Detectionhightest
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Oktaokta
ProductOkta← raw: okta
Serviceokta← raw: okta
Detection Logic
Detection Logic1 selector
detection:
selection:
eventtype: 'user.account.report_suspicious_activity_by_enduser'
condition: selectionFalse Positives
If an end-user incorrectly identifies normal activity as suspicious.
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
07e97cc6-aed1-43ae-9081-b3470d2367f1
Status
test
Level
high
Type
Detection
Created
Thu Sep 07
Author
Path
rules/identity/okta/okta_suspicious_activity_enduser_report.yml
Raw Tags
attack.resource-developmentattack.t1586.003