diff --git a/rules/okta/attempt_to_deactivate_okta_network_zone.toml b/rules/okta/attempt_to_deactivate_okta_network_zone.toml new file mode 100644 index 000000000..c5a743fde --- /dev/null +++ b/rules/okta/attempt_to_deactivate_okta_network_zone.toml @@ -0,0 +1,38 @@ +[metadata] +creation_date = "2020/11/06" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/11/06" + +[rule] +author = ["Elastic"] +description = """ +Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to +a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta +network zone in order to remove or weaken an organization's security controls. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are + regularly modified. + """, +] +index = ["filebeat-*", "logs-okta*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Deactivate an Okta Network Zone" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." +references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 47 +rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1" +severity = "medium" +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:zone.deactivate +''' diff --git a/rules/okta/attempt_to_delete_okta_network_zone.toml b/rules/okta/attempt_to_delete_okta_network_zone.toml new file mode 100644 index 000000000..1bb738851 --- /dev/null +++ b/rules/okta/attempt_to_delete_okta_network_zone.toml 
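Review bot: The new file is named `rules/okta/attempt_to_deactivate_okta_network_zone.toml` without the `okta_` prefix that the other rule added in this commit (`rules/okta/okta_attempt_to_delete_okta_policy_rule.toml`) and the renamed policy rules use; the sibling `attempt_to_delete_okta_network_zone.toml` has the same gap. Since the commit is already renaming the `persistence_` files to the `okta_` scheme, both new network-zone files should follow it, e.g. `rules/okta/okta_attempt_to_deactivate_okta_network_zone.toml`. The rule content itself looks consistent with the existing modify-zone rule (same index, tags and references), so this is naming only.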
@@ -0,0 +1,39 @@ +[metadata] +creation_date = "2020/11/06" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/11/06" + +[rule] +author = ["Elastic"] +description = """ +Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a +network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network +zone in order to remove or weaken an organization's security controls. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are + regularly deleted. + """, +] +index = ["filebeat-*", "logs-okta*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Delete an Okta Network Zone" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." +references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 47 +rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad" +severity = "medium" +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:zone.delete +''' + diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml index ee2500013..d593c50ba 100644 --- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml 
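Review bot: The false-positive text in the new file has a typo on the new side, `if Oyour organization's Okta network zones are`; this string is shown to analysts in Kibana, so it should read `Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are`. The rest of the file mirrors the deactivate-zone rule, which makes the stray character look like an edit slip rather than intent.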
@@ -7,14 +7,14 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in -order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs. +Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA +policies configured for an organization in order to obtain unauthorized access to an application. """ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Attempted Bypass of Okta MFA" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", @@ -42,4 +42,3 @@ reference = "https://attack.mitre.org/techniques/T1111/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index cbf415f35..645ddd3af 100644 --- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Attempts to Brute Force an Okta User Account" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", 
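Review bot: The hunk header context shows `updated_date = "2020/10/26"` left unchanged although the description and note are rewritten on the new side; the new rule files in this commit carry `2020/11/06`, so the modified rules should presumably be bumped to the same date unless the repository tooling rewrites `updated_date` at release time. The same applies to every other modified rule whose hunk starts at line 7 of its file (the DoS, suspicious-activity, policy, policy-rule, network-zone, sign-on-policy, ThreatInsight, admin-group, API-token and MFA rules below), so a single sweep would cover them.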
diff --git a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml index 9ccc03f10..9b74df456 100644 --- a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Okta Brute Force or Password Spraying Attack" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 4d2b4ab17..4e0452012 100644 --- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "High Number of Okta User Password Reset or Unlock Attempts" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml index a0ece548e..6f3ac73cf 100644 --- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml 
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Attempt to Revoke Okta API Token" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml index 9f1bae1ca..99da82ad7 100644 --- a/rules/okta/impact_possible_okta_dos_attack.toml +++ b/rules/okta/impact_possible_okta_dos_attack.toml @@ -7,14 +7,14 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to disrupt an organization's business operations by performing a denial of service (DoS) attack -against its Okta infrastructure. +Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an +organization's business operations by performing a DoS attack against its Okta service. """ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Possible Okta DoS Attack" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", @@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1499/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index 88910f1f2..036565f90 100644 
--- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -7,15 +7,15 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -This rule detects when a user reports suspicious activity for their Okta account. These events should be investigated, -as they can help security teams identify when an adversary is attempting to gain access to their network. +Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can +help security teams identify when an adversary is attempting to gain access to their network. """ false_positives = ["A user may report suspicious activity on their Okta account in error."] index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Suspicious Activity Reported by Okta User" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml similarity index 55% rename from rules/okta/persistence_attempt_to_deactivate_okta_policy.toml rename to rules/okta/okta_attempt_to_deactivate_okta_policy.toml index f3fd61764..c241308b6 100644 --- a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml 
@@ -7,9 +7,9 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For -example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the -authentication requirements for user accounts. +Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken +an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor +authentication (MFA) policy in order to weaken the authentication requirements for user accounts. """ false_positives = [ """ @@ -20,9 +20,10 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Deactivate Okta Policy" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Deactivate an Okta Policy" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] @@ -36,17 +37,3 @@ query = ''' event.dataset:okta.system and event.action:policy.lifecycle.deactivate ''' - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - 
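Review bot: The new side drops the whole `[[rule.threat]]` block without a replacement, so after this commit the rule carries no ATT&CK tactic or technique at all; the rename away from the `persistence_` prefix suggests the Persistence/T1098 mapping was judged a poor fit, but the alternative is an unmapped rule, which is weaker for coverage reporting than a better-fitting mapping. If the intent is to keep the rule mapped, deactivating a security policy is closer to Defense Evasion / Impair Defenses (T1562), written in the same layout as the removed block. If leaving it unmapped is deliberate, a sentence in the commit message saying so would save the next reader the same question.

```toml
# … unchanged: query and preceding keys …
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```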
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml similarity index 64% rename from rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml rename to rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml index 70a438c74..9d9358709 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml @@ -7,8 +7,8 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to deactivate an Okta multi-factor authentication (MFA) rule in order to remove or weaken an -organization's security controls. +Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an +Okta policy in order to remove or weaken an organization's security controls. """ false_positives = [ """ @@ -19,15 +19,16 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Deactivate Okta MFA Rule" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Deactivate an Okta Policy Rule" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] -risk_score = 21 +risk_score = 47 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0" -severity = "low" +severity = "medium" tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "query" diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml index bd6886992..aabe478a5 100644 --- a/rules/okta/okta_attempt_to_delete_okta_policy.toml 
+++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml @@ -7,9 +7,9 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, -an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the -authentication requirements for user accounts. +Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an +organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication +(MFA) policy in order to weaken the authentication requirements for user accounts. """ false_positives = [ """ @@ -20,15 +20,16 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Delete Okta Policy" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Delete an Okta Policy" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] -risk_score = 21 +risk_score = 47 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9" -severity = "low" +severity = "medium" tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" diff --git a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml new file mode 100644 index 000000000..1998cba66 --- /dev/null +++ b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml 
@@ -0,0 +1,38 @@ +[metadata] +creation_date = "2020/11/06" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/11/06" + +[rule] +author = ["Elastic"] +description = """ +Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order +to weaken an organization's security controls. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your + organization. + """, +] +index = ["filebeat-*", "logs-okta*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Delete an Okta Policy Rule" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." +references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd" +severity = "low" +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:policy.rule.delete +''' + diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml index 3ec00a4f0..208b030ff 100644 --- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml 
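Review bot: The false-positive text in this new file still talks about `Okta MFA rules are regularly modified`, but the rule's description and query (`policy.rule.delete`) are about deleting any policy rule, so the guidance looks carried over from the old MFA-rule file; it should read `Consider adding exceptions to this rule to filter false positives if Okta policy rules are regularly deleted in your` / `organization.`. Separately, this file ships with `risk_score = 21` and `severity = "low"` while the same commit raises the deactivate-policy-rule and delete-policy rules to `47` / `"medium"`, and deleting a rule is at least as impactful as deactivating one; the two should presumably be aligned. The `tags` also differ from the deactivate-policy-rule sibling (`"Monitoring"` vs `"Identity and Access"`), which is worth a quick check for consistency.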
@@ -7,9 +7,9 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An -adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an -organization's security controls. +Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a +network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network +zone in order to remove or weaken an organization's security controls. """ false_positives = [ """ @@ -20,9 +20,10 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Modify Okta Network Zone" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Modify an Okta Network Zone" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] @@ -33,6 +34,6 @@ tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Netwo type = "query" query = ''' -event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist) +event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) ''' diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml index 952759653..016fb1c2d 100644 --- a/rules/okta/okta_attempt_to_modify_okta_policy.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml 
@@ -7,9 +7,9 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, -an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the -authentication requirements for user accounts. +Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an +organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication +(MFA) policy in order to weaken the authentication requirements for user accounts. """ false_positives = [ """ @@ -20,8 +20,8 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Modify Okta Policy" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Modify an Okta Policy" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", @@ -35,4 +35,3 @@ type = "query" query = ''' event.dataset:okta.system and event.action:policy.lifecycle.update ''' - diff --git a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml similarity index 63% rename from rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml rename to rules/okta/okta_attempt_to_modify_okta_policy_rule.toml index c96852292..78c061941 100644 --- a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml 
@@ -7,8 +7,8 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to modify an Okta multi-factor authentication (MFA) rule in order to remove or weaken an -organization's security controls. +Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order +to weaken an organization's security controls. """ false_positives = [ """ @@ -19,9 +19,10 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Modify Okta MFA Rule" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Modify an Okta Policy Rule" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] @@ -32,6 +33,6 @@ tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Ident type = "query" query = ''' -event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete) +event.dataset:okta.system and event.action:policy.rule.update ''' diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index cdd8511b5..0723c332d 100644 --- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml 
@@ -7,8 +7,8 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an -organization's security controls. +Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or +delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls. """ false_positives = [ """ @@ -20,8 +20,9 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Modification or Removal of an Okta Application Sign-On Policy" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml index e40e8d570..2e00d5fe8 100644 --- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml +++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml 
@@ -7,15 +7,15 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -This rule detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from -IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential +Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP +addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks. """ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Threat Detected by Okta ThreatInsight" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 88decc731..c9d672bc7 100644 --- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml 
@@ -7,27 +7,29 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions -to compromised user accounts. +Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator +privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access +to their target organization. """ false_positives = [ """ - Consider adding exceptions to this rule to filter false positives if administrator privileges are regularly assigned - to Okta groups in your organization. + Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. + Exceptions can be added to this rule to filter expected behavior. """, ] index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Administrator Privileges Assigned to Okta Group" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Administrator Privileges Assigned to an Okta Group" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ + "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] -risk_score = 21 +risk_score = 47 rule_id = "b8075894-0b62-46e5-977c-31275da34419" -severity = "low" +severity = "medium" tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml index 68dfcc859..6dd01b521 100644 --- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml 
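Review bot: The rewritten false-positive text says `Administrator roles may be assigned to Okta users by a Super Admin user`, but this rule (name, description and tags) is about roles assigned to an Okta group, so the sentence points analysts at the wrong object; it should read `Administrator roles may be assigned to Okta groups by a Super Admin user. Verify that the behavior was expected.` The second sentence, `Exceptions can be added to this rule to filter expected behavior.`, can stay as written.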
+++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml @@ -7,9 +7,9 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve -their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling -security rules or policies. +Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an +organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute +techniques such as creating user accounts or disabling security rules or policies. """ false_positives = [ """ @@ -21,14 +21,14 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" name = "Attempt to Create Okta API Token" -note = "The Okta Filebeat module must be enabled to use this rule." +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", ] -risk_score = 21 +risk_score = 47 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5" -severity = "low" +severity = "medium" tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index 3d88fd685..fe0de5b29 100644 --- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml 
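Review bot: The context line `name = "Attempt to Create Okta API Token"` is left as is while this commit renames the sibling rules to the "an Okta …" form (`"Attempt to Delete an Okta Policy"`, `"Attempt to Modify an Okta Network Zone"`, and so on); the revoke-token rule above keeps `"Attempt to Revoke Okta API Token"` in the same way. For a consistent rule list in Kibana these two would become `name = "Attempt to Create an Okta API Token"` and `name = "Attempt to Revoke an Okta API Token"`, which is naming only and does not touch `rule_id`.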
@@ -7,8 +7,8 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may deactivate multi-factor authentication (MFA) for an Okta user account in order to weaken the -authentication requirements for the account. +Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for +an Okta user account in order to weaken the authentication requirements for the account. """ false_positives = [ """ @@ -19,8 +19,8 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Deactivate MFA for Okta User Account" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Deactivate MFA for an Okta User Account" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index 73e96aa55..ae7172fa5 100644 --- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml 
@@ -7,8 +7,9 @@ updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -An adversary may attempt to remove the multi-factor authentication (MFA) factors registered on an Okta user's account in -order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. +Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt +to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend +in with normal activity in the victim's environment. """ false_positives = [ """ @@ -19,8 +20,8 @@ false_positives = [ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License" -name = "Attempt to Reset MFA Factors for Okta User Account" -note = "The Okta Filebeat module must be enabled to use this rule." +name = "Attempt to Reset MFA Factors for an Okta User Account" +note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", @@ -48,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -