elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Okta User Sessions Started from Different Geolocations #3438

Closed BCall-BT closed 4 months ago

BCall-BT commented 9 months ago

Link to rule

https://github.com/elastic/detection-rules/blob/298d1bce0d6d295a390cf68e5e4983ad48760f5a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml#

Description

This generates a high number of False Positives as there is no validation for it being a successful sign-in. There are many actions that will generate an okta.event_type:user.session.start without a session starting. You will need to add either an "and okta.outcome.result:SUCCESS" or exclude unknown okta.actor.id's "not okta.actor.id:unknown"

Example Data

event.dataset:okta.system and okta.event_type:user.session.start and okta.outcome.result:SUCCESS and not okta.security_context.is_proxy:true and okta.actor.id: and client.geo.country_name:
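The effect of the proposed tuning, as an added example that is not part of the issue or of the elastic/detection-rules repository: it models the rule's filter before and after adding the okta.outcome.result:SUCCESS and not okta.actor.id:unknown clauses, and runs both over constructed Okta System Log events flattened to the ECS field names in the query. It assumes the rule alerts when one okta.actor.id is seen from two or more distinct client.geo.country_name values; the actor ids and countries are constructed sample values.

```python
from collections import defaultdict

def okta_event(actor_id, country, result="SUCCESS", is_proxy=False):
    """Constructed Okta System Log event flattened to the ECS field names the rule uses."""
    return {
        "event.dataset": "okta.system",
        "okta.event_type": "user.session.start",
        "okta.outcome.result": result,
        "okta.security_context.is_proxy": is_proxy,
        "okta.actor.id": actor_id,
        "client.geo.country_name": country,
    }

# Constructed sample (not real Okta data): one real user signing in from two
# countries, a burst of failed session starts attributed to the synthetic
# "unknown" actor, and one proxy hit that both filter versions drop.
SAMPLE_EVENTS = [
    okta_event("00u_alice_constructed", "United States"),
    okta_event("00u_alice_constructed", "Germany"),
    okta_event("unknown", "Brazil", result="FAILURE"),
    okta_event("unknown", "India", result="FAILURE"),
    okta_event("unknown", "France", result="FAILURE"),
    okta_event("00u_bob_constructed", "Japan", is_proxy=True),
    okta_event("00u_bob_constructed", "United States"),
]

def original_filter(event):
    """Filter as the issue describes the original rule: no check that the sign-in succeeded."""
    return (event.get("event.dataset") == "okta.system"
            and event.get("okta.event_type") == "user.session.start"
            and event.get("okta.security_context.is_proxy") is not True)

def tuned_filter(event):
    """Issue's proposal: require a SUCCESS outcome and drop the 'unknown' actor id."""
    return (original_filter(event)
            and event.get("okta.outcome.result") == "SUCCESS"
            and event.get("okta.actor.id") != "unknown")

def actors_with_multiple_countries(events, predicate, min_countries=2):
    """Group events passing the predicate by actor id and return actors seen from
    at least min_countries distinct countries (assumed alert condition)."""
    countries = defaultdict(set)
    for event in events:
        if predicate(event):
            countries[event["okta.actor.id"]].add(event["client.geo.country_name"])
    return {actor: sorted(c) for actor, c in countries.items() if len(c) >= min_countries}

if __name__ == "__main__":
    print("original:", actors_with_multiple_countries(SAMPLE_EVENTS, original_filter))
    print("tuned:   ", actors_with_multiple_countries(SAMPLE_EVENTS, tuned_filter))
```

With the original filter the failed, actor-less session starts alone produce an alert for "unknown"; the tuned filter keeps only the genuine multi-country user.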

botelastic[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

terrancedejesus commented 4 months ago

@BCall-BT - Thanks for another recommendation! I've adjusted this rule via #3799. Please feel free to review and add any additional recommendations.