Threat Hunt | low | test

Okta Password Health Report Query

Detects all activities against the endpoint "/reports/password-health/*", which should only be accessed via the Okta Admin Console UI. Use this rule to hunt for potentially suspicious requests. Correlate this event with an "admin console" login and alert on requests without any corresponding admin console login.

Muhammad Faisal | Created Wed Oct 25 | 0d58814b-1660-4d31-8c93-d1086ed24cba | cloud
Hunting Hypothesis
Log Source
Product: okta
Service: okta
Detection Logic (1 selector)
detection:
    selection:
        debugContext.debugData.requestUri|contains: '/reports/password-health/'
    condition: selection
False Positives

Okta admin activities via the Web Console UI.

This rule is recommended for threat hunting, especially in the context of the Okta support incident of October 2023.

This rule can be used to hunt for activity against endpoints such as /reports/password-health/async_csv_download_schedule?, which are typically used only from the Okta Admin Console UI, when there is no corresponding admin console login. See reference.
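As an added example (not part of the rule or the Sigma project), the selection above applied to constructed Okta System Log events, together with the admin-console correlation the description recommends: a matching report request is reported when the same actor has no Admin Console login shortly before it. The login event type user.session.access_admin_app and the one-hour look-back are assumptions, not values from the page.

```python
import json
from datetime import datetime, timedelta

# Selection from the Sigma rule: requestUri contains this fragment.
REQUEST_URI_FRAGMENT = "/reports/password-health/"
# Assumed Okta System Log eventType for an Admin Console login (not named on the page).
ADMIN_LOGIN_EVENT = "user.session.access_admin_app"
# Assumed look-back: a report request is treated as benign if the same actor
# logged in to the Admin Console within this window before it.
CORRELATION_WINDOW = timedelta(hours=1)

# Constructed sample System Log events (not real data); fields trimmed to what we use.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"published":"2023-10-25T09:00:00Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"alice@example.test"},"debugContext":{"debugData":{"requestUri":"/admin/dashboard"}}}
{"published":"2023-10-25T09:05:00Z","actor":{"alternateId":"alice@example.test"},"debugContext":{"debugData":{"requestUri":"/reports/password-health/async_csv_download_schedule"}}}
{"published":"2023-10-25T07:00:00Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"bob@example.test"},"debugContext":{"debugData":{"requestUri":"/admin/dashboard"}}}
{"published":"2023-10-25T09:30:00Z","actor":{"alternateId":"bob@example.test"},"debugContext":{"debugData":{"requestUri":"/reports/password-health/async_csv_download_schedule"}}}
{"published":"2023-10-25T10:00:00Z","actor":{"alternateId":"mallory@example.test"},"debugContext":{"debugData":{"requestUri":"/reports/password-health/async_csv_download_schedule"}}}
""".strip().splitlines()]


def request_uri(event):
    return event.get("debugContext", {}).get("debugData", {}).get("requestUri", "")


def matches_selection(event):
    """Sigma selection: debugContext.debugData.requestUri|contains '/reports/password-health/'."""
    return REQUEST_URI_FRAGMENT in request_uri(event)


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt(events):
    """Return (actor, requestUri) for matching requests with no Admin Console
    login by the same actor within CORRELATION_WINDOW before the request."""
    logins = {}
    for e in events:
        if e.get("eventType") == ADMIN_LOGIN_EVENT:
            logins.setdefault(e["actor"]["alternateId"], []).append(parse_ts(e["published"]))
    findings = []
    for e in events:
        if not matches_selection(e):
            continue
        actor, ts = e["actor"]["alternateId"], parse_ts(e["published"])
        # Benign only if some login by this actor falls inside the look-back window.
        if not any(timedelta(0) <= ts - t <= CORRELATION_WINDOW for t in logins.get(actor, [])):
            findings.append((actor, request_uri(e)))
    return findings
```

On the sample data, alice's request follows her console login and is dropped, while bob's (login too long before) and mallory's (no login at all) are returned by hunt().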

MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
0d58814b-1660-4d31-8c93-d1086ed24cba
Status
test
Level
low
Type
Threat Hunt
Created
Wed Oct 25
Path
rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
Raw Tags
attack.credential-access, detection.threat-hunting