[New Rule] Threshold Detections for Okta User Sessions and Client Addresses (#3263)
* new Okta threshold rules for client addresses and sessions
* adjusting references
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 0578bd4caa)
This commit is contained in:
Terrance DeJesus
committed by
github-actions[bot]
github-actions[bot]
parent
bff1ce7e5d
commit
f3d55185c2
+67
@@ -0,0 +1,67 @@
|
||||
[metadata]
|
||||
creation_date = "2023/11/08"
|
||||
integration = ["okta"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
|
||||
min_stack_version = "8.10.0"
|
||||
updated_date = "2023/11/08"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources.
|
||||
"""
|
||||
from = "now-30m"
|
||||
interval = "60m"
|
||||
index = ["filebeat-*", "logs-okta*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Multiple Okta Client Addresses for a Single User Session"
|
||||
note = """## Setup
|
||||
|
||||
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
||||
references = [
|
||||
"https://developer.okta.com/docs/reference/api/system-log/",
|
||||
"https://developer.okta.com/docs/reference/api/event-types/",
|
||||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
|
||||
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd"
|
||||
severity = "medium"
|
||||
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "threshold"
|
||||
query = '''
|
||||
event.dataset:okta.system
|
||||
and okta.authentication_context.external_session_id:* and okta.debug_context.debug_data.dt_hash:*
|
||||
and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1078"
|
||||
name = "Valid Accounts"
|
||||
reference = "https://attack.mitre.org/techniques/T1078/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1078.004"
|
||||
name = "Cloud Accounts"
|
||||
reference = "https://attack.mitre.org/techniques/T1078/004/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0001"
|
||||
name = "Initial Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0001/"
|
||||
|
||||
[rule.threshold]
|
||||
field = ["okta.actor.id", "okta.authentication_context.external_session_id"]
|
||||
value = 1
|
||||
|
||||
[[rule.threshold.cardinality]]
|
||||
field = "okta.debug_context.debug_data.dt_hash"
|
||||
value = 2
|
||||
|
||||
@@ -0,0 +1,69 @@
|
||||
[metadata]
|
||||
creation_date = "2023/11/07"
|
||||
integration = ["okta"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
|
||||
min_stack_version = "8.10.0"
|
||||
updated_date = "2023/11/07"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.
|
||||
"""
|
||||
false_positives = [
|
||||
"A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.",
|
||||
]
|
||||
from = "now-30m"
|
||||
interval = "60m"
|
||||
index = ["filebeat-*", "logs-okta*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Multiple Okta Sessions Detected for a Single User"
|
||||
note = """## Setup
|
||||
|
||||
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
||||
references = [
|
||||
"https://developer.okta.com/docs/reference/api/system-log/",
|
||||
"https://developer.okta.com/docs/reference/api/event-types/",
|
||||
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
|
||||
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
|
||||
severity = "medium"
|
||||
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "threshold"
|
||||
query = '''
|
||||
event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
|
||||
and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1550"
|
||||
name = "Use Alternate Authentication Material"
|
||||
reference = "https://attack.mitre.org/techniques/T1550/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1550.004"
|
||||
name = "Web Session Cookie"
|
||||
reference = "https://attack.mitre.org/techniques/T1550/004/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
name = "Lateral Movement"
|
||||
reference = "https://attack.mitre.org/tactics/TA0008/"
|
||||
|
||||
[rule.threshold]
|
||||
field = ["okta.actor.id"]
|
||||
value = 1
|
||||
|
||||
[[rule.threshold.cardinality]]
|
||||
field = "okta.authentication_context.external_session_id"
|
||||
value = 3
|
||||
|
||||
Reference in New Issue
Block a user