Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Sigma rule

title: Okta New Admin Console Behaviours
id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
status: experimental
description: Detects when Okta identifies new activity in the Admin Console.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023/09/07
modified: 2023/10/25
tags:
    - attack.initial_access
    - attack.t1078.004
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventtype: 'policy.evaluate_sign_on'
        target.displayname: 'Okta Admin Console'
        debugcontext.debugdata.behaviors: 'POSITIVE'
        debugcontext.debugdata.logonlysecuritydata: 'POSITIVE'
    condition: selection
falsepositives:
    - Whenever an admin starts using new features of the admin console.
level: low
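The rule's selection names four lowercase, dotted Sigma fields that map onto nested keys of an Okta System Log event. The Python below is an added example, not code from the rule page or the Sigma project: it flattens constructed events shaped like System Log entries into those dotted paths and evaluates the selection. One caveat it makes visible: Okta reports behaviour evaluation as a single string in `debugContext.debugData.behaviors` (for example `{New Geo-Location=NEGATIVE, New Device=POSITIVE, ...}`) and as a JSON string in `logOnlySecurityData`, so the two `POSITIVE` conditions only fire under substring semantics; an exact comparison matches nothing. When deploying the rule, check how your Sigma backend converts these two fields. The sample actors, app names and behaviour values are constructed.

```python
# Added example (not part of the Sigma rule page or the Sigma project):
# evaluate the rule's selection block over constructed Okta System Log events.
import json
from collections import defaultdict

# The selection exactly as the rule writes it: lowercase dotted field paths.
SELECTION = {
    "eventtype": "policy.evaluate_sign_on",
    "target.displayname": "Okta Admin Console",
    "debugcontext.debugdata.behaviors": "POSITIVE",
    "debugcontext.debugdata.logonlysecuritydata": "POSITIVE",
}


def _behaviour_strings(new_device, new_ip):
    """Build the two debugData values Okta emits for behaviour detection:
    'behaviors' is one brace-delimited string listing every evaluation,
    'logOnlySecurityData' is a JSON string repeating them under "behaviors"."""
    behaviors = (f"{{New Geo-Location=NEGATIVE, New Device={new_device}, New IP={new_ip}, "
                 "New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}")
    log_only = json.dumps({"risk": {"level": "LOW"},
                           "behaviors": {"New Device": new_device, "New IP": new_ip}})
    return behaviors, log_only


def _event(actor, event_type, app, new_device, new_ip):
    """Constructed event shaped like an Okta System Log entry (not real telemetry)."""
    behaviors, log_only = _behaviour_strings(new_device, new_ip)
    return {
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "target": [{"type": "AppInstance", "displayName": app}],
        "debugContext": {"debugData": {"behaviors": behaviors,
                                       "logOnlySecurityData": log_only}},
    }


# Constructed sample events; only the first should satisfy the rule.
EVENTS = [
    _event("alice@example.test", "policy.evaluate_sign_on", "Okta Admin Console",
           "POSITIVE", "POSITIVE"),   # new device and new IP at the Admin Console
    _event("bob@example.test", "policy.evaluate_sign_on", "Okta Admin Console",
           "NEGATIVE", "NEGATIVE"),   # known device, known IP: nothing new
    _event("carol@example.test", "policy.evaluate_sign_on", "Salesforce",
           "POSITIVE", "POSITIVE"),   # new behaviour, but not the Admin Console
    _event("dave@example.test", "user.session.start", "Okta Admin Console",
           "POSITIVE", "POSITIVE"),   # different event type, not a sign-on policy evaluation
]


def flatten(obj, prefix="", out=None):
    """Flatten nested JSON into lowercase dotted paths -> list of leaf values.
    List elements share their parent's path, which is how Sigma's Okta field
    names such as target.displayname address the 'target' array."""
    if out is None:
        out = defaultdict(list)
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            flatten(value, path.lower(), out)
    elif isinstance(obj, list):
        for item in obj:
            flatten(item, prefix, out)
    else:
        out[prefix].append(obj)
    return out


def field_matches(values, expected, contains):
    """Case-insensitive match; substring when contains=True, else exact."""
    expected = expected.lower()
    for value in values:
        text = str(value).lower()
        if (expected in text) if contains else (text == expected):
            return True
    return False


def rule_matches(event, contains=True):
    """True when every field in SELECTION matches (the rule's 'condition: selection')."""
    fields = flatten(event)
    return all(field_matches(fields.get(name, []), expected, contains)
               for name, expected in SELECTION.items())


def find_alerts(events, contains=True):
    """Return the actor of every event that satisfies the selection."""
    return [e["actor"]["alternateId"] for e in events if rule_matches(e, contains)]


if __name__ == "__main__":
    print("substring semantics:", find_alerts(EVENTS))
    print("exact-match semantics:", find_alerts(EVENTS, contains=False))
```

Running it shows only the Admin Console sign-on with a positive behaviour evaluation alerting under substring matching, and no alerts at all under exact matching, which is the difference to verify in the converted query before trusting this rule in production.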
Related rules
- Account Disabled or Blocked for Sign in Attempts
- Azure AD Only Single Factor Authentication Required
- Azure Subscription Permission Elevation Via ActivityLogs
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Interrupted