detection-rules
[New Hunt] Detect users authenticating with Okta to more than 10 unique apps within a 5 minute period (with app details)
Description
Detect users authenticating with Okta to more than 10 unique apps within a 5 minute period. This is meant to detect Discovery or Lateral Movement attempts.
This is being submitted as a hunt since values is still beta and considered risky for performance. A rule version using count_distinct (which loses app details) is being tracked under: #4099
Related rules
- 4edd3e1a-3aa0-499b-8147-4d2ea43b1613 okta Unauthorized Access to an Okta Application
Target Ruleset
okta
Target Rule Type
ES|QL
Query
from logs-okta*
| where event.action == "user.authentication.sso"
// fixed 5-minute buckets, so the "within a 5 minute period" part of the hunt is actually enforced
| eval window = date_trunc(5 minutes, @timestamp)
// values() already returns the distinct set of apps, so no mv_dedupe is needed
| stats unique_apps = values(okta.target_app.display_name) by user.email, window
| eval total_apps = mv_count(unique_apps)
| where total_apps > 10
| sort total_apps desc
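The same detection logic reimplemented in Python over constructed Okta SSO events, as an added example for testing the hunt offline; it is not code from the detection-rules repository or from the issue author. It assumes the flattened ECS field names used in the query (event.action, user.email, okta.target_app.display_name, @timestamp); the sample events, the threshold constant and the helper names are constructed for the example. It goes one step beyond the query by adding a sliding-window variant that shows the burst a fixed 5-minute bucket splits across two rows.

```python
# Added example (not from the detection-rules project): the Okta app-fanout
# hunt over constructed System Log events, bucketed like the ES|QL query
# (stats values(app) by user.email, date_trunc(5 minutes)) plus a sliding variant.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 10  # the hunt flags users with MORE than this many distinct apps


def parse_ts(s):
    """Parse an ISO-8601 timestamp; real Okta events use a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_app_fanout(events, window=WINDOW, threshold=THRESHOLD):
    """Fixed-bucket form, mirroring the query: {user: {bucket_start: [apps]}}
    for each 5-minute bucket in which a user reached more than `threshold`
    distinct apps via SSO."""
    apps = defaultdict(set)
    for ev in events:
        if ev.get("event.action") != "user.authentication.sso":
            continue  # where event.action == "user.authentication.sso"
        ts = parse_ts(ev["@timestamp"])
        # date_trunc(5 minutes, @timestamp): floor to the start of the bucket
        bucket = ts - timedelta(minutes=ts.minute % 5, seconds=ts.second,
                                microseconds=ts.microsecond)
        # values() semantics: a set, so repeat logins to one app count once
        apps[(ev["user.email"], bucket)].add(ev["okta.target_app.display_name"])
    hits = {}
    for (user, bucket), names in apps.items():
        if len(names) > threshold:  # where total_apps > 10
            hits.setdefault(user, {})[bucket.isoformat()] = sorted(names)
    return hits


def detect_app_fanout_sliding(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window variant: for every SSO event, count the distinct apps the
    same user reached in the preceding `window`. Returns {user: max_distinct}
    for users over the threshold, catching bursts that straddle a bucket edge."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("event.action") != "user.authentication.sso":
            continue
        per_user[ev["user.email"]].append(
            (parse_ts(ev["@timestamp"]), ev["okta.target_app.display_name"]))
    hits = {}
    for user, rows in per_user.items():
        rows.sort()
        for i, (ts, _) in enumerate(rows):
            seen = {app for t, app in rows[:i + 1] if t >= ts - window}
            if len(seen) > threshold:
                hits[user] = max(hits.get(user, 0), len(seen))
    return hits


# ---- constructed sample data (not real Okta logs) -------------------------
T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def _ev(offset, user, app, action="user.authentication.sso"):
    """One constructed Okta event `offset` after T0, with flattened ECS keys."""
    return {"@timestamp": (T0 + offset).isoformat(), "event.action": action,
            "user.email": user, "okta.target_app.display_name": app}


S = lambda n: timedelta(seconds=n)
M = lambda n: timedelta(minutes=n)

SAMPLE_EVENTS = (
    [_ev(S(15 * i), "burst@example.com", f"App-{i}") for i in range(12)]    # 12 apps in <3 min: flagged
    + [_ev(S(65), "burst@example.com", "App-0")]                              # repeat login, no new app
    + [_ev(S(i), "normal@example.com", f"App-{i}") for i in range(5)]        # 5 apps: under threshold
    + [_ev(M(5 * i), "slow@example.com", f"App-{i}") for i in range(12)]     # one app per 5-min bucket
    + [_ev(M(58) + S(15 * i), "straddle@example.com", f"App-{i}")            # 12 apps across the
       for i in range(12)]                                                   # 10:55 / 11:00 boundary
    + [_ev(S(1), "normal@example.com", "App-99", action="user.session.start")]  # not SSO: filtered
)

if __name__ == "__main__":
    print("bucketed:", detect_app_fanout(SAMPLE_EVENTS))
    print("sliding: ", detect_app_fanout_sliding(SAMPLE_EVENTS))
```

The bucketed function flags only the burst user; the straddle user, whose 12 logins fall 8 into the 10:55 bucket and 4 into the 11:00 bucket, is missed by date_trunc but caught by the sliding variant. That gap is the trade-off of the fixed-bucket query: cheap to run in ES|QL, but a burst that crosses a bucket boundary needs a smaller bucket, a lower threshold, or a sequence/sliding approach to surface.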
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.