Closed BCall-BT closed 4 months ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@BCall-BT - Thanks for another recommendation! I've adjusted this rule via #3799. Please feel free to review and add any additional recommendations.
Link to rule
https://github.com/elastic/detection-rules/blob/298d1bce0d6d295a390cf68e5e4983ad48760f5a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml#
Description
This generates a high number of false positives as there is no validation for it being a successful sign-in. There are many actions that will generate an okta.event_type:user.session.start without a session starting. You will need to add either an "and okta.outcome.result:SUCCESS" or exclude unknown okta.actor.id values ("not okta.actor.id:unknown").
Example Data
event.dataset:okta.system and okta.event_type:user.session.start and okta.outcome.result:SUCCESS and not okta.security_context.is_proxy:true and okta.actor.id: and client.geo.country_name:
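To show the effect of the suggested change on the rule's noise, here is an added example (my own code, not part of the issue or the detection-rules repository) that evaluates constructed Okta system-log events with and without the outcome/actor checks. It assumes the rule fires when one actor starts sessions from two or more distinct countries; the real rule's threshold logic is not shown on this page.

```python
from collections import defaultdict

# Constructed sample events (not real Okta data); keys mirror the fields the rule uses.
EVENTS = [
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u1", "client.geo.country_name": "United States",
     "okta.security_context.is_proxy": False},
    # A failed attempt from abroad: no session actually started for this user.
    {"okta.event_type": "user.session.start", "okta.outcome.result": "FAILURE",
     "okta.actor.id": "00u1", "client.geo.country_name": "Brazil",
     "okta.security_context.is_proxy": False},
    # Unresolved-actor attempts: Okta reports the actor as "unknown".
    {"okta.event_type": "user.session.start", "okta.outcome.result": "FAILURE",
     "okta.actor.id": "unknown", "client.geo.country_name": "Germany",
     "okta.security_context.is_proxy": False},
    {"okta.event_type": "user.session.start", "okta.outcome.result": "FAILURE",
     "okta.actor.id": "unknown", "client.geo.country_name": "Japan",
     "okta.security_context.is_proxy": False},
    # A genuine case: two successful logins from two countries for one actor.
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u2", "client.geo.country_name": "United States",
     "okta.security_context.is_proxy": False},
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u2", "client.geo.country_name": "Russia",
     "okta.security_context.is_proxy": False},
]

def base_filter(e):
    """Filter as described in the issue: session.start, non-proxy, actor and country present."""
    return (e.get("okta.event_type") == "user.session.start"
            and e.get("okta.security_context.is_proxy") is not True
            and bool(e.get("okta.actor.id")) and bool(e.get("client.geo.country_name")))

def tightened_filter(e):
    """Base filter plus both suggested conditions: successful outcome and a resolved actor."""
    return (base_filter(e)
            and e.get("okta.outcome.result") == "SUCCESS"
            and e.get("okta.actor.id") != "unknown")

def flagged_actors(events, keep, min_countries=2):
    """Actor ids seen starting sessions from at least min_countries distinct countries (assumed threshold)."""
    countries = defaultdict(set)
    for e in events:
        if keep(e):
            countries[e["okta.actor.id"]].add(e["client.geo.country_name"])
    return sorted(actor for actor, seen in countries.items() if len(seen) >= min_countries)

if __name__ == "__main__":
    print("without outcome check:", flagged_actors(EVENTS, base_filter))
    print("with outcome check:   ", flagged_actors(EVENTS, tightened_filter))
```

With the base filter, the failed attempt and the "unknown" actor both produce alerts; with the tightened filter only the actor with two successful logins from different countries remains.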