security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7693d785aad70787971432c9d7511e7166312921
sigma-rules/rules/integrations/okta
T
History
Terrance DeJesus da8f3e4880 [New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797) 
* adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash'

* adding new rule 'Multiple Okta User Authentication Events with Client Address'

* updating UUIDs

* removed indexes

* adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication'

* added okta outcome reason 'INVALID_CREDENTIALS' to queries

* updated risk score

* made all rules low risk score

* added user session start to rule

* updated min-stack comments
2024-06-21 13:11:23 -04:00
..
credential_access_attempted_bypass_of_okta_mfa.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
credential_access_attempts_to_brute_force_okta_user_account.toml
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
2024-01-17 14:14:38 -05:00
credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
[Rule Tuning] Multiple Users with the Same Okta Device Token Hash (#3304)
2023-12-06 10:35:46 -05:00
credential_access_okta_authentication_for_multiple_users_from_single_source.toml
[New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797)
2024-06-21 13:11:23 -04:00
credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
[New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797)
2024-06-21 13:11:23 -04:00
credential_access_okta_brute_force_or_password_spraying.toml
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
2024-01-17 14:14:38 -05:00
credential_access_okta_mfa_bombing_via_push_notifications.toml
[Security Content] Small tweaks on the setup guides (#3308)
2024-03-11 09:09:40 -03:00
credential_access_okta_multiple_device_token_hashes_for_single_user.toml
[New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor (#3797)
2024-06-21 13:11:23 -04:00
credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
[New Rule] Okta MFA Bombing Attempt (#3278)
2023-11-28 09:16:20 -05:00
credential_access_user_impersonation_access.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_attempt_to_deactivate_okta_network_zone.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_attempt_to_delete_okta_network_zone.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_okta_attempt_to_delete_okta_policy.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_okta_attempt_to_modify_okta_policy.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
2024-01-17 14:14:38 -05:00
impact_attempt_to_revoke_okta_api_token.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
impact_okta_attempt_to_deactivate_okta_application.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
impact_okta_attempt_to_delete_okta_application.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
impact_okta_attempt_to_modify_okta_application.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
impact_possible_okta_dos_attack.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
initial_access_first_occurrence_user_session_started_via_proxy.toml
[New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy (#3261)
2023-11-27 17:50:13 -05:00
initial_access_multiple_client_addresses_with_single_okta_session.toml
[New Rule] Threshold Detections for Okta User Sessions and Client Addresses (#3263)
2023-11-27 19:03:06 -05:00
initial_access_new_authentication_behavior_detection.toml
[New Rule] Adding Detection for New Okta Authentication Behavior (#3260)
2023-11-27 17:39:10 -05:00
initial_access_okta_fastpass_phishing.toml
updating min-stack for Okta rule (#3318)
2023-12-12 12:27:18 -05:00
initial_access_okta_user_attempted_unauthorized_access.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
initial_access_okta_user_sessions_started_from_different_geolocations.toml
[Rule Tuning] Okta User Sessions Started from Different Geolocations (#3799)
2024-06-20 16:52:26 -04:00
initial_access_sign_in_events_via_third_party_idp.toml
[New Rule] Detection for Okta Sign-In Events via Third-Party IdP (#3259)
2023-11-27 18:31:27 -05:00
initial_access_suspicious_activity_reported_by_okta_user.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
lateral_movement_multiple_sessions_for_single_user.toml
[New Rule] Threshold Detections for Okta User Sessions and Client Addresses (#3263)
2023-11-27 19:03:06 -05:00
okta_threatinsight_threat_suspected_promotion.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
persistence_administrator_privileges_assigned_to_okta_group.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
persistence_administrator_role_assigned_to_okta_user.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
persistence_attempt_to_create_okta_api_token.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
persistence_mfa_deactivation_with_no_reactivation.toml
[Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345)
2023-12-18 09:14:10 -05:00
persistence_new_idp_successfully_added_by_admin.toml
adding new rule 'New Okta Identity Provider (IdP) Added by Admin' (#3258)
2023-11-27 18:06:54 -05:00
persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221)
2023-10-24 12:51:59 -04:00
persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265)
2023-12-12 10:31:45 -05:00