Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
Sigma rule (View on GitHub)
1title: Okta Suspicious Activity Reported by End-user
2id: 07e97cc6-aed1-43ae-9081-b3470d2367f1
3status: test
4description: Detects when an Okta end-user reports activity by their account as being potentially suspicious.
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md
8author: kelnage
9date: 2023-09-07
10modified: 2026-04-27
11tags:
12 - attack.resource-development
13 - attack.t1586.003
14logsource:
15 product: okta
16 service: okta
17detection:
18 selection:
19 eventType: 'user.account.report_suspicious_activity_by_enduser'
20 condition: selection
21falsepositives:
22 - If an end-user incorrectly identifies normal activity as suspicious.
23level: high
References
-
workflows-templates. Contribute to okta/workflows-templates development by creating an account on GitHub.
Read More
Related rules
- Program Executions in Suspicious Folders
- PUA - Sysinternal Tool Execution - Registry
- PUA - Sysinternals Tools Execution - Registry
- Suspicious Execution Of Renamed Sysinternals Tools - Registry
- Conti Volume Shadow Listing