Detection rules › Panther
AWS Console Sign-In NOT PRECEDED BY Okta Redirect
A user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta and both log sources configured.
Rule body yaml
AnalysisType: correlation_rule
RuleID: "AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta"
DisplayName: "AWS Console Sign-In NOT PRECEDED BY Okta Redirect"
Enabled: false
Tags:
- AWS
- Configuration Required
- Okta
- Actor Profiles
Severity: High
Description: A user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta and both log sources configured.
Detection:
- Sequence:
- ID: Okta SSO to AWS
RuleID: Okta.SSO.to.AWS
Absence: true
- ID: AWS Console Sign-In
RuleID: AWS.Console.Sign-In
Transitions:
- ID: Okta SSO to AWS TO AWS Console Sign-In ON username
From: Okta SSO to AWS
To: AWS Console Sign-In
Match:
- From: p_alert_context.actor
To: userIdentity.userName
WithinTimeFrameMinutes: 15
Schedule:
RateMinutes: 1440
TimeoutMinutes: 5
LookbackWindowMinutes: 2160
Tests:
- Name: AWS Console Sign-In PRECEDED BY Okta Redirect
ExpectedResult: false
RuleOutputs:
- ID: Okta SSO to AWS
Matches:
p_alert_context.actor:
igor.stravinsky:
- 0
- ID: AWS Console Sign-In
Matches:
userIdentity.userName:
igor.stravinsky:
- 2
- Name: AWS Console Sign-In NOT PRECEDED BY Okta Redirect
ExpectedResult: true
RuleOutputs:
- ID: AWS Console Sign-In
Matches:
userIdentity.userName:
igor.stravinsky:
- 2
Detection logic
Stage 1: step Okta SSO to AWS (negated) ordered before $AWS Console Sign-In
References detection Okta.SSO.to.AWS.
Stage 2: step AWS Console Sign-In ordered after $Okta SSO to AWS
References detection AWS.Console.Sign-In.