detection-rules
[New Rule][BBR] Detect authentication to a new Okta app over the last 30 days
Description
Detect a user authenticating via SSO to an Okta app that the user has not been seen authenticating to in the last 30 days. This is meant to detect Discovery or Lateral Movement attempts.
An ES|QL hunt version is being tracked here: #4102
Target Ruleset
okta
Target Rule Type
New Terms
Tested ECS Version
No response
Query
event.action:"user.authentication.sso"
New terms
user.email, okta.target_app.display_name
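The New Terms logic of this rule, as an added example that is not code from the detection-rules repository: a Python replay over constructed Okta SSO events that applies the query filter and alerts whenever a (user.email, okta.target_app.display_name) pair has not been observed within the preceding 30-day history window.

```python
from datetime import datetime, timedelta

# Constructed sample events using the ECS field names the rule relies on (not real Okta data).
EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.action": "user.authentication.sso",
     "user.email": "alice@example.com", "okta.target_app.display_name": "Salesforce"},
    {"@timestamp": "2024-05-02T09:05:00Z", "event.action": "user.authentication.sso",
     "user.email": "alice@example.com", "okta.target_app.display_name": "Salesforce"},
    {"@timestamp": "2024-05-03T08:00:00Z", "event.action": "user.authentication.sso",
     "user.email": "bob@example.com", "okta.target_app.display_name": "Salesforce"},
    {"@timestamp": "2024-05-03T11:30:00Z", "event.action": "user.authentication.sso",
     "user.email": "alice@example.com", "okta.target_app.display_name": "AWS Console"},
    # Different event.action: excluded by the rule's query.
    {"@timestamp": "2024-05-04T07:00:00Z", "event.action": "user.session.start",
     "user.email": "alice@example.com", "okta.target_app.display_name": "Okta Dashboard"},
    # Same pair as the first event, but more than 30 days later: counts as new again.
    {"@timestamp": "2024-06-15T10:00:00Z", "event.action": "user.authentication.sso",
     "user.email": "alice@example.com", "okta.target_app.display_name": "Salesforce"},
]

HISTORY_WINDOW = timedelta(days=30)  # the rule's "last 30 days" history window


def new_terms_alerts(events, window=HISTORY_WINDOW):
    """Replay events in time order and return one alert per SSO authentication
    whose (user.email, okta.target_app.display_name) pair has not been seen
    within the preceding `window`."""
    last_seen = {}   # (user.email, app display name) -> datetime of most recent SSO event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        # Query filter: event.action:"user.authentication.sso"
        if ev.get("event.action") != "user.authentication.sso":
            continue
        key = (ev["user.email"], ev["okta.target_app.display_name"])
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append({"timestamp": ev["@timestamp"], "user": key[0], "app": key[1]})
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for a in new_terms_alerts(EVENTS):
        print(f"{a['timestamp']} new app for {a['user']}: {a['app']}")
```

On a freshly onboarded data source every pair is new during the first window, so expect a burst of alerts until the baseline fills.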
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.