When testing the Okta rules against sample Okta log data, I identified issues with the rule that detects new behaviors on Admin Console accesses, due to the data being structured differently to my original assumptions. I also noted that my original description was not accurate and that the level of the rule was lower than (I think) it should be, based on the detection conditions.
Changelog
update: Okta New Admin Console Behaviours - update to reflect Okta log data structure
Example Log Event
This was causing false negatives, not false positives. An example behavior is structured as follows:
"behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}"
Fixed Issues
SigmaHQ Rule Creation Conventions
If your PR adds new rules, please consider following and applying these conventions
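As an added illustration (not code from this PR or from the Sigma rule), the Python below parses the flattened `behaviors` string shown in the Example Log Event above and contrasts the original nested-object assumption, which can never match, with a check that parses the string first. The `POSITIVE` verdict value for a newly observed behavior and the two sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Okta ships the behavior evaluation as ONE string, e.g.
# "{New Geo-Location=NEGATIVE, New Device=POSITIVE, ...}", not as a nested
# object, so a field-path match such as behaviors.New Device never fires.
_PAIR_RE = re.compile(r"([^{},=]+?)\s*=\s*([A-Z_]+)")


def parse_behaviors(raw: str) -> Dict[str, str]:
    """Parse the flattened behaviors string into {behavior name: verdict}."""
    return {name.strip(): verdict for name, verdict in _PAIR_RE.findall(raw)}


def flagged_behaviors(raw: str, hit: str = "POSITIVE") -> List[str]:
    """Return the behaviors Okta marked as new (assumes 'POSITIVE' is the hit value)."""
    return sorted(name for name, verdict in parse_behaviors(raw).items() if verdict == hit)


def naive_structured_match(event: dict) -> bool:
    """The original assumption: behaviors is a dict. It is a str, so this always misses."""
    behaviors = event.get("behaviors")
    if not isinstance(behaviors, dict):
        return False
    return any(v == "POSITIVE" for v in behaviors.values())


def string_aware_match(event: dict) -> bool:
    """Corrected check: parse the string form before looking for any new behavior."""
    raw = event.get("behaviors", "")
    if isinstance(raw, dict):  # tolerate an already-structured field as well
        raw = ", ".join(f"{k}={v}" for k, v in raw.items())
    return bool(flagged_behaviors(raw))


# Constructed sample events (not taken from real Okta logs)
BENIGN = {"behaviors": "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, "
                       "New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}"}
SUSPECT = {"behaviors": "{New Geo-Location=POSITIVE, New Device=POSITIVE, New IP=NEGATIVE, "
                        "New State=NEGATIVE, New Country=POSITIVE, Velocity=NEGATIVE, New City=NEGATIVE}"}

if __name__ == "__main__":
    for label, ev in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "naive:", naive_structured_match(ev),
              "string-aware:", string_aware_match(ev), flagged_behaviors(ev["behaviors"]))
```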