Okta ThreatInsight Threat Detected
- source: splunk
- techniques:
  - T1078
  - T1078.004
Description
This anomaly-type detection is based on threats identified by Okta ThreatInsight. It can be used to escalate risk based on src_ip or to add fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users.
Detection logic
`okta` eventType = security.threat.detected
| rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city
| stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_threatinsight_threat_detected_filter`
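The search above filters Okta System Log events to `security.threat.detected`, renames the nested geographical fields, and aggregates by the listed fields to get a count plus first and last seen time per source. The following Python script is an added example, not part of the rule or of Splunk's security content: it reproduces that filter-and-aggregate logic over a handful of constructed Okta events so the output shape can be inspected offline. The mapping from raw Okta JSON to the flat field names the SPL uses (`src_ip`, `user_agent`, `app`, `signature`) is assumed to be what the Splunk Okta add-on's extractions produce, and `ctime()` imitates the `security_content_ctime` macro's timestamp formatting.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Fields the SPL groups by, in the same order as the `stats ... by` clause.
GROUP_FIELDS = [
    "app", "src_ip", "signature", "eventType", "displayMessage", "client.device",
    "city", "state", "country", "user_agent", "outcome.reason", "outcome.result", "severity",
]


def threat_event(published, ip, reason, event_type="security.threat.detected"):
    """Build a constructed Okta System Log record (invented values, not real telemetry)."""
    return {
        "eventType": event_type,
        "published": published,
        "displayMessage": "Request from suspicious actor",
        "severity": "WARN",
        "client": {
            "ipAddress": ip,
            "device": "Computer",
            "userAgent": {"rawUserAgent": "Mozilla/5.0 (constructed sample)"},
            "geographicalContext": {"country": "Exampleland", "state": "ExState", "city": "ExCity"},
        },
        "outcome": {"result": "FAILURE", "reason": reason},
    }


# Constructed sample input: two hits from one source, one from another, and one
# unrelated login event that the eventType filter must drop.
SAMPLE_EVENTS = [
    threat_event("2024-03-01T08:00:00.000Z", "203.0.113.10", "Password Spray"),
    threat_event("2024-03-01T08:10:00.000Z", "203.0.113.10", "Password Spray"),
    threat_event("2024-03-01T09:00:00.000Z", "203.0.113.77", "Login Failures"),
    threat_event("2024-03-01T09:05:00.000Z", "203.0.113.77", "n/a", event_type="user.session.start"),
]


def normalize(ev):
    """Flatten a raw event into the field names the SPL uses (assumed add-on mapping)."""
    client = ev.get("client", {})
    geo = client.get("geographicalContext", {})
    published = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
    return {
        "_time": published.timestamp(),
        "app": "okta",                        # assumed: add-on sets app to the product name
        "src_ip": client.get("ipAddress", ""),
        "signature": ev["eventType"],         # assumed: add-on maps signature to eventType
        "eventType": ev["eventType"],
        "displayMessage": ev.get("displayMessage", ""),
        "client.device": client.get("device", ""),
        "city": geo.get("city", ""),          # the SPL's rename of client.geographicalContext.*
        "state": geo.get("state", ""),
        "country": geo.get("country", ""),
        "user_agent": client.get("userAgent", {}).get("rawUserAgent", ""),
        "outcome.reason": ev.get("outcome", {}).get("reason", ""),
        "outcome.result": ev.get("outcome", {}).get("result", ""),
        "severity": ev.get("severity", ""),
    }


def ctime(epoch):
    """Imitates security_content_ctime: epoch seconds -> ISO-like string in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect(events):
    """Apply the filter and the stats aggregation; returns one row per group, sorted by src_ip."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("eventType") != "security.threat.detected":   # eventType filter
            continue
        row = normalize(ev)
        key = tuple(row[f] for f in GROUP_FIELDS)
        groups[key].append(row["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["count"] = len(times)
        row["firstTime"] = ctime(min(times))
        row["lastTime"] = ctime(max(times))
        rows.append(row)
    return sorted(rows, key=lambda r: r["src_ip"])


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["src_ip"], row["outcome.reason"], row["count"], row["firstTime"], row["lastTime"])
```

Running it yields two rows: the repeated source is collapsed into one row with `count` 2 and a ten-minute first/last window, while the `user.session.start` record never reaches the aggregation. The same grouping is what the rule's `src_ip`-based risk escalation keys on, so any field you add to `GROUP_FIELDS` (or to the SPL's `by` clause) will split rows the same way in both places.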