security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Administrator Role Assigned to Okta User (#489)

Browse Source 
* Create persistence_administrator_role_assigned_to_okta_user.toml

* set maturity to production

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Reorder references to put the most relevant at the top

* tweak rule name

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
This commit is contained in:
David French
2020-11-18 08:59:23 -07:00
committed by GitHub
parent eb487f9433
commit f11e9f8302
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
+52
View File
@@ -0,0 +1,52 @@
[metadata]
creation_date = "2020/11/06"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/06"
[rule]
author = ["Elastic"]
description = """
Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator
role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's
environment.
"""
false_positives = [
"""
Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected.
Exceptions can be added to this rule to filter expected behavior.
""",
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License"
name = "Administrator Role Assigned to an Okta User"
note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
references = [
"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 47
rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
severity = "medium"
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
event.dataset:okta.system and event.action:user.account.privilege.grant
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"