Rule Library

Sigma Rules

23 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test

Okta Admin Functions Access Through Proxy

Detects access to Okta admin functions through a proxy.

Okta · okta
TA0006 · Credential Access
Muhammad Faisal · Wed Oct 25 · identity
Detection · medium · test

Okta Admin Role Assigned to an User or Group

Detects when the Administrator role is assigned to a user or group.

Okta · okta
TA0004 · Privilege Escalation · TA0003 · Persistence · T1098.003 · Additional Cloud Roles
Austin Songer · Sun Sep 12 · identity
Detection · medium · test

Okta Admin Role Assignment Created

Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.

Okta · okta
TA0003 · Persistence
Nikita Khalimonenkov · Thu Jan 19 · identity
Detection · medium · test

Okta API Token Created

Detects when an API token is created.

Okta · okta
TA0003 · Persistence
Austin Songer · Sun Sep 12 · identity
Detection · medium · test

Okta API Token Revoked

Detects when an API token is revoked.

Okta · okta
TA0040 · Impact
Austin Songer · Sun Sep 12 · identity
Detection · medium · test

Okta Application Modified or Deleted

Detects when an application is modified or deleted.

Okta · okta
TA0040 · Impact
Austin Songer · Sun Sep 12 · identity
Detection · medium · test

Okta Application Sign-On Policy Modified or Deleted

Detects when an application sign-on policy is modified or deleted.

Okta · okta
TA0040 · Impact
Austin Songer · Sun Sep 12 · identity
Detection · high · test

Okta FastPass Phishing Detection

Detects when Okta FastPass prevents a known phishing site.

Okta · okta
TA0001 · Initial Access · T1566 · Phishing
Austin Songer · Sun May 07 · identity
Detection · medium · test

Okta Identity Provider Created

Detects when a new identity provider is created for Okta.

Okta · okta
TA0004 · Privilege Escalation · TA0003 · Persistence · T1098.001 · Additional Cloud Credentials
kelnage · Thu Sep 07 · identity
Detection · medium · test

Okta MFA Reset or Deactivated

Detects an attempt to deactivate or reset MFA.

Okta · okta
TA0003 · Persistence · TA0006 · Credential Access · TA0005 · Defense Evasion · T1556.006 · Multi-Factor Authentication
Austin Songer · Tue Sep 21 · identity
Detection · medium · test

Okta Network Zone Deactivated or Deleted

Detects when a network zone is deactivated or deleted.

Okta · okta
TA0040 · Impact
Austin Songer · Sun Sep 12 · identity
Detection · high · test

Okta New Admin Console Behaviours

Detects when Okta identifies new activity in the Admin Console.

Okta · okta
TA0004 · Privilege Escalation · TA0003 · Persistence · TA0005 · Defense Evasion · TA0001 · Initial Access (+1)
kelnage · Thu Sep 07 · identity
Detection · high · test

Potential Okta Password in AlternateID Field

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

Okta · okta
TA0006 · Credential Access · T1552 · Unsecured Credentials
kelnage · Mon Apr 03 · identity
Detection · low · test

Okta Policy Modified or Deleted

Detects when an Okta policy is modified or deleted.

Okta · okta
TA0040 · Impact
Austin Songer · Sun Sep 12 · identity
Detection · medium · test

Okta Policy Rule Modified or Deleted

Detects when a policy rule is modified or deleted.

Okta · okta
TA0040 · Impact
Austin Songer · Sun Sep 12 · identity
Detection · medium · test

Okta Security Threat Detected

Detects when a security threat is detected in Okta.

Okta · okta
TA0011 · Command and Control
Austin Songer · Sun Sep 12 · identity
Detection · high · test

Okta Suspicious Activity Reported by End-user

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Okta · okta
TA0042 · Resource Development · T1586.003 · Cloud Accounts
kelnage · Thu Sep 07 · identity
Detection · medium · test

Okta Unauthorized Access to App

Detects when unauthorized access to an app occurs.

Okta · okta
TA0040 · Impact
Austin Songer · Sun Sep 12 · identity
Detection · medium · test

Okta User Account Locked Out

Detects when a user account is locked out.

Okta · okta
TA0040 · Impact · T1531 · Account Access Removal
Austin Songer · Sun Sep 12 · identity
Detection · informational · test

New Okta User Created

Detects new user account creation.

Okta · okta
TA0006 · Credential Access
Nasreddine Bencherchali (Nextron Systems) · Wed Oct 25 · identity
Detection · high · test

Okta User Session Start Via An Anonymising Proxy Service

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Okta · okta
TA0005 · Defense Evasion · T1562.006 · Indicator Blocking
kelnage · Thu Sep 07 · identity
Emerging Threat · medium · test

Okta 2023 Breach Indicator Of Compromise

Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate usernames used in your environment.

Okta · okta
TA0006 · Credential Access · detection.emerging-threats
Muhammad Faisal · Wed Oct 25 · 2023
Threat Hunt · low · test

Okta Password Health Report Query

Detects all activities against the endpoint "/reports/password-health/*", which should only be accessed via the Okta Admin Console UI. Use this rule to hunt for potentially suspicious requests. Correlate this event with an "admin console" login and alert on requests without any corresponding admin console login.

Okta · okta
TA0006 · Credential Access · detection.threat-hunting
Muhammad Faisal · Wed Oct 25 · cloud