Open brokensound77 opened 2 weeks ago
Description

Detect users authenticating to a newly seen Okta app over the last 30 days. This is meant to detect Discovery or Lateral Movement attempts.

A new terms BBR version is being tracked here: #4101

Note: the query logic below emulates new terms but with more control

Target Ruleset

okta

Target Rule Type

ES|QL

Tested ECS Version

No response

Query

```
from logs-okta*
| where event.action == "user.authentication.sso"
| stats by user.email, okta.target_app.display_name, day=bucket(@timestamp, 1 day)
| eval today=to_datetime(concat(substring(to_string(now()), 0, 10), "T00:00:00.000Z"))
| eval seen_today=day == today
| stats seen=values(seen_today), total=count(okta.target_app.display_name) by user.email, okta.target_app.display_name
| where mv_count(seen) == 1 and seen
| sort user.email, okta.target_app.display_name
```

🚀 Note - Check all fields in queries as okta.target_app.display_name is not a native field in the Okta system logs integration OOTB.

New fields required in ECS/data sources for this rule?

okta.target_app.display_name

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
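The new-terms emulation in the query, worked through in Python as an added example (not part of this issue or the detection-rules project): each (user, app) pair is bucketed by day, and the pair is reported only when every day it was seen inside the lookback window is today. The event tuples, the fixed `NOW` and the 30-day window are constructed assumptions; the third case shows why the lookback matters.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "now" so the run is reproducible (the ES|QL query uses now()).
NOW = datetime(2024, 11, 20, 15, 30, tzinfo=timezone.utc)

# Constructed Okta system-log events, not real data:
# (@timestamp, event.action, user.email, okta.target_app.display_name)
EVENTS = [
    ("2024-10-28T09:00:00Z", "user.authentication.sso", "alice@example.com", "Salesforce"),
    ("2024-11-20T08:12:00Z", "user.authentication.sso", "alice@example.com", "Salesforce"),   # seen 23 days ago: not new
    ("2024-11-20T10:05:00Z", "user.authentication.sso", "alice@example.com", "AWS Console"),  # first seen today: new
    ("2024-11-20T11:00:00Z", "user.authentication.sso", "bob@example.com", "GitHub"),
    ("2024-11-20T11:30:00Z", "user.authentication.sso", "bob@example.com", "GitHub"),         # twice today, same day: new
    ("2024-11-19T23:59:00Z", "user.authentication.sso", "carol@example.com", "Jira"),         # yesterday only: not today
    ("2024-11-20T12:00:00Z", "user.session.start", "dave@example.com", "Zoom"),               # wrong event.action: ignored
    ("2024-09-01T12:00:00Z", "user.authentication.sso", "erin@example.com", "Okta Admin"),    # outside 30-day window
    ("2024-11-20T13:00:00Z", "user.authentication.sso", "erin@example.com", "Okta Admin"),    # so this looks new today
]


def newly_seen_apps(events, now=NOW, lookback_days=30):
    """Return sorted (user, app) pairs whose only authentication days within
    the lookback window fall on 'today', mirroring the ES|QL pipeline."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)   # today=T00:00:00.000Z
    window_start = now - timedelta(days=lookback_days)               # rule lookback (assumed 30 days)

    # stats by user.email, okta.target_app.display_name, day=bucket(@timestamp, 1 day)
    days_seen = defaultdict(set)
    for ts, action, user, app in events:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if action != "user.authentication.sso" or when < window_start:
            continue
        days_seen[(user, app)].add(when.replace(hour=0, minute=0, second=0, microsecond=0))

    # seen=values(seen_today) per pair; keep where mv_count(seen) == 1 and seen,
    # i.e. the distinct set of seen_today values is exactly {True}
    hits = [(user, app) for (user, app), days in days_seen.items()
            if {day == today for day in days} == {True}]
    return sorted(hits)


if __name__ == "__main__":
    for user, app in newly_seen_apps(EVENTS):
        print(f"new app for {user}: {app}")
```

Widening `lookback_days` past 80 pulls erin's September login back into the window and the "Okta Admin" hit disappears, which is the trade-off the 30-day window makes.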