security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

63 Commits

Author SHA1 Message Date
Terrance DeJesus 8b84c26286 [Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms (#5544) 
* [Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms
Fixes #5543

* fixed query optimization
 2026-01-12 09:40:09 -05:00
Terrance DeJesus 4e5b8be0de [Rule Tuning] New Okta Authentication Behavior Detected (#5542) 
* [Rule Tuning] New Okta Authentication Behavior Detected
Fixes #5541

* tuning New Okta Authentication Behavior Detected

* Update rules_building_block/initial_access_new_okta_authentication_behavior.toml

* updated tag, adjusted lookback window
 2026-01-12 09:01:32 -05:00
Terrance DeJesus 22a94c6e0b [New Rule] Okta Multiple OS Names Detected for a Single DT Hash (#5241) 
* [New Rule] Okta Multiple OS Names Detected for a Single DT Hash
Fixes #5240

* updated query logic

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

* fixed verbiage

* updated query logic

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added investigation guide tag

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added license field

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-11-25 00:57:08 +05:30
Eric Forte 7410ec7db9 [Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151) 
* Updated ESQL rules based on validation results

* Patch bump

* Updated regex patterns

* added missing azure fields to non-ecs-schema.json; adjusted okta query logic to use LIKE instead of RLIKE

* fixed incorrect field in non-ecs-schema.json; changed logs-azure.signinlogs* sightings to logs-azure.signinlogs-*

* Add and

* Additional non-ecs fields

* Add EOF

* Add kibana.alert.rule.name

* removed azure.platforlogs.identity.claim.objectid; updated query for 'c07f7898-5dc3-11f0-9f27-f661ea17fbcd'

* Field removed from query removing from keep

* Patch Bump

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-09-30 00:36:29 -04:00
Terrance DeJesus 02fcd43dbd [Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073) 
* updated rule logic

* adjusted similar rule; added factor specification

* updated investigation guide

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-09-11 16:24:09 -04:00
Mika Ayenson, PhD 392e0253c3 [Rule Tuning] Beats & Endgame Indices (#5072) 2025-09-09 13:19:13 -05:00
Isai b7de4f5126 [Tuning] SDH - Investigating MFA Deactivation with no Re-Activation for Okta User Account (#4986) 
* [Tuning] SDH - Investigating MFA Deactivation with no Re-Activation for Okta User Account

This tuning addresses SDH ticket by:
- replacing sequence by `okta.actor.id` with `okta.target.id` in query. This will ensure the deactivation and activation attempts are measured against the target entity. To account for instances where separate users (okta.actor.id) perform deactivation and activation actions against the same target account (okta.target.id)
- Adjusts the investigation guide to use correct target vs. actor fields

* add actor and target id fields to investigation guide

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-08-15 18:02:15 -04:00
Terrance DeJesus b28338c680 [Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912) 
* adjusted Potential Widespread Malware Infection Across Multiple Hosts

* adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source

* adjusted AWS EC2 Multi-Region DescribeInstances API Calls

* adjusted AWS Discovery API Calls via CLI from a Single Resource

* adjusted AWS Service Quotas Multi-Region  Requests

* adjusted AWS EC2 EBS Snapshot Shared or Made Public

* adjusted AWS S3 Bucket Enumeration or Brute Force

* adjusted AWS EC2 EBS Snapshot Access Removed

* adjusted Potential AWS S3 Bucket Ransomware Note Uploaded

* adjusted AWS S3 Object Encryption Using External KMS Key

* adjusted AWS S3 Static Site JavaScript File Uploaded

* adjusted AWS Access Token Used from Multiple Addresses

* adjusted AWS Signin Single Factor Console Login with Federated User

* adjusted AWS IAM AdministratorAccess Policy Attached to Group

* adjusted AWS IAM AdministratorAccess Policy Attached to Role

* adjusted AWS IAM AdministratorAccess Policy Attached to User

* adjusted AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session

* adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

* adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

* adjusted Unusual High Confidence Content Filter Blocks Detected

* adjusted Potential Abuse of Resources by High Token Count and Large Response Sizes

* AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User

* Unusual High Denied Sensitive Information Policy Blocks Detected

* adjusted Unusual High Denied Topic Blocks Detected

* adjusted AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

* adjusted Unusual High Word Policy Blocks Detected

* adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties

* adjusted Azure Entra MFA TOTP Brute Force Attempts

* adjusted Microsoft Entra ID Sign-In Brute Force Activity

* adjusted Microsoft Entra ID Exccessive Account Lockouts Detected

* adjusted Microsoft 365 Brute Force via Entra ID Sign-Ins

* deprecated Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

* adjusted Microsoft Entra ID Session Reuse with Suspicious Graph Access

* adjusted Suspicious Microsoft OAuth Flow via Auth Broker to DRS

* adjusted Potential Denial of Azure OpenAI ML Service

* adjusted Azure OpenAI Insecure Output Handling

* adjusted Potential Azure OpenAI Model Theft

* adjusted M365 OneDrive Excessive File Downloads with OAuth Token

* adjusted Multiple Microsoft 365 User Account Lockouts in Short Time Window

* adjusted Potential Microsoft 365 User Account Brute Force

* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code

* adjusted Multiple Device Token Hashes for Single Okta Session

* adjusted Multiple Okta User Authentication Events with Client Address

* adjusted Multiple Okta User Authentication Events with Same Device Token Hash

* adjusted High Number of Okta Device Token Cookies Generated for Authentication

* adjusted Okta User Sessions Started from Different Geolocations

* adjusted High Number of Egress Network Connections from Unusual Executable

* adjusted Unusual Base64 Encoding/Decoding Activity

* adjusted Potential Port Scanning Activity from Compromised Host

* adjusted Potential Subnet Scanning Activity from Compromised Host

* adjusted Unusual File Transfer Utility Launched

* adjusted Potential Malware-Driven SSH Brute Force Attempt

* adjusted Unusual Process Spawned from Web Server Parent

* adjusted Unusual Command Execution from Web Server Parent

* adjusted  Rare Connection to WebDAV Target

* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences

* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion

* adjusted Unusual File Creation by Web Server

* adjusted Potential PowerShell Obfuscation via High Special Character Proportion

* adjusted Potential Malicious PowerShell Based on Alert Correlation

* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction

* adjusted Potential PowerShell Obfuscation via String Reordering

* adjusted Potential PowerShell Obfuscation via String Concatenation

* adjusted Potential PowerShell Obfuscation via Reverse Keywords

* adjusted PowerShell Obfuscation via Negative Index String Reversal

* adjusted Dynamic IEX Reconstruction via Method String Access

* adjusted Potential Dynamic IEX Reconstruction via Environment Variables

* adjusted Potential PowerShell Obfuscation via High Numeric Character Proportion

* adjusted Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation

* adjusted Rare Connection to WebDAV Target

* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences

* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion

* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction

* adjusted Potential PowerShell Obfuscation via High Special Character Proportion

* adjusted Potential PowerShell Obfuscation via Special Character Overuse

* adjusted Potential PowerShell Obfuscation via String Reordering

* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code

* adjusted fields that were inconsistent

* adjusted additional fields

* adjusted esql to Esql

* adjusted several rules for common field names

* updating rules

* updated dates

* updated dates

* updated ESQL fields

* lowercase all functions and logical operators

* adjusted dates for unit tests

* Update Esql_priv to Esql_temp as these don't hold PII

* PowerShell adjustments

* Make query comments consistent

* update comment

* reverted 2856446a-34e6-435b-9fb5-f8f040bfa7ed

* Update rules/windows/discovery_command_system_account.toml

* removed dot notation

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-08-05 19:35:41 -04:00
shashank-elastic b70792082a Fix pipe characters in rule descriptions (#4893) 2025-07-10 15:11:20 +05:30
shashank-elastic 9b292b97ea Prep 8.19/9.1 (#4869) 
* Prep 8.19/9.1 Release

* Download Beats Schema

* Download API Schema

* Download 8.18.3 Beats Schema

* Download Latest Integrations manifest and schema

* Comment old schemas

* Update Patch version
 2025-07-07 11:27:48 -04:00
shashank-elastic 692a1382bf Fix spacing in Setup information (#4470) 2025-02-20 10:04:13 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Terrance DeJesus dad008ea34 [Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324) 
* rule tuning Okta and AWS lookback times

* adjusted Query Registry using Built-in Tools

* adjusted My First Rule

* Update rules/cross-platform/guided_onboarding_sample_rule.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-12-19 13:03:50 -05:00
Terrance DeJesus 052672b09f [Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290) 2024-12-09 20:58:33 +05:30
shashank-elastic 5ab7565923 Minstack versions for Okta and Github Integration (#4273) 2024-11-27 18:39:41 +05:30
Terrance DeJesus 61b731c300 [Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in MFA Deactivation with no Re-Activation for Okta User Account (#4145) 
* tuning

* added note about whitelisting user agent

* removed extra new line
 2024-10-16 11:41:50 -04:00
Terrance DeJesus 06319b7a13 [Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146) 
* updating ES|QL rules to include KEEP command

* fixed some ES|QL rules with typos; added validation for KEEP command

* fixed ES|QL errors from missing fields

* fixed flake errors

* updated date

* added best practices to hunt docs
 2024-10-09 21:08:38 -04:00
Terrance DeJesus 7674229f49 [New Rule] Successful Application SSO from Rare Unknown Client Device (#4141) 
* new rule 'Successful Application SSO from Rare Unknown Client Device'

* removing extra newlines

* adjusted tags; adjusted risk
 2024-10-07 12:11:57 -04:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-25 15:19:20 -05:00
Terrance DeJesus bb9a772870 [New Rule] Okta Public Client App OAuth Token Request with Client Credentials (#4074) 
* adding new rule for Okta public client app OAuth token request with client credentials

* Update detection_rules/etc/non-ecs-schema.json

* changing new terms to okta.actor.display_name

* linted; added references
 2024-09-13 14:57:49 -04:00
shashank-elastic f3b0dc1954 Prep for next release 8.16 (#3919) 2024-07-24 11:19:56 -04:00
eric-forte-elastic baee89de9b Revert "Prep for next release 8.16 (#3914)" 
This reverts commit 4245a815d2.
 2024-07-23 14:06:04 -04:00
shashank-elastic 4245a815d2 Prep for next release 8.16 (#3914) 
* Prep for Release 8.16

* Add subscription

* Remove double subscription

* Formatting

* Formatting

* Revert Beaconing rules minstack and lock version
 2024-07-23 13:04:03 -04:00
Mika Ayenson 03c99d22d3 Revert "Prep for Release 8.16 (#3913)" 
This reverts commit 01135085f6.
 2024-07-23 09:50:04 -05:00
shashank-elastic 01135085f6 Prep for Release 8.16 (#3913) 2024-07-23 09:42:26 -05:00
Terrance DeJesus 2e3aca62f0 [Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#3814) 
* tuning 'Multiple Device Token Hashes for Single Okta Session'

* adjusted file name

* updated tags

* updated file name extension

* updated min-stack comments
 2024-06-28 12:59:24 -04:00
Terrance DeJesus da8f3e4880 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) 
* adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash'

* adding new rule 'Multiple Okta User Authentication Events with Client Address'

* updating UUIDs

* removed indexes

* adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication'

* added okta outcome reason 'INVALID_CREDENTIALS' to queries

* updated risk score

* made all rules low risk score

* added user session start to rule

* updated min-stack comments
 2024-06-21 13:11:23 -04:00
Terrance DeJesus 11aab028dc [Rule Tuning] Okta User Sessions Started from Different Geolocations (#3799) 
* tuning 'Okta User Sessions Started from Different Geolocations'

* TOML linting

* updated min-stack comments

* added setup

* Removed some blank spaces
 2024-06-20 16:52:26 -04:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Terrance DeJesus 203c228249 [Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345) 
* tuning 'MFA Deactivation with no Re-Activation for Okta User Account'

* adjusted query to include like function
 2023-12-18 09:14:10 -05:00
Terrance DeJesus 631f8841ad updating min-stack for Okta rule (#3318) 2023-12-12 12:27:18 -05:00
Terrance DeJesus 93d71acb91 [New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265) 
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'

* updated non-ecs; linted rule; updated description

* adjusted interval and maxspan

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-12 10:31:45 -05:00
Terrance DeJesus 5e1546c57c [Rule Tuning] Multiple Users with the Same Okta Device Token Hash (#3304) 
* tuning rule; adding investigation guide

* updated MITRE ATT&CK

* updated file name

* Updating description

* updated investigation guide

* fixed ATT&CK mappings; updated tags
 2023-12-06 10:35:46 -05:00
Austin Songer 1f47e3c1a9 [New Rule] Okta FastPass Phishing (#2782) 
* Create initial_access_fastpass_phishing.toml

* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-11-28 09:26:16 -05:00
Terrance DeJesus e6fef85899 [New Rule] Okta MFA Bombing Attempt (#3278) 
* new rule 'Potential Okta MFA Bombing via Push Notifications'

* updated naming

* TOML lint

* adjusted duplicate rule ID

* added event category override; added until sequence statement

* added verify authentication success

* moved setup to separate field

* enhanced query optimization
 2023-11-28 09:16:20 -05:00
Terrance DeJesus 69cb2f6fc6 [New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash (#3267) 
* added new rule 'Multiple Okta Users with the Same Device Token Hash'

* moved rule to okta integration folder

* adjusted query to be optimized

* added false positive comment

* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
 2023-11-27 19:23:38 -05:00
Terrance DeJesus 0578bd4caa [New Rule] Threshold Detections for Okta User Sessions and Client Addresses (#3263) 
* new Okta threshold rules for client addresses and sessions

* adjusting references

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 19:03:06 -05:00
Terrance DeJesus 8eeb95f545 [New Rule] Detection for Okta Sign-In Events via Third-Party IdP (#3259) 
* adding new rule 'Okta Sign-In Events via Third-Party IdP'

* fix creation date

* fixed query efficiency

* added investigation guide

* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 18:31:27 -05:00
Terrance DeJesus 73288af642 adding new rule 'New Okta Identity Provider (IdP) Added by Admin' (#3258) 2023-11-27 18:06:54 -05:00
Terrance DeJesus 8321cfe018 [New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy (#3261) 
* new rule 'First Occurrence of Okta User Session Started via Proxy'

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
 2023-11-27 17:50:13 -05:00
Terrance DeJesus f19506f3a2 [New Rule] Adding Detection for New Okta Authentication Behavior (#3260) 
* new rule 'New Okta Authentication Behavior Detected'

* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-11-27 17:39:10 -05:00
Terrance DeJesus 832ee02aed [New Rule] Adding Detection Logic for Okta User Sessions Started from Different Geolocations (#3279) 
* new rule 'Okta User Sessions Started from Different Geolocations'

* Update rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
 2023-11-21 17:32:09 -05:00
Terrance DeJesus 3d57209705 [Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221) 
* adding adjusted Okta rules

* adding adjusted AWS rules

* adding adjusted AWS rules
 2023-10-24 12:51:59 -04:00
Steve Ross 4f33a40f48 [Bug] Duplicate tag on Okta rule (#3020) 
* Fix double tag on rule

* fixed all rules; added unit test

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-08-21 10:42:47 -04:00
Terrance DeJesus 0f5b5a3551 [Rule Tuning] Add Okta Investigation Guides Part 1 (#2899) 
* adding investigation guides for Okta rules

* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added MFA to investigation guide for brute forcing

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 11:47:02 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Terrance DeJesus 082e92c95c [Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion (#2854) 
* adding new rule for Okta ThreatInsight threat suspected

* added promotion tag

* removed new rule and tuned existing

* added promotion tag

* Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-21 09:47:27 -04:00
Terrance DeJesus 71d12bdda4 [Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests (#2682) 
* add promotion to rulemeta schema class and updated promotion rules

* add promotion to rulemeta schema class and updated promotion rules

* adjusted test_integration_tag and okta rule missing dataset

* fixed flake errors

* updated manifests and schemas to include cloud defend
 2023-04-03 09:42:40 -04:00