Techniques
Sample rules
Okta Suspicious Activity Reported
- source: splunk
- techniques:
- T1078
- T1078.001
Description
This event is generated when an associate receives an email from Okta inquiring whether a login attempt was suspicious. If the associate deems it suspicious, an event is generated for review.
Detection logic
`okta` eventType=user.account.report_suspicious_activity_by_enduser
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_suspicious_activity_reported_filter`
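To show what the `stats` clause above actually produces, here is an added Python example (not part of the rule or of Splunk's security content) that applies the same filter and grouping to raw Okta System Log records. It assumes the standard System Log JSON shape (`published`, `eventType`, `displayMessage`, `actor.alternateId`, `client.userAgent.*`, `client.geographicalContext.*`), that Splunk's `user` field corresponds to `actor.alternateId`, and it models the `okta_suspicious_activity_reported_filter` tuning macro as a simple user allowlist; the log lines are constructed, not real tenant data.

```python
import json
from datetime import datetime

# The eventType the Splunk search keys on (taken from the rule above).
SUSPICIOUS_EVENT = "user.account.report_suspicious_activity_by_enduser"

# Constructed sample Okta System Log records in NDJSON form (one JSON object per line).
# Made-up events for illustration only; the first line is a normal login that must be ignored.
SAMPLE_LOG = """\
{"published":"2024-05-01T08:00:00.000Z","eventType":"user.session.start","displayMessage":"User login to Okta","actor":{"alternateId":"alice@example.com"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0","browser":"CHROME"},"geographicalContext":{"city":"Austin","country":"United States"}}}
{"published":"2024-05-01T08:05:00.000Z","eventType":"user.account.report_suspicious_activity_by_enduser","displayMessage":"User report suspicious activity","actor":{"alternateId":"alice@example.com"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0","browser":"CHROME"},"geographicalContext":{"city":"Austin","country":"United States"}}}
{"published":"2024-05-01T09:30:00.000Z","eventType":"user.account.report_suspicious_activity_by_enduser","displayMessage":"User report suspicious activity","actor":{"alternateId":"alice@example.com"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0","browser":"CHROME"},"geographicalContext":{"city":"Austin","country":"United States"}}}
{"published":"2024-05-02T14:00:00.000Z","eventType":"user.account.report_suspicious_activity_by_enduser","displayMessage":"User report suspicious activity","actor":{"alternateId":"bob@example.com"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1","browser":"SAFARI"},"geographicalContext":{"city":"Lagos","country":"Nigeria"}}}
"""


def _get(obj, path):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(part)
    return obj


def _parse_time(published):
    """Okta publishes ISO 8601 UTC timestamps with a trailing Z; make them tz-aware datetimes."""
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def aggregate_suspicious_reports(ndjson_text, excluded_users=()):
    """Python equivalent of the rule's `stats count min(_time) max(_time) values(displayMessage) by ...`.

    Returns one row per (user, eventType, rawUserAgent, browser, city, country) with the
    event count, first/last time and the distinct displayMessage values, sorted by user.
    `excluded_users` stands in for the `okta_suspicious_activity_reported_filter` macro
    (assumed here to be an allowlist of users whose reports should be suppressed).
    """
    rows = {}
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Only end-user "this was suspicious" reports are of interest.
        if ev.get("eventType") != SUSPICIOUS_EVENT:
            continue
        user = _get(ev, "actor.alternateId")  # assumption: Splunk's `user` field maps to actor.alternateId
        if user in excluded_users:
            continue
        key = (
            user,
            ev["eventType"],
            _get(ev, "client.userAgent.rawUserAgent"),
            _get(ev, "client.userAgent.browser"),
            _get(ev, "client.geographicalContext.city"),
            _get(ev, "client.geographicalContext.country"),
        )
        ts = _parse_time(ev["published"])
        row = rows.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts, "messages": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        if ev.get("displayMessage"):
            row["messages"].add(ev["displayMessage"])

    results = []
    for (user, event_type, raw_ua, browser, city, country), row in rows.items():
        results.append({
            "user": user,
            "eventType": event_type,
            "rawUserAgent": raw_ua,
            "browser": browser,
            "city": city,
            "country": country,
            "count": row["count"],
            "firstTime": row["firstTime"].isoformat(),
            "lastTime": row["lastTime"].isoformat(),
            "displayMessage": sorted(row["messages"]),
        })
    return sorted(results, key=lambda r: r["user"])


if __name__ == "__main__":
    for r in aggregate_suspicious_reports(SAMPLE_LOG):
        print(json.dumps(r))
```

Grouping on the user agent and geolocation is what makes the output reviewable: two reports from the same user, browser and city collapse into one row with a count of 2, while a single report from a different country stands out on its own line.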