Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threatmediumtest

Okta 2023 Breach Indicator Of Compromise

Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Muhammad FaisalCreated Wed Oct 2500a8e92a-776b-425f-80f2-82d8f8fab2e52023
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Oktaokta
ProductOkta← raw: okta
Serviceokta← raw: okta
Detection Logic
Detection Logic1 selector
detection:
    selection:
        eventtype:
            - 'user.lifecycle.create'
            - 'user.lifecycle.activate'
        target.user.display.name|contains: 'svc_network_backup'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
beyondtrust.com
2
Resolving title…
developer.okta.com
MITRE ATT&CK

Other

detection.emerging-threats
Rule Metadata
Rule ID
00a8e92a-776b-425f-80f2-82d8f8fab2e5
Status
test
Level
medium
Type
Emerging Threat
Created
Wed Oct 25
Author
Muhammad Faisal
Path
rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
Raw Tags
attack.credential-accessdetection.emerging-threats
View on GitHub