Okta ThreatInsight Threat Suspected Promotion

Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/05/21"
 3integration = ["okta"]
 4maturity = "production"
 5promotion = true
 6updated_date = "2024/09/23"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes,
12which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents
13Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests
14the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and
15other similar threats.
16"""
17index = ["filebeat-*", "logs-okta*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Okta ThreatInsight Threat Suspected Promotion"
21note = """## Setup
22
23## Triage and analysis
24
25This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.
26Consult vendor documentation on interpreting specific events.
27"""
28references = [
29    "https://developer.okta.com/docs/reference/api/system-log/",
30    "https://developer.okta.com/docs/reference/api/event-types/",
31    "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
32    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
33    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
34    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
35]
36risk_score = 47
37rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
38rule_name_override = "okta.display_message"
39severity = "medium"
40tags = ["Use Case: Identity and Access Audit", "Data Source: Okta"]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
46'''
47
48
49[[rule.severity_mapping]]
50field = "okta.debug_context.debug_data.risk_level"
51operator = "equals"
52severity = "low"
53value = "LOW"
54
55[[rule.severity_mapping]]
56field = "okta.debug_context.debug_data.risk_level"
57operator = "equals"
58severity = "medium"
59value = "MEDIUM"
60
61[[rule.severity_mapping]]
62field = "okta.debug_context.debug_data.risk_level"
63operator = "equals"
64severity = "high"
65value = "HIGH"

Setup

Triage and analysis

This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.

References

Related rules

to-top