Okta ThreatInsight Threat Suspected Promotion
Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/05/21"
3integration = ["okta"]
4maturity = "production"
5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
6min_stack_version = "8.10.0"
7updated_date = "2023/10/24"
8promotion = true
9
10[rule]
11author = ["Elastic"]
12description = """
13Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes,
14which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents
15Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests
16the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and
17other similar threats.
18"""
19index = ["filebeat-*", "logs-okta*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Okta ThreatInsight Threat Suspected Promotion"
23note = """## Setup
24
25## Triage and analysis
26
27This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.
28Consult vendor documentation on interpreting specific events.
29"""
30references = [
31 "https://developer.okta.com/docs/reference/api/system-log/",
32 "https://developer.okta.com/docs/reference/api/event-types/",
33 "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
34 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
35]
36risk_score = 47
37rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
38rule_name_override = "okta.display_message"
39severity = "medium"
40tags = ["Use Case: Identity and Access Audit", "Data Source: Okta"]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
46'''
47
48
49[[rule.severity_mapping]]
50field = "okta.debug_context.debug_data.risk_level"
51operator = "equals"
52severity = "low"
53value = "LOW"
54
55[[rule.severity_mapping]]
56field = "okta.debug_context.debug_data.risk_level"
57operator = "equals"
58severity = "medium"
59value = "MEDIUM"
60
61[[rule.severity_mapping]]
62field = "okta.debug_context.debug_data.risk_level"
63operator = "equals"
64severity = "high"
65value = "HIGH"
Setup
Triage and analysis
This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
References
-
-
-
Testing your Okta visibility and detection with Dorothy and Elastic Security — Elastic Security Labs
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Read More
Related rules
- Administrator Privileges Assigned to an Okta Group
- Administrator Role Assigned to an Okta User
- Attempt to Create Okta API Token
- Attempt to Deactivate an Okta Application
- Attempt to Deactivate an Okta Network Zone