security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev-v1.5.13
sigma-rules/rules/integrations/okta
T
History
Eric Forte 7410ec7db9 [Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151) 
* Updated ESQL rules based on validation results

* Patch bump

* Updated regex patterns

* added missing azure fields to non-ecs-schema.json; adjusted okta query logic to use LIKE instead of RLIKE

* fixed incorrect field in non-ecs-schema.json; changed logs-azure.signinlogs* sightings to logs-azure.signinlogs-*

* Add and

* Additional non-ecs fields

* Add EOF

* Add kibana.alert.rule.name

* removed azure.platforlogs.identity.claim.objectid; updated query for 'c07f7898-5dc3-11f0-9f27-f661ea17fbcd'

* Field removed from query removing from keep

* Patch Bump

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-30 00:36:29 -04:00
..
credential_access_attempted_bypass_of_okta_mfa.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
credential_access_attempts_to_brute_force_okta_user_account.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
credential_access_multiple_device_token_hashes_for_single_okta_session.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
credential_access_okta_authentication_for_multiple_users_from_single_source.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
credential_access_okta_brute_force_or_password_spraying.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
credential_access_okta_mfa_bombing_via_push_notifications.toml
[Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073)
2025-09-11 16:24:09 -04:00
credential_access_okta_multiple_device_token_hashes_for_single_user.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
[Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073)
2025-09-11 16:24:09 -04:00
credential_access_user_impersonation_access.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_attempt_to_deactivate_okta_network_zone.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_attempt_to_delete_okta_network_zone.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_delete_okta_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_okta_attempt_to_modify_okta_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_attempt_to_revoke_okta_api_token.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_okta_attempt_to_deactivate_okta_application.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_okta_attempt_to_delete_okta_application.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_okta_attempt_to_modify_okta_application.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
impact_possible_okta_dos_attack.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_first_occurrence_user_session_started_via_proxy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_new_authentication_behavior_detection.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_okta_fastpass_phishing.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_okta_user_attempted_unauthorized_access.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_okta_user_sessions_started_from_different_geolocations.toml
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
initial_access_sign_in_events_via_third_party_idp.toml
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
initial_access_successful_application_sso_from_unknown_client_device.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
initial_access_suspicious_activity_reported_by_okta_user.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
lateral_movement_multiple_sessions_for_single_user.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
okta_threatinsight_threat_suspected_promotion.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_administrator_privileges_assigned_to_okta_group.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_administrator_role_assigned_to_okta_user.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_attempt_to_create_okta_api_token.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_mfa_deactivation_with_no_reactivation.toml
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
persistence_new_idp_successfully_added_by_admin.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00