
Okta Login From CrowdStrike Unmanaged Device

Severity
medium
Tags
Multi-Table Query
Reference
https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
Source
github.com/panther-labs/panther-analysis

Detects Okta logins from IP addresses not found in CrowdStrike's AIP list. May indicate an unmanaged device being used, or a faulty CrowdStrike sensor.

Rule body yaml

AnalysisType: scheduled_rule
Description: Detects Okta logins from IP addresses not found in CrowdStrike's AIP list. May indicate an unmanaged device being used, or a faulty CrowdStrike sensor.
DisplayName: "Okta Login From CrowdStrike Unmanaged Device"
Enabled: false
Filename: okta_login_from_crowdstrike_unmanaged_device.py
Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
Severity: Medium
Tests:
  - ExpectedResult: true
    Log:
      actor:
        alternateId: homer.simpson@springfield.com
        displayName: Homer Simpson
        id: AbcdEfghIjklmno
        type: User
      authenticationcontext:
        authenticationStep: 0
        externalSessionId: AbcDefgiH
      client:
        device: Computer
        geographicalContext:
          city: San Francisco
          country: United States
          geolocation:
            lat: 30
            lon: -100
          postalCode: "9000"
          state: California
        ipAddress: 1.2.3.4
        userAgent:
          browser: CHROME
          os: Mac OS X
          rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
        zone: "null"
      debugcontext:
        debugData:
          authnRequestId: abcdefg
          deviceFingerprint: abcdefg
          dtHash: abcdefgc
          logOnlySecurityData: '{"risk":{"level":"LOW"},"behaviors":{"New Geo-Location":"NEGATIVE","New Device":"NEGATIVE","New IP":"NEGATIVE","New State":"NEGATIVE","New Country":"NEGATIVE","Velocity":"NEGATIVE","New City":"NEGATIVE"}}'
          origin: https://springfield.okta.com
          requestId: abcdefg
          requestUri: /idp/idx/identify
          threatSuspected: "false"
          url: /idp/idx/identify?
      displaymessage: User login to Okta
      eventtype: user.session.start
      legacyeventtype: core.user_auth.login_success
      outcome:
        result: SUCCESS
      published: "2023-01-10 17:39:40.526"
      request:
        ipChain:
          - geographicalContext:
              city: San Francisco
              country: United States
              geolocation:
                lat: 30
                lon: -100
              postalCode: "90000"
              state: California
            ip: 1.2.3.4
            version: V4
      securitycontext:
        asNumber: 1337
        asOrg: springfield
        domain: .
        isProxy: false
        isp: duff inc
      severity: INFO
      target:
        - alternateId: unknown
          displayName: Password
          id: abcdefg
          type: AuthenticatorEnrollment
        - alternateId: Okta Dashboard
          displayName: Okta Dashboard
          id: abcdefg
          type: AppInstance
      transaction:
        detail: {}
        id: abcdefg
        type: WEB
      uuid: abcdefg
      version: "0"
    Name: Event
  - ExpectedResult: true
    Log:
      authenticationcontext:
        authenticationStep: 0
        externalSessionId: AbcDefgiH
      client:
        device: Computer
        geographicalContext:
          city: San Francisco
          country: United States
          geolocation:
            lat: 30
            lon: -100
          postalCode: "9000"
          state: California
        ipAddress: 1.2.3.4
        userAgent:
          browser: CHROME
          os: Mac OS X
          rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
        zone: "null"
      debugcontext:
        debugData:
          authnRequestId: abcdefg
          deviceFingerprint: abcdefg
          dtHash: abcdefgc
          logOnlySecurityData: '{"risk":{"level":"LOW"},"behaviors":{"New Geo-Location":"NEGATIVE","New Device":"NEGATIVE","New IP":"NEGATIVE","New State":"NEGATIVE","New Country":"NEGATIVE","Velocity":"NEGATIVE","New City":"NEGATIVE"}}'
          origin: https://springfield.okta.com
          requestId: abcdefg
          requestUri: /idp/idx/identify
          threatSuspected: "false"
          url: /idp/idx/identify?
      displaymessage: User login to Okta
      eventtype: user.session.start
      legacyeventtype: core.user_auth.login_success
      outcome:
        result: SUCCESS
      published: "2023-01-10 17:39:40.526"
      request:
        ipChain:
          - geographicalContext:
              city: San Francisco
              country: United States
              geolocation:
                lat: 30
                lon: -100
              postalCode: "90000"
              state: California
            ip: 1.2.3.4
            version: V4
      securitycontext:
        asNumber: 1337
        asOrg: springfield
        domain: .
        isProxy: false
        isp: duff inc
      severity: INFO
      target:
        - alternateId: unknown
          displayName: Password
          id: abcdefg
          type: AuthenticatorEnrollment
        - alternateId: Okta Dashboard
          displayName: Okta Dashboard
          id: abcdefg
          type: AppInstance
      transaction:
        detail: {}
        id: abcdefg
        type: WEB
      uuid: abcdefg
      version: "0"
    Name: No Email
DedupPeriodMinutes: 60
RuleID: "Okta.Login.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
  - Okta Login From CrowdStrike Unmanaged Device
Tags:
  - Multi-Table Query

Detection logic

Filter

def rule(_):
    return True


def title(event):
    return (
        "Okta Login for "
        f"[{event.deep_get('actor', 'alternateId', default='<email_not_found>')}]"
        " from unmanaged IP Address."
    )
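The Python filter above always returns True because the real matching happens in the scheduled query, which the page does not show. The following is an added example, not Panther's own rule code or query, that emulates the multi-table logic the description implies: collect the addresses CrowdStrike sensors reported (the AIP list), keep successful Okta session starts whose client IP is absent from that list, and build the alert title with the same `<email_not_found>` fallback used for the "No Email" test case. The lookback window, the restriction to SUCCESS outcomes, the sample events and the `deep_get` helper are all assumptions constructed for this example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample: CrowdStrike AIP-style records (addresses a Falcon sensor reported from).
CROWDSTRIKE_AIP = [
    {"aid": "sensor-0001", "aip": "203.0.113.10", "timestamp": "2023-01-10 16:55:00"},
    {"aid": "sensor-0002", "aip": "198.51.100.7", "timestamp": "2023-01-10 17:10:00"},
    {"aid": "sensor-0003", "aip": "1.2.3.4", "timestamp": "2023-01-08 09:00:00"},  # stale
]

# Constructed sample: Okta user.session.start events, shaped like the page's test logs.
OKTA_LOGINS = [
    {"eventtype": "user.session.start", "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "203.0.113.10"},
     "actor": {"alternateId": "marge.simpson@springfield.com"},
     "published": "2023-01-10 17:39:40.526"},
    {"eventtype": "user.session.start", "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "1.2.3.4"},
     "actor": {"alternateId": "homer.simpson@springfield.com"},
     "published": "2023-01-10 17:39:40.526"},
    {"eventtype": "user.session.start", "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "1.2.3.4"},
     "published": "2023-01-10 17:40:00.000"},  # no actor block, like the "No Email" test
    {"eventtype": "user.session.start", "outcome": {"result": "FAILURE"},
     "client": {"ipAddress": "192.0.2.5"},
     "actor": {"alternateId": "bart.simpson@springfield.com"},
     "published": "2023-01-10 17:41:00.000"},
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout for the constructed AIP records


def deep_get(obj, *keys, default=None):
    """Minimal stand-in (assumption) for Panther's event.deep_get(): walk nested dicts."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def managed_ips(aip_records, now, lookback=timedelta(hours=24)):
    """Addresses a sensor reported inside the lookback window.

    Time-bounding is an assumption of this example: a sensor IP seen days ago says
    nothing about which device holds that address at login time.
    """
    cutoff = now - lookback
    managed = set()
    for rec in aip_records:
        seen = datetime.strptime(rec["timestamp"], TS_FORMAT)
        if seen < cutoff:
            continue
        try:
            managed.add(ipaddress.ip_address(rec["aip"]))
        except ValueError:
            continue  # malformed address in the sensor record; skip rather than fail
    return managed


def unmanaged_logins(okta_events, aip_records, now):
    """Successful Okta session starts whose client IP no managed sensor reported recently."""
    managed = managed_ips(aip_records, now)
    hits = []
    for event in okta_events:
        if deep_get(event, "eventtype") != "user.session.start":
            continue
        if deep_get(event, "outcome", "result") != "SUCCESS":
            continue  # failed logins are excluded here by assumption
        raw_ip = deep_get(event, "client", "ipAddress")
        try:
            login_ip = ipaddress.ip_address(raw_ip)
        except (TypeError, ValueError):
            continue  # no usable client address; nothing to compare against
        if login_ip not in managed:
            hits.append(event)
    return hits


def rule(_):
    # Every row the scheduled query returns is already a match; mirror the page's filter.
    return True


def title(event):
    # Same title logic as the page's rule, expressed over the plain-dict helper above.
    return (
        "Okta Login for "
        f"[{deep_get(event, 'actor', 'alternateId', default='<email_not_found>')}]"
        " from unmanaged IP Address."
    )


def alert_titles(okta_events, aip_records, now):
    """Titles for every event the emulated query would hand to rule()/title()."""
    return [title(e) for e in unmanaged_logins(okta_events, aip_records, now) if rule(e)]


if __name__ == "__main__":
    query_time = datetime(2023, 1, 10, 18, 0, 0)
    for line in alert_titles(OKTA_LOGINS, CROWDSTRIKE_AIP, query_time):
        print(line)
```

Running the block yields two titles: one for homer.simpson, whose login came from 1.2.3.4 while the only sensor report for that address is two days stale, and one with the `<email_not_found>` placeholder for the event that carries no actor block. The marge.simpson login is suppressed because a sensor reported 203.0.113.10 within the window; the failed bart.simpson attempt is never considered. In production the window choice and the handling of shared egress addresses (NAT, VPN concentrators) decide how noisy this rule is.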

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field        Source
alternateId  actor.alternateId