[Rule Tuning] New Okta Authentication Behavior Detected (#5542)

* [Rule Tuning] New Okta Authentication Behavior Detected Fixes #5541 * tuning New Okta Authentication Behavior Detected * Update rules_building_block/initial_access_new_okta_authentication_behavior.toml * updated tag, adjusted lookback window
2026-01-12 09:01:32 -05:00
parent de42a5aabd
commit 4e5b8be0de
1 changed files with 9 additions and 6 deletions
@@ -1,15 +1,16 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/01/08"

 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = "Detects events where Okta behavior detection has identified a new authentication behavior."
-from = "now-30m"
-index = ["filebeat-*", "logs-okta*"]
-interval = "15m"
+from = "now-9m"
+index = ["logs-okta.system-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "New Okta Authentication Behavior Detected"
@@ -53,14 +54,16 @@ references = [
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
-risk_score = 47
+risk_score = 21
 rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
-severity = "medium"
+severity = "low"
 tags = [
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Data Source: Okta",
    "Resources: Investigation Guide",
+    "Rule Type: BBR",
+    "Domain: Identity"
 ]
 timestamp_override = "event.ingested"
 type = "query"