detection.wiki

Detection rules › Elastic

New Okta Authentication Behavior Detected

Status
production
Kind
building block (feeds higher-level correlation rules; not a standalone alert)
Severity
low
Time window
9m
Author
Elastic
Source
github.com/elastic/detection-rules

Detects events where Okta behavior detection has identified a new authentication behavior.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078.004 Valid Accounts: Cloud Accounts

Rule body elastic

[metadata]
bypass_bbr_timing = true
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = "Detects events where Okta behavior detection has identified a new authentication behavior."
from = "now-9m"
index = ["logs-okta.system-*"]
language = "kuery"
license = "Elastic License v2"
name = "New Okta Authentication Behavior Detected"
note = """## Triage and analysis

### Investigating New Okta Authentication Behavior Detected

This rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.

#### Possible investigation steps:
- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.
- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.
- Review the past activities of the actor involved in this action by checking their previous actions.
- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.

### False positive analysis:
- A user may be using a new device or location to sign in.
- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.

### Response and remediation:
- If the user is legitimate and the authentication behavior is not suspicious, no action is required.
- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).
    - If MFA is already enabled, consider resetting MFA for the user.
- If the user is not legitimate, consider deactivating the user's account.
- If this is a false positive, consider adjusting the Okta behavior detection settings.
- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.

## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
    "https://unit42.paloaltonetworks.com/muddled-libra/",
    "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
severity = "low"
tags = [
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Data Source: Okta",
    "Resources: Investigation Guide",
    "Rule Type: BBR",
    "Domain: Identity"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

Stages and Predicates

Stage 1: query

event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
event.dataseteq
  • okta.system
okta.debug_context.debug_data.risk_behaviorsis_not_null
  • (no value, null check)