[Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion (#2854)
* adding new rule for Okta ThreatInsight threat suspected * added promotion tag * removed new rule and tuned existing * added promotion tag * Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Terrance DeJesus
@@ -1,38 +0,0 @@
|
||||
[metadata]
|
||||
creation_date = "2020/05/21"
|
||||
integration = ["okta"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/12/14"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP
|
||||
addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential
|
||||
based attacks against their organization, such as brute force and password spraying attacks.
|
||||
"""
|
||||
index = ["filebeat-*", "logs-okta*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Threat Detected by Okta ThreatInsight"
|
||||
note = """## Setup
|
||||
|
||||
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
||||
references = [
|
||||
"https://developer.okta.com/docs/reference/api/system-log/",
|
||||
"https://developer.okta.com/docs/reference/api/event-types/",
|
||||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:okta.system and event.action:security.threat.detected
|
||||
'''
|
||||
|
||||
@@ -0,0 +1,67 @@
|
||||
[metadata]
|
||||
creation_date = "2020/05/21"
|
||||
integration = ["okta"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/06/13"
|
||||
promotion = true
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes,
|
||||
which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents
|
||||
Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests
|
||||
the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and
|
||||
other similar threats.
|
||||
"""
|
||||
index = ["filebeat-*", "logs-okta*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Okta ThreatInsight Threat Suspected Promotion"
|
||||
note = """## Setup
|
||||
|
||||
## Triage and analysis
|
||||
|
||||
This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.
|
||||
Consult vendor documentation on interpreting specific events.
|
||||
"""
|
||||
references = [
|
||||
"https://developer.okta.com/docs/reference/api/system-log/",
|
||||
"https://developer.okta.com/docs/reference/api/event-types/",
|
||||
"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
|
||||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
|
||||
rule_name_override = "okta.display_message"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Identity", "Identity and Access", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.severity_mapping]]
|
||||
field = "okta.debug_context.debug_data.risk_level"
|
||||
operator = "equals"
|
||||
severity = "low"
|
||||
value = "LOW"
|
||||
|
||||
[[rule.severity_mapping]]
|
||||
field = "okta.debug_context.debug_data.risk_level"
|
||||
operator = "equals"
|
||||
severity = "medium"
|
||||
value = "MEDIUM"
|
||||
|
||||
[[rule.severity_mapping]]
|
||||
field = "okta.debug_context.debug_data.risk_level"
|
||||
operator = "equals"
|
||||
severity = "high"
|
||||
value = "HIGH"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user