Merge PR #5964 from @mostafa - Update Okta Rules to use CamelCase fields

update: Okta 2023 Breach Indicator Of Compromise - Update field name to use CamleCase
update: Okta Admin Role Assigned to an User or Group - Update field name to use CamleCase
update: Okta Admin Role Assignment Created - Update field name to use CamleCase
update: Okta API Token Created - Update field name to use CamleCase
update: Okta API Token Revoked - Update field name to use CamleCase
update: Okta Application Modified or Deleted - Update field name to use CamleCase
update: Okta Application Sign-On Policy Modified or Deleted - Update field name to use CamleCase
update: Okta FastPass Phishing Detection - Update field name to use CamleCase
update: Okta Identity Provider Created - Update field name to use CamleCase
update: Okta MFA Reset or Deactivated - Update field name to use CamleCase
update: Okta Network Zone Deactivated or Deleted - Update field name to use CamleCase
update: Okta New Admin Console Behaviours - Update field name to use CamleCase
update: Potential Okta Password in AlternateID Field - Update field name to use CamleCase
update: Okta Policy Modified or Deleted - Update field name to use CamleCase
update: Okta Policy Rule Modified or Deleted - Update field name to use CamleCase
update: Okta Security Threat Detected - Update field name to use CamleCase
update: Okta Suspicious Activity Reported by End-user - Update field name to use CamleCase
update: Okta Unauthorized Access to App - Update field name to use CamleCase
update: Okta User Account Locked Out - Update field name to use CamleCase
update: New Okta User Created - Update field name to use CamleCase
update: Okta User Session Start Via An Anonymising Proxy Service - Update field name to use CamleCase

rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml

@@ -6,6 +6,7 @@ description: |
     This rule can be enhanced by filtering out known and legitimate username used in your environnement.
 author: Muhammad Faisal (@faisalusuf)
 date: 2023-10-25
+modified: 2026-04-27
 references:
     - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
     - https://developer.okta.com/docs/reference/api/event-types/
@@ -17,10 +18,10 @@ logsource:
     product: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - 'user.lifecycle.create'
             - 'user.lifecycle.activate'
-        target.user.display.name|contains: 'svc_network_backup'
+        target.displayName|contains: 'svc_network_backup'
     condition: selection
 falsepositives:
     - Unknown

rules/identity/okta/okta_admin_role_assigned_to_user_or_group.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.privilege-escalation
     - attack.persistence
@@ -17,7 +17,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - group.privilege.grant
             - user.account.privilege.grant
     condition: selection

rules/identity/okta/okta_admin_role_assignment_created.yml

@@ -7,6 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Nikita Khalimonenkov
 date: 2023-01-19
+modified: 2026-04-27
 tags:
     - attack.persistence
 logsource:
@@ -14,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype: 'iam.resourceset.bindings.add'
+        eventType: 'iam.resourceset.bindings.add'
     condition: selection
 falsepositives:
     - Legitimate creation of a new admin role assignment

rules/identity/okta/okta_api_token_created.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.persistence
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype: system.api_token.create
+        eventType: system.api_token.create
     condition: selection
 falsepositives:
     - Legitimate creation of an API token by authorized users

rules/identity/okta/okta_api_token_revoked.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype: system.api_token.revoke
+        eventType: system.api_token.revoke
     condition: selection
 falsepositives:
     - Unknown

rules/identity/okta/okta_application_modified_or_deleted.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - application.lifecycle.update
             - application.lifecycle.delete
     condition: selection

rules/identity/okta/okta_application_sign_on_policy_modified_or_deleted.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - application.policy.sign_on.update
             - application.policy.sign_on.rule.delete
     condition: selection

rules/identity/okta/okta_fastpass_phishing_detection.yml

@@ -8,6 +8,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2023-05-07
+modified: 2026-04-27
 tags:
     - attack.initial-access
     - attack.t1566
@@ -18,7 +19,7 @@ detection:
     selection:
         outcome.reason: 'FastPass declined phishing attempt'
         outcome.result: FAILURE
-        eventtype: user.authentication.auth_via_mfa
+        eventType: user.authentication.auth_via_mfa
     condition: selection
 falsepositives:
     - Unlikely

rules/identity/okta/okta_identity_provider_created.yml

@@ -7,6 +7,7 @@ references:
     - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
 date: 2023-09-07
+modified: 2026-04-27
 tags:
     - attack.privilege-escalation
     - attack.persistence
@@ -16,7 +17,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype: 'system.idp.lifecycle.create'
+        eventType: 'system.idp.lifecycle.create'
     condition: selection
 falsepositives:
     - When an admin creates a new, authorised identity provider.

rules/identity/okta/okta_mfa_reset_or_deactivated.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-21
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.persistence
     - attack.credential-access
@@ -18,7 +18,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - user.mfa.factor.deactivate
             - user.mfa.factor.reset_all
     condition: selection

rules/identity/okta/okta_network_zone_deactivated_or_deleted.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - zone.deactivate
             - zone.delete
     condition: selection

rules/identity/okta/okta_new_behaviours_admin_console.yml

@@ -7,7 +7,7 @@ references:
     - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
 date: 2023-09-07
-modified: 2024-06-26
+modified: 2026-04-27
 tags:
     - attack.privilege-escalation
     - attack.persistence
@@ -19,11 +19,11 @@ logsource:
     service: okta
 detection:
     selection_event:
-        eventtype: 'policy.evaluate_sign_on'
-        target.displayname: 'Okta Admin Console'
+        eventType: 'policy.evaluate_sign_on'
+        target.displayName: 'Okta Admin Console'
     selection_positive:
-        - debugcontext.debugdata.behaviors|contains: 'POSITIVE'
-        - debugcontext.debugdata.logonlysecuritydata|contains: 'POSITIVE'
+        - debugContext.debugData.behaviors|contains: 'POSITIVE'
+        - debugContext.debugData.logOnlySecurityData|contains: 'POSITIVE'
     condition: all of selection_*
 falsepositives:
     - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.

rules/identity/okta/okta_password_in_alternateid_field.yml

@@ -10,7 +10,7 @@ references:
     - https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
 author: kelnage
 date: 2023-04-03
-modified: 2023-10-25
+modified: 2026-04-27
 tags:
     - attack.credential-access
     - attack.t1552
@@ -19,7 +19,7 @@ logsource:
     service: okta
 detection:
     selection:
-        legacyeventtype: 'core.user_auth.login_failed'
+        legacyEventType: 'core.user_auth.login_failed'
     filter_main:
         # Okta service account names start with 0oa
         # Email addresses are the default format for Okta usernames, so attempt
@@ -27,7 +27,7 @@ detection:
         # If your Okta configuration uses different character restrictions, you
         # will need to update this regular expression to reflect that or disable the rule for your environment
         # Possible false negatives are failed login attempts with a password that looks like a valid email address
-        actor.alternateid|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})'
+        actor.alternateId|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})'
     condition: selection and not filter_main
 falsepositives:
     - Unlikely

rules/identity/okta/okta_policy_modified_or_deleted.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - policy.lifecycle.update
             - policy.lifecycle.delete
     condition: selection

rules/identity/okta/okta_policy_rule_modified_or_deleted.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype:
+        eventType:
             - policy.rule.update
             - policy.rule.delete
     condition: selection

rules/identity/okta/okta_security_threat_detected.yml

@@ -8,7 +8,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.command-and-control
 logsource:
@@ -16,7 +16,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype: security.threat.detected
+        eventType: security.threat.detected
     condition: selection
 falsepositives:
     - Unknown

rules/identity/okta/okta_suspicious_activity_enduser_report.yml

@@ -7,6 +7,7 @@ references:
     - https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md
 author: kelnage
 date: 2023-09-07
+modified: 2026-04-27
 tags:
     - attack.resource-development
     - attack.t1586.003
@@ -15,7 +16,7 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype: 'user.account.report_suspicious_activity_by_enduser'
+        eventType: 'user.account.report_suspicious_activity_by_enduser'
     condition: selection
 falsepositives:
     - If an end-user incorrectly identifies normal activity as suspicious.

rules/identity/okta/okta_unauthorized_access_to_app.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
 logsource:
@@ -15,7 +15,7 @@ logsource:
     service: okta
 detection:
     selection:
-        displaymessage: User attempted unauthorized access to app
+        displayMessage: User attempted unauthorized access to app
     condition: selection
 falsepositives:
     - User might of believe that they had access.

rules/identity/okta/okta_user_account_locked_out.yml

@@ -7,7 +7,7 @@ references:
     - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
 date: 2021-09-12
-modified: 2022-10-09
+modified: 2026-04-27
 tags:
     - attack.impact
     - attack.t1531
@@ -16,7 +16,7 @@ logsource:
     service: okta
 detection:
     selection:
-        displaymessage: Max sign in attempts exceeded
+        displayMessage: Max sign in attempts exceeded
     condition: selection
 falsepositives:
     - Unknown

rules/identity/okta/okta_user_created.yml

@@ -4,6 +4,7 @@ status: test
 description: Detects new user account creation
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-10-25
+modified: 2026-04-27
 references:
     - https://developer.okta.com/docs/reference/api/event-types/
 tags:
@@ -13,7 +14,7 @@ logsource:
     product: okta
 detection:
     selection:
-        eventtype: 'user.lifecycle.create'
+        eventType: 'user.lifecycle.create'
     condition: selection
 falsepositives:
     - Legitimate and authorized user creation

rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml

@@ -7,6 +7,7 @@ references:
     - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
 date: 2023-09-07
+modified: 2026-04-27
 tags:
     - attack.defense-evasion
     - attack.t1562.006
@@ -15,8 +16,8 @@ logsource:
     service: okta
 detection:
     selection:
-        eventtype: 'user.session.start'
-        securitycontext.isproxy: 'true'
+        eventType: 'user.session.start'
+        securityContext.isProxy: 'true'
     condition: selection
 falsepositives:
     - If a user requires an anonymising proxy due to valid justifications.