elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Multiple Device Token Hashes for Single Okta Session #3814

Closed terrancedejesus closed 3 months ago

terrancedejesus commented 3 months ago


Summary

This pull request tunes the Multiple Device Token Hashes for Single Okta Session rule by doing the following:

Mikaayenson commented 3 months ago

I saw the other rule Multiple Okta Client Addresses for a Single User Session was deleted. Was the tuning two step? 1) delete old rule and 2) create a new rule? I'm wondering if we should deprecate the old rule using the normal processes. Since the file names changed, I'm wondering how it impacts things upstream.

terrancedejesus commented 3 months ago

I saw the other rule Multiple Okta Client Addresses for a Single User Session was deleted. Was the tuning two step? 1) delete old rule and 2) create a new rule? I'm wondering if we should deprecate the old rule using the normal processes. Since the file names changed, I'm wondering how it impacts things upstream.

I just renamed the file, so it looks like it has been deleted.

terrancedejesus commented 3 months ago

@imays11

I thought that when we want to rename a file we have to deprecate it? If not then this looks good

I don't recall this being the case. Do we have it documented anywhere on why that would be? The UUID stays the same, only the rule name may change. Also, file names may change if the tactic changes as well because they need to match.