detection.wiki

Detection rules › YARA-L

Okta User Suspicious Activity Reported

Severity
medium
Type
Alert
Time window
1h
Match by
userid
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

An Okta user reports suspicious activity in response to an end user security notification.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078 Valid Accounts
PersistenceT1078 Valid Accounts
Privilege EscalationT1078 Valid Accounts
StealthT1078 Valid Accounts

References

Event coverage

ProviderEvent
Okta-useruser.account.report_suspicious_activity_by_enduser

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body yaral

/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule okta_user_suspicious_activity_reported {

  meta:
    author = "Google Cloud Security"
    description = "An Okta user reports suspicious activity in response to an end user security notification."
    rule_id = "mr_09eaaa93-be5e-4b7f-9d6b-8675e63291a0"
    rule_name = "Okta User Suspicious Activity Reported"
    reference = "https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    $suspicious.metadata.product_name = "Okta"
    $suspicious.metadata.vendor_name = "Okta"
    $suspicious.metadata.event_type = "USER_UNCATEGORIZED"
    $suspicious.metadata.product_event_type = "user.account.report_suspicious_activity_by_enduser"
    $suspicious.security_result.summary = "User report suspicious activity"
    $suspicious.target.user.userid = $userid

  match:
    $userid over 1h

  outcome:
    $risk_score = max(
      35 +
      // Increase Risk based on suspiciousActivityEventType
      if($suspicious.security_result.detection_fields["suspiciousActivityEventType"] = "system.email.mfa_enroll_notification.sent_message", 30)
    )
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $target_user_agent = array_distinct($suspicious.network.http.user_agent)
    $principal_ip = array_distinct($suspicious.principal.ip)
    $principal_ip_country = array_distinct($suspicious.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($suspicious.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($suspicious.principal.location.city)
    $principal_user_email_addresses = array_distinct ($suspicious.principal.user.email_addresses)
    $security_result_summary = array_distinct($suspicious.security_result.summary)
    $target_user_email_addresses = array_distinct($suspicious.target.user.email_addresses)
    $target_user_userid = array_distinct($suspicious.target.user.userid)

  condition:
    $suspicious
}

Detection logic

Fires when at least one $suspicious event in the 1h window.

Events

$suspicious USER_UNCATEGORIZED

  • metadata.product_event_type = "user.account.report_suspicious_activity_by_enduser"
  • security_result.summary = "User report suspicious activity"

Correlation

Match key
$userid (target.user.userid)
Within
1h

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_scoremax( 35 + if($suspicious.security_result.detection_fields["suspiciousActivityEventType"] = "system.email.mfa_enroll_notification.sent_message", 30) )
target_user_agentarray_distinct($suspicious.network.http.user_agent)
principal_iparray_distinct($suspicious.principal.ip)
principal_ip_countryarray_distinct($suspicious.principal.ip_geo_artifact.location.country_or_region)
principal_ip_statearray_distinct($suspicious.principal.ip_geo_artifact.location.state)
principal_ip_cityarray_distinct($suspicious.principal.location.city)
principal_user_email_addressesarray_distinct ($suspicious.principal.user.email_addresses)
security_result_summaryarray_distinct($suspicious.security_result.summary)
target_user_email_addressesarray_distinct($suspicious.target.user.email_addresses)
target_user_useridarray_distinct($suspicious.target.user.userid)