Commit

Okta new rules (#894)
* new okta detections based on recent threat actor activity in the wild

* 2 more rules based on "PassBleed"

* Update okta_anonymizing_vpn_login.yml

* Update okta_idp_create_modify.yaml

* Update okta_idp_signin.yaml

* Update okta_new_behavior_accessing_admin_console.yml

* Update okta_org2org_creation_modification.yml

* Update okta_password_extraction_via_scim.yaml

* Update okta_phishing_attempt_blocked_by_fastpass.yml

* format and linter fixes

* removed multi-line references

* title improvements, default strings, and deep_walk

* added new rules to okta pack

---------

Co-authored-by: Grant Joy <[email protected]>
arielkr256 and grantjoy authored Oct 19, 2023
1 parent 3f3caed commit ea1d053
Showing 15 changed files with 1,500 additions and 0 deletions.
7 changes: 7 additions & 0 deletions packs/okta.yml
Expand Up @@ -18,6 +18,13 @@ PackDefinition:
- Okta.App.Unauthorized.Access.Attempt
- Okta.Group.Admin.Role.Assigned
- Okta.Rate.Limits
- Okta.Anonymizing.VPN.Login
- Okta.Identity.Provider.Created.Modified
- Okta.Identity.Provider.SignIn
- Okta.New.Behavior.Accessing.Admin.Console
- Okta.Org2org.Creation.Modification
- Okta.Password.Extraction.via.SCIM
- Okta.Phishing.Attempt.Blocked.FastPass
# Globals used in these detections
- panther_base_helpers
- panther_oss_helpers
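Review bot: the new `- Okta.Org2org.Creation.Modification` entry capitalises the feature as "Org2org" while the description text in okta_idp_create_modify.yaml writes it "Org2Org", and `- Okta.Password.Extraction.via.SCIM` leaves "via" lowercase where every other segment in these IDs is title-cased; since a pack references its rules by the exact RuleID string, please confirm each of the five IDs whose rule files are not shown in this view matches the `RuleID:` in its yaml character for character, as the two visible ones do (`Okta.Anonymizing.VPN.Login`, `Okta.Identity.Provider.Created.Modified`). A case mismatch here would point the pack at a rule that does not exist.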
20 changes: 20 additions & 0 deletions rules/okta_rules/okta_anonymizing_vpn_login.py
@@ -0,0 +1,20 @@
from panther_base_helpers import deep_get, okta_alert_context


def rule(event):
return event.get("eventType") == "user.session.start" and deep_get(
event, "securityContext", "isProxy", default=False
)


def title(event):
return (
f"{deep_get(event, 'actor', 'displayName', default='<displayName-not-found>')} "
f"<{deep_get(event, 'actor', 'alternateId', default='alternateId-not-found')}> "
f"attempted to sign-in from anonymizing VPN with domain "
f"[{deep_get(event, 'securityContext', 'domain', default='<domain-not-found>')}]"
)


def alert_context(event):
return okta_alert_context(event)
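Review bot: `rule()` returns the raw value of `deep_get(event, "securityContext", "isProxy", default=False)` as its second operand rather than a strict boolean, so if `isProxy` ever arrives as a non-boolean (for example the string "false", which is truthy) the rule would fire, and the function would return a string instead of a bool. Suggest `return event.get("eventType") == "user.session.start" and deep_get(event, "securityContext", "isProxy", default=False) is True`, or wrap the whole expression in `bool(...)`. Minor wording in `title()`: "attempted to sign-in from" should be "attempted to sign in from" (verb, not noun).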
158 changes: 158 additions & 0 deletions rules/okta_rules/okta_anonymizing_vpn_login.yml
@@ -0,0 +1,158 @@
AnalysisType: rule
Filename: okta_anonymizing_vpn_login.py
RuleID: "Okta.Anonymizing.VPN.Login"
DisplayName: "Okta Sign-In from VPN Anonymizer"
Enabled: true
LogTypes:
- Okta.SystemLog
Reports:
MITRE ATT&CK:
- TA0006:T1556 # Modify Authentication Process
Severity: High
Description: >
A user is attempting to sign-in to Okta from a known VPN anonymizer. The threat actor would access the compromised account using anonymizing proxy services.
Runbook: >
Restrict this access to trusted Network Zones and deny access from anonymizing proxies in policy using a Dynamic Network Zone.
Reference: >
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
DedupPeriodMinutes: 30
Threshold: 1
Tests:
- Name: Other Event
ExpectedResult: false
Log:
actor:
alternateId: [email protected]
displayName: Homer Simpson
id: 00abc123
type: User
authenticationcontext:
authenticationStep: 0
externalSessionId: 100-abc-9999
client:
device: Computer
geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ipAddress: 1.3.2.4
userAgent:
browser: CHROME
os: Mac OS X
rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
zone: "null"
debugcontext:
debugData:
requestId: AbCdEf12G
requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors
url: /api/v1/users/AbCdEfG/lifecycle/reset_factors?
displaymessage: Authentication of user via MFA
eventtype: user.session.start
legacyeventtype: core.user.factor.attempt_fail
outcome:
reason: INVALID_CREDENTIALS
result: FAILURE
published: "2022-06-22 18:18:29.015"
request:
ipChain:
- geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ip: 1.3.2.4
version: V4
securitycontext:
asNumber: 701
asOrg: verizon
domain: verizon.net
isProxy: false
isp: verizon
severity: INFO
target:
- alternateId: [email protected]
displayName: Peter Griffin
id: 0002222AAAA
type: User
transaction:
detail: {}
id: ABcDeFgG
type: WEB
uuid: AbC-123-XyZ
version: "0"
- Name: Anonymizing Proxy Used
ExpectedResult: true
Log:
actor:
alternateId: [email protected]
displayName: Homer Simpson
id: 00abc123
type: User
authenticationcontext:
authenticationStep: 0
externalSessionId: 100-abc-9999
client:
device: Computer
geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ipAddress: 1.3.2.4
userAgent:
browser: CHROME
os: Mac OS X
rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
zone: "null"
debugcontext:
debugData:
requestId: AbCdEf12G
requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors
url: /api/v1/users/AbCdEfG/lifecycle/reset_factors?
displaymessage: Authentication of user via MFA
eventtype: user.session.start
legacyeventtype: core.user.factor.attempt_fail
outcome:
reason: FastPass declined phishing attempt
result: FAILURE
published: "2022-06-22 18:18:29.015"
request:
ipChain:
- geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ip: 1.3.2.4
version: V4
securitycontext:
asNumber: 701
asOrg: verizon
domain: anonymous.org
isProxy: true
isp: verizon
severity: INFO
target:
- alternateId: [email protected]
displayName: Peter Griffin
id: 0002222AAAA
type: User
transaction:
detail: {}
id: ABcDeFgG
type: WEB
uuid: AbC-123-XyZ
version: "0"
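Review bot: the positive fixture "Anonymizing Proxy Used" still carries `reason: FastPass declined phishing attempt` and `result: FAILURE`, plus `asOrg: verizon` / `isp: verizon` next to `domain: anonymous.org`, which reads as a copy of the FastPass phishing fixture rather than a proxy sign-in. The rule keys only on `eventtype: user.session.start` and `securitycontext.isProxy`, so these fields do not change the result, but a fixture whose outcome reflects the scenario, and a negative case with `isProxy: true` under a different eventtype, would document what the rule actually detects. Also reconsider the `TA0006:T1556 # Modify Authentication Process` mapping: a sign-in routed through an anonymizing proxy is closer to T1078 (Valid Accounts) and T1090 (Proxy) than to modifying the authentication process.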
27 changes: 27 additions & 0 deletions rules/okta_rules/okta_idp_create_modify.py
@@ -0,0 +1,27 @@
from panther_base_helpers import deep_get, deep_walk, okta_alert_context


def rule(event):
return "system.idp.lifecycle" in event.get("eventType")


def title(event):
action = event.get("eventType").split(".")[3]
target = deep_walk(
event, "target", "displayName", default="<displayName-not-found>", return_val="first"
)
return (
f"{deep_get(event, 'actor', 'displayName', default='<displayName-not-found>')} "
f"<{deep_get(event, 'actor', 'alternateId', default='alternateId-not-found')}> "
f"{action}d Identity Provider [{target}]"
)


def severity(event):
if "create" in event.get("eventType"):
return "HIGH"
return "MEDIUM"


def alert_context(event):
return okta_alert_context(event)
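Review bot: `"system.idp.lifecycle" in event.get("eventType")` raises `TypeError` when the event has no `eventType`, because `event.get` returns `None`; the same unguarded lookup is repeated in `title()` (`event.get("eventType").split(".")[3]`) and in `severity()`, and `split(".")[3]` will additionally raise `IndexError` on an eventType with fewer than four segments. Suggest `event.get("eventType", "")` in all three places and deriving the action with `.rsplit(".", 1)[-1]` or an explicit bounds check. The `f"{action}d Identity Provider"` suffix works for `create` (the only action exercised in the tests) and other actions ending in "e"; a small action-to-verb mapping would make the title robust for any other lifecycle action.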
164 changes: 164 additions & 0 deletions rules/okta_rules/okta_idp_create_modify.yaml
@@ -0,0 +1,164 @@
AnalysisType: rule
Filename: okta_idp_create_modify.py
RuleID: "Okta.Identity.Provider.Created.Modified"
DisplayName: "Okta Identity Provider Created or Modified"
Enabled: true
LogTypes:
- Okta.SystemLog
Reports:
MITRE ATT&CK:
- TA0006:T1556 # Modify Authentication Process
- TA0001:T1199 # Trusted Relationship
- TA0003:T1098 # Account Manipulation
Severity: High
Description: >
A new 3rd party Identity Provider has been created or modified.
Attackers have been observed configuring a second Identity Provider to act as an "impersonation app"
to access applications within the compromised Org on behalf of other users. This second Identity Provider,
also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship
(sometimes called “Org2Org”) with the target.
Runbook: >
Delegate access to this feature to a Custom Admin Role with the minimum required permissions.
Constrain these roles to groups that exclude highly privileged administrators.
Reference: >
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
DedupPeriodMinutes: 30
Threshold: 1
Tests:
- ExpectedResult: false
Log:
actor:
alternateId: [email protected]
displayName: Homer Simpson
id: 00abc123
type: User
authenticationcontext:
authenticationStep: 0
externalSessionId: 100-abc-9999
client:
device: Computer
geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ipAddress: 1.3.2.4
userAgent:
browser: CHROME
os: Mac OS X
rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
zone: "null"
debugcontext:
debugData:
requestId: AbCdEf12G
requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors
url: /api/v1/users/AbCdEfG/lifecycle/reset_factors?
displaymessage: Authentication of user via MFA
eventtype: user.authentication.auth_via_mfa
legacyeventtype: core.user.factor.attempt_fail
outcome:
result: SUCCESS
published: "2022-06-22 18:18:29.015"
request:
ipChain:
- geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ip: 1.3.2.4
version: V4
securitycontext:
asNumber: 701
asOrg: verizon
domain: verizon.net
isProxy: false
isp: verizon
severity: INFO
target:
- alternateId: [email protected]
displayName: Peter Griffin
id: 0002222AAAA
type: User
transaction:
detail: {}
id: ABcDeFgG
type: WEB
uuid: AbC-123-XyZ
version: "0"
Name: Other Event
- ExpectedResult: true
Log:
actor:
alternateId: [email protected]
displayName: Homer Simpson
id: 00abc123
type: User
authenticationcontext:
authenticationStep: 0
externalSessionId: 100-abc-9999
client:
device: Computer
geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ipAddress: 1.3.2.4
userAgent:
browser: CHROME
os: Mac OS X
rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
zone: "null"
debugcontext:
debugData:
requestId: AbCdEf12G
requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors
url: /api/v1/users/AbCdEfG/lifecycle/reset_factors?
displaymessage: Authentication of user via MFA
eventtype: system.idp.lifecycle.create
legacyeventtype: core.user.factor.attempt_fail
outcome:
result: SUCCESS
published: "2022-06-22 18:18:29.015"
request:
ipChain:
- geographicalContext:
city: Springfield
country: United States
geolocation:
lat: 20
lon: -25
postalCode: "12345"
state: Ohio
ip: 1.3.2.4
version: V4
securitycontext:
asNumber: 701
asOrg: verizon
domain: verizon.net
isProxy: false
isp: verizon
severity: INFO
target:
- alternateId: [email protected]
displayName: Peter Griffin
id: 0002222AAAA
type: User
transaction:
detail: {}
id: ABcDeFgG
type: WEB
uuid: AbC-123-XyZ
version: "0"
Name: FastPass Phishing Block Event
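Review bot: the positive test is named "FastPass Phishing Block Event" but its log is `eventtype: system.idp.lifecycle.create` with `result: SUCCESS`; rename it (for example "IdP Created") since the name is what shows up in test output. Style: in this file `Name:` trails each test item after the `Log:` block, whereas okta_anonymizing_vpn_login.yml in the same commit leads with `- Name:`; both parse, but the leading form is easier to scan. Coverage: only the `create` path is exercised, so the `MEDIUM` branch of `severity()` and the `deep_walk(..., return_val="first")` over a multi-entry `target` list have no test; one `system.idp.lifecycle.update` fixture would cover both. Minor: "3rd party" in the Description reads better as "third-party".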


0 comments on commit ea1d053
