From 69cb2f6fc608cfa159aa2f8597d451f600f08405 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 27 Nov 2023 19:23:38 -0500
Subject: [PATCH] [New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash (#3267)
* added new rule 'Multiple Okta Users with the Same Device Token Hash'
* moved rule to okta integration folder
* adjusted query to be optimized
* added false positive comment
* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
---
 ...tiple_active_users_from_single_device.toml | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
diff --git a/rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml b/rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
new file mode 100644
index 000000000..ed19fc01f
--- /dev/null
+++ b/rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/11/10"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/11/10"
+
+[rule]
+author = ["Elastic"]
+description = "Detects when Okta user or system events are reported for multiple users with the same device token hash."
+false_positives = [
+ "An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.",
+ "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
+ "Shared systems such as Kiosks and conference room computers may be used by multiple users."
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Multiple Okta Users with the Same Device Token Hash"
+note = """## Setup
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+]
+risk_score = 47
+rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd"
+severity = "medium"
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+event.dataset:okta.system and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:* and okta.event_type:(system* or user*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.threshold]
+field = ["okta.debug_context.debug_data.dt_hash"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "okta.actor.id"
+value = 2
+
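Review bot: The `note` field only covers setup, so the alerting condition encoded across `[rule.threshold]` and `[[rule.threshold.cardinality]]` — one `okta.debug_context.debug_data.dt_hash` value observed with at least two distinct `okta.actor.id` values inside the `from = "now-9m"` window — has to be reconstructed by the analyst from three separate keys. Consider adding a sentence to `note` such as `This rule triggers when a single device token hash (dt_hash) is associated with two or more distinct Okta actor IDs within the lookback window; the lookback is presumably kept longer than the execution interval so events are not missed between runs — confirm against the scheduler defaults.` The first `false_positives` entry has a typo, `admnistrator` → `administrator`. The runs of two and three blank `+` lines before `[[rule.threat]]` and `[rule.threat.tactic]` are inconsistent with the single blank line used between the other tables in this file.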