elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Hunt] Detect authentication to a new Okta app over the last 30 days #4102

Open brokensound77 opened 2 weeks ago

brokensound77 commented 2 weeks ago

Description

Detect users authenticating to a newly seen Okta app over the last 30 days. This is meant to detect Discovery or Lateral Movement attempts.

A new terms BBR version is being tracked here: #4101

Note: the query logic below emulates new terms but with more control

Target Ruleset

okta

Target Rule Type

ES|QL

Tested ECS Version

No response

Query

from logs-okta*
// keep only SSO authentication events
| where event.action == "user.authentication.sso"
// one row per user, app and calendar day
| stats by user.email, okta.target_app.display_name, day=bucket(@timestamp, 1 day)
// midnight UTC of the current day
| eval today=to_datetime(concat(substring(to_string(now()), 0, 10), "T00:00:00.000Z"))
| eval seen_today=day == today
// per user/app pair, collect the distinct seen_today values across all observed days
| stats seen=values(seen_today), total=count(okta.target_app.display_name) by user.email, okta.target_app.display_name
// a single value of true means the pair was seen today and on no earlier day
| where mv_count(seen) == 1 and seen
| sort user.email, okta.target_app.display_name

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
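As an added illustration (not code from this issue or from the detection-rules project), the following Python emulates the query's "new terms" logic outside Elasticsearch: group SSO authentication events by user, app and calendar day, then flag the user/app pairs whose only observed day inside the lookback window is today. The ECS and Okta integration field names match those used in the query; the events, users, app names, the window length and the "today" date are constructed for the example.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample Okta system-log events (not real data). Field names follow
# the ECS / Okta integration names used by the hunt query.
SAMPLE_EVENTS = [
    # alice used Salesforce before and again today: not new
    {"@timestamp": "2024-09-20T08:01:00Z", "event.action": "user.authentication.sso",
     "user.email": "alice@example.com", "okta.target_app.display_name": "Salesforce"},
    {"@timestamp": "2024-10-15T09:12:00Z", "event.action": "user.authentication.sso",
     "user.email": "alice@example.com", "okta.target_app.display_name": "Salesforce"},
    # alice's first ever SSO to the AWS Console happens today: new
    {"@timestamp": "2024-10-15T09:40:00Z", "event.action": "user.authentication.sso",
     "user.email": "alice@example.com", "okta.target_app.display_name": "AWS Console"},
    # bob used Jira yesterday only (not today): not reported
    {"@timestamp": "2024-10-14T17:05:00Z", "event.action": "user.authentication.sso",
     "user.email": "bob@example.com", "okta.target_app.display_name": "Jira"},
    # bob's first SSO to GitHub today: new
    {"@timestamp": "2024-10-15T11:20:00Z", "event.action": "user.authentication.sso",
     "user.email": "bob@example.com", "okta.target_app.display_name": "GitHub"},
    # a non-SSO event must be ignored by the action filter
    {"@timestamp": "2024-10-15T11:21:00Z", "event.action": "user.session.start",
     "user.email": "bob@example.com", "okta.target_app.display_name": "GitHub"},
    # carol used Workday 75 days ago and again today: new only if the window is shorter
    {"@timestamp": "2024-08-01T10:00:00Z", "event.action": "user.authentication.sso",
     "user.email": "carol@example.com", "okta.target_app.display_name": "Workday"},
    {"@timestamp": "2024-10-15T10:30:00Z", "event.action": "user.authentication.sso",
     "user.email": "carol@example.com", "okta.target_app.display_name": "Workday"},
    # event without the app display name (see the follow-up comment): skipped
    {"@timestamp": "2024-10-15T12:00:00Z", "event.action": "user.authentication.sso",
     "user.email": "dave@example.com"},
]

# Constructed "current day" so the example is deterministic.
TODAY = date(2024, 10, 15)


def event_day(ts: str) -> date:
    """Equivalent of bucket(@timestamp, 1 day): the UTC calendar day of the event."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def new_app_authentications(events, today: date, window_days: int = 30):
    """Return sorted (user, app) pairs whose only observed SSO day in the window is today.

    This mirrors the query: stats by user/app/day, then keep pairs for which the
    set of seen_today values is exactly {true}.
    """
    cutoff = today - timedelta(days=window_days)
    days_seen = defaultdict(set)  # (user, app) -> set of days with an SSO event
    for ev in events:
        if ev.get("event.action") != "user.authentication.sso":
            continue
        app = ev.get("okta.target_app.display_name")
        if app is None:  # field absent in this event; nothing to group on
            continue
        day = event_day(ev["@timestamp"])
        if day < cutoff:  # outside the lookback window, as the rule would not see it
            continue
        days_seen[(ev["user.email"], app)].add(day)
    return sorted(pair for pair, days in days_seen.items() if days == {today})


def run_sample(window_days: int = 30):
    """Run the emulation over the constructed events with the constructed 'today'."""
    return new_app_authentications(SAMPLE_EVENTS, TODAY, window_days)


if __name__ == "__main__":
    for user, app in run_sample():
        print(f"new app for {user}: {app}")
```

The carol/Workday rows show the caveat a tuner should expect from any "new terms" style hunt: an app last used before the lookback window starts looks new again on its next use, so a 30-day window trades some false positives for a smaller index scan, while a longer window (try `run_sample(90)`) suppresses that pair. The skipped dave event reflects the follow-up note that okta.target_app.display_name is not a native field of the Okta integration; rows without it never reach the grouping step.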

terrancedejesus commented 1 week ago

🚀 Note - Check all fields in queries as okta.target_app.display_name is not a native field in the Okta system logs integration OOTB.