security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5d3e17eaffbb65ad13df6959e278a2c9fe64fd72
sigma-rules/rules/integrations/okta
T
History
Terrance DeJesus 8593116f58 [New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752) 
* [New Rule] Okta User Authentication via Proxy Followed by Security Alert
Fixes #5751

* adjusted to EQL

* fixed syntax

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* removed defense evasion; adjusted maxspan to 30m

* removed Okta tag

* adding Okta back as integration tag

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2026-02-26 11:32:25 -05:00
..
credential_access_attempted_bypass_of_okta_mfa.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
credential_access_attempts_to_brute_force_okta_user_account.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
credential_access_multiple_device_token_hashes_for_single_okta_session.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
credential_access_multiple_user_agent_os_authentication.toml
[New Rule] Okta Multiple OS Names Detected for a Single DT Hash (#5241)
2025-11-25 00:57:08 +05:30
credential_access_okta_aitm_session_cookie_replay.toml
[New Rule] Okta AiTM Session Cookie Replay Detection (#5627)
2026-01-29 08:58:59 -05:00
credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
credential_access_okta_brute_force_device_token_rotation.toml
[Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements (#5723)
2026-02-20 13:36:25 -05:00
credential_access_okta_brute_force_multi_source.toml
[Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements (#5723)
2026-02-20 13:36:25 -05:00
credential_access_okta_credential_stuffing_single_source.toml
[Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements (#5723)
2026-02-20 13:36:25 -05:00
credential_access_okta_mfa_bombing_via_push_notifications.toml
[Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073)
2025-09-11 16:24:09 -04:00
credential_access_okta_password_spray_multi_source.toml
[Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements (#5723)
2026-02-20 13:36:25 -05:00
credential_access_okta_password_spray_single_source.toml
[Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements (#5723)
2026-02-20 13:36:25 -05:00
credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
[Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073)
2025-09-11 16:24:09 -04:00
credential_access_okta_successful_login_after_credential_attack.toml
[Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements (#5723)
2026-02-20 13:36:25 -05:00
credential_access_user_impersonation_access.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_attempt_to_deactivate_okta_network_zone.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_attempt_to_delete_okta_network_zone.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_delete_okta_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_modify_okta_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_attempt_to_revoke_okta_api_token.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_okta_attempt_to_deactivate_okta_application.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_okta_attempt_to_delete_okta_application.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_okta_attempt_to_modify_okta_application.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_possible_okta_dos_attack.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_first_occurrence_user_session_started_via_proxy.toml
[New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752)
2026-02-26 11:32:25 -05:00
initial_access_okta_fastpass_phishing.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_okta_suspicious_activity_after_proxy_authentication.toml
[New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752)
2026-02-26 11:32:25 -05:00
initial_access_okta_user_attempted_unauthorized_access.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_okta_user_sessions_started_from_different_geolocations.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
initial_access_sign_in_events_via_third_party_idp.toml
[Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms (#5544)
2026-01-12 09:40:09 -05:00
initial_access_successful_application_sso_from_unknown_client_device.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_suspicious_activity_reported_by_okta_user.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
lateral_movement_multiple_sessions_for_single_user.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
okta_threatinsight_threat_suspected_promotion.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_administrator_privileges_assigned_to_okta_group.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_administrator_role_assigned_to_okta_user.toml
[Rule Tuning] Okta User Assigned Administrator Role (#5671)
2026-02-12 09:33:25 -05:00
persistence_attempt_to_create_okta_api_token.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_mfa_deactivation_with_no_reactivation.toml
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
persistence_new_idp_successfully_added_by_admin.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00