[New Hunt] Detect authentication to a new Okta app over the last 30 days

[brokensound77]

Description

Detect users authenticating to a newly seen Okta app over the last 30 days. This is meant to detect Discovery or Lateral Movement attempts.

A new terms BBR version is being tracked here: #4101

Note: the query logic below emulates new terms but with more control

Target Ruleset

okta

Target Rule Type

ES|QL

Tested ECS Version

No response

Query

from logs-okta*
| where event.action == "user.authentication.sso"
| stats by user.email, okta.target_app.display_name, day=bucket(@timestamp, 1 day)
| eval today=to_datetime(concat(substring(to_string(now()), 0, 10), "T00:00:00.000Z"))
| eval seen_today=day == today
| stats seen=values(seen_today), total=count(okta.target_app.display_name) by user.email, okta.target_app.display_name
| where mv_count(seen) == 1 and seen
| sort user.email, okta.target_app.display_name

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response

[terrancedejesus]

🚀 Note - Check all fields in queries as okta.target_app.display_name is not a native field in the Okta system logs integration OOTB.

[botelastic[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[botelastic[bot]]

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.