elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Meta] Expand Okta Rule Coverage - SAMLjacking #3352

Closed terrancedejesus closed 3 months ago

terrancedejesus commented 11 months ago

Parent Epic (If Applicable)

Meta Summary

This meta will be used to track expanded Okta detection rule coverage specifically for SAML-related events. SAML is an authentication standard/protocol commonly used in SaaS platforms. SAML is web-based and implemented on both the service provider (SP) and identity provider (IdP) for authentication. SAML data visibility is reliant on URI patterns, HTTP(S) request and response bodies and more; however, Okta system logs include most of this information. This research is likely to carry over to other SaaS integrations (Google Workspace, GitHub, Slack) where similar detections can be created.

Plan:

Estimated Time to Complete

4-Weeks

Potential Blockers

Tasklist

### Meta Tasks
- [x] Provide Week 1 Update Comment
- [ ] Provide Week 2 Update or Closeout Comment
- [ ] SAML Enumeration (ACS endpoint identification)
- [ ] SAMLjacking
- [ ] SAMLbackdoor
- [ ] XML Signature Wrapping (SAML Raider)
- [ ] Certificate Faking (Self-Signed Certificate - Relies on trust between SP and IdP)
#### Detection Rules

Resources / References
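The tasklist above names four SAML abuse categories (ACS endpoint / SAMLjacking, signature wrapping, certificate faking, plus the unsigned-assertion case). As an added example that is not code from elastic/detection-rules, Okta, or the issue author, the following Python runs detection-style checks over the kind of data the summary mentions, the `SAMLResponse` form body POSTed to an SP's ACS endpoint. The expected ACS URL, IdP entity ID, certificate bytes, assertion IDs and sample POST bodies are all constructed for the example; the "certificate" is a placeholder byte string, not a real X.509 certificate, and the code pins its SHA-256 fingerprint rather than cryptographically verifying the XML signature (a real SP must do that with a SAML library).

```python
"""Detection-style checks over SAML Response POSTs to an ACS endpoint.

Added example, not from elastic/detection-rules or Okta. All inputs are
constructed inline; the IdP certificate is a placeholder, not a real cert.
"""
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed SP/IdP parameters (made-up tenants, not real endpoints).
EXPECTED_ACS = "https://sp.example.com/saml/acs"
EXPECTED_ISSUER = "https://idp.example.com/saml"
TRUSTED_CERT = b"placeholder-idp-cert-bytes"  # constructed stand-in for DER cert bytes
TRUSTED_FP = hashlib.sha256(TRUSTED_CERT).hexdigest()


def fingerprint(cert_b64):
    """SHA-256 of the base64-decoded X509Certificate element content."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def inspect_saml_post(body):
    """Return findings for one application/x-www-form-urlencoded ACS POST body."""
    form = urllib.parse.parse_qs(body)
    if "SAMLResponse" not in form:
        return ["no SAMLResponse parameter"]
    findings = []
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))

    # 1. SAMLjacking / ACS enumeration: response addressed to an unexpected ACS.
    dest = root.get("Destination")
    if dest != EXPECTED_ACS:
        findings.append(f"unexpected Destination {dest!r}")

    # 2. Issuer must be the configured IdP.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        findings.append(f"unexpected Issuer {issuer!r}")

    # 3. XML signature wrapping: more than one Assertion anywhere in the document,
    #    or a Signature whose Reference URI does not point at its own Assertion.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"{len(assertions)} Assertion elements (expected 1)")
    for a in assertions:
        aid = a.get("ID", "")
        sig = a.find("ds:Signature", NS)
        if sig is None:
            findings.append(f"assertion {aid!r} is unsigned")
            continue
        ref = sig.find(".//ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        if uri != "#" + aid:
            findings.append(f"signature Reference {uri!r} does not cover assertion {aid!r}")
        # 4. Certificate faking: signing cert is not the pinned IdP certificate.
        cert = sig.findtext(".//ds:X509Certificate", namespaces=NS)
        if cert is None or fingerprint(cert.strip()) != TRUSTED_FP:
            findings.append(f"assertion {aid!r} signed with unpinned certificate")
    return findings


# --- constructed sample traffic (not captured from any real tenant) ---
def _assertion(aid, cert_b64, ref_uri=None):
    ref_uri = ref_uri or "#" + aid
    return (f'<saml:Assertion ID="{aid}" Version="2.0">'
            f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            f'</ds:Signature><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            f'</saml:Subject></saml:Assertion>')


def _response(dest, issuer, assertions_xml):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0" Destination="{dest}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>{assertions_xml}</samlp:Response>')


def _post(xml_text):
    b64 = base64.b64encode(xml_text.encode()).decode()
    return urllib.parse.urlencode({"SAMLResponse": b64, "RelayState": "/"})


GOOD_CERT = base64.b64encode(TRUSTED_CERT).decode()
FAKE_CERT = base64.b64encode(b"attacker-self-signed-cert-bytes").decode()

SAMPLE_POSTS = {
    "benign": _post(_response(EXPECTED_ACS, EXPECTED_ISSUER, _assertion("_a1", GOOD_CERT))),
    "samljacking": _post(_response("https://evil.example.net/acs", EXPECTED_ISSUER,
                                   _assertion("_a1", GOOD_CERT))),
    "wrapping": _post(_response(EXPECTED_ACS, EXPECTED_ISSUER,
                                _assertion("_a1", GOOD_CERT)
                                + _assertion("_evil", GOOD_CERT, ref_uri="#_a1"))),
    "fake_cert": _post(_response(EXPECTED_ACS, EXPECTED_ISSUER, _assertion("_a1", FAKE_CERT))),
}

if __name__ == "__main__":
    for name, body in SAMPLE_POSTS.items():
        print(name, inspect_saml_post(body))
```

The benign sample produces no findings; the SAMLjacking sample trips only the Destination check, the wrapping sample trips both the assertion count and the Reference URI check, and the self-signed sample trips only the certificate pin. The same checks map onto log-based detections where the ACS/destination URL, issuer and signing certificate are recorded by the IdP.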

terrancedejesus commented 10 months ago

Update 01-16-2023

This meta will be started today, starting with setting up SAML authentication with 1-2 third-party integrations in Okta and ensuring monitoring is still established. The following is tasked for this week. There may need to be separate metas to tackle the other SAML abuse techniques originally listed. Therefore, I have renamed this to SAMLjacking and put the others as a stretch.

botelastic[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 8 months ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

botelastic[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 6 months ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

botelastic[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 3 months ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.