LoFP / When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.

Techniques

Sample rules

Okta New Admin Console Behaviours

Description

Detects when Okta identifies new activity in the Admin Console.

Detection logic

condition: all of selection_*
selection_event:
  eventtype: policy.evaluate_sign_on
  target.displayname: Okta Admin Console
selection_positive:
- debugcontext.debugdata.behaviors|contains: POSITIVE
- debugcontext.debugdata.logonlysecuritydata|contains: POSITIVE
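
The rule's matching semantics run over constructed sample events, as an added example that is not part of the original page or of the rule's project. The camelCase key names, the shape of the two debug strings and the helper names (make_event, matches, positive_behaviors) are assumptions; positive_behaviors goes beyond the rule by naming which behavior fired, which is what an analyst needs when triaging the false positive described above.

```python
import re

ADMIN_APP = "Okta Admin Console"
FIELDS = ("behaviors", "logOnlySecurityData")

def make_event(event_type, app, behaviors="", log_only=""):
    """Build a constructed event shaped like Okta System Log JSON (assumed camelCase keys)."""
    return {"eventType": event_type,
            "target": [{"type": "AppInstance", "displayName": app}],
            "debugContext": {"debugData": {"behaviors": behaviors,
                                           "logOnlySecurityData": log_only}}}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    # An admin opens the console from a new laptop: the rule matches.
    make_event("policy.evaluate_sign_on", ADMIN_APP,
               behaviors="{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE}"),
    # Nothing new about this sign-in: no match.
    make_event("policy.evaluate_sign_on", ADMIN_APP,
               behaviors="{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE}"),
    # Behavior reported only in the log-only data: still a match.
    make_event("policy.evaluate_sign_on", ADMIN_APP,
               log_only='{"risk":{"level":"LOW"},"behaviors":{"New IP":"POSITIVE","New Device":"NEGATIVE"}}'),
    # Same behavior on another app: selection_event fails.
    make_event("policy.evaluate_sign_on", "Okta Dashboard",
               behaviors="{New Device=POSITIVE}"),
]

def _debug_text(event):
    """Return the two debug strings the rule inspects, empty when absent."""
    data = event.get("debugContext", {}).get("debugData", {})
    return [data.get(f) or "" for f in FIELDS]

def matches(event):
    """'all of selection_*' ANDs the selections; the list under selection_positive is an OR."""
    selection_event = (event.get("eventType") == "policy.evaluate_sign_on"
                       and any(t.get("displayName") == ADMIN_APP
                               for t in event.get("target") or []))
    # Sigma's contains modifier is case-insensitive by default.
    selection_positive = any("POSITIVE" in v.upper() for v in _debug_text(event))
    return selection_event and selection_positive

def positive_behaviors(event):
    """Triage aid: names of the behaviors marked POSITIVE in either field."""
    text = " ".join(_debug_text(event))
    return sorted(set(re.findall(r'([A-Za-z][\w \-]*?)"?\s*[=:]\s*"?POSITIVE', text)))

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches(ev), positive_behaviors(ev))
```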