Okta ThreatInsight Threat Suspected Promotion

Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.

Elastic rule

[metadata]
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
promotion = true
updated_date = "2024/12/09"
min_stack_version = "8.15.0"
min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."

[rule]
author = ["Elastic"]
description = """
Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes,
which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents
Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests
the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and
other similar threats.
"""
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta ThreatInsight Threat Suspected Promotion"
note = """## Setup

## Triage and analysis

This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.
"""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
rule_name_override = "okta.display_message"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
'''

[[rule.severity_mapping]]
field = "okta.debug_context.debug_data.risk_level"
operator = "equals"
severity = "low"
value = "LOW"

[[rule.severity_mapping]]
field = "okta.debug_context.debug_data.risk_level"
operator = "equals"
severity = "medium"
value = "MEDIUM"

[[rule.severity_mapping]]
field = "okta.debug_context.debug_data.risk_level"
operator = "equals"
severity = "high"
value = "HIGH"
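The rule's logic is small enough to reproduce outside Elasticsearch, which is useful when reviewing what the promotion rule will and will not alert on. The following added example (written for this page, not Elastic's or Okta's code) re-implements the KQL query and the three severity_mapping entries in plain Python and runs them over a handful of constructed Okta System Log events flattened into the ECS-style dotted field names the Okta integration produces. The event contents, uuids and display messages are constructed for illustration; the field names and values come from the rule above. It also covers two edge cases the rule text does not spell out: threat_suspected arriving as the string "true" rather than a boolean, and an event with no risk_level, which falls back to the rule's base severity of "medium".

```python
"""Plain-Python re-implementation of the Elastic rule's query and severity mapping.

Added example, not part of the Elastic detection-rules repository. Sample events
below are constructed, not real Okta data.
"""
from typing import Any, Dict, List

# Field names taken from the rule's query and [[rule.severity_mapping]] entries
DATASET_FIELD = "event.dataset"
ACTION_FIELD = "event.action"
THREAT_SUSPECTED_FIELD = "okta.debug_context.debug_data.threat_suspected"
RISK_LEVEL_FIELD = "okta.debug_context.debug_data.risk_level"
RULE_NAME = "Okta ThreatInsight Threat Suspected Promotion"

# risk_level value -> alert severity (operator = "equals", so case-sensitive).
# The rule's base severity ("medium") applies when no mapping matches.
SEVERITY_MAPPING = {"LOW": "low", "MEDIUM": "medium", "HIGH": "high"}
DEFAULT_SEVERITY = "medium"


def _as_bool(value: Any) -> bool:
    """Accept a real boolean or the string "true" (assumed; depends on the pipeline)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def matches_rule(event: Dict[str, Any]) -> bool:
    """Mirror the KQL: event.dataset:okta.system and
    (event.action:security.threat.detected or ...threat_suspected: true)."""
    if event.get(DATASET_FIELD) != "okta.system":
        return False
    if event.get(ACTION_FIELD) == "security.threat.detected":
        return True
    return _as_bool(event.get(THREAT_SUSPECTED_FIELD, False))


def alert_severity(event: Dict[str, Any]) -> str:
    """Apply the severity_mapping on risk_level; unknown or missing -> base severity."""
    return SEVERITY_MAPPING.get(str(event.get(RISK_LEVEL_FIELD)), DEFAULT_SEVERITY)


def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one alert record per matching event, in input order.
    rule_name follows rule_name_override = "okta.display_message"."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "uuid": ev.get("okta.uuid", "<unknown>"),
                "rule_name": ev.get("okta.display_message", RULE_NAME),
                "severity": alert_severity(ev),
            })
    return alerts


# Constructed sample events (not real Okta log data).
SAMPLE_EVENTS = [
    {   # explicit ThreatInsight event -> matches on event.action, HIGH risk
        "okta.uuid": "evt-0001",
        "event.dataset": "okta.system",
        "event.action": "security.threat.detected",
        "okta.display_message": "Request from suspicious actor",
        "okta.debug_context.debug_data.risk_level": "HIGH",
    },
    {   # ordinary login carrying threat_suspected as a string -> matches, LOW risk
        "okta.uuid": "evt-0002",
        "event.dataset": "okta.system",
        "event.action": "user.session.start",
        "okta.display_message": "User login to Okta",
        "okta.debug_context.debug_data.threat_suspected": "true",
        "okta.debug_context.debug_data.risk_level": "LOW",
    },
    {   # benign login, flag false -> no alert
        "okta.uuid": "evt-0003",
        "event.dataset": "okta.system",
        "event.action": "user.session.start",
        "okta.display_message": "User login to Okta",
        "okta.debug_context.debug_data.threat_suspected": False,
    },
    {   # right action but wrong dataset -> excluded by the dataset guard
        "okta.uuid": "evt-0004",
        "event.dataset": "other.logs",
        "event.action": "security.threat.detected",
    },
    {   # flag true but no risk_level -> alert at the base severity "medium"
        "okta.uuid": "evt-0005",
        "event.dataset": "okta.system",
        "event.action": "user.authentication.auth_via_mfa",
        "okta.display_message": "Authentication of user via MFA",
        "okta.debug_context.debug_data.threat_suspected": True,
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints three alerts (evt-0001 at high, evt-0002 at low, evt-0005 at medium); evt-0003 and evt-0004 produce none. The point worth noticing is that the dataset guard is what keeps a `security.threat.detected` action from another source out of this rule, and that events flagged by ThreatInsight without a risk_level still surface, at the rule's default severity.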

Triage and analysis

This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
