security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
T
z00t 284730b966 Merge PR #4509 from @faisalusuf - Add New Rules Related to Okta Breach 
new: Okta 2023 Breach Indicator Of Compromise
new: Okta Password Health Report Query
new: Okta Admin Functions Access Through Proxy
new: New Okta User Created
update: Okta New Admin Console Behaviours - Field notation
update: Potential Okta Password in AlternateID Field - Field notation

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-28 12:50:04 +02:00

24 lines
864 B
YAML
Raw Blame History

title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: experimental
description: Detects access to Okta admin functions through proxy.
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://dataconomy.com/2023/10/23/okta-data-breach/
- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023/10/25
tags:
- attack.credential_access
logsource:
service: okta
product: okta
detection:
selection:
debugContext.debugData.requestUri|contains: 'admin'
securityContext.isProxy: 'true'
condition: selection
falsepositives:
- False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
level: medium
Reference in New Issue View Git Blame Copy Permalink