Open brokensound77 opened 2 weeks ago
Description
Detect users authenticating to a newly seen Okta app over the last 30 days. This is meant to detect Discovery or Lateral Movement attempts.
An ES|QL hunt version is being tracked here: #4102
Target Ruleset
okta
Target Rule Type
New Terms
Tested ECS Version
No response
Query
event.action:"user.authentication.sso"
New terms
user.email, okta.target_app.display_name
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response
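As an added example, not part of the issue or of the detection-rules repository: a Python emulation of the requested New Terms logic run over constructed Okta System Log events in ECS shape. It applies the KQL filter event.action:"user.authentication.sso", then flags the first occurrence of each (user.email, okta.target_app.display_name) pair not seen in the previous 30 days. Assumptions: the 30-day window is measured back from each event's own timestamp rather than from the rule's execution time (an approximation of how the Elastic rule type evaluates its history window), documents missing either term field are skipped, and all sample events are constructed, not real data. The same logic is also run keyed on user.email alone to show why the composite key matters: a known user's first login to a new app is only a new term for the pair.

```python
from datetime import datetime, timedelta

# Window the issue asks for. Measured here from each event's own timestamp;
# the real rule type measures it back from rule execution time (assumption).
HISTORY_WINDOW = timedelta(days=30)

# Constructed sample events in ECS shape (not real Okta data).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T09:00:00Z", "event": {"action": "user.authentication.sso"},
     "user": {"email": "alice@example.com"}, "okta": {"target_app": {"display_name": "Slack"}}},
    {"@timestamp": "2024-01-03T10:00:00Z", "event": {"action": "user.authentication.sso"},
     "user": {"email": "bob@example.com"}, "okta": {"target_app": {"display_name": "Slack"}}},
    # alice again on Slack four days later: the pair is known, not new
    {"@timestamp": "2024-01-05T09:30:00Z", "event": {"action": "user.authentication.sso"},
     "user": {"email": "alice@example.com"}, "okta": {"target_app": {"display_name": "Slack"}}},
    # alice's first ever use of a second app: the pair is new, the user is not
    {"@timestamp": "2024-01-10T14:00:00Z", "event": {"action": "user.authentication.sso"},
     "user": {"email": "alice@example.com"}, "okta": {"target_app": {"display_name": "AWS Console"}}},
    # different action: excluded by the KQL filter
    {"@timestamp": "2024-01-12T08:00:00Z", "event": {"action": "user.session.start"},
     "user": {"email": "alice@example.com"}, "okta": {"target_app": {"display_name": "Slack"}}},
    # no user.email: treated as having no term to evaluate and skipped
    {"@timestamp": "2024-01-15T08:00:00Z", "event": {"action": "user.authentication.sso"},
     "user": {}, "okta": {"target_app": {"display_name": "Slack"}}},
    # 46 days after alice's last Slack login: outside the window, so new again
    {"@timestamp": "2024-02-20T09:00:00Z", "event": {"action": "user.authentication.sso"},
     "user": {"email": "alice@example.com"}, "okta": {"target_app": {"display_name": "Slack"}}},
]


def get_path(doc, path):
    """Resolve an ECS dotted field name against a nested dict; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def new_terms_hits(events, term_fields, window=HISTORY_WINDOW,
                   query_action="user.authentication.sso"):
    """Emulate a New Terms rule: keep events matching the query, then flag the
    first event for each combination of term_fields not seen within `window`.
    Returns the flagged events as {"@timestamp": ..., "terms": (...)} dicts."""
    last_seen = {}
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if get_path(ev, "event.action") != query_action:
            continue
        terms = tuple(get_path(ev, f) for f in term_fields)
        if any(t is None for t in terms):
            continue
        ts = parse_ts(ev["@timestamp"])
        prev = last_seen.get(terms)
        if prev is None or ts - prev > window:
            hits.append({"@timestamp": ev["@timestamp"], "terms": terms})
        last_seen[terms] = ts
    return hits


if __name__ == "__main__":
    composite = new_terms_hits(SAMPLE_EVENTS, ["user.email", "okta.target_app.display_name"])
    single = new_terms_hits(SAMPLE_EVENTS, ["user.email"])
    for h in composite:
        print("new (user, app):", h["@timestamp"], h["terms"])
    print(f"{len(composite)} hits on the pair vs {len(single)} on user.email alone; "
          "alice's first AWS Console login only surfaces with the pair")
```

The run keyed on user.email alone misses alice's first AWS Console login, which is exactly the event the issue wants. The 46-day gap shows the other side of the history window: a pair that has gone quiet for longer than 30 days fires again when it reappears, so expect re-alerts after long absences such as leave or seasonal access.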