c1-e8a0-474f-8d0e-56e45bb0f9d6",
                "version": "0"
            }
        }
    }
}
War Room Output

image

16. Get information about a user that was added to a group


Returns event details for when a user is added to a group.

Base Command

okta-get-group-assignments

Input
Argument Name Description More Information Required
since

The start date of the search range in the Internet Date/Time

Format profile:ISO 8601.

For example: 2017-05-03T16:22:18Z.

Optional
until The end date of the search range in the Internet Date/Time

Format profile:ISO 8601.

For example: 2017-05-03T16:22:18Z.

Optional
sortOrder The order of the returned events Default is ASCENDING. Optional
limit Sets the number of results returned in the response Default is 100. Optional

Context Output
Path Type Description
Okta.Logs.Events.actor.alternateId string Alternative ID of the actor.
Okta.Logs.Events.actor.displayName string Display name of the actor.
Okta.Logs.Events.actor.id string ID of the actor.
Okta.Logs.Events.client.userAgent.rawUserAgent string A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.os string The Operating System the client runs on (for example, Windows 10).
Okta.Logs.Events.client.userAgent.browser string If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX).
Okta.Logs.Events.client.device string Type of device that the client operated from (for example, Computer).
Okta.Logs.Events.client.id string

For OAuth requests this is the ID of the requesting OAuth client.

For SSWS token requests, this is the ID of the requesting agent.

Okta.Logs.Events.client.ipAddress string IP address that the client made the request from.
Okta.Logs.Events.client.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.client.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.displayMessage string The display message for an event.
Okta.Logs.Events.eventType string The type of event that was published.
Okta.Logs.Events.outcome.result string

Result of the action:

  • SUCCESS
  • FAILURE
  • SKIPPED
  • UNKNOWN
Okta.Logs.Events.outcome.reason string Reason for the result (for example, INVALID_CREDENTIALS)
Okta.Logs.Events.published string Timestamp when event was published.
Okta.Logs.Events.severity string

Indicates how severe the event is:

  • DEBUG
  • INFO
  • WARN
  • ERROR
Okta.Logs.Events.securityContext.asNumber number Autonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrg string Organization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.isp string Internet service provider used to sent the event’s request.
Okta.Logs.Events.securityContext.domain string The domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxy string Specifies whether an event’s request is from a known proxy.
Okta.Logs.Events.request.ipChain.IP string IP address.
Okta.Logs.Events.request.ipChain.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.request.ipChain.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.request.ipChain.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.request.ipChain.source string Details regarding the source.
Okta.Logs.Events.target.id string Target ID.
Okta.Logs.Events.target.type string Target type.
Okta.Logs.Events.target.alternateId string Alternative ID of target.
Okta.Logs.Events.target.displayName string Display name of the target.

Command Example
!okta-get-group-assignments limit=1 since=2018-07-30T16:22:18Z
Context Example
{
    "Okta": {
        "Logs": {
            "Events": {
                "actor": {
                    "alternateId": "actor@org.com",
                    "detailEntry": null,
                    "displayName": "the actor",
                    "id": "00u66lckd7lpjidYi0h7",
                    "type": "User"
                },
                "authenticationContext": {
                    "authenticationProvider": null,
                    "authenticationStep": 0,
                    "credentialProvider": null,
                    "credentialType": null,
                    "externalSessionId": "trsd7PuSH7sSDS_UIfWdOsPPg",
                    "interface": null,
                    "issuer": null
                },
                "client": {
                    "device": "Unknown",
                    "geographicalContext": {
                        "city": "Boardman",
                        "country": "United States",
                        "geolocation": {
                            "lat": 45.8696,
                            "lon": -119.688
                        },
                        "postalCode": "97818",
                        "state": "Oregon"
                    },
                    "id": null,
                    "ipAddress": "54.190.157.130",
                    "userAgent": {
                        "browser": "UNKNOWN",
                        "os": "Unknown",
                        "rawUserAgent": "Go-http-client/1.1"
                    },
                    "zone": "null"
                },
                "debugContext": {
                    "debugData": {
                        "requestUri": "/api/v1/groups/00g8mo0l5wuTxmoIC0h7/users/00ued6gq9jItNhAsN0h7"
                    }
                },
                "displayMessage": "Add user to group membership",
                "eventType": "group.user_membership.add",
                "legacyEventType": "core.user_group_member.user_add",
                "outcome": {
                    "reason": null,
                    "result": "SUCCESS"
                },
                "published": "2018-07-30T16:25:02.936Z",
                "request": {
                    "ipChain": [
                        {
                            "geographicalContext": {
                                "city": "Boardman",
                                "country": "United States",
                                "geolocation": {
                                    "lat": 45.8696,
                                    "lon": -119.688
                                },
                                "postalCode": "97818",
                                "state": "Oregon"
                            },
                            "ip": "1.2.3.4",
                            "source": null,
                            "version": "V4"
                        }
                    ]
                },
                "securityContext": {
                    "asNumber": null,
                    "asOrg": null,
                    "domain": null,
                    "isProxy": null,
                    "isp": null
                },
                "severity": "INFO",
                "target": [
                    {
                        "alternateId": "test@this.com",
                        "detailEntry": null,
                        "displayName": "test this",
                        "id": "00ued6gq9jItNhAsN0h7",
                        "type": "User"
                    },
                    {
                        "alternateId": "unknown",
                        "detailEntry": null,
                        "displayName": "test1",
                        "id": "00g8mo0l5wuTxmoIC0h7",
                        "type": "UserGroup"
                    }
                ],
                "transaction": {
                    "detail": {},
                    "id": "W1873sDkmmCcshePrev2GQAAAws",
                    "type": "WEB"
                },
                "uuid": "db8e9dda-62d2-458c-a311-9e18eec59c8e",
                "version": "0"
            }
        }
    }
}
War Room Output

image

17. Get information about a user that was assigned to an application


Returns event details for when a user is assigned to an application.

Base Command

okta-get-application-assignments

Input
Argument Name Description More Information Required
since

The start date of the search range in the Internet Date/Time

Format profile: ISO 8601

For example: 2017-05-03T16:22:18Z.

Optional
until The end date of the search range in the Internet Date/Time

Format profile: ISO 8601

For example: 2017-05-03T16:22:18Z.

Optional
sortOrder The order of the returned event Default is ASCENDING. Optional
limit Sets the number of results returned in the response Default is 100. Optional

Context Output
Path Type Description
Okta.Logs.Events.actor.alternateId string Alternative ID of actor.
Okta.Logs.Events.actor.displayName string Display name of actor.
Okta.Logs.Events.actor.id string ID of actor.
Okta.Logs.Events.client.userAgent.rawUserAgent string A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.os string The Operating System the client runs on (for example, Windows 10).
Okta.Logs.Events.client.userAgent.browser string If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX).
Okta.Logs.Events.client.device string The type of device that the client operated from (for example, Computer).
Okta.Logs.Events.client.id string

For OAuth requests this is the ID of the requesting OAuth client.

For SSWS token requests, this is the ID of the requesting agent.

Okta.Logs.Events.client.ipAddress string IP address that the client made the request from.
Okta.Logs.Events.client.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco)
Okta.Logs.Events.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.client.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.displayMessage string The display message for an event.
Okta.Logs.Events.eventType string The type of event that was published.
Okta.Logs.Events.outcome.result string

Result of the action:

  • SUCCESS
  • FAILURE
  • SKIPPED
  • UNKNOWN
Okta.Logs.Events.outcome.reason string Reason for the result (for example, INVALID_CREDENTIALS).
Okta.Logs.Events.published string Timestamp when the event was published.
Okta.Logs.Events.severity string

Indicates how severe the event is:

  • DEBUG
  • INFO
  • WARN
  • ERROR
Okta.Logs.Events.securityContext.asNumber number Autonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrg string Organization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.isp string Internet service provider used to sent the event’s request.
Okta.Logs.Events.securityContext.domain string The domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxy string Specifies whether an event’s request is from a known proxy.
Okta.Logs.Events.request.ipChain.IP string IP address.
Okta.Logs.Events.request.ipChain.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.request.ipChain.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.request.ipChain.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.request.ipChain.source string Details regarding the source.
Okta.Logs.Events.target.id string Target ID.
Okta.Logs.Events.target.type string Target type.
Okta.Logs.Events.target.alternateId string Alternative target ID.
Okta.Logs.Events.target.displayName string Display name of the target.

Command Example

!okta-get-application-assignments limit=1 since=2018-07-31T08:22:18Z

Context Example
{
    "Okta": {
        "Logs": {
            "Events": {
                "actor": {
                    "alternateId": "actor@org.com",
                    "detailEntry": null,
                    "displayName": "the actor",
                    "id": "00u66lckd7lpjidYi0h7",
                    "type": "User"
                },
                "authenticationContext": {
                    "authenticationProvider": null,
                    "authenticationStep": 0,
                    "credentialProvider": null,
                    "credentialType": null,
                    "externalSessionId": "trsTLYkoNfDSRGgbq9SzBnY-Q",
                    "interface": null,
                    "issuer": null
                },
                "client": {
                    "device": "Unknown",
                    "geographicalContext": {
                        "city": "Tel Aviv",
                        "country": "Israel",
                        "geolocation": {
                            "lat": 32.0667,
                            "lon": 34.7667
                        },
                        "postalCode": null,
                        "state": "Tel Aviv"
                    },
                    "id": null,
                    "ipAddress": "1.2.3.4",
                    "userAgent": {
                        "browser": "UNKNOWN",
                        "os": "Unknown",
                        "rawUserAgent": "Go-http-client/1.1"
                    },
                    "zone": "null"
                },
                "debugContext": {
                    "debugData": {
                        "requestUri": "/api/v1/users/00ued6gq9jItNhAsN0h7/lifecycle/activate"
                    }
                },
                "displayMessage": "Add user to application membership",
                "eventType": "application.user_membership.add",
                "legacyEventType": "app.generic.provision.assign_user_to_app",
                "outcome": {
                    "reason": null,
                    "result": "SUCCESS"
                },
                "published": "2018-07-31T12:02:31.078Z",
                "request": {
                    "ipChain": [
                        {
                            "geographicalContext": {
                                "city": "Tel Aviv",
                                "country": "Israel",
                                "geolocation": {
                                    "lat": 32.0667,
                                    "lon": 34.7667
                                },
                                "postalCode": null,
                                "state": "Tel Aviv"
                            },
                            "ip": "1.2.3.4",
                            "source": null,
                            "version": "V4"
                        }
                    ]
                },
                "securityContext": {
                    "asNumber": null,
                    "asOrg": null,
                    "domain": null,
                    "isProxy": null,
                    "isp": null
                },
                "severity": "INFO",
                "target": [
                    {
                        "alternateId": "test@this.com",
                        "detailEntry": null,
                        "displayName": "test1",
                        "id": "0uafuf6i7ardNkj7X0h7",
                        "type": "AppUser"
                    },
                    {
                        "alternateId": "org",
                        "detailEntry": null,
                        "displayName": "org",
                        "id": "0oabfkvxe1npBRdow0h7",
                        "type": "AppInstance"
                    },
                    {
                        "alternateId": "test@this.com",
                        "detailEntry": null,
                        "displayName": "test1",
                        "id": "00ued6gq9jItNhAsN0h7",
                        "type": "User"
                    }
                ],
                "transaction": {
                    "detail": {},
                    "id": "W2BP1iZAuMuRo8nEWoBn5QAABgw",
                    "type": "WEB"
                },
                "uuid": "eef74c84-4e91-45b8-be35-51d3953ad2ac",
                "version": "0"
            }
        }
    }
}
War Room Output

image

18. Get information about a user who made an SSO attempt


Returns event details for when a user attempts to sign on using SSO to an application managed in Okta.

Base Command

okta-get-application-authentication

Input
Argument Name Description More Information Required
since

The start date of the search range in the Internet Date/Time

Format profile: ISO 8601

For example: 2017-05-03T16:22:18Z.

Optional
until The end date of the search range in the Internet Date/Time

Format profile: ISO 8601

For example: 2017-05-03T16:22:18Z.

Optional
sortOrder The order of the returned event Default is ASCENDING. Optional
limit Sets the number of results returned in the response Default is 100. Optional

Context Output
Path Type Description
Okta.Logs.Events.actor.alternateId string Alternative ID of actor.
Okta.Logs.Events.actor.displayName string Display name of actor.
Okta.Logs.Events.actor.id string Actor ID.
Okta.Logs.Events.client.userAgent.rawUserAgent string A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.os string The Operating System the client runs on (for example, Windows 10).
Okta.Logs.Events.client.userAgent.browser string If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX).
Okta.Logs.Events.client.device string The type of device that the client operated from (for example, Computer).
Okta.Logs.Events.client.id string

For OAuth requests this is the ID of the requesting OAuth client.

For SSWS token requests, this is the ID of the requesting agent.

Okta.Logs.Events.client.ipAddress string IP address that the client made the request from.
Okta.Logs.Events.client.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.client.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.displayMessage string The display message for an event.
Okta.Logs.Events.eventType string The type of event that was published.
Okta.Logs.Events.outcome.result string

Result of the action:

  • SUCCESS
  • FAILURE
  • SKIPPED
  • UNKNOWN
Okta.Logs.Events.outcome.reason string Reason for the result (for example, INVALID_CREDENTIALS).
Okta.Logs.Events.published string Timestamp when event was published.
Okta.Logs.Events.severity string

Indicates how severe the event is:

  • DEBUG
  • INFO
  • WARN
  • ERROR
Okta.Logs.Events.securityContext.asNumber number Autonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrg string Organization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.isp string Internet service provider used to sent the event’s request.
Okta.Logs.Events.securityContext.domain string The domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxy string Specifies whether an event’s request is from a known proxy
Okta.Logs.Events.request.ipChain.IP string IP address.
Okta.Logs.Events.request.ipChain.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.request.ipChain.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.request.ipChain.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.request.ipChain.source string Details regarding the source.
Okta.Logs.Events.target.id string Target ID.
Okta.Logs.Events.target.type string Target type.
Okta.Logs.Events.target.alternateId string Alternative target ID.
Okta.Logs.Events.target.displayName string Display name of the target.

Command Example

!okta-get-application-authentication limit=1

Context Example
{
    "Okta": {
        "Logs": {
            "Events": {
                "actor": {
                    "alternateId": "actor@org.com",
                    "detailEntry": null,
                    "displayName": "the actor",
                    "id": "00u66lckd7lpjidYi0h7",
                    "type": "User"
                },
                "authenticationContext": {
                    "authenticationProvider": null,
                    "authenticationStep": 0,
                    "credentialProvider": null,
                    "credentialType": null,
                    "externalSessionId": "102Mir-8MMcRSyiM0JUWgA3Xg",
                    "interface": null,
                    "issuer": null
                },
                "client": {
                    "device": "Computer",
                    "geographicalContext": {
                        "city": "Cupertino",
                        "country": "United States",
                        "geolocation": {
                            "lat": 37.3042,
                            "lon": -122.0946
                        },
                        "postalCode": "95014",
                        "state": "California"
                    },
                    "id": null,
                    "ipAddress": "1.2.3.4",
                    "userAgent": {
                        "browser": "CHROME",
                        "os": "Mac OS X",
                        "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
                    },
                    "zone": "null"
                },
                "debugContext": {
                    "debugData": {
                        "initiationType": "IDP_INITIATED",
                        "requestUri": "/app/demistodev725178_examplesamlapplication_1/exk66lba7vkLRUBQj0h7/sso/saml",
                        "signOnMode": "SAML 2.0"
                    }
                },
                "displayMessage": "User single sign on to app",
                "eventType": "user.authentication.sso",
                "legacyEventType": "app.auth.sso",
                "outcome": {
                    "reason": null,
                    "result": "SUCCESS"
                },
                "published": "2018-07-24T20:16:30.670Z",
                "request": {
                    "ipChain": [
                        {
                            "geographicalContext": {
                                "city": "Cupertino",
                                "country": "United States",
                                "geolocation": {
                                    "lat": 37.3042,
                                    "lon": -122.0946
                                },
                                "postalCode": "95014",
                                "state": "California"
                            },
                            "ip": "1.2.3.4",
                            "source": null,
                            "version": "V4"
                        }
                    ]
                },
                "securityContext": {
                    "asNumber": null,
                    "asOrg": null,
                    "domain": null,
                    "isProxy": null,
                    "isp": null
                },
                "severity": "INFO",
                "target": [
                    {
                        "alternateId": "Application",
                        "detailEntry": {
                            "signOnModeType": "SAML_2_0"
                        },
                        "displayName": "Application",
                        "id": "0oa66lba7w3Ns1ril0h7",
                        "type": "AppInstance"
                    },
                    {
                        "alternateId": "target@org.com",
                        "detailEntry": null,
                        "displayName": "the target",
                        "id": "0ua66lsm6uLy0L8aZ0h7",
                        "type": "AppUser"
                    }
                ],
                "transaction": {
                    "detail": {},
                    "id": "W1eJHiPpdkHoLVc0yU04WwAAB20",
                    "type": "WEB"
                },
                "uuid": "0ef202af-0bc5-4fa9-a972-4aeedcb68428",
                "version": "0"
            }
        }
    }
}
War Room Output

image

19. Add a user to a group


Adds a user to a group with the OKTA_GROUP type.

Base Command

okta-add-to-group

Input
Argument Name Description Required
userId ID of the user to add Optional
groupId ID of the group to add the user to Optional
username Name of the user to add Optional
groupName Name of the group to add the user to Optional

Context Output

There is no context output for this command.

Command Example

!okta-add-to-group username=test@this.com groupName=test1

War Room Output

image

20 Remove a user from a group


Removes a user from a group with the OKTA_GROUP type.

Base Command

okta-remove-from-group

Input
Argument Name Description Required
userId ID of the user to remove Optional
groupId ID of the group to remove the user from Optional
username Name of the user to add Optional
groupName Name of the group to add the user to Optional

Context Output

There is no context output for this command.

Command Example
  !okta-remove-from-group username=test@this.com groupName=test1
War Room Output

image

21. Get logs


Returns logs using specified filters.

Base Command

okta-get-logs

Input
Argument Name Description More Information Required
filter

Useful for performing structured queries where constraints on LogEvent attribute values can be explicitly targeted.

For more information about filtering, visit Okta Support on Filtering

These Okta parameters are supported on Demisto:

  • eventType - Events that have a specific action ( eventType eq on Okta)
  • id - Events published with a specific target ID ( eventType target.id eq on Okta)
  • id - Events published with a specific actor ID ( actor.id eq on Okta)
Optional
query

Can be used to perform keyword matching against a LogEvents object’s attribute values. In order to satisfy the constraint, all supplied keywords must be matched exactly. Matching is case-insensitive.

Examples of common keyword filtering:

  • Events that mention a specific city query=San Francisco
  • Events that mention a specific URL query=interestingURI.com
  • Events that mention a specific person query=firstName lastName
Optional
since The start date of the search range in the Internet Date/Time

Format profile: ISO 8601

For example: 2017-05-03T16:22:18Z

Optional
until The end date of the search range in the Internet Date/Time

Format profile: ISO 8601

For example: 2017-05-03T16:22:18Z

Optional
sortOrder The order of the returned events Default is ASCENDING Optional
limit Sets the number of results returned in the response Default is 100 Optional

Context Output
Path Type Description
Okta.Logs.Events.actor.alternateId string Alternative actor ID.
Okta.Logs.Events.actor.displayName string Display name of actor.
Okta.Logs.Events.actor.id string Actor ID.
Okta.Logs.Events.client.userAgent.rawUserAgent string A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
Okta.Logs.Events.client.userAgent.os string The Operating System the client runs on (for example, Windows 10).
Okta.Logs.Events.client.userAgent.browser string If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX).
Okta.Logs.Events.client.device string The type of device that the client operated from (for example, Computer).
Okta.Logs.Events.client.id string

For OAuth requests this is the ID of the requesting OAuth client.

For SSWS token requests, this is the ID of the requesting agent.

Okta.Logs.Events.client.ipAddress string IP address that the client made the request from.
Okta.Logs.Events.client.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.client.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.displayMessage string The display message for an event.
Okta.Logs.Events.eventType string Type of event that was published.
Okta.Logs.Events.outcome.result string

Result of the action:

  • SUCCESS
  • FAILURE
  • SKIPPED
  • UNKNOWN
Okta.Logs.Events.outcome.reason string Reason for the result (for example, INVALID_CREDENTIALS).
Okta.Logs.Events.published string Timestamp when event was published.
Okta.Logs.Events.severity string

Indicates how severe the event is:

  • DEBUG
  • INFO
  • WARN
  • ERROR
Okta.Logs.Events.securityContext.asNumber number Autonomous system number associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.asOrg string Organization associated with the autonomous system that the event request was sourced to.
Okta.Logs.Events.securityContext.isp string Internet service provider used to sent the event’s request.
Okta.Logs.Events.securityContext.domain string The domain name associated with the IP address of the inbound event request.
Okta.Logs.Events.securityContext.isProxy string Specifies whether an event’s request is from a known proxy.
Okta.Logs.Events.request.ipChain.IP string IP address.
Okta.Logs.Events.request.ipChain.geographicalContext.city string The city encompassing the area containing the geolocation coordinates, if available (for example, Seattle, San Francisco).
Okta.Logs.Events.request.ipChain.geographicalContext.state string Full name of the state or province encompassing the area containing the geolocation coordinates (for example, Montana, Incheon).
Okta.Logs.Events.request.ipChain.geographicalContext.country string Full name of the country encompassing the area containing the geolocation coordinates (for example, France, Uganda).
Okta.Logs.Events.request.ipChain.source string Details regarding the source.
Okta.Logs.Events.target.id string Target ID.
Okta.Logs.Events.target.type string Type of Target.
Okta.Logs.Events.target.alternateId string Alternative target ID.
Okta.Logs.Events.target.displayName string Display name of the target.

Command Example

!okta-get-logs filter="eventType eq \"user.session.start\"" until=2018-07-30T16:22:18Z

Context Example
{
    "Okta": {
        "Logs": {
            "Events": {
                "actor": {
                    "alternateId": "test@this.com",
                    "detailEntry": null,
                    "displayName": "test1",
                    "id": "00ued6gq9jItNhAsN0h7",
                    "type": "User"
                },
                "authenticationContext": {
                    "authenticationProvider": null,
                    "authenticationStep": 0,
                    "credentialProvider": null,
                    "credentialType": null,
                    "externalSessionId": "unknown",
                    "interface": null,
                    "issuer": null
                },
                "client": {
                    "device": "Computer",
                    "geographicalContext": {
                        "city": "Tel Aviv",
                        "country": "Israel",
                        "geolocation": {
                            "lat": 32.0667,
                            "lon": 34.7667
                        },
                        "postalCode": null,
                        "state": "Tel Aviv"
                    },
                    "id": null,
                    "ipAddress": "1.2.3.4",
                    "userAgent": {
                        "browser": "CHROME",
                        "os": "Mac OS X",
                        "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
                    },
                    "zone": "null"
                },
                "debugContext": {
                    "debugData": {
                        "requestUri": "/api/v1/authn"
                    }
                },
                "displayMessage": "User login to Okta",
                "eventType": "user.session.start",
                "legacyEventType": "core.user_auth.login_failed",
                "outcome": {
                    "reason": "GENERAL_NONSUCCESS",
                    "result": "FAILURE"
                },
                "published": "2018-07-31T12:55:59.231Z",
                "request": {
                    "ipChain": [
                        {
                            "geographicalContext": {
                                "city": "Tel Aviv",
                                "country": "Israel",
                                "geolocation": {
                                    "lat": 32.0667,
                                    "lon": 34.7667
                                },
                                "postalCode": null,
                                "state": "Tel Aviv"
                            },
                            "ip": "1.2.3.4",
                            "source": null,
                            "version": "V4"
                        }
                    ]
                },
                "securityContext": {
                    "asNumber": null,
                    "asOrg": null,
                    "domain": null,
                    "isProxy": null,
                    "isp": null
                },
                "severity": "WARN",
                "target": null,
                "transaction": {
                    "detail": {},
                    "id": "W2BcX2qHbXMeIQ9PwrRMgQAABKY",
                    "type": "WEB"
                },
                "uuid": "ff9cb6c1-e8a0-474f-8d0e-56e45bb0f9d6",
                "version": "0"
            }
        }
    }
}
War Room Output

image

22. Get a list of groups


Enumerates groups in your organization. A subset of groups can be returned that match a supported filter expression or query.

Base Command

okta-list-groups

Input
Argument Name Description Required
query Searches the name property of groups for matching value. Optional
filter

Useful for performing structured queries where constraints on group attribute values are explicitly targeted.

These are some examples of Okta parameters that are supported on Demisto for groups with the filter query parameter:

  • type eq "OKTA_GROUP" - Groups that have an OKTA_GROUP type
  • lastUpdated lt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - Groups with profile last updated before a specific timestamp
  • lastMembershipUpdated eq "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - Groups with memberships last updated at a specific timestamp
  • id eq "00g1emaKYZTWRYYRRTSK" - Group with a specified ID

For more information about filtering, visit Okta Support on Filtering

Optional
limit Sets the number of results returned in the response. Optional

Context Output
Path Type Description
Okta.Group.ID string Unique key for the group
Okta.Group.Created date Timestamp for when the group was created
Okta.Group.ObjectClass unknown The group profile
Okta.Group.LastUpdated date Timestamp for when the group profile was last updated
Okta.Group.LastMembershipUpdated date Timestamp for when the group’s memberships were last updated
Okta.Group.Type string

Determines how a group’s profile and memberships are managed

  • OKTA_GROUP
  • APP_GROUP
  • BUILT_IN
Okta.Group.Name string Name of the group
Okta.Group.Description string Description of the group

Command Example
  !okta-list-groups query=test1
Context Example
{
    "Okta": {
        "Group": {
            "Created": "2016-10-25T14:52:38.000Z",
            "Description": null,
            "ID": "00g8mo0l5wuTxmoIC0h7",
            "LastMembershipUpdated": "2018-07-31T13:58:28.000Z",
            "LastUpdated": "2016-10-25T14:52:38.000Z",
            "Name": "test1",
            "ObjectClass": [
                "okta:user_group"
            ],
            "Type": "OKTA_GROUP"
        }
    }
}
War Room Output

image

23. Get members of a specified group


Returns members of a specified group.

Base Command

okta-get-group-members

Input
Argument Name Description Required
groupId Id of the group Optional
limit Limits the number of user results Optional
verbose Print all details Optional
groupName Name of the group Optional

Context Output
Path Type Description
Account.ID string Okta account ID
Account.Email string Okta account email
Account.Username string Okta account username
Account.DisplayName string Okta account display name
Account.Type string Account type - Okta

Command Example
!okta-get-group-members groupName=test1
Context Example
{
    "Account": [
        {
            "DisplayName": "User1 Fam1",
            "Email": "user1@demisto.com",
            "Group": [
                {
                    "Created": "2016-10-25T14:52:38.000Z",
                    "Description": null,
                    "ID": "00g8mo0l5wuTxmoIC0h7",
                    "LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
                    "LastUpdated": "2016-10-25T14:52:38.000Z",
                    "Name": "test1",
                    "ObjectClass": [
                        "okta:user_group"
                    ],
                    "Type": "OKTA_GROUP"
                }
            ],
            "ID": "00u8mnv647IGaq5Wr0h7",
            "Type": "Okta",
            "Username": "user1@demisto.com",
            "id": "00u8mnv647IGaq5Wr0h7"
        },
        {
            "DisplayName": "user2 test2",
            "Email": "user2@demisto.com",
            "Group": [
                {
                    "Created": "2016-10-25T14:52:38.000Z",
                    "Description": null,
                    "ID": "00g8mo0l5wuTxmoIC0h7",
                    "LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
                    "LastUpdated": "2016-10-25T14:52:38.000Z",
                    "Name": "test1",
                    "ObjectClass": [
                        "okta:user_group"
                    ],
                    "Type": "OKTA_GROUP"
                }
            ],
            "ID": "00u8mo28qn8pmbLBJ0h7",
            "Type": "Okta",
            "Username": "user2@demisto.com",
            "id": "00u8mo28qn8pmbLBJ0h7"
        },
        {
            "DisplayName": "John Doe",
            "Email": "jondoe@test.org",
            "Group": [
                {
                    "Created": "2016-10-25T14:52:38.000Z",
                    "Description": null,
                    "ID": "00g8mo0l5wuTxmoIC0h7",
                    "LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
                    "LastUpdated": "2016-10-25T14:52:38.000Z",
                    "Name": "test1",
                    "ObjectClass": [
                        "okta:user_group"
                    ],
                    "Type": "OKTA_GROUP"
                }
            ],
            "ID": "00u8od2zcd5cFBMBU0h7",
            "Type": "Okta",
            "Username": "johndoe@test.org",
            "id": "00u8od2zcd5cFBMBU0h7"
        },
        {
            "DisplayName": "test this",
            "Email": "test@this.com",
            "Group": [
                {
                    "Created": "2016-10-25T14:52:38.000Z",
                    "Description": null,
                    "ID": "00g8mo0l5wuTxmoIC0h7",
                    "LastMembershipUpdated": "2018-07-31T13:59:57.000Z",
                    "LastUpdated": "2016-10-25T14:52:38.000Z",
                    "Name": "test1",
                    "ObjectClass": [
                        "okta:user_group"
                    ],
                    "Type": "OKTA_GROUP"
                }
            ],
            "ID": "00ued6gq9jItNhAsN0h7",
            "Type": "Okta",
            "Username": "test@this.com",
            "id": "00ued6gq9jItNhAsN0h7"
        }
    ]
}
War Room Output

image

Troubleshooting


This is a list of probable reasons for possible errors.

Error Possible Causes
401 Unauthorized

Wrong API URL or wrong API token

404 not found The user or the search term does not exsist
400 Bad request Request arguments are not provided correctly (for example, the date might be in the wrong format)