Add event.module value to Okta rules (#19)

2020-07-06 14:26:18 -06:00
parent 0ba6d187ba
commit a98eca06d0
15 changed files with 15 additions and 30 deletions
@@ -25,7 +25,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:user.mfa.attempt_bypass
+event.module:okta and event.dataset:okta.system and event.action:user.mfa.attempt_bypass
 '''


@@ -41,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1111/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:system.api_token.revoke
+event.module:okta and event.dataset:okta.system and event.action:system.api_token.revoke
 '''


@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
@@ -25,7 +25,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
+event.module:okta and event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
 '''


@@ -46,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1499/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
@@ -26,7 +26,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
+event.module:okta and event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
 '''


@@ -78,4 +78,3 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
@@ -31,6 +31,5 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:policy.rule.deactivate
+event.module:okta and event.dataset:okta.system and event.action:policy.rule.deactivate
 '''
-
@@ -32,6 +32,5 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.delete
+event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.delete
 '''
-
@@ -31,6 +31,5 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)
+event.module:okta and event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)
 '''
-
@@ -32,6 +32,5 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)
+event.module:okta and event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)
 '''
-
@@ -32,6 +32,5 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.update
+event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.update
 '''
-
@@ -26,6 +26,5 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:security.threat.detected
+event.module:okta and event.dataset:okta.system and event.action:security.threat.detected
 '''
-
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:group.privilege.grant
+event.module:okta and event.dataset:okta.system and event.action:group.privilege.grant
 '''


@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -32,7 +32,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:system.api_token.create
+event.module:okta and event.dataset:okta.system and event.action:system.api_token.create
 '''


@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1136/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:user.mfa.factor.deactivate
+event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.deactivate
 '''


@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -32,7 +32,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.deactivate
+event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.deactivate
 '''


@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"

 query = '''
-event.dataset:okta.system and event.action:user.mfa.factor.reset_all
+event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.reset_all
 '''


@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-