Unauthorized Access to an Okta Application
Identifies unauthorized access attempts to Okta applications.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/14"
3integration = ["okta"]
4maturity = "production"
5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
6min_stack_version = "8.10.0"
7updated_date = "2023/10/24"
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = "Identifies unauthorized access attempts to Okta applications."
12index = ["filebeat-*", "logs-okta*"]
13language = "kuery"
14license = "Elastic License v2"
15name = "Unauthorized Access to an Okta Application"
16note = """## Setup
17
18The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
19references = [
20 "https://developer.okta.com/docs/reference/api/system-log/",
21 "https://developer.okta.com/docs/reference/api/event-types/",
22 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
23]
24risk_score = 21
25rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
26severity = "low"
27tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1078"
40name = "Valid Accounts"
41reference = "https://attack.mitre.org/techniques/T1078/"
42
43
44[rule.threat.tactic]
45id = "TA0001"
46name = "Initial Access"
47reference = "https://attack.mitre.org/tactics/TA0001/"
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50
51[rule.threat.tactic]
52id = "TA0005"
53name = "Defense Evasion"
54reference = "https://attack.mitre.org/tactics/TA0005/"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57
58[rule.threat.tactic]
59id = "TA0003"
60name = "Persistence"
61reference = "https://attack.mitre.org/tactics/TA0003/"
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64
65[rule.threat.tactic]
66id = "TA0004"
67name = "Privilege Escalation"
68reference = "https://attack.mitre.org/tactics/TA0004/"
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More
Related rules
- Suspicious Activity Reported by Okta User
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application