Okta ThreatInsight Threat Suspected Promotion
editOkta ThreatInsight Threat Suspected Promotion
editOkta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta’s internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.
Rule type: query
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
- https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html
- https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy
- https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security
- https://www.elastic.co/security-labs/starter-guide-to-understanding-okta
Tags:
- Use Case: Identity and Access Audit
- Data Source: Okta
Version: 309
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
Setup
editRule query
editevent.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)