Okta 2023 Breach Indicator Of Compromise

Detects new user account creation or activation whose target display name contains `svc_network_backup`, an indicator associated with the Okta Support System 2023 breach. The rule can be tuned by filtering out known, legitimate usernames used in your environment.

Sigma rule (View on GitHub)

title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: experimental
description: |
    Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
    This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
author: Muhammad Faisal (@faisalusuf)
date: 2023/10/25
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://developer.okta.com/docs/reference/api/event-types/
tags:
    - attack.credential_access
    - detection.emerging_threats
logsource:
    service: okta
    product: okta
detection:
    selection:
        eventtype:
            - 'user.lifecycle.create'
            - 'user.lifecycle.activate'
        target.user.display.name|contains: 'svc_network_backup'
    condition: selection
falsepositives:
    - Unknown
level: medium
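The following is an added example, not part of the Sigma rule or the SigmaHQ project, showing the rule's `selection` logic evaluated in Python over constructed Okta System Log events in NDJSON form, together with the allowlist-based tuning the description recommends. It assumes that the Sigma field `target.user.display.name` maps onto the `displayName` of `target` entries of type `User` in the System Log, and that Sigma's default case-insensitive string matching applies to the `contains` modifier. The sample events and the `KNOWN_GOOD_DISPLAY_NAMES` allowlist are made up for illustration.

```python
import json

# Sigma selection from the rule above: the event type must be one of these AND
# a target display name must contain the fragment. Sigma string matching is
# case-insensitive by default, so the comparison below lower-cases both sides.
TRIGGER_EVENT_TYPES = {"user.lifecycle.create", "user.lifecycle.activate"}
TRIGGER_NAME_FRAGMENT = "svc_network_backup"

# Tuning hook the rule description suggests: display names known to be
# legitimate in your tenant. Hypothetical value; populate from your directory.
KNOWN_GOOD_DISPLAY_NAMES = frozenset({"svc_network_backup_prod"})

# Constructed Okta System Log events (NDJSON), not real log data. Only the
# fields this check reads are included; a real event carries many more.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"published": "2023-10-20T09:12:03.000Z", "eventType": "user.lifecycle.create",
                "target": [{"type": "User", "alternateId": "svc_network_backup@example.com",
                            "displayName": "svc_network_backup"}]}),
    json.dumps({"published": "2023-10-20T09:12:05.000Z", "eventType": "user.lifecycle.activate",
                "target": [{"type": "User", "alternateId": "svc_network_backup@example.com",
                            "displayName": "SVC_Network_Backup"}]}),
    json.dumps({"published": "2023-10-20T09:13:00.000Z", "eventType": "user.session.start",
                "target": [{"type": "User", "alternateId": "svc_network_backup@example.com",
                            "displayName": "svc_network_backup"}]}),
    json.dumps({"published": "2023-10-20T10:00:00.000Z", "eventType": "user.lifecycle.create",
                "target": [{"type": "User", "alternateId": "jane.doe@example.com",
                            "displayName": "Jane Doe"}]}),
    json.dumps({"published": "2023-10-20T10:05:00.000Z", "eventType": "user.lifecycle.create",
                "target": [{"type": "User", "alternateId": "svc_network_backup_prod@example.com",
                            "displayName": "svc_network_backup_prod"}]}),
])


def target_display_names(event):
    """Return the displayName of every target entry of type 'User'.

    Okta System Log events carry `target` as a list of objects; the Sigma field
    `target.user.display.name` is assumed to map onto those entries' displayName.
    """
    return [t["displayName"] for t in event.get("target") or []
            if t.get("type") == "User" and t.get("displayName")]


def matches_rule(event, allowlist=frozenset()):
    """Evaluate the rule's `selection` against one event.

    `allowlist` implements the filtering the rule description recommends:
    a display name on it never fires, even though it contains the fragment.
    """
    if event.get("eventType") not in TRIGGER_EVENT_TYPES:
        return False
    allowed = {name.lower() for name in allowlist}
    for name in target_display_names(event):
        lowered = name.lower()
        if TRIGGER_NAME_FRAGMENT in lowered and lowered not in allowed:
            return True
    return False


def scan(ndjson_text, allowlist=frozenset()):
    """Run the rule over NDJSON text; return (published, eventType, names) per hit."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches_rule(event, allowlist):
            hits.append((event.get("published"), event["eventType"],
                         target_display_names(event)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("untuned hit:", hit)
    for hit in scan(SAMPLE_EVENTS, KNOWN_GOOD_DISPLAY_NAMES):
        print("tuned hit:  ", hit)
```

Against the constructed input the untuned rule fires three times: the `create` and `activate` events for the indicator name (the second in different case, which Sigma's default matching still catches) and the legitimate-looking `svc_network_backup_prod` account, which the `contains` modifier also matches. Adding that name to the allowlist leaves the two real indicator hits. Note that the `user.session.start` event is ignored regardless of the name: this rule only covers account creation and activation, so later use of such an account needs a separate detection.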
