Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential Okta Password in AlternateID Field

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
kelnageCreated Mon Apr 03Updated Wed Oct 2591b76b84-8589-47aa-9605-c837583b82a9identity
Log Source
Oktaokta
ProductOkta← raw: okta
Serviceokta← raw: okta
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        legacyeventtype: 'core.user_auth.login_failed'
    filter_main:
        # Okta service account names start with 0oa
        # Email addresses are the default format for Okta usernames, so attempt
        # to exclude alternateIds that look like valid emails
        # If your Okta configuration uses different character restrictions, you
        # will need to update this regular expression to reflect that or disable the rule for your environment
        # Possible false negatives are failed login attempts with a password that looks like a valid email address
        actor.alternateid|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})'
    condition: selection and not filter_main
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
developer.okta.com
2
Resolving title…
mitiga.io
3
Resolving title…
help.okta.com
MITRE ATT&CK
Rule Metadata
Rule ID
91b76b84-8589-47aa-9605-c837583b82a9
Status
test
Level
high
Type
Detection
Created
Mon Apr 03
Modified
Wed Oct 25
Author
kelnage
Path
rules/identity/okta/okta_password_in_alternateid_field.yml
Raw Tags
attack.credential-accessattack.t1552
View on GitHub