Detect users authenticating with Okta to more than 10 unique apps within a 5-minute period. This is meant to detect Discovery or Lateral Movement attempts (an account, or a token stolen from it, being walked across every app it can reach).
This version uses `count_distinct`, at the cost of losing the per-app detail in the alert. A version that keeps the app names (via `values`) will be created as a hunt (#4100) until `values` is performant enough to build a production rule on; `values` is still beta and considered risky for performance. The same logic could also be implemented as a threshold rule. Note that the query itself carries no time bound: the 5-minute window comes from the rule's schedule (interval and lookback), which scopes the events the ES|QL query runs over, so the rule must be scheduled with a 5-minute window for the description to hold.
Related rules
4edd3e1a-3aa0-499b-8147-4d2ea43b1613 okta Unauthorized Access to an Okta Application
Target Ruleset
okta
Target Rule Type
ES|QL
Tested ECS Version
No response
Query
```esql
from logs-okta*
// keep only SSO sign-ins; session, MFA and admin events are out of scope
| where event.action == "user.authentication.sso"
// count distinct apps per user over the rule's time window (set by the schedule)
| stats total_apps = count_distinct(okta.target_app.display_name) by user.email
| where total_apps > 10
| sort total_apps desc
```
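The following is an added Python re-implementation of the query's logic over constructed sample events; it is not part of the rule or the Elastic repository. It assumes the same field shape the query uses (`event.action`, `user.email`, `okta.target_app.display_name`) and applies the 5-minute window explicitly with a sliding window, which the ES|QL rule instead inherits from its schedule. It also keeps the list of app names that the `count_distinct` version drops, which is what the `values`-based hunt would show.

```python
"""Hypothetical re-implementation of the Okta SSO-burst detection.

Constructed example, not the Elastic rule's own code. Events are dicts
shaped like the ECS/okta fields the ES|QL query references.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 10  # alert when distinct apps > THRESHOLD, as in `where total_apps > 10`


def _ev(ts, email, app, action="user.authentication.sso"):
    """Build one constructed Okta-like event (not real log data)."""
    return {
        "@timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "event": {"action": action},
        "user": {"email": email},
        "okta": {"target_app": {"display_name": app}},
    }


# Constructed sample data: one bursty user, one repeat sign-in, one non-SSO
# event and one user who reaches 12 apps only over the course of an hour.
SAMPLE_EVENTS = (
    [_ev(f"2024-01-01T10:00:{i:02d}", "user@example.com", f"App-{i}") for i in range(12)]
    # same app a second time: count_distinct must not double-count it
    + [_ev("2024-01-01T10:01:00", "user@example.com", "App-0")]
    # not an SSO action, so it must be filtered out even though it names a new app
    + [_ev("2024-01-01T10:01:30", "user@example.com", "Admin-Console", action="user.session.start")]
    # 12 apps spread 5 minutes apart: never more than 2 inside one window
    + [_ev(f"2024-01-01T11:{5 * i:02d}:00", "slow@example.com", f"App-{i}") for i in range(12)]
)


def sso_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {email: sorted app names} for users whose SSO sign-ins cover more
    than `threshold` distinct apps inside any span of `window` length.

    The largest qualifying app set per user is kept, so the result carries the
    detail that the count_distinct-only query loses."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"]["action"] != "user.authentication.sso":
            continue
        by_user[e["user"]["email"]].append(
            (e["@timestamp"], e["okta"]["target_app"]["display_name"]))

    hits = {}
    for email, evs in by_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start..end] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            apps = {app for _, app in evs[start:end + 1]}
            if len(apps) > threshold and len(apps) > len(hits.get(email, [])):
                hits[email] = sorted(apps)
    return hits


if __name__ == "__main__":
    for email, apps in sso_bursts(SAMPLE_EVENTS).items():
        print(f"{email}: {len(apps)} distinct apps in {WINDOW}: {apps}")
```

Running it flags only `user@example.com` (12 distinct apps, with the duplicate `App-0` and the non-SSO `Admin-Console` event correctly ignored); `slow@example.com` touches the same number of apps but never more than two inside any 5-minute span, which is the case a schedule with too long a lookback would wrongly alert on.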
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response