From 58ea49b092dbebaf5c6eb343c983d2de13856408 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 14 May 2021 19:52:02 +0000
Subject: [PATCH] [Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts (#1200)

* Update impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 ...s_okta_user_password_reset_or_unlock_attempts.toml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index fc883bca4..3a04c2170 100644
--- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/05/12"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "@BenB196", "Austin Songer"]
 description = """
-Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain
-unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their
+Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain
+unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their
 target's environment and evade detection.
 """
 false_positives = [
@@ -82,6 +82,7 @@ name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
 [rule.threshold]
-field = ["okta.actor.id"]
+field = ["okta.actor.alternate_id"]
 value = 5
+
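Review bot: The threshold in the second hunk now keys on `okta.actor.alternate_id`, which in Okta System Log events is typically the actor's login/e-mail rather than the stable `okta.actor.id` the rule used before, so a login rename or an actor that rotates its login mid-window would split the per-actor count across two keys, and neither the commit message nor the rule says why the swap was made. If the motivation is that `alternate_id` is populated more consistently, or reads better in alerts, for the password-reset and unlock events this rule matches, record that above the key, e.g. `# keyed on the actor login (alternate_id) rather than actor.id because …` above `field = ["okta.actor.alternate_id"]`, and consider whether `okta.actor.id` should stay in the list alongside it so the count survives a rename. The query and `false_positives` list that decide which events are counted are outside these hunks, so I cannot confirm from the patch that `alternate_id` is present on every matched event. The trailing `+` line appends an empty line at end of file; TOML files should end with a single newline, so that addition is likely unintended.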