From 5bc3d1e2d5cecda0f5341605119c4f7cfb0ca4b8 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Tue, 22 Mar 2022 16:11:29 -0800
Subject: [PATCH] [New Rule] Okta User Session Impersonation (#1867)
* [New Rule] Okta User Session Impersonation
Co-authored-by: Jonhnathan
(cherry picked from commit 46c2383e5b1247ac6c7e41aea4f130beaf7ec57c)
---
...tial_access_user_impersonation_access.toml | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 rules/integrations/okta/credential_access_user_impersonation_access.toml
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
new file mode 100644
index 000000000..ac755ab0f
--- /dev/null
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2022/03/22"
+maturity = "production"
+updated_date = "2022/03/22"
+integration = "okta"
+
+[rule]
+author = ["Elastic"]
+description = """
+A user has initiated a session impersonation granting them access to the environment with the permissions of the user
+they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested
+and expected.
+"""
+from = "now-30m"
+index = ["filebeat-*", "logs-okta*"]
+interval = "15m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Okta User Session Impersonation"
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/"
+]
+risk_score = 73
+rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
+severity = "high"
+tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:okta.system and event.action:user.session.impersonation.initiate
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
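Review bot: The query matches only `user.session.impersonation.initiate`, so the step that makes impersonation possible in the first place — the consent/grant event Okta logs when support access is enabled (if I recall the event catalog correctly, `user.session.impersonation.grant`) — would not alert, and that grant is the earlier, more actionable signal in the scenario the referenced Cloudflare write-up describes; consider `event.dataset:okta.system and event.action:(user.session.impersonation.initiate or user.session.impersonation.grant)` or a sibling rule for the grant. The `note` section only covers data-source setup and would help triage if it told the analyst which fields identify the impersonator and the impersonated account (the Okta actor and target fields, as mapped by the integration) and that an expected support case should be on file for any hit. The `[[rule.threat]]` entry carries a tactic but no `technique` list, unlike most rules in this corpus that map to at least one ATT&CK technique; if no technique fits, a one-line comment saying so would save a future maintainer from "fixing" it.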