Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Okta New Admin Console Behaviours

Detects when Okta identifies new activity in the Admin Console.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
kelnageCreated Thu Sep 07Updated Wed Jun 26a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9identity
Log Source
Oktaokta
ProductOkta← raw: okta
Serviceokta← raw: okta
Detection Logic
Detection Logic2 selectors
detection:
    selection_event:
        eventtype: 'policy.evaluate_sign_on'
        target.displayname: 'Okta Admin Console'
    selection_positive:
        - debugcontext.debugdata.behaviors|contains: 'POSITIVE'
        - debugcontext.debugdata.logonlysecuritydata|contains: 'POSITIVE'
    condition: all of selection_*
False Positives

When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.

References
1
Resolving title…
developer.okta.com
2
Resolving title…
sec.okta.com
MITRE ATT&CK
Rule Metadata
Rule ID
a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
Status
test
Level
high
Type
Detection
Created
Thu Sep 07
Modified
Wed Jun 26
Author
kelnage
Path
rules/identity/okta/okta_new_behaviours_admin_console.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.t1078.004
View on GitHub