Okta ThreatInsight Threat Suspected Promotion
Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/05/21"
3integration = ["okta"]
4maturity = "production"
5promotion = true
6updated_date = "2024/07/23"
7
8[rule]
9author = ["Elastic"]
10description = """
11Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes,
12which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents
13Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests
14the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and
15other similar threats.
16"""
17index = ["filebeat-*", "logs-okta*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Okta ThreatInsight Threat Suspected Promotion"
21note = """## Setup
22
23## Triage and analysis
24
25This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.
26Consult vendor documentation on interpreting specific events.
27"""
28references = [
29 "https://developer.okta.com/docs/reference/api/system-log/",
30 "https://developer.okta.com/docs/reference/api/event-types/",
31 "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
32 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
33]
34risk_score = 47
35rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
36rule_name_override = "okta.display_message"
37severity = "medium"
38tags = ["Use Case: Identity and Access Audit", "Data Source: Okta"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
44'''
45
46
47[[rule.severity_mapping]]
48field = "okta.debug_context.debug_data.risk_level"
49operator = "equals"
50severity = "low"
51value = "LOW"
52
53[[rule.severity_mapping]]
54field = "okta.debug_context.debug_data.risk_level"
55operator = "equals"
56severity = "medium"
57value = "MEDIUM"
58
59[[rule.severity_mapping]]
60field = "okta.debug_context.debug_data.risk_level"
61operator = "equals"
62severity = "high"
63value = "HIGH"
Setup
Triage and analysis
This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
References
-
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More
Related rules
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application
- Attempt to Deactivate an Okta Network Zone