Suspicious Activity Reported by Okta User
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.
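[metadata]
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/12/09"
# Pinned to 8.15.0 because the Okta integration's field layout changed there (see min_stack_comments);
# older stacks would not produce the fields this query relies on.
min_stack_version = "8.15.0"
min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."

[rule]
author = ["Elastic"]
description = """
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can
help security teams identify when an adversary is attempting to gain access to their network.
"""
# The signal is a self-report by the end user, so triage should confirm the report with the user
# before escalating; there is no technical filter that distinguishes a mistaken report from a real one.
false_positives = ["A user may report suspicious activity on their Okta account in error."]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Activity Reported by Okta User"
note = """## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
severity = "medium"
# Tactic tags mirror the [[rule.threat]] entries below: T1078 is mapped under four tactics,
# so each of them is tagged rather than only Initial Access.
tags = [
    "Use Case: Identity and Access Audit",
    "Data Source: Okta",
    "Tactic: Initial Access",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
]
# Evaluate on ingest time so Okta events that reach the cluster late are still caught by the
# rule's look-back window instead of being skipped because their event time has already passed.
timestamp_override = "event.ingested"
type = "query"

# Matches the Okta System Log event type recorded when the end user themselves reports suspicious
# activity on their account (event-type catalogue linked in references). No further narrowing is
# applied: every such report is expected to be reviewed.
query = '''
event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
'''

# All four threat entries map the same technique (T1078, Valid Accounts); only the tactic differs,
# reflecting that a compromised account may be used at several stages of an intrusion.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"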
Setup
This rule requires data from the Okta Fleet integration, the Okta Filebeat module, or a similarly structured source.
References
Related rules
- First Occurrence of Okta User Session Started via Proxy
- New Okta Authentication Behavior Detected
- Okta FastPass Phishing Detection
- Okta Sign-In Events via Third-Party IdP
- Okta User Sessions Started from Different Geolocations