Okta coverage
179 Okta detection rules across 6 vendors covering 79 eventTypes.
Okta records administrative and authentication activity in the System Log. Every entry carries an eventType, a dotted string whose leading segments form a namespace prefix (for example user.session.start, policy.rule.update, system.api_token.create). Because that string is the field every rule corpus filters on, this page groups the combined rules from all six vendors (Sigma, Elastic, Sentinel, Chronicle, and the others counted above) by eventType, organized under category headings that collect related prefixes (user.authentication and user.session under authentication, user.mfa under mfa, user.account and user.lifecycle under lifecycle, and so on). Each eventType maps to a catalog entry under the Okta catalog.
Some eventTypes are emitted only by Okta Identity Engine (OIE) orgs and never by Classic Engine orgs; those entries are flagged on their event pages. A rule that matches only a wildcard eventType, or that keys on secondary fields (outcome.result, displayMessage) rather than on an eventType, cannot be resolved to a single eventType and is listed under (unattributed). A rule that names several literal eventTypes is listed under each of them (for example, First Occurrence of Okta User Session Started via Proxy appears under user.authentication.auth_via_mfa, user.authentication.sso, and user.session.start), so the per-eventType counts below add up to more than the total number of rules.
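The grouping and attribution logic described above, as an added example that is not part of this corpus or of any vendor's rule set. It assumes a prefix-to-category table inferred from this page's section headings (longest matching dotted prefix wins, everything else falls to "other"), a simplified Sigma-style "selection" dict for rules, and constructed System Log entries and rules; none of these are real org data or published rules.

```python
"""Group Okta System Log eventTypes and rule selectors the way this page does.

Added example; not code from the corpus or from any vendor's rule set.
Assumptions: PREFIX_CATEGORY is inferred from this page's section headings,
the rule 'selection' shape is a simplified Sigma-style dict, and all log
entries and rules below are constructed samples.
"""
from __future__ import annotations

import fnmatch
import json
from collections import defaultdict

UNATTRIBUTED = "(any event)"

# Inferred from this page's headings (assumption): longest matching dotted
# prefix wins, anything unmatched falls through to "other".
PREFIX_CATEGORY = {
    "user.authentication": "authentication",
    "user.session": "authentication",
    "user.mfa": "mfa",
    "user.account": "lifecycle",
    "user.lifecycle": "lifecycle",
    "policy": "policy",
    "application.lifecycle": "admin",
    "application.user_membership": "admin",
    "group.privilege": "admin",
    "system": "admin",
    "security": "threat",
}

# Constructed System Log entries (JSON lines, minimal fields only).
SAMPLE_LOG = """
{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "displayMessage": "User login to Okta"}
{"eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"}, "displayMessage": "Authentication of user via MFA"}
{"eventType": "policy.rule.update", "outcome": {"result": "SUCCESS"}, "displayMessage": "Update policy rule"}
{"eventType": "system.api_token.create", "outcome": {"result": "SUCCESS"}, "displayMessage": "Create API token"}
{"eventType": "user.mfa.factor.reset_all", "outcome": {"result": "SUCCESS"}, "displayMessage": "Reset all factors for user"}
"""

# Constructed rules in a simplified Sigma-style selection shape (assumption).
SAMPLE_RULES = [
    {"title": "API token created",
     "selection": {"eventType": "system.api_token.create"}},
    {"title": "Session started via proxy or MFA",
     "selection": {"eventType": ["user.session.start", "user.authentication.auth_via_mfa"]}},
    {"title": "Any MFA factor change",
     "selection": {"eventType": "user.mfa.factor.*"}},
    {"title": "Failed outcome anywhere",
     "selection": {"outcome.result": "FAILURE"}},
]


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines System Log export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def category_for(event_type: str) -> str:
    """Walk the dotted eventType from longest to shortest prefix."""
    parts = event_type.split(".")
    for n in range(len(parts), 0, -1):
        if ".".join(parts[:n]) in PREFIX_CATEGORY:
            return PREFIX_CATEGORY[".".join(parts[:n])]
    return "other"


def _patterns(selection: dict) -> list[str]:
    pats = selection.get("eventType", [])
    return [pats] if isinstance(pats, str) else list(pats)


def attribute_rule(rule: dict) -> list[str]:
    """Literal eventTypes a rule pins to; wildcard-only or secondary-field-only
    selections cannot resolve to one eventType and go to UNATTRIBUTED."""
    pats = _patterns(rule.get("selection", {}))
    literal = [p for p in pats if not any(c in p for c in "*?[")]
    if not pats or len(literal) != len(pats):
        return [UNATTRIBUTED]
    return sorted(set(literal))


def build_coverage(rules: list[dict]) -> dict[str, dict[str, list[str]]]:
    """category -> eventType -> sorted rule titles, mirroring this page."""
    cov: dict = defaultdict(lambda: defaultdict(set))
    for rule in rules:
        for et in attribute_rule(rule):
            cat = "(unattributed)" if et == UNATTRIBUTED else category_for(et)
            cov[cat][et].add(rule["title"])
    return {c: {e: sorted(t) for e, t in sorted(ev.items())} for c, ev in cov.items()}


def covered_event_types(cov: dict) -> list[str]:
    """Distinct eventTypes with at least one attributed rule."""
    return sorted({e for c, ev in cov.items() if c != "(unattributed)" for e in ev})


def matching_rules(rules: list[dict], entry: dict) -> list[str]:
    """Rule titles that fire on one log entry (wildcards via fnmatch,
    plus the two secondary-field constraints this page mentions)."""
    hits = []
    for rule in rules:
        sel = rule.get("selection", {})
        pats = _patterns(sel)
        if pats and not any(fnmatch.fnmatchcase(entry["eventType"], p) for p in pats):
            continue
        if "outcome.result" in sel and entry.get("outcome", {}).get("result") != sel["outcome.result"]:
            continue
        if "displayMessage|contains" in sel and sel["displayMessage|contains"] not in entry.get("displayMessage", ""):
            continue
        hits.append(rule["title"])
    return hits


if __name__ == "__main__":
    coverage = build_coverage(SAMPLE_RULES)
    print(json.dumps(coverage, indent=2))
    for e in parse_log(SAMPLE_LOG):
        print(e["eventType"], "->", category_for(e["eventType"]), matching_rules(SAMPLE_RULES, e))
```

Run against the constructed samples, the wildcard rule and the outcome.result-only rule both land in (unattributed) even though they fire on specific entries at match time; that is exactly why the counts on this page cannot be read as "how many rules cover this eventType at runtime", only as "how many rules name it literally".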
authentication
user.authentication.auth_via_IDP 2 rules
user.authentication.auth_via_inbound_SAML 1 rule
user.authentication.auth_via_mfa 18 rules
- First Occurrence of Okta User Session Started via Proxy
- MFA Fatigue (OKTA)
- Okta AiTM Phishing Attempt Blocked by FastPass
- Okta Fast Pass phishing Detection
- Okta FastPass Phishing Detection
- Okta FastPass Phishing Detection
- Okta MFA Bruteforce Attack
- Okta Mismatch Between Source And Response For Verify Push Request
- Okta Mismatch Between Source and Response for Verify Push Request
- Okta Multiple Failed MFA Requests For User
- Okta Multiple OS Names Detected for a Single DT Hash
- Okta Phishing Detection With Fastpass Origin Check
- Okta Phishing Detection with FastPass Origin Check
- Okta Successful Single Factor Authentication
- Okta User Failed Number Challenge During Push Notification
- Okta User Rejected Multiple Push Notifications
- Potential Okta MFA Bombing via Push Notifications
- Potentially Successful Okta MFA Bombing via Push Notifications
user.authentication.auth_via_social 1 rule
user.authentication.sso 8 rules
- First Occurrence of Okta User Session Started via Proxy
- Okta AiTM Session Cookie Replay
- Okta Multiple Failed Requests To Access Applications
- Okta Multiple Failed Requests to Access Applications
- Okta Potentially Stolen Session
- Potentially Successful Okta MFA Bombing via Push Notifications
- SIGNAL - Okta SSO to AWS
- Successful Application SSO from Rare Unknown Client Device
user.authentication.verify 4 rules
user.session.access_admin_app 1 rule
user.session.impersonation.grant 3 rules
user.session.impersonation.initiate 4 rules
user.session.start 24 rules
- Failed Logins from Unknown or Invalid User
- First Occurrence of Okta User Session Started via Proxy
- High-Risk Admin Activity
- Multiple Okta Sessions Detected for a Single User
- Multiple Okta User Authentication Events with Same Device Token Hash
- New Device/Location sign-in along with critical operation
- Okta AiTM Session Cookie Replay
- Okta Login Signal
- Okta Potentially Stolen Session
- Okta Sign-In from VPN Anonymizer
- Okta Successful High Risk User Logins
- Okta Successful Login After Credential Attack
- Okta User Logins From Multiple Cities
- Okta User Session Start Via An Anonymising Proxy Service
- Okta User Sessions Started from Different Geolocations
- Okta Username Above 52 Characters Security Advisory
- Potential Okta Brute Force (Device Token Rotation)
- Potential Okta Brute Force (Multi-Source)
- Potential Okta Credential Stuffing (Single Source)
- Potential Okta Password Spray (Multi-Source)
- Potential Okta Password Spray (Single Source)
- Potential Password Spray Attack
- Potentially Successful Okta MFA Bombing via Push Notifications
- User Login from Different Countries within 3 hours
mfa
user.mfa.attempt_bypass 3 rules
user.mfa.factor.activate 1 rule
user.mfa.factor.deactivate 5 rules
user.mfa.factor.reset_all 6 rules
user.mfa.factor.suspend 2 rules
user.mfa.factor.update 3 rules
lifecycle
user.account.lock 2 rules
user.account.lock.limit 1 rule
user.account.privilege.grant 5 rules
user.account.report_suspicious_activity_by_enduser 4 rules
user.account.reset_password 3 rules
user.account.unlock_token 1 rule
user.account.update_password 1 rule
user.lifecycle.activate 1 rule
user.lifecycle.create 2 rules
policy
policy.evaluate_sign_on 7 rules
policy.lifecycle.create 1 rule
policy.lifecycle.deactivate 2 rules
policy.lifecycle.delete 3 rules
policy.lifecycle.modify 1 rule
policy.lifecycle.update 3 rules
policy.rule.create 1 rule
policy.rule.deactivate 2 rules
policy.rule.delete 3 rules
policy.rule.modify 1 rule
admin
application.lifecycle.activate 1 rule
application.lifecycle.create 1 rule
application.lifecycle.deactivate 1 rule
application.lifecycle.delete 2 rules
application.lifecycle.update 4 rules
application.user_membership.show_password 1 rule
group.privilege.grant 5 rules
system.api_token.create 6 rules
system.api_token.revoke 4 rules
system.email.account_unlock.sent_message 1 rule
system.email.password_reset.sent_message 1 rule
system.idp.lifecycle.activate 1 rule
system.idp.lifecycle.create 3 rules
system.idp.lifecycle.deactivate 1 rule
system.idp.lifecycle.delete 1 rule
system.mfa.factor.deactivate 2 rules
system.org.rate_limit.violation 1 rule
system.org.rate_limit.warning 1 rule
system.push.send_factor_verify_push 5 rules
system.sms.send_account_unlock_message 1 rule
system.sms.send_password_reset_message 1 rule
system.voice.send_account_unlock_call 1 rule
system.voice.send_password_reset_call 1 rule
threat
security.attack.end 1 rule
security.attack.start 2 rules
security.threat.detected 7 rules
- Device Registration from Malicious IP
- Okta Security Threat Detected
- Okta ThreatInsight Login Failure With High Unknown Users
- Okta ThreatInsight Suspected Bruteforce Attack
- Okta ThreatInsight Suspected Password Spray Attack
- Okta ThreatInsight Threat Detected
- Okta ThreatInsight Threat Suspected Promotion
other
app.generic.unauth_app_access_attempt 1 rule
app.oauth2.as.token.grant 1 rule
application.integration.rate_limit_exceeded 1 rule
application.policy.sign_on.rule.delete 3 rules
application.policy.sign_on.update 3 rules
core.concurrency.org.limit.violation 1 rule
Events 1 rule
iam.resourceset.bindings.add 1 rule
iam.role.create 1 rule
iam.role.permissions.add 1 rule
network_zone.rule.disabled 2 rules
zone.deactivate 2 rules
zone.delete 2 rules
zone.remove_blacklist 1 rule
zone.update 1 rule
(unattributed)
(any event) 60 rules
- Brute Force By IP
- Brute Force By User
- Geographic Improbable Location
- GreyNoise V3 Malicious IP Activity
- Impossible Travel for Login Action
- MFA Disabled
- Multiple Device Token Hashes for Single Okta Session
- Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
- New Okta Authentication Behavior Detected
- Okta AD Agent Authentication Anomaly - Z-Score Detection
- Okta AD Agent Token Abuse - Behavioral
- Okta Admin Console Login Failure
- Okta Admin Functions Access Through Proxy
- Okta Alerts Following Unusual Proxy Authentication
- Okta App Refresh Access Token Reuse
- Okta App Unauthorized Access Attempt
- Okta Authentication Bypass via Skeleton Key Injection - Behavioral
- Okta Authentication Failed During MFA Challenge
- Okta Group Admin Role Assigned
- Okta HAR File IOCs
- Okta Identity Provider Created or Modified
- Okta Investigate Session ID Activity
- Okta Investigate User Activity
- Okta Login From CrowdStrike Unmanaged Device
- Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)
- Okta Login Without Push
- Okta Login Without Push Marker
- Okta MFA Globally Disabled
- Okta Multi-Factor Authentication Disabled
- Okta Multiple Accounts Locked Out
- Okta Multiple User's Logins With Invalid Credentials From The Same IP
- Okta Multiple Users Failing To Authenticate From Ip
- Okta New API Token Created
- Okta New Behaviors Acessing Admin Console
- Okta New Device Enrolled on Account
- Okta Non-Standard VPN Usage
- Okta Password Health Report Query
- Okta Rate Limits
- Okta Risk Threshold Exceeded
- Okta SWA Bulk Access, New Source, and Credential Extraction - Behavioral
- Okta SWA Off-Hours Credential Access - Behavioral
- Okta ThreatInsight Security Threat Detected
- Okta Unauthorized Access to App
- Okta Unauthorized Access to Application
- Okta User Account Locked
- Okta User Account Locked Out
- Okta User Login Out Of Hours
- Okta User Logins from Multiple Cities
- Okta User MFA Factor Suspend
- Okta User MFA Own Reset
- Okta User MFA Reset All
- Okta User Reported Suspicious Activity
- OTX Threat Intelligence Indicator Match
- Potential Okta Password in AlternateID Field
- Query.Okta.ADAgentAuthZScoreAnomaly
- Query.Okta.ADAgentTokenAbuseBehavioral
- Query.Okta.SkeletonKeyBypassBehavioral
- Query.Okta.SWABulkAccessBehavioral
- Query.Okta.SWAOffHoursAccessBehavioral
- Sign In from Rogue State