Closed terrancedejesus closed 3 months ago
This meta will be started today, starting with setting up SAML authentication with 1-2 third-party integrations in Okta and ensuring monitoring is still established. The following is tasked for this week. There may need to be separate metas to tackle the other SAML abuse techniques originally listed. Therefore, I have renamed this to SAMLjacking and put the others as a stretch.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
Parent Epic (If Applicable)
Meta Summary
This meta will be used to track expanded Okta detection rule coverage specifically for SAML-related events. SAML is an authentication standard/protocol commonly used in SaaS platforms. SAML is web-based and implemented on both the service provider (SP) and identity provider (IdP) for authentication. SAML data visibility is reliant on URI patterns, HTTP(S) request and response bodies, and more; however, Okta system logs include most of this information. This research is likely to carry over to other SaaS integrations (Google Workspace, GitHub, Slack) where similar detections can be created.
Plan:
Estimated Time to Complete
4 weeks
Potential Blockers
Tasklist
Resources / References