Okta Suspicious Activity Reported by End-user

Sep 11, 2023 · attack.resource_development attack.t1586.003 ·

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Sigma rule (View on GitHub)

 1title: Okta Suspicious Activity Reported by End-user
 2id: 07e97cc6-aed1-43ae-9081-b3470d2367f1
 3status: experimental
 4description: Detects when an Okta end-user reports activity by their account as being potentially suspicious.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md
 8author: kelnage
 9date: 2023/09/07
10tags:
11    - attack.resource_development
12    - attack.t1586.003
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventtype: 'user.account.report_suspicious_activity_by_enduser'
19    condition: selection
20falsepositives:
21    - If an end-user incorrectly identifies normal activity as suspicious.
22level: high

References

System Log | Okta Developer

Secure, scalable, and highly available authentication and user management for any app.

Read More
workflows-templates/workflows/suspicious_activity_reported/readme.md at master · okta/workflows-templates

workflows-templates. Contribute to okta/workflows-templates development by creating an account on GitHub.

Read More

Okta Suspicious Activity Reported by End-user

Sigma rule (View on GitHub)

References

System Log | Okta Developer

workflows-templates/workflows/suspicious_activity_reported/readme.md at master · okta/workflows-templates

Related rules