panther-labs · egibs · Dec 12, 2023 · Dec 12, 2023 · Dec 12, 2023 · Dec 12, 2023
@@ -4,6 +4,7 @@ DisplayName: "Okta App Unauthorized Access Attempt"
 Enabled: true
 Filename: okta_app_unauthorized_access_attempt.py
 Severity: Low
+Reference: https://support.okta.com/help/s/article/App-Sign-on-Error-403-User-attempted-unauthorized-access-to-app?language=en_US
 Tests:
     - ExpectedResult: true
       Log:

@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user has subsequent logins from two geographic locations that are very far apart
 Runbook: Reach out to the user if needed to validate the activity, then lock the account
+Reference: https://www.blinkops.com/blog/how-to-detect-and-remediate-okta-impossible-traveler-alerts
 SummaryAttributes:
   - eventType
   - severity

@@ -3,6 +3,7 @@ Description: Detect when an admin role is assigned to a group
 DisplayName: "Okta Group Admin Role Assigned"
 Enabled: true
 Filename: okta_group_admin_role_assigned.py
+Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US#:~:text=Log%20in%20to%20the%20Admin,user%20and%20click%20Save%20changes
 Severity: High
 Tests:
     - ExpectedResult: true

@@ -3,6 +3,7 @@ Description: An Okta user has locked their account.
 DisplayName: "Okta User Account Locked"
 Enabled: true
 Filename: okta_user_account_locked.py
+Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US
 Severity: Low
 Tests:
     - ExpectedResult: true

@@ -3,6 +3,7 @@ Description: Suspend factor or authenticator enrollment method for user.
 DisplayName: "Okta User MFA Factor Suspend"
 Enabled: true
 Filename: okta_user_mfa_factor_suspend.py
+Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm
 Severity: High
 Tests:
     - ExpectedResult: true

@@ -4,6 +4,7 @@ DisplayName: "Okta User MFA Own Reset"
 RuleID: "Okta.User.MFA.Reset.Single"
 Enabled: true
 Filename: okta_user_mfa_reset.py
+Reference: https://support.okta.com/help/s/article/How-to-avoid-lockouts-and-reset-your-Multifactor-Authentication-MFA-for-Okta-Admins?language=en_US
 Severity: Info
 Tests:
     - 

@@ -3,6 +3,7 @@ Description: 'All MFA factors have been reset for a user.'
 DisplayName: "Okta User MFA Reset All"
 Enabled: true
 Filename: okta_user_mfa_reset_all.py
+Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm#:~:text=the%20Admin%20Console%3A-,In%20the%20Admin%20Console%2C%20go%20to%20DirectoryPeople.,Selected%20Factors%20or%20Reset%20All
 Severity: Low
 Tests:
     - ExpectedResult: true