Okta New Admin Console Behaviours

Detects when Okta identifies new activity in the Admin Console.

Sigma rule (View on GitHub)

 1title: Okta New Admin Console Behaviours
 2id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
 3status: experimental
 4description: Detects when Okta identifies new activity in the Admin Console.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023/09/07
10modified: 2024/06/26
11tags:
12    - attack.initial_access
13    - attack.t1078.004
14logsource:
15    product: okta
16    service: okta
17detection:
18    selection_event:
19        eventtype: 'policy.evaluate_sign_on'
20        target.displayname: 'Okta Admin Console'
21    selection_positive:
22        - debugcontext.debugdata.behaviors|contains: 'POSITIVE'
23        - debugcontext.debugdata.logonlysecuritydata|contains: 'POSITIVE'
24    condition: all of selection_*
25falsepositives:
26    - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.
27level: high

References

Related rules

to-top