From 8b84c2628649ea3741e8db28fa2e760bfa8ca9c9 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 12 Jan 2026 09:40:09 -0500
Subject: [PATCH] [Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms (#5544)

* [Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms

Fixes #5543

* fixed query optimization
---
 ...ss_sign_in_events_via_third_party_idp.toml | 56 +++++++++++++------
 1 file changed, 38 insertions(+), 18 deletions(-)

diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index d4d4fecc7..3980b66a6 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,14 +2,18 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/01/09"
 
 [rule]
 author = ["Elastic"]
-description = "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP)."
-from = "now-30m"
-index = ["logs-okta*"]
-interval = "15m"
+description = """
+Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP) that has not been
+seen before. Adversaries may add an unauthorized IdP to an Okta tenant to gain persistent access. This rule uses New
+Terms detection to only alert when a previously unseen IdP is used for authentication, reducing noise from legitimate
+federated identity providers while highlighting potentially rogue IdP additions.
+"""
+from = "now-9m"
+index = ["logs-okta.system-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Okta Sign-In Events via Third-Party IdP"
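Review bot: The new `description` says the rule fires for an IdP "that has not been seen before", but the baseline it is compared against is only the `now-5d` history window configured later in this file, so a legitimate federated IdP used less often than every five days will be reported as unseen each time it is exercised. That caveat belongs in the description, or the investigation note, so an analyst reads the alert as "not used in the last five days" rather than "never used"; for example append `Note that "unseen" is relative to the configured history window (5 days), so infrequently used but legitimate IdPs may recur.` to the description. The `[rule]` table continues past the end of this hunk.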
@@ -65,29 +69,45 @@ risk_score = 47
 rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
 severity = "medium"
 tags = [
+    "Domain: Identity",
     "Use Case: Identity and Access Audit",
     "Tactic: Initial Access",
     "Data Source: Okta",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 
 query = '''
-event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and
-  (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP
-  or user.authentication.auth_via_inbound_SAML
-  or user.authentication.auth_via_mfa
-  or user.authentication.auth_via_social)
-  or event.action:user.session.start) or
-  (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE
-  and okta.outcome.reason:("A SAML assert with the same ID has already been processed by Okta for a previous request"
-  or "Unable to match transformed username"
-  or "Unable to resolve IdP endpoint"
-  or "Unable to validate SAML Response"
-  or "Unable to validate incoming SAML Assertion"))
+event.dataset: "okta.system"
+  and okta.authentication_context.issuer.id: (* and not "Okta")
+  and (
+    event.action: (
+      "user.authentication.auth_via_IDP"
+      or "user.authentication.auth_via_inbound_SAML"
+      or "user.authentication.auth_via_social"
+    )
+    or (
+      event.action: "user.authentication.auth_via_IDP"
+      and okta.outcome.result: "FAILURE"
+      and okta.outcome.reason: (
+        "A SAML assert with the same ID has already been processed by Okta for a previous request"
+        or "Unable to match transformed username"
+        or "Unable to resolve IdP endpoint"
+        or "Unable to validate SAML Response"
+        or "Unable to validate incoming SAML Assertion"
+      )
+    )
+  )
 '''
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["okta.authentication_context.issuer.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-5d"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
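Review bot: The second alternative in the new `query` (`event.action: "user.authentication.auth_via_IDP" and okta.outcome.result: "FAILURE" and okta.outcome.reason: (...)`) is dead logic: every event it can match already satisfies the first alternative, because `"user.authentication.auth_via_IDP"` is in that action list and the `okta.authentication_context.issuer.id: (* and not "Okta")` filter is applied to both branches by the enclosing `and`. In the removed query the failure branch was the one path that did not require a non-Okta issuer, so if failed federated sign-ins whose issuer resolves to Okta were meant to stay in scope, the issuer filter should wrap only the first branch; otherwise the clause should be dropped and the query reduced to the action list as below, which also makes the rule's intent easier to audit. Separately, `value = "now-5d"` under `[[rule.new_terms.history_window_start]]` is a short baseline for `okta.authentication_context.issuer.id`: a partner IdP exercised weekly will re-alert on each use, and an IdP first used more than five days before the rule is enabled is never "new", so the window is worth aligning with how often legitimate federated IdPs are actually used in the tenant.
```toml
query = '''
event.dataset: "okta.system"
  and okta.authentication_context.issuer.id: (* and not "Okta")
  and event.action: (
    "user.authentication.auth_via_IDP"
    or "user.authentication.auth_via_inbound_SAML"
    or "user.authentication.auth_via_social"
  )
'''
# … unchanged: [rule.new_terms] and [[rule.threat]] sections …
```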