Unauthorized Access to an Okta Application
Identifies unauthorized access attempts to Okta applications.
[metadata]
creation_date = "2021/05/14"
integration = ["okta"]
maturity = "production"
updated_date = "2024/12/09"
# Pinned to 8.15.0 because of the breaking change in the Okta integration noted
# below. The nature of the break is not described here; do not lower this
# without re-checking the query's field names against the older schema.
min_stack_version = "8.15.0"
min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."

[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies unauthorized access attempts to Okta applications."
# Covers both the Filebeat Okta module (filebeat-*) and the Fleet integration
# data streams (logs-okta*); the dataset filter in the query narrows further.
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Unauthorized Access to an Okta Application"
note = """## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
 "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
# Low severity by design: a single matching event is presumably a user
# requesting an app they are not assigned to, which is usually benign.
# NOTE(review): a burst of these from one actor across many apps can look like a
# compromised account enumerating what it can reach; this is a plain query
# rule with no threshold or correlation, so that pattern must be found in
# triage (or via the related Okta session/behavior rules), not by this rule.
risk_score = 21
rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
severity = "low"
tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
# Evaluate on ingest time rather than @timestamp so Okta System Log events that
# arrive late are still seen within the rule's lookback window.
timestamp_override = "event.ingested"
type = "query"

# Scoped to the Okta System Log dataset; event.action carries the raw Okta
# event type for an access attempt against an app the actor is not authorized for.
query = '''
event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt
'''


# Technique is attached only under Initial Access; the three tactic-only
# entries that follow record the other tactics the rule is relevant to
# (presumably because Valid Accounts spans all four in ATT&CK) without
# repeating the technique mapping.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- First Occurrence of Okta User Session Started via Proxy
- New Okta Authentication Behavior Detected
- Okta FastPass Phishing Detection
- Okta Sign-In Events via Third-Party IdP
- Okta User Sessions Started from Different Geolocations