Okta Security Threat Detected
Detects when a security threat is detected in Okta.
Sigma rule
title: Okta Security Threat Detected
id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
status: test
description: Detects when an security threat is detected in Okta.
references:
    - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021/09/12
modified: 2022/10/09
tags:
    - attack.command_and_control
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventtype: security.threat.detected
    condition: selection
falsepositives:
    - Unknown
level: medium
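The rule above is a single-field selection on the Okta System Log. As an added example (not part of the rule or the Sigma project), the following Python applies that selection to JSON-lines System Log records and pulls out the fields an analyst would triage first. The Sigma field `eventtype` corresponds to the raw System Log key `eventType`; the sample records, including the `debugContext.debugData.threatDetections` value, are constructed for this example and are not real telemetry.

```python
import json

# Constructed sample Okta System Log records (JSON lines), not real telemetry.
# The raw System Log key is "eventType"; the Sigma field "eventtype" maps to it.
SAMPLE_LOG = "\n".join([
    json.dumps({"eventType": "user.session.start", "published": "2021-09-12T10:00:00.000Z",
                "displayMessage": "User login to Okta",
                "client": {"ipAddress": "198.51.100.10"}, "outcome": {"result": "SUCCESS"}}),
    json.dumps({"eventType": "security.threat.detected", "published": "2021-09-12T10:05:00.000Z",
                "displayMessage": "Request from suspicious IP address",
                "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "FAILURE"},
                "debugContext": {"debugData": {"threatDetections": "Password Spray"}}}),
    json.dumps({"eventType": "user.authentication.sso", "published": "2021-09-12T10:06:00.000Z",
                "displayMessage": "User single sign on to app",
                "client": {"ipAddress": "198.51.100.10"}, "outcome": {"result": "SUCCESS"}}),
])

def get_field(event, path):
    """Walk a dotted path such as "client.ipAddress" through nested dicts; None if absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def selection_matches(event, selection):
    """Sigma 'selection' semantics: every listed field must equal its value (AND)."""
    return all(get_field(event, field) == value for field, value in selection.items())

# The rule's selection, expressed against the raw JSON key name.
RULE_SELECTION = {"eventType": "security.threat.detected"}

def scan_log(text, selection=RULE_SELECTION):
    """Apply the selection to each JSON line and return a triage summary per hit."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if selection_matches(event, selection):
            hits.append({
                "published": get_field(event, "published"),
                "ip": get_field(event, "client.ipAddress"),
                "message": get_field(event, "displayMessage"),
                "detection": get_field(event, "debugContext.debugData.threatDetections"),
            })
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```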
Related rules
- Bitsadmin to Uncommon IP Server Address
- DNS Exfiltration and Tunneling Tools Execution
- Equation Group C2 Communication
- Hijack Legit RDP Session to Move Laterally
- Potential RDP Tunneling Via Plink