Okta Login Signal

Severity: informational
Log types: Okta.SystemLog
Source: github.com/panther-labs/panther-analysis

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Failed Logins from Unknown or Invalid User (Kusto)
First Occurrence of Okta User Session Started via Proxy (Elastic)
High-Risk Admin Activity (Kusto)
Multiple Okta Sessions Detected for a Single User (Elastic)
Multiple Okta User Authentication Events with Same Device Token Hash (Elastic)
New Device/Location sign-in along with critical operation (Kusto)
Okta AiTM Session Cookie Replay (Elastic)
Okta Potentially Stolen Session (Panther)

Rule body yaml

AnalysisType: rule
Filename: okta_login_signal.py
RuleID: "Okta.Login.Success"
DisplayName: "Okta Login Signal"
Enabled: false
CreateAlert: false
LogTypes:
  - Okta.SystemLog
Severity: Info
DedupPeriodMinutes: 60
Threshold: 1
Tests:
  - Name: Non-Login Event
    ExpectedResult: false
    Log:
      actor:
        alternateId: jim.kalafut@panther.com
        displayName: Jim Kalafut
        id: 00u99ped55av2JpGs5d7
        type: User
      authenticationContext:
        authenticationStep: 0
        externalSessionId: trsxcsf59kYRG-GwAbWjw-PZA
      client:
        device: Unknown
        ipAddress: 11.22.33.44
        userAgent:
          browser: UNKNOWN
          os: Unknown
          rawUserAgent: Go-http-client/2.0
        zone: "null"
      debugContext:
        debugData:
          dtHash: 53dd1a7513e0256eb13b9a47bb07ed61e8ca3d35fbdc36c909567a21a65a2b19
          rateLimitBucketUuid: b192d91c-b242-36da-9332-d97a5579f865
          rateLimitScopeType: ORG
          rateLimitSecondsToReset: "6"
          requestId: 234cf34e0081e025e1fe14224464bbd6
          requestUri: /api/v1/logs
          threshold: "20"
          timeSpan: "1"
          timeUnit: MINUTES
          url: /api/v1/logs?since=2023-09-21T17%3A04%3A22Z&limit=1000&after=1714675441520_1
          userId: 00u99ped55av2JpGs5d7
          warningPercent: "60"
      displayMessage: Rate limit warning
      eventType: system.org.rate_limit.warning
      legacyEventType: core.framework.ratelimit.warning
      outcome:
        result: SUCCESS
      published: "2024-05-02 18:46:21.121000000"
      request:
        ipChain:
          - ip: 11.22.33.44
            version: V4
      securityContext: {}
      severity: WARN
      target:
        - id: /api/v1/logs
          type: URL Pattern
        - id: b192d91c-b242-36da-9332-d97a5579f865
          type: Bucket Uuid
      transaction:
        detail:
          requestApiTokenId: 00T1bjatrp6Nl1dOc5d7
        id: 234cf34e0081e025e1fe14224464bbd6
        type: WEB
      uuid: 44aeb388-08b4-11ef-9cec-73ffcb6f9fdd
      version: "0"
  - Name: Successful Login
    ExpectedResult: true
    Log:
      actor:
        alternateId: casey.hill@hey.com
        displayName: Casey Hill
        id: 00ubewfku1EX0WCFk697
        type: User
      authenticationContext:
        authenticationStep: 0
        externalSessionId: idxvF50v_5sT2-GOA7_K0Amyw
      client:
        device: Computer
        geographicalContext:
          city: Atlanta
          country: United States
          geolocation:
            lat: 33.9794
            lon: -84.3459
          postalCode: "30350"
          state: Georgia
        ipAddress: 99.108.5.25
        userAgent:
          browser: CHROME
          os: Mac OS 14.4.1 (Sonoma)
          rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
        zone: "null"
      debugContext:
        debugData:
          authnRequestId: 5167029d2c8308348d651c0be650230f
          dtHash: f23be3b6d8bfd69c14e0d1b33e790b84fa5358eab0a09a1058816ad65d633da4
          oktaUserAgentExtended: okta-auth-js/7.0.1 okta-signin-widget-7.16.1
          origin: https://trial-2340039.okta.com
          requestId: 601b158a3b3e23be5bbf74d0fe63cd78
          requestUri: /idp/idx/challenge/answer
          threatSuspected: "false"
          url: /idp/idx/challenge/answer?
      displayMessage: User login to Okta
      eventType: user.session.start
      legacyEventType: core.user_auth.login_success
      outcome:
        result: SUCCESS
      published: "2024-04-02 19:17:37.621000000"
      request:
        ipChain:
          - geographicalContext:
              city: Atlanta
              country: United States
              geolocation:
                lat: 33.9794
                lon: -84.3459
              postalCode: "30350"
              state: Georgia
            ip: 99.108.5.25
            version: V4
      securityContext:
        asNumber: 7018
        asOrg: at&t corp.
        domain: sbcglobal.net
        isProxy: false
        isp: att services inc
      severity: INFO
      target:
        - alternateId: unknown
          displayName: Password
          id: lae1at5k3ir9bV1gr697
          type: AuthenticatorEnrollment
        - alternateId: Okta Dashboard
          displayName: Okta Dashboard
          id: 0oabewfkt83T8ve1o697
          type: AppInstance
      transaction:
        detail: {}
        id: 601b158a3b3e23be5bbf74d0fe63cd78
        type: WEB
      uuid: aac560bd-f125-11ee-9caa-cd5d09945def
      version: "0"
  - Name: Failed Login
    ExpectedResult: false
    Log:
      actor:
        alternateId: casey.hill@hey.com
        displayName: Casey Hill
        id: 00ubewfku1EX0WCFk697
        type: User
      authenticationContext:
        authenticationStep: 0
        externalSessionId: idxvF50v_5sT2-GOA7_K0Amyw
      client:
        device: Computer
        geographicalContext:
          city: Atlanta
          country: United States
          geolocation:
            lat: 33.9794
            lon: -84.3459
          postalCode: "30350"
          state: Georgia
        ipAddress: 99.108.5.25
        userAgent:
          browser: CHROME
          os: Mac OS 14.4.1 (Sonoma)
          rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
        zone: "null"
      debugContext:
        debugData:
          authnRequestId: 5167029d2c8308348d651c0be650230f
          dtHash: f23be3b6d8bfd69c14e0d1b33e790b84fa5358eab0a09a1058816ad65d633da4
          oktaUserAgentExtended: okta-auth-js/7.0.1 okta-signin-widget-7.16.1
          origin: https://trial-2340039.okta.com
          requestId: 601b158a3b3e23be5bbf74d0fe63cd78
          requestUri: /idp/idx/challenge/answer
          threatSuspected: "false"
          url: /idp/idx/challenge/answer?
      displayMessage: User login to Okta
      eventType: user.session.start
      legacyEventType: core.user_auth.login_success
      outcome:
        result: FAILURE
      published: "2024-04-02 19:17:37.621000000"
      request:
        ipChain:
          - geographicalContext:
              city: Atlanta
              country: United States
              geolocation:
                lat: 33.9794
                lon: -84.3459
              postalCode: "30350"
              state: Georgia
            ip: 99.108.5.25
            version: V4
      securityContext:
        asNumber: 7018
        asOrg: at&t corp.
        domain: sbcglobal.net
        isProxy: false
        isp: att services inc
      severity: INFO
      target:
        - alternateId: unknown
          displayName: Password
          id: lae1at5k3ir9bV1gr697
          type: AuthenticatorEnrollment
        - alternateId: Okta Dashboard
          displayName: Okta Dashboard
          id: 0oabewfkt83T8ve1o697
          type: AppInstance
      transaction:
        detail: {}
        id: 601b158a3b3e23be5bbf74d0fe63cd78
        type: WEB
      uuid: aac560bd-f125-11ee-9caa-cd5d09945def
      version: "0"

Detection logic

Condition

eventType eq "user.session.start"
outcome.result eq "SUCCESS"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`eventType`	eq	`user.session.start`
`outcome.result`	eq	`SUCCESS`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`displayName`	`actor.displayName`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)