Suspicious Activity Reported by Okta User
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/05/21"
3integration = ["okta"]
4maturity = "production"
5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
6min_stack_version = "8.10.0"
7updated_date = "2023/10/24"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can
13help security teams identify when an adversary is attempting to gain access to their network.
14"""
15false_positives = ["A user may report suspicious activity on their Okta account in error."]
16index = ["filebeat-*", "logs-okta*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Suspicious Activity Reported by Okta User"
20note = """## Setup
21
22The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
23references = [
24 "https://developer.okta.com/docs/reference/api/system-log/",
25 "https://developer.okta.com/docs/reference/api/event-types/",
26 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
27]
28risk_score = 47
29rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
30severity = "medium"
31tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
32timestamp_override = "event.ingested"
33type = "query"
34
35query = '''
36event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1078"
44name = "Valid Accounts"
45reference = "https://attack.mitre.org/techniques/T1078/"
46
47
48[rule.threat.tactic]
49id = "TA0001"
50name = "Initial Access"
51reference = "https://attack.mitre.org/tactics/TA0001/"
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1078"
56name = "Valid Accounts"
57reference = "https://attack.mitre.org/techniques/T1078/"
58
59
60[rule.threat.tactic]
61id = "TA0003"
62name = "Persistence"
63reference = "https://attack.mitre.org/tactics/TA0003/"
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1078"
68name = "Valid Accounts"
69reference = "https://attack.mitre.org/techniques/T1078/"
70
71
72[rule.threat.tactic]
73id = "TA0004"
74name = "Privilege Escalation"
75reference = "https://attack.mitre.org/tactics/TA0004/"
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1078"
80name = "Valid Accounts"
81reference = "https://attack.mitre.org/techniques/T1078/"
82
83
84[rule.threat.tactic]
85id = "TA0005"
86name = "Defense Evasion"
87reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More
Related rules
- Unauthorized Access to an Okta Application
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application