[New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash (#3267)

* added new rule 'Multiple Okta Users with the Same Device Token Hash'

* moved rule to okta integration folder

* optimized the query

* added false positive comment

* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
Terrance DeJesus
2023-11-27 19:23:38 -05:00
committed by GitHub
parent 0578bd4caa
commit 69cb2f6fc6
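--- a/rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
+++ b/rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/11/10"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/11/10"
+[rule]
+author = ["Elastic"]
+description = "Detects when Okta user or system events are reported for multiple users with the same device token hash."
+false_positives = [
+"An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.",
+"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
+"Shared systems such as Kiosks and conference room computers may be used by multiple users."
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Multiple Okta Users with the Same Device Token Hash"
+note = """## Setup
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+"https://developer.okta.com/docs/reference/api/system-log/",
+"https://developer.okta.com/docs/reference/api/event-types/",
+"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+]
+risk_score = 47
+rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd"
+severity = "medium"
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
+timestamp_override = "event.ingested"
+type = "threshold"
+query = '''
+event.dataset:okta.system and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:* and okta.event_type:(system* or user*)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[rule.threshold]
+field = ["okta.debug_context.debug_data.dt_hash"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "okta.actor.id"
+value = 2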
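Review bot: The `note` field carries only a Setup section, so an analyst triaging an alert gets no guidance on separating a genuine account takeover from the shared-host scenarios listed in `false_positives`; a short Investigation section in `note` should tell the analyst to review the distinct `okta.actor.id` values grouped under the alerting `okta.debug_context.debug_data.dt_hash`, check whether those accounts belong to the same person or a known shared endpoint, and escalate when the accounts are unrelated. The `not okta.actor.id:okta*` exclusion in `query` is also unexplained; a comment above `query` such as `# Exclude actor IDs prefixed "okta" (presumably Okta-internal system actors) so they do not count toward the cardinality threshold` would record the intent for the next maintainer. `false_positives` also has a typo: "admnistrator" should read "administrator".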