[Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms (#5544)

* [Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms Fixes #5543 * fixed query optimization
2026-01-12 09:40:09 -05:00
parent 7c36743ce6
commit 8b84c26286
1 changed files with 38 additions and 18 deletions
@@ -2,14 +2,18 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/01/09"

 [rule]
 author = ["Elastic"]
-description = "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP)."
-from = "now-30m"
-index = ["logs-okta*"]
-interval = "15m"
+description = """
+Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP) that has not been
+seen before. Adversaries may add an unauthorized IdP to an Okta tenant to gain persistent access. This rule uses New
+Terms detection to only alert when a previously unseen IdP is used for authentication, reducing noise from legitimate
+federated identity providers while highlighting potentially rogue IdP additions.
+"""
+from = "now-9m"
+index = ["logs-okta.system-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Okta Sign-In Events via Third-Party IdP"
@@ -65,29 +69,45 @@ risk_score = 47
 rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
 severity = "medium"
 tags = [
+    "Domain: Identity",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Data Source: Okta",
    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"

 query = '''
-event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and
-    (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP
-        or user.authentication.auth_via_inbound_SAML
-        or user.authentication.auth_via_mfa
-        or user.authentication.auth_via_social)
-        or event.action:user.session.start) or
-    (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE
-        and okta.outcome.reason:("A SAML assert with the same ID has already been processed by Okta for a previous request"
-            or "Unable to match transformed username"
-            or "Unable to resolve IdP endpoint"
-            or "Unable to validate SAML Response"
-            or "Unable to validate incoming SAML Assertion"))
+event.dataset: "okta.system"
+    and okta.authentication_context.issuer.id: (* and not "Okta")
+    and (
+        event.action: (
+            "user.authentication.auth_via_IDP"
+            or "user.authentication.auth_via_inbound_SAML"
+            or "user.authentication.auth_via_social"
+        )
+        or (
+            event.action: "user.authentication.auth_via_IDP"
+            and okta.outcome.result: "FAILURE"
+            and okta.outcome.reason: (
+                "A SAML assert with the same ID has already been processed by Okta for a previous request"
+                or "Unable to match transformed username"
+                or "Unable to resolve IdP endpoint"
+                or "Unable to validate SAML Response"
+                or "Unable to validate incoming SAML Assertion"
+            )
+        )
+    )
 '''

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["okta.authentication_context.issuer.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-5d"

 [[rule.threat]]
 framework = "MITRE ATT&CK"