Unauthorized Access to an Okta Application
Identifies unauthorized access attempts to Okta applications.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/14"
3integration = ["okta"]
4maturity = "production"
5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
6min_stack_version = "8.10.0"
7updated_date = "2023/10/24"
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = "Identifies unauthorized access attempts to Okta applications."
12index = ["filebeat-*", "logs-okta*"]
13language = "kuery"
14license = "Elastic License v2"
15name = "Unauthorized Access to an Okta Application"
16note = """## Setup
17
18The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
19references = [
20 "https://developer.okta.com/docs/reference/api/system-log/",
21 "https://developer.okta.com/docs/reference/api/event-types/",
22 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
23]
24risk_score = 21
25rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
26severity = "low"
27tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1078"
40name = "Valid Accounts"
41reference = "https://attack.mitre.org/techniques/T1078/"
42
43
44[rule.threat.tactic]
45id = "TA0001"
46name = "Initial Access"
47reference = "https://attack.mitre.org/tactics/TA0001/"
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50
51[rule.threat.tactic]
52id = "TA0005"
53name = "Defense Evasion"
54reference = "https://attack.mitre.org/tactics/TA0005/"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57
58[rule.threat.tactic]
59id = "TA0003"
60name = "Persistence"
61reference = "https://attack.mitre.org/tactics/TA0003/"
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64
65[rule.threat.tactic]
66id = "TA0004"
67name = "Privilege Escalation"
68reference = "https://attack.mitre.org/tactics/TA0004/"
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Suspicious Activity Reported by Okta User
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application