From f11e9f8302be0fec925d199469b203db79cebc62 Mon Sep 17 00:00:00 2001
From: David French <56409778+threat-punter@users.noreply.github.com>
Date: Wed, 18 Nov 2020 08:59:23 -0700
Subject: [PATCH] [New Rule] Administrator Role Assigned to Okta User (#489)
* Create persistence_administrator_role_assigned_to_okta_user.toml
* set maturity to production
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Reorder references to put the most relevant at the top
* tweak rule name
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...inistrator_role_assigned_to_okta_user.toml | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
diff --git a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
new file mode 100644
index 000000000..b2348db1b
--- /dev/null
+++ b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2020/11/06"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/11/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator
+role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's
+environment.
+"""
+false_positives = [
+    """
+    Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected.
+    Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+index = ["filebeat-*", "logs-okta*"]
+language = "kuery"
+license = "Elastic License"
+name = "Administrator Role Assigned to an Okta User"
+note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+references = [
+    "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+    "https://developer.okta.com/docs/reference/api/system-log/",
+    "https://developer.okta.com/docs/reference/api/event-types/",
+]
+risk_score = 47
+rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
+severity = "medium"
+tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
+type = "query"
+
+query = '''
+event.dataset:okta.system and event.action:user.account.privilege.grant
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
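Review bot: The query `event.dataset:okta.system and event.action:user.account.privilege.grant` matches every privilege grant in the Okta system log without distinguishing which administrator role was assigned, so a Super Administrator grant and a narrowly scoped admin grant both surface at `risk_score = 47` / `severity = "medium"`, and neither the description nor the false-positive text says so. The `note` field gives only the ingestion prerequisite; extending it with triage guidance would tell the analyst what to check before accepting the grant as expected, e.g. `note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule. Triage: confirm the actor that performed the grant, the target user and the role named in the event before treating the grant as expected Super Admin activity."`. The role and target are presumably carried in the Okta system-log target fields shipped by the Filebeat module, but confirm the exact field names against the module's field list before naming them in the note. As a point of style, `[[rule.threat.technique]]` follows `framework = "MITRE ATT&CK"` with no blank line while the other table headers are separated by two blank lines; one blank line before each header would keep the file consistent.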