Merge pull request #2023 from austinsonger/okta

Okta Rules
2021-09-13 14:34:52 +02:00
parent ab5d3a9da4 8e1f36ec39
commit 34111b3aaf
12 changed files with 262 additions and 0 deletions
@@ -0,0 +1,23 @@
+title: Okta Admin Role Assigned to an User or Group
+id: 413d4a81-6c98-4479-9863-014785fd579c
+description: Detects when an the Administrator role is assigned to an user or group.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: 
+            - group.privilege.grant
+            - user.account.privilege.grant
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Administrator roles could be assigned to users or group by other admin users. 
+ 
@@ -0,0 +1,21 @@
+title: Okta API Token Created
+id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
+description: Detects when a API token is created
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: system.api_token.create
+    condition: selection
+level: medium
+tags:
+    - attack.persistence
+falsepositives:
+ - Unknown
+
@@ -0,0 +1,21 @@
+title: Okta API Token Revoked
+id: cf1dbc6b-6205-41b4-9b88-a83980d2255b
+description: Detects when a API Token is revoked.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: system.api_token.revoke
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown
+ 
@@ -0,0 +1,23 @@
+title: Okta Application Modified or Deleted
+id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
+description: Detects when an application is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: 
+            - application.lifecycle.update
+            - application.lifecycle.delete
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown
+ 
@@ -0,0 +1,22 @@
+title: Okta Application Sign-On Policy Modified or Deleted
+id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
+description: Detects when an application Sign-on Policy is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: 
+            - application.policy.sign_on.update
+            - application.policy.sign_on.rule.delete
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown
@@ -0,0 +1,22 @@
+title: Okta MFA Reset or Deactivated
+id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
+description: Detects when an attempt at deactivating  or resetting MFA.
+author: Austin Songer
+status: experimental
+date: 2021/09/21
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: 
+            - user.mfa.factor.deactivate
+            - user.mfa.factor.reset_all
+    condition: selection
+level: medium
+tags:
+    - attack.persistence
+falsepositives:
+ - If a MFA reset or deactivated was performed by a system administrator. 
@@ -0,0 +1,23 @@
+title: Okta Network Zone Deactivated or Deleted
+id: 9f308120-69ed-4506-abde-ac6da81f4310
+description: Detects when an Network Zone is Deactivated or Deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: 
+            - zone.deactivate
+            - zone.delete
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown
+ 
@@ -0,0 +1,24 @@
+title: Okta Policy Modified or Deleted
+id: 1667a172-ed4c-463c-9969-efd92195319a
+description: Detects when an Okta policy is modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: 
+            - policy.lifecycle.update
+            - policy.lifecycle.delete
+    condition: selection
+level: low
+tags:
+    - attack.impact
+falsepositives:
+ - Okta Policies being modified or deleted may be performed by a system administrator. 
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
@@ -0,0 +1,23 @@
+title: Okta Policy Rule Modified or Deleted
+id: 0c97c1d3-4057-45c9-b148-1de94b631931
+description: Detects when an Policy Rule is Modified or Deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: 
+            - policy.rule.update
+            - policy.rule.delete
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown
+ 
@@ -0,0 +1,19 @@
+title: Okta Security Threat Detected
+id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
+description: Detects when an security threat is detected in Okta.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        eventtype: security.threat.detected
+    condition: selection
+level: medium
+falsepositives:
+ - None
@@ -0,0 +1,21 @@
+title: Okta Unauthorized Access to App
+id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
+description: Detects when unauthorized access to app occurs.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        displaymessage:
+            - User attempted unauthorized access to app
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - User might of believe that they had access.
@@ -0,0 +1,20 @@
+title: Okta User Account Locked Out
+id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
+description: Detects when an user account is locked out.
+author: Austin Songer
+status: experimental
+date: 2021/09/12
+references:
+    - https://developer.okta.com/docs/reference/api/system-log/
+    - https://developer.okta.com/docs/reference/api/event-types/
+logsource:
+  service: okta
+detection:
+    selection:
+        displaymessage: Max sign in attempts exceeded
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown