50e23ba242
* updating python code for hunting library * fixed okta queries; added MITRE search capability * fixed hunting unit test imports * fixed duplicate UUID; fixed duplicate index entry bug * fixed technique finding sub-technique in search * added more unit tests * linted * flake errors addressed; fixed unit test import; fixed markdown generate bug * added description for generate-markdown command * updated README * adjusted YAML index, adjusted code for index changes * adjusted relative imports; updated CODEOWNERS * adding updates; moving to different branch for main dependencies * finished run-query command; made some code adjustments * removed some comments * revised makefile; fixed unit tests; adjusted detection rules pyproject * updated README * updated README * adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands * adjusted package to be more object-oriented * removed unused variable * Add simple breakdown stats * addressed feedback; added keyword option for search * Update hunting/README.md Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update detection_rules/etc/test_hunting_cli.bash Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> * addressing feedback * addressed feedback * added message for unknown index; fixed function call * fixed search command * fixed flake error --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
1.9 KiB
Rare Occurrence of Domain with User Authentication Events
Metadata
- Author: Elastic
- Description: This hunting query identifies rare occurrences of user authentication events for an Okta user whose registered user account email address has a domain that is not commonly seen in the organization. Adversaries may use compromised credentials or tokens to create a new user account with a domain that is not commonly seen in the organization because they do not have access to a valid email address within that domain.
- UUID: f3bc68f4-71e9-11ef-952e-f661ea17fbcc
- Integration: okta
- Language: [ES|QL]
- Source File: Rare Occurrence of Domain with User Authentication Events
Query
```sql
from logs-okta*
| where @timestamp > NOW() - 7 day
| where
// Filter for user authentication events
okta.actor.alternate_id is not null
and event.action LIKE "user.authentication*"
// Extract the email domain (everything after the "@", stored here as tld) from the user's email address
| dissect okta.actor.alternate_id "%{}@%{tld}"
// Count the number of user authentication events for each domain
| stats tld_auth_counts = count(*) by tld
// Keep only domains with 5 or fewer user authentication events in the window
| where tld_auth_counts <= 5
// Sort the results by the number of user authentication events in ascending order
| sort tld_auth_counts asc
```
Notes
- Pivot into potentially compromised accounts by searching for the `okta.actor.alternate_id` in `okta.target` where `event.action` is `user.lifecycle.create`. This would identify when the user account was created. The `okta.actor.alternate_id` of this event will also be the potentially compromised account.
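The following is an added offline re-implementation of the ES|QL hunt above together with the account-creation pivot from the Notes; it is example code written for this page, not code from the detection-rules repository. It assumes events arrive as dicts keyed by the flattened Elastic field names and that `okta.target` is a list of dicts with an `alternate_id` key per target user; the sample events, the fixed `NOW`, and the domain names are all constructed. It generalizes the pivot slightly by matching any created user whose email domain is one of the rare domains, rather than a single alternate_id.

```python
"""Offline replay of the 'rare domain' Okta hunt and its user.lifecycle.create pivot."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the query's 7-day window is reproducible (constructed value).
NOW = datetime(2024, 9, 12, 12, 0, tzinfo=timezone.utc)


def _ev(ts, action, actor, targets=()):
    """Build one constructed Okta event in the assumed flattened shape."""
    return {
        "@timestamp": ts,
        "event.action": action,
        "okta.actor.alternate_id": actor,
        "okta.target": [{"type": "User", "alternate_id": t} for t in targets],
    }


# Constructed sample: a common domain (6 logins), a partner domain (2 logins), and a
# never-seen domain whose account is created by bob and then logs in once.
SAMPLE_EVENTS = [
    _ev("2024-09-11T08:00:00Z", "user.authentication.sso", "alice@corp.example"),
    _ev("2024-09-11T08:05:00Z", "user.authentication.sso", "bob@corp.example"),
    _ev("2024-09-11T09:00:00Z", "user.authentication.auth_via_mfa", "alice@corp.example"),
    _ev("2024-09-11T10:00:00Z", "user.authentication.sso", "bob@corp.example"),
    _ev("2024-09-11T11:00:00Z", "user.authentication.sso", "carol@corp.example"),
    _ev("2024-09-11T12:00:00Z", "user.authentication.sso", "carol@corp.example"),
    _ev("2024-09-11T13:00:00Z", "user.authentication.sso", "dan@partner.example"),
    _ev("2024-09-11T14:00:00Z", "user.authentication.sso", "dan@partner.example"),
    _ev("2024-09-11T15:00:00Z", "user.lifecycle.create", "bob@corp.example", ["svc@unseen.example"]),
    _ev("2024-09-11T15:30:00Z", "user.authentication.sso", "svc@unseen.example"),
    # Outside the 7-day window, a non-auth action, and a null actor: all must be ignored.
    _ev("2024-08-01T08:00:00Z", "user.authentication.sso", "old@stale.example"),
    _ev("2024-09-11T16:00:00Z", "user.session.start", "eve@other.example"),
    _ev("2024-09-11T17:00:00Z", "user.authentication.sso", None),
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the sample ("Z" suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def email_domain(alternate_id):
    """Mirror `dissect okta.actor.alternate_id "%{}@%{tld}"`: text after the first '@'."""
    if not alternate_id or "@" not in alternate_id:
        return None  # dissect would not match, so the row drops out of the stats
    return alternate_id.split("@", 1)[1]


def rare_domains(events, now=NOW, days=7, threshold=5):
    """Domains with <= threshold user.authentication* events in the window, rarest first."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for ev in events:
        if _ts(ev["@timestamp"]) <= cutoff:
            continue
        actor = ev.get("okta.actor.alternate_id")
        if actor is None or not ev.get("event.action", "").startswith("user.authentication"):
            continue
        domain = email_domain(actor)
        if domain is not None:
            counts[domain] += 1
    rare = [(domain, n) for domain, n in counts.items() if n <= threshold]
    return sorted(rare, key=lambda item: item[1])


def pivot_account_creation(events, domains, now=NOW, days=7):
    """Notes pivot: user.lifecycle.create events whose target user belongs to a rare domain.

    Each hit records the created account, the actor who created it (the potentially
    compromised account) and when it happened.
    """
    cutoff = now - timedelta(days=days)
    hits = []
    for ev in events:
        if ev.get("event.action") != "user.lifecycle.create" or _ts(ev["@timestamp"]) <= cutoff:
            continue
        for target in ev.get("okta.target", []):
            created = target.get("alternate_id")
            if email_domain(created) in domains:
                hits.append({"created": created,
                             "created_by": ev.get("okta.actor.alternate_id"),
                             "timestamp": ev["@timestamp"]})
    return hits


if __name__ == "__main__":
    rare = rare_domains(SAMPLE_EVENTS)
    print("rare domains:", rare)
    print("creation pivot:", pivot_account_creation(SAMPLE_EVENTS, {d for d, _ in rare}))
```

Running the script lists `unseen.example` and `partner.example` as rare (corp.example has six logins and is excluded) and the pivot attributes the creation of `svc@unseen.example` to `bob@corp.example`, which is the account an analyst would examine next.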
MITRE ATT&CK Techniques
License
Elastic License v2