LoFP / if an end-user incorrectly identifies normal activity as suspicious.

Techniques

• t1586
• t1586.003

Sample rules

Okta Suspicious Activity Reported by End-user

• source: sigma
• technicques:
  • t1586
  • t1586.003

Description

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Detection logic

condition: selection
selection:
  eventtype: user.account.report_suspicious_activity_by_enduser