Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Okta Password Health Report Query

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Okta Password Health Report Query

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Okta Password Health Report Query
id: 0d58814b-1660-4d31-8c93-d1086ed24cba
status: test
description: |
    Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI.
    Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
tags:
    - attack.credential-access
    - detection.threat-hunting
logsource:
    service: okta
    product: okta
detection:
    selection:
        debugContext.debugData.requestUri|contains: '/reports/password-health/'
    condition: selection
falsepositives:
    - OKTA Admin Activites via Web Console UI.
    - This rule is recommended to be used for threat hunting, especially in the context of OKTA support incident in OCT-2023.
    - This rule can be used to hunt the activity against endpoints like /reports/password-health/async_csv_download_schedule?, which are typically used from Okta Admin Console UI only, without any corresponding admin console login. See reference
level: low

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml