LoFP / False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary.

Techniques

Sample rules

Okta ThreatInsight Threat Detected

Description

This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users.

Detection logic

`okta` eventType = security.threat.detected 
| rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city 
| stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `okta_threatinsight_threat_detected_filter`
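The search above, emulated in Python over constructed Okta System Log events (an added example, not code from this page, the Splunk rule, or Okta): it filters on eventType, maps client.geographicalContext to country/state/city, and computes count, firstTime and lastTime per grouping key. It assumes src_ip and user_agent come from client.ipAddress and client.userAgent.rawUserAgent, models the site-specific `okta_threatinsight_threat_detected_filter` macro as a src_ip allow-list, and omits the app, signature and client.device fields, which depend on the Splunk add-on's field extractions.

```python
# Added example: emulate the Okta ThreatInsight search over constructed events.
KEY_FIELDS = ("src_ip", "eventType", "displayMessage", "city", "state", "country",
              "user_agent", "outcome.reason", "outcome.result", "severity")


def _evt(event_type, ts, ip, country, state, city, reason):
    """Build a minimal constructed Okta System Log event (test data, not real logs)."""
    return {"eventType": event_type, "published": ts, "displayMessage": "Threat detected",
            "severity": "WARN", "outcome": {"result": "DENY", "reason": reason},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": "curl/8.0"},
                       "geographicalContext": {"country": country, "state": state, "city": city}}}


SAMPLE_EVENTS = [  # constructed: two hits from one IP, one from another, one non-threat event
    _evt("security.threat.detected", "2024-05-01T10:00:00Z", "203.0.113.5", "US", "CA", "San Jose", "Password spray"),
    _evt("security.threat.detected", "2024-05-01T10:05:00Z", "203.0.113.5", "US", "CA", "San Jose", "Password spray"),
    _evt("security.threat.detected", "2024-05-01T11:00:00Z", "198.51.100.7", "DE", "BE", "Berlin", "Login failures"),
    _evt("user.session.start", "2024-05-01T11:30:00Z", "203.0.113.5", "US", "CA", "San Jose", "SUCCESS"),
]


def threat_detected_stats(events, allowlist=frozenset()):
    """Filter on eventType, rename geo fields, then stats count/min(_time)/max(_time) by KEY_FIELDS.
    `allowlist` stands in for the site-specific filter macro (assumption: a src_ip allow-list).
    Timestamps are ISO-8601 UTC strings of identical shape, so min/max compare correctly."""
    groups = {}
    for e in events:
        if e.get("eventType") != "security.threat.detected":   # eventType = security.threat.detected
            continue
        client, outcome = e.get("client", {}), e.get("outcome", {})
        geo = client.get("geographicalContext", {})            # rename ... as country/state/city
        key = (client.get("ipAddress"), e["eventType"], e.get("displayMessage"),
               geo.get("city"), geo.get("state"), geo.get("country"),
               client.get("userAgent", {}).get("rawUserAgent"),
               outcome.get("reason"), outcome.get("result"), e.get("severity"))
        ts = e["published"]
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        g["count"] += 1
        g["firstTime"], g["lastTime"] = min(g["firstTime"], ts), max(g["lastTime"], ts)
    rows = [dict(zip(KEY_FIELDS, k), **v) for k, v in groups.items()]
    # `okta_threatinsight_threat_detected_filter` runs last in the SPL; apply the allow-list here.
    return [r for r in rows if r["src_ip"] not in allowlist]


if __name__ == "__main__":
    for row in threat_detected_stats(SAMPLE_EVENTS):
        print(row["src_ip"], row["count"], row["firstTime"], row["lastTime"], row["outcome.reason"])
```

Tuning the allow-list (or whatever the real macro excludes) is where the false-positive note above applies: known scanners or office egress addresses that ThreatInsight flags repeatedly can be removed here rather than by lowering the risk score globally.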