Expand Up @@ -27,7 +27,7 @@
"displayName": "Authentication ASIM parser for Okta",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationOktaSSO",
"query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n | extend\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\n ,\n eventType_s=column_ifexists('eventType_s', \"\")\n ,\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\n ,\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\n ,\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n 
SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nparser(disabled = disabled)",
"query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let OutcomeReasonLookup = datatable(outcome_reason_s: string, EventResultDetails: string)\n [\n \"LOCKED_OUT\", \"User locked\",\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\n \"UNKNOWN_USER\", \"No such user\",\n \"VERIFICATION_ERROR\", \"Incorrect key\",\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\n \"PASSWORD_EXPIRED\", \"Password expired\",\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\n ];\n let SrcDeviceTypeLookup = datatable(client_device_s: string, SrcDeviceType: string)\n [\n \"Computer\", \"Computer\",\n \"Mobile\", \"Mobile Device\",\n \"Tablet\", \"Mobile Device\"\n ];\n let ActorUserTypeLookup = datatable(ActorOriginalUserType: string, ActorUserType: string)\n [\n \"User\", \"Regular\",\n \"SystemPrincipal\", \"System\"\n ];\n let emptyOktaTable = datatable(\n TimeGenerated: datetime,\n outcome_result_s: string,\n eventType_s: string,\n legacyEventType_s: string,\n client_geographicalContext_geolocation_lat_d: double,\n client_geographicalContext_geolocation_lon_d: double,\n displayMessage_s: string,\n outcome_reason_s: string,\n uuid_g: string,\n actor_id_s: string,\n actor_alternateId_s: string,\n authenticationContext_externalSessionId_s: string,\n actor_type_s: string,\n client_userAgent_os_s: string,\n securityContext_isp_s: string,\n client_geographicalContext_city_s: string,\n client_geographicalContext_country_s: string,\n client_ipAddress_s: string,\n client_userAgent_browser_s: string,\n authenticationContext_credentialType_s: string,\n client_userAgent_rawUserAgent_s: string,\n client_geographicalContext_state_s: string,\n client_device_s: string\n )[];\n let 
OktaTable = union isfuzzy=true emptyOktaTable, Okta_CL;\n OktaTable\n | where not(disabled)\n | lookup OutcomeReasonLookup on outcome_reason_s\n | extend EventResultDetails = iif(outcome_result_s in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\n | extend\n Type = \"Okta_CL\",\n EventProduct='Okta',\n EventVendor='Okta',\n EventSchema = 'Authentication',\n EventCount=int(1),\n EventSchemaVersion='0.1.3',\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial'),\n EventStartTime=TimeGenerated,\n EventEndTime=TimeGenerated,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff'),\n TargetUserIdType = \"OktaId\",\n ActingAppType = \"Browser\"\n | project-rename\n EventOriginalSubType=legacyEventType_s,\n EventMessage=displayMessage_s,\n EventOriginalResultDetails=outcome_reason_s,\n EventOriginalUid=uuid_g,\n TargetUserId = actor_id_s,\n TargetUsername = actor_alternateId_s,\n TargetSessionId = authenticationContext_externalSessionId_s,\n ActorOriginalUserType = actor_type_s,\n SrcGeoLatitude = client_geographicalContext_geolocation_lat_d,\n SrcGeoLongitude = client_geographicalContext_geolocation_lon_d,\n SrcDvcOs = client_userAgent_os_s,\n SrcIsp = securityContext_isp_s,\n SrcGeoCity = client_geographicalContext_city_s,\n SrcGeoCountry = client_geographicalContext_country_s,\n SrcIpAddr = client_ipAddress_s,\n ActingAppName = client_userAgent_browser_s,\n LogonMethod = authenticationContext_credentialType_s,\n HttpUserAgent = client_userAgent_rawUserAgent_s,\n SrcGeoRegion = client_geographicalContext_state_s\n | extend\n ActorUserId = TargetUserId,\n ActorUsername = TargetUsername,\n ActorUserIdType = TargetUserIdType\n | lookup ActorUserTypeLookup on ActorOriginalUserType\n | extend\n TargetUserType = ActorUserType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | lookup 
SrcDeviceTypeLookup on client_device_s\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\n | extend \n User=TargetUsername,\n Dvc=EventVendor,\n IpAddr=SrcIpAddr\n | project\n TimeGenerated,\n Type,\n EventResultDetails,\n EventProduct,\n EventVendor,\n EventSchema,\n EventCount,\n EventSchemaVersion,\n EventResult,\n EventStartTime,\n EventEndTime,\n EventType,\n EventOriginalSubType,\n EventMessage,\n EventOriginalResultDetails,\n EventOriginalUid,\n TargetUserIdType,\n TargetUserId,\n TargetUsername,\n TargetSessionId,\n ActorOriginalUserType,\n SrcGeoLatitude,\n SrcGeoLongitude,\n SrcDvcOs,\n SrcIsp,\n SrcGeoCity,\n SrcGeoCountry,\n SrcIpAddr,\n ActingAppType,\n LogonMethod,\n HttpUserAgent,\n ActorUserId,\n ActorUsername,\n ActorUserIdType,\n ActorUserType,\n TargetUserType,\n TargetUsernameType,\n ActorUsernameType,\n SrcDeviceType,\n User,\n Dvc,\n IpAddr\n};\nparser(disabled = disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
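Review bot: Taking the query that sets `EventSchemaVersion='0.1.3'` as the new side of this hunk, the `| where eventType_s in (OktaSigninEvents)` step that the previous query applied right after `| where not(disabled)` is gone, and `OktaSigninEvents` is now declared but never used. Without that filter every Okta_CL row reaches the Authentication projection, and `EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')` labels every non-session event (policy, lifecycle and admin actions) as a `Logoff`, which would skew any detection or hunting content that counts authentication events by EventType or EventResult. The OktaV2 parser in the same commit keeps its `| where EventOriginalType in (OktaSigninEvents)` step, so this reads as an accidental drop rather than a design change, though I cannot tell from the hunk alone. Restore the line directly after `| where not(disabled)`: `| where eventType_s in (OktaSigninEvents)`.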
Expand Up @@ -27,7 +27,7 @@
"displayName": "Authentication ASIM parser for OktaV2",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationOktaV2",
"query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType 
hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=column_ifexists('ActorUsername', \"\")\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId,\n TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy,\n TransactionId,\n TransactionType;\n OktaV2\n};\nparser(disabled = disabled)",
"query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceType: string)\n [\n \"Computer\", \"Computer\",\n \"Mobile\", \"Mobile Device\",\n \"Tablet\", \"Mobile Device\"\n ];\n let OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string)\n [\n \"LOCKED_OUT\", \"User locked\",\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\n \"UNKNOWN_USER\", \"No such user\",\n \"VERIFICATION_ERROR\", \"Incorrect key\",\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\n \"PASSWORD_EXPIRED\", \"Password expired\",\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\n ];\n OktaV2_CL\n | where not(disabled)\n | where EventOriginalType in (OktaSigninEvents)\n | lookup OutcomeReasonLookup on EventOriginalResultDetails\n | extend EventResultDetails = iif(OriginalOutcomeResult in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\n | lookup SrcDeviceTypeLookup on OriginalClientDevice\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\n | extend\n Type = \"OktaV2_CL\",\n EventProduct = \"Okta\",\n EventSchema = \"Authentication\",\n EventVendor = \"Okta\",\n EventCount = int(1),\n EventSchemaVersion='0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff'),\n ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId),\n ActorUserIdType = \"OktaId\",\n EventResult = coalesce(EventResult,\n case (\n OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success',\n OriginalOutcomeResult in (OktaFailedOutcome), 'Failure',\n 'Partial')),\n SrcIpAddr,\n 
ActorSessionId,\n ActorUserId,\n SrcGeoRegion,\n SrcGeoCity,\n SrcGeoCountry,\n SrcDvcOs,\n SrcDvcId,\n SrcDvcIdType,\n DvcAction,\n EventOriginalUid,\n TargetSessionId = ActorSessionId,\n TargetUserId = ActorUserId,\n TargetUsername = ActorUsername,\n TargetUserType = ActorUserType,\n TargetUserIdType = ActorUserIdType\n | extend TargetUserType = case(\n TargetUserType == \"System Principal\", \"System\",\n TargetUserType\n )\n | extend\n ActorUserType = TargetUserType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n // ** Aliases\n | extend \n User=TargetUsername,\n Dvc=EventVendor,\n IpAddr=SrcIpAddr\n | project\n TimeGenerated,\n EventOriginalType,\n EventOriginalResultDetails,\n EventOriginalUid,\n EventResultDetails,\n SrcDeviceType,\n Type,\n EventProduct,\n EventSchema,\n EventVendor,\n EventCount,\n EventSchemaVersion,\n EventStartTime,\n EventEndTime,\n EventType,\n TargetSessionId,\n TargetUserId,\n TargetUsername,\n TargetUserType,\n TargetUserIdType,\n SrcIpAddr,\n ActorSessionId,\n ActorUserId,\n ActorUsername,\n ActorUserType,\n ActorUserIdType,\n EventResult,\n SrcGeoRegion,\n SrcGeoCity,\n SrcGeoCountry,\n SrcDvcOs,\n SrcDvcId,\n SrcDvcIdType,\n DvcAction,\n TargetUsernameType,\n ActorUsernameType,\n User,\n Dvc,\n IpAddr\n};\nparser(disabled = disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
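Review bot: Taking the query that sets `EventSchemaVersion='0.1.3'` as the new side of this hunk, the pipeline now starts from `OktaV2_CL` directly instead of the previous `union isfuzzy=true emptyOctaV2Table, OktaV2_CL`, and the `extend` references columns such as `SrcGeoRegion`, `SrcDvcId`, `SrcDvcIdType` and `EventOriginalUid` without `column_ifexists`, so in a workspace where the table or one of those columns is absent the function errors instead of returning an empty result, and a unifying parser that calls it would presumably fail with it. The OktaSSO parser in the same commit keeps the `union isfuzzy=true emptyOktaTable, Okta_CL` pattern, so the two parsers now behave differently on a missing table. Restoring a placeholder datatable that declares every column the query touches, `let emptyOktaV2Table = datatable(TimeGenerated: datetime, EventOriginalType: string, …)[];` (the full column list written out, with types matching what the extend expects), and opening the pipeline with `union isfuzzy=true emptyOktaV2Table, OktaV2_CL` keeps the previous behaviour. Separately, the user-type handling here maps only `"System Principal"` to `"System"` and passes other values through, while the SSO parser's lookup maps `"SystemPrincipal"` to `"System"` and `"User"` to `"Regular"`; if both sources carry the same Okta actor types, the two parsers will normalise the same user differently, which is worth confirming against sample data.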