Suspicious Activity Reported by Okta User

calendar Sep 25, 2024 · Use Case: Identity and Access Audit Data Source: Okta Tactic: Initial Access  ·
Share on: linkedin copy

Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/05/21"
 3integration = ["okta"]
 4maturity = "production"
 5updated_date = "2024/09/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can
11help security teams identify when an adversary is attempting to gain access to their network.
12"""
13false_positives = ["A user may report suspicious activity on their Okta account in error."]
14index = ["filebeat-*", "logs-okta*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Suspicious Activity Reported by Okta User"
18note = """## Setup
19
20The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
21references = [
22    "https://developer.okta.com/docs/reference/api/system-log/",
23    "https://developer.okta.com/docs/reference/api/event-types/",
24    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
25    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
26    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
27]
28risk_score = 47
29rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
30severity = "medium"
31tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
32timestamp_override = "event.ingested"
33type = "query"
34
35query = '''
36event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1078"
44name = "Valid Accounts"
45reference = "https://attack.mitre.org/techniques/T1078/"
46
47
48[rule.threat.tactic]
49id = "TA0001"
50name = "Initial Access"
51reference = "https://attack.mitre.org/tactics/TA0001/"
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1078"
56name = "Valid Accounts"
57reference = "https://attack.mitre.org/techniques/T1078/"
58
59
60[rule.threat.tactic]
61id = "TA0003"
62name = "Persistence"
63reference = "https://attack.mitre.org/tactics/TA0003/"
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1078"
68name = "Valid Accounts"
69reference = "https://attack.mitre.org/techniques/T1078/"
70
71
72[rule.threat.tactic]
73id = "TA0004"
74name = "Privilege Escalation"
75reference = "https://attack.mitre.org/tactics/TA0004/"
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1078"
80name = "Valid Accounts"
81reference = "https://attack.mitre.org/techniques/T1078/"
82
83
84[rule.threat.tactic]
85id = "TA0005"
86name = "Defense Evasion"
87reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top