Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity on their own account as potentially suspicious. Okta records this as the System Log event `user.account.report_suspicious_activity_by_enduser`, which is generated when a user clicks the "Report suspicious activity" link in one of Okta's account-notification emails (for example after a sign-in from a new device or a factor change). A report of this kind is a strong, user-sourced signal that the account may be compromised, hence the high level.
Sigma rule
```yaml
title: Okta Suspicious Activity Reported by End-user
id: 07e97cc6-aed1-43ae-9081-b3470d2367f1
status: test
description: Detects when an Okta end-user reports activity by their account as being potentially suspicious.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md
author: kelnage
date: 2023-09-07
tags:
    - attack.resource-development
    - attack.t1586.003
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventtype: 'user.account.report_suspicious_activity_by_enduser'
    condition: selection
falsepositives:
    - If an end-user incorrectly identifies normal activity as suspicious.
level: high
```
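The rule has a single selection on the Sigma field `eventtype`, which corresponds to the `eventType` field of the Okta System Log API. The following is an added example, not code from the rule or from SigmaHQ: it runs the same selection over a few constructed System Log events (newline-delimited JSON in the API's shape; none of it is real Okta data) and produces alerts at the rule's level. Because an end-user is reporting something Okta has already logged, the block also includes a hypothetical triage helper, `preceding_activity`, that pulls the same actor's events in the hour before the report; that helper is an addition for triage and is not part of the rule.

```python
"""Run the Sigma selection above over constructed Okta System Log events."""
import json
from datetime import datetime, timedelta

# The rule's selection value. Sigma's Okta rules use the lowercased field
# name "eventtype"; the System Log API emits the field as "eventType".
RULE_EVENTTYPE = "user.account.report_suspicious_activity_by_enduser"
RULE_TITLE = "Okta Suspicious Activity Reported by End-user"
RULE_LEVEL = "high"

# Constructed sample events (not real Okta data), newest last. Only the
# fields used below are included; real events carry many more.
SAMPLE_LOG = """
{"uuid": "b1", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.50"}, "outcome": {"result": "SUCCESS"}, "published": "2023-09-07T07:00:00.000Z"}
{"uuid": "a1", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}, "published": "2023-09-07T08:01:00.000Z"}
{"uuid": "a2", "eventType": "user.account.report_suspicious_activity_by_enduser", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}, "published": "2023-09-07T08:05:00.000Z"}
{"uuid": "a4", "eventType": "user.mfa.factor.deactivate", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}, "published": "2023-09-07T09:00:00.000Z"}
{"uuid": "a3", "eventType": "USER.ACCOUNT.REPORT_SUSPICIOUS_ACTIVITY_BY_ENDUSER", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"}, "outcome": {"result": "SUCCESS"}, "published": "2023-09-07T09:30:00.000Z"}
"""


def parse_events(ndjson: str) -> list:
    """Parse newline-delimited JSON, one System Log event per line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def matches(event: dict) -> bool:
    """The rule's only selection. Sigma string values match
    case-insensitively unless a modifier says otherwise, so casefold."""
    return str(event.get("eventType", "")).casefold() == RULE_EVENTTYPE


def run_detection(events: list) -> list:
    """Evaluate the rule (condition: selection) and build one alert per hit."""
    alerts = []
    for ev in events:
        if not matches(ev):
            continue
        actor = ev.get("actor") or {}
        client = ev.get("client") or {}
        alerts.append({
            "rule": RULE_TITLE,
            "level": RULE_LEVEL,
            "uuid": ev.get("uuid"),
            "user": actor.get("alternateId"),
            # IP the report itself came from, not the reported activity.
            "report_ip": client.get("ipAddress"),
            "published": ev.get("published"),
        })
    return alerts


def _ts(event: dict) -> datetime:
    """System Log timestamps are UTC with millisecond precision."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def preceding_activity(events: list, report: dict, window_minutes: int = 60) -> list:
    """Hypothetical triage helper, not part of the rule: return the other
    events for the same actor inside the window before the report, oldest
    first. These are the candidates for what the user saw and reported."""
    actor = (report.get("actor") or {}).get("alternateId")
    end = _ts(report)
    start = end - timedelta(minutes=window_minutes)
    hits = [
        e for e in events
        if e.get("uuid") != report.get("uuid")
        and (e.get("actor") or {}).get("alternateId") == actor
        and start <= _ts(e) < end
    ]
    return sorted(hits, key=_ts)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    by_uuid = {e["uuid"]: e for e in events}
    for alert in run_detection(events):
        print(json.dumps(alert))
        for prior in preceding_activity(events, by_uuid[alert["uuid"]]):
            print("  preceded by", prior["eventType"], "from", prior["client"]["ipAddress"])
```

Running the block yields two alerts: Alice's report (preceded within the hour by her session start from 203.0.113.10) and Bob's report, for which nothing falls inside the window, so the triage step would widen it or pivot on the actor directly. The IP on the report event is where the user clicked the link, which is normally the legitimate user; the interesting IP is on the preceding activity.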
Related rules
- Bitbucket Unauthorized Access To A Resource
- Bitbucket Unauthorized Full Data Export Triggered
- Conti Volume Shadow Listing
- Creation of a Diagcab
- FoggyWeb Backdoor DLL Loading