LoFP: false positives should be minimal, given the high fidelity of this detection.

Techniques

Sample rules

Okta Suspicious Activity Reported

Description

This event is generated when an associate receives an email from Okta asking whether a login attempt was suspicious. If the associate reports it as suspicious, Okta emits the event and the detection surfaces it for review.

Detection logic

`okta` eventType=user.account.report_suspicious_activity_by_enduser
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_suspicious_activity_reported_filter`
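The same detection logic re-implemented in Python over constructed Okta System Log records, as an added example that is not Splunk's or Okta's code: it applies the eventType filter and the stats aggregation from the search above. The sample events and the `exclude_users` stand-in for the `okta_suspicious_activity_reported_filter` tuning macro are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

EVENT_TYPE = "user.account.report_suspicious_activity_by_enduser"
# Constructed Okta System Log records (JSON lines): field names follow the
# search above, values are invented. Two reports from alice, one plain login.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventType": EVENT_TYPE, "published": "2024-01-15T08:01:10.000Z",
     "displayMessage": "User report suspicious activity", "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64)", "browser": "FIREFOX"},
                "geographicalContext": {"city": "Berlin", "country": "Germany"}}},
    {"eventType": EVENT_TYPE, "published": "2024-01-15T08:03:42.000Z",
     "displayMessage": "User report suspicious activity", "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64)", "browser": "FIREFOX"},
                "geographicalContext": {"city": "Berlin", "country": "Germany"}}},
    {"eventType": "user.session.start", "published": "2024-01-15T08:05:00.000Z",
     "displayMessage": "User login to Okta", "actor": {"alternateId": "bob@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0)", "browser": "CHROME"},
                "geographicalContext": {"city": "Austin", "country": "United States"}}},
])

def _epoch(published):
    """Okta's 'published' is ISO-8601 UTC; convert to epoch seconds like _time."""
    dt = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")
    return dt.replace(tzinfo=timezone.utc).timestamp()

def detect(log_text, exclude_users=frozenset()):
    """Mirror the SPL: keep only the report_suspicious_activity eventType, then
    count / min(_time) / max(_time) / values(displayMessage) per user, user agent,
    browser, city and country. exclude_users models the filter macro (assumption)."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None,
                                  "lastTime": None, "displayMessage": set()})
    for line in log_text.splitlines():
        ev = json.loads(line)
        user = ev.get("actor", {}).get("alternateId")
        if ev.get("eventType") != EVENT_TYPE or user in exclude_users:
            continue
        ua = ev.get("client", {}).get("userAgent", {})
        geo = ev.get("client", {}).get("geographicalContext", {})
        key = (user, ev["eventType"], ua.get("rawUserAgent"), ua.get("browser"),
               geo.get("city"), geo.get("country"))
        g, t = groups[key], _epoch(ev["published"])
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["displayMessage"].add(ev.get("displayMessage", ""))
    cols = ("user", "eventType", "rawUserAgent", "browser", "city", "country")
    return [dict(zip(cols, k), **g) for k, g in groups.items()]
```

Each returned row corresponds to one result row of the Splunk search, so a reviewer sees the reporting user, the client fingerprint, the time span of the reports and the distinct messages in one record.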