Okta 2023 Breach Indicator Of Compromise
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
Sigma rule
```yaml
title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: test
description: |
    Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
    This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://developer.okta.com/docs/reference/api/event-types/
tags:
    - attack.credential-access
    - detection.emerging-threats
logsource:
    service: okta
    product: okta
detection:
    selection:
        eventtype:
            - 'user.lifecycle.create'
            - 'user.lifecycle.activate'
        target.user.display.name|contains: 'svc_network_backup'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
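The selection logic of the rule above, re-implemented in Python over constructed Okta System Log records so the match and the suggested allowlist filter can be tested offline. This is an added example, not code from SigmaHQ or Okta; the mapping from the Sigma field names (`eventtype`, `target.user.display.name`) to the raw log keys (`eventType`, `target[].displayName`) and the sample events are assumptions.

```python
# Added example: evaluates the Sigma rule's selection over Okta System Log
# events. The Sigma-to-log field mapping below is an assumption about the
# Okta log shape, not taken from the rule page.
from typing import Iterable

WATCHED_EVENT_TYPES = {"user.lifecycle.create", "user.lifecycle.activate"}
IOC_SUBSTRING = "svc_network_backup"  # indicator named in the rule

# Constructed sample events, not real Okta data.
SAMPLE_EVENTS = [
    {"uuid": "evt-1", "eventType": "user.lifecycle.create",
     "target": [{"type": "User", "displayName": "svc_network_backup"}]},
    {"uuid": "evt-2", "eventType": "user.lifecycle.activate",
     "target": [{"type": "User", "displayName": "SVC_Network_Backup_02"}]},
    {"uuid": "evt-3", "eventType": "user.lifecycle.create",
     "target": [{"type": "User", "displayName": "jane.doe"}]},
    {"uuid": "evt-4", "eventType": "user.session.start",
     "target": [{"type": "User", "displayName": "svc_network_backup"}]},
    {"uuid": "evt-5", "eventType": "user.lifecycle.create",
     "target": [{"type": "User", "displayName": "svc_network_backup_legacy"}]},
]


def matches_rule(event: dict, allowlist: frozenset = frozenset()) -> bool:
    """Return True when the event satisfies the rule's selection.

    Sigma string matching is case-insensitive, so both sides are lowered.
    The allowlist implements the filter the rule description suggests for
    known legitimate account names in your own tenant.
    """
    if event.get("eventType") not in WATCHED_EVENT_TYPES:
        return False
    allowed = {a.lower() for a in allowlist}
    for target in event.get("target", []):
        if target.get("type") != "User":
            continue
        name = target.get("displayName", "").lower()
        if name in allowed:
            continue
        if IOC_SUBSTRING in name:
            return True
    return False


def find_matches(events: Iterable[dict], allowlist=frozenset()) -> list:
    """Return the uuids of events that should raise a medium-severity alert."""
    return [e["uuid"] for e in events if matches_rule(e, allowlist)]


if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS, frozenset({"svc_network_backup_legacy"})))
```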