LoFP / when an admin begins using the admin console and one of okta's heuristics incorrectly identifies the behavior as being unusual.

Techniques

Sample rules

Okta New Admin Console Behaviours

source: sigma
technicques:
- t1078
- t1078.004

Description

Detects when Okta identifies new activity in the Admin Console.

Detection logic

condition: all of selection_*
selection_event:
  eventType: policy.evaluate_sign_on
  target.displayName: Okta Admin Console
selection_positive:
- debugContext.debugData.behaviors|contains: POSITIVE
- debugContext.debugData.logOnlySecurityData|contains: POSITIVE