From a98eca06d042eb4f2a57c2c455fad2e906ceb101 Mon Sep 17 00:00:00 2001
From: David French <56409778+threat-punter@users.noreply.github.com>
Date: Mon, 6 Jul 2020 14:26:18 -0600
Subject: [PATCH] Add event.module value to Okta rules (#19)
---
 rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml | 3 +--
 rules/okta/impact_attempt_to_revoke_okta_api_token.toml | 3 +--
 rules/okta/impact_possible_okta_dos_attack.toml | 3 +--
 ...itial_access_suspicious_activity_reported_by_okta_user.toml | 3 +--
 rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml | 3 +--
 rules/okta/okta_attempt_to_delete_okta_policy.toml | 3 +--
 rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml | 3 +--
 rules/okta/okta_attempt_to_modify_okta_network_zone.toml | 3 +--
 rules/okta/okta_attempt_to_modify_okta_policy.toml | 3 +--
 rules/okta/okta_threat_detected_by_okta_threatinsight.toml | 3 +--
 ...stence_administrator_privileges_assigned_to_okta_group.toml | 3 +--
 rules/okta/persistence_attempt_to_create_okta_api_token.toml | 3 +--
 ...stence_attempt_to_deactivate_mfa_for_okta_user_account.toml | 3 +--
 rules/okta/persistence_attempt_to_deactivate_okta_policy.toml | 3 +--
 ...nce_attempt_to_reset_mfa_factors_for_okta_user_account.toml | 3 +--
 15 files changed, 15 insertions(+), 30 deletions(-)
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 64e361f82..03050c704 100644
--- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -25,7 +25,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:user.mfa.attempt_bypass
+event.module:okta and event.dataset:okta.system and event.action:user.mfa.attempt_bypass
 '''
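Review bot: Prefixing the query with `event.module:okta` can only narrow what this rule matches, because `event.dataset:okta.system` is kept as well, and nothing in the patch records why both clauses are needed; any Okta event indexed with the dataset value but without event.module populated (an ingest path other than the Filebeat module, if one is in use) would stop alerting with no error anywhere. If the intent is to pin the rule to Filebeat's Okta module, which as far as I can tell sets both fields, a comment above the query such as `# event.module and event.dataset are both set by the Filebeat okta module; keep the two in sync` would make that explicit, and if the intent is only consistency with other rule files the extra clause could be dropped instead. If the rule metadata carries an updated_date or version field, a query change like this should bump it, but that field is outside the hunk. The identical change appears in the query hunks of the other fourteen Okta rule files in this patch, so this note applies to all of them. The table that owns `query` begins outside the hunk.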
@@ -41,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1111/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
index 359d66826..766f7fa2b 100644
--- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:system.api_token.revoke
+event.module:okta and event.dataset:okta.system and event.action:system.api_token.revoke
 '''
@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml
index a72537ab7..de7e1f464 100644
--- a/rules/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/okta/impact_possible_okta_dos_attack.toml
@@ -25,7 +25,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
+event.module:okta and event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
 '''
@@ -46,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1499/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 5b9e2cc50..b39d71f04 100644
--- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -26,7 +26,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
+event.module:okta and event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
 '''
@@ -78,4 +78,3 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
index 02b13d1c2..1610fe347 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
@@ -31,6 +31,5 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.rule.deactivate
+event.module:okta and event.dataset:okta.system and event.action:policy.rule.deactivate
 '''
-
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml
index 9c9c279c3..39156648f 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml
@@ -32,6 +32,5 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.delete
+event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.delete
 '''
-
diff --git a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml
index 1bdc17a3d..4608ebc87 100644
--- a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml
@@ -31,6 +31,5 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)
+event.module:okta and event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)
 '''
-
diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
index fad921eaa..896946c84 100644
--- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
@@ -32,6 +32,5 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)
+event.module:okta and event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)
 '''
-
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml
index 639e8c337..0b9c9bb7d 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml
@@ -32,6 +32,5 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.update
+event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.update
 '''
-
diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
index 6acf3f031..048cdf0d9 100644
--- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -26,6 +26,5 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:security.threat.detected
+event.module:okta and event.dataset:okta.system and event.action:security.threat.detected
 '''
-
diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index d648597f8..7b5a556fb 100644
--- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:group.privilege.grant
+event.module:okta and event.dataset:okta.system and event.action:group.privilege.grant
 '''
@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
index b1678bea8..d8bc193a8 100644
--- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -32,7 +32,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:system.api_token.create
+event.module:okta and event.dataset:okta.system and event.action:system.api_token.create
 '''
@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1136/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 35f7ea74f..28e7408ef 100644
--- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:user.mfa.factor.deactivate
+event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.deactivate
 '''
@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
index 0cc09633b..8500b070d 100644
--- a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
+++ b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
@@ -32,7 +32,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.deactivate
+event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.deactivate
 '''
@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 852b1cafe..757b1af65 100644
--- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -31,7 +31,7 @@ tags = ["Elastic", "Okta"]
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:user.mfa.factor.reset_all
+event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.reset_all
 '''
@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-