detection.wiki

Detection rules › YARA-L

Okta User Login Out Of Hours

Severity
low
Type
Alert
Time window
1h
Match by
user
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Detects out of hours successful authentication.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078 Valid Accounts
PersistenceT1078 Valid Accounts
Privilege EscalationT1078 Valid Accounts
StealthT1078 Valid Accounts

References

Rule body yaral

/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule okta_user_login_out_of_hours {

  meta:
    author = "Google Cloud Security"
    description = "Detects out of hours successful authentication."
    rule_id = "mr_36840037-a41c-47d0-b0eb-4096f28855e1"
    rule_name = "Okta User Login Out Of Hours"
    reference = "https://support.okta.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Low"
    priority = "Low"

  events:
    $login.metadata.product_name = "Okta"
    $login.metadata.vendor_name = "Okta"
    $login.metadata.event_type = "USER_LOGIN"
    $login.target.user.email_addresses = $user
    $login.security_result.action = "ALLOW"
    $login.metadata.event_timestamp.seconds = $timestamp

    (
        01 = timestamp.get_day_of_week($timestamp, "UTC") or //Sunday
        07 = timestamp.get_day_of_week($timestamp, "UTC")  //Saturday
    )

  match:
    $user over 1h

  outcome:
    $risk_score = max(
        if (01 = timestamp.get_day_of_week($timestamp, "UTC"), 10) +
        if (07 = timestamp.get_day_of_week($timestamp, "UTC"), 15) +
        if ( ( timestamp.get_hour($timestamp, "UTC") >= 0 and timestamp.get_hour($timestamp,"UTC")<= 7) or timestamp.get_hour($timestamp,"UTC") > 20, 50)
    )
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($login.principal.location.city)
    $security_result_summary = array_distinct($login.security_result.summary)
    $principal_user_managers_email_addresses = array_distinct($login.principal.user.managers.email_addresses)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $dc_principal_user_userid = count_distinct($login.principal.user.userid)
    $target_user_email_addresses = array_distinct($login.target.user.email_addresses)
    $target_user_userid = array_distinct($login.target.user.userid)
    $target_user_agent = array_distinct($login.network.http.user_agent)
    $security_result_description = array_distinct($login.security_result.description)

  condition:
    $login
}

Detection logic

Fires when at least one $login event in the 1h window.

Events

$login USER_LOGIN

  • security_result.action = "ALLOW"

Correlation

Match key
$user (target.user.email_addresses)
Within
1h

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_scoremax( if (01 = timestamp.get_day_of_week($timestamp, "UTC"), 10) + if (07 = timestamp.get_day_of_week($timestamp, "UTC"), 15) + if ( ( timestamp.get_hour($timestamp, "UTC") >= 0 and timestamp.get_hour($timestamp,"UTC")<= 7) or timestamp.get_hour($timestamp,"UTC") > 20, 50) )
principal_iparray_distinct($login.principal.ip)
principal_ip_countryarray_distinct($login.principal.ip_geo_artifact.location.country_or_region)
principal_ip_statearray_distinct($login.principal.ip_geo_artifact.location.state)
principal_ip_cityarray_distinct($login.principal.location.city)
security_result_summaryarray_distinct($login.security_result.summary)
principal_user_managers_email_addressesarray_distinct($login.principal.user.managers.email_addresses)
principal_user_useridarray_distinct($login.principal.user.userid)
dc_principal_user_useridcount_distinct($login.principal.user.userid)
target_user_email_addressesarray_distinct($login.target.user.email_addresses)
target_user_useridarray_distinct($login.target.user.userid)
target_user_agentarray_distinct($login.network.http.user_agent)
security_result_descriptionarray_distinct($login.security_result.description)