forked from falcosecurity/falco
/
okta_rules.yaml
177 lines (156 loc) · 6.99 KB
/
okta_rules.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
#Example Rule on login in to OKTA. Disabled by default since it might be noisy
#- rule: User logged in to OKTA
# desc: Detect the user login in to OKTA
# condition: okta.evt.type = "user.session.start"
# output: "A user has logged in toOKTA (user=%okta.actor.name, ip=%okta.client.ip)"
# priority: NOTICE
# source: okta
# tags: [okta]
- rule: User Changing password in to OKTA
desc: Detect a user change password in OKTA
condition: okta.evt.type = "user.account.update_password"
output: "A user has changed password from OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: Creating a new OKTA user account
desc: Detect a new OKTA user account created in the OKTA environment
condition: okta.evt.type = "user.lifecycle.create"
output: "A new OKTA user account created (user=%okta.actor.name, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: User accessing app via single sign on OKTA
desc: Detect a user accessing an app via OKTA
condition: okta.evt.type = "user.authentication.sso"
output: "A user has accessed an app using OKTA (user=%okta.actor.name, app=%okta.app)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: User has been locked out in OKTA
desc: Detect a user who has been locked out in OKTA
condition: okta.evt.type = "user.account.lock"
output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
priority: NOTICE
source: okta
tags: [okta]
- rule: User has been moved from suspended status in OKTA.
desc: Detect a user who has been moved from suspended status in OKTA
condition: okta.evt.type = "user.lifecycle.unsuspend"
output: "A user has been moved from suspended status in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: User has been activated in OKTA
desc: Detect a user who has been activated in OKTA
condition: okta.evt.type = "user.lifecycle.activate"
output: "A user has been activated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: User has been deactivated in OKTA
desc: Detect a user who has been deactivated in OKTA
condition: okta.evt.type = "user.lifecycle.deactivate"
output: "A user has been deactivated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: User has been suspended in OKTA
desc: Detect a user who has been suspended in OKTA
condition: okta.evt.type = "user.lifecycle.suspended"
output: "A user has been suspended in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
- rule: Admin permission has been assigned to a user in OKTA
desc: Detect an admin permission assigned to a user in OKTA
condition: okta.evt.type = "user.account.privilege.grant"
output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
- rule: Creating a new OKTA API token
desc: Detect a new OKTA API token created in the OKTA environment
condition: okta.evt.type = "system.api_token.create"
output: "A new OKTA API token has been created in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
priority: NOTICE
source: okta
tags: [okta]
- rule: User accessing OKTA admin section
desc: Detect a user accessing OKTA admin section of your OKTA instance
condition: okta.evt.type = "user.session.access_admin_app"
output: "A user accessed the OKTA admin section of your OKTA instance (user=%okta.actor.name, ip=%okta.client.ip)"
priority: NOTICE
source: okta
tags: [okta]
- rule: Adding user in OKTA group
desc: Detect a new user added to an OKTA group
condition: okta.evt.type = "group.user_membership.add"
output: "A user has been added in an OKTA group (user=%okta.actor.name, target group=%okta.target.group.name, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: removing MFA factor from user in OKTA
desc: Detect a removing MFA activity on a user in OKTA
condition: okta.evt.type = "user.mfa.factor.deactivate"
output: "A user has removed MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
priority: NOTICE
source: okta
tags: [okta]
- rule: removing all MFA factor from user in OKTA
desc: Detect a removing MFA activity on a user in OKTA
condition: okta.evt.type = "user.mfa.factor.reset_all"
output: "A user has removed all MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
priority: NOTICE
source: okta
tags: [okta]
- rule: User password reset by OKTA admin
desc: Detect a password reset on a user done by OKTA Admin Account
condition: okta.evt.type = "user.account.reset_password"
output: "A user password has been reset by an OKTA Admin account (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
- rule: User hitting the rate limit on requests in OKTA
desc: Detect a user who hit the rate limit on requests in OKTA
condition: okta.evt.type = "system.org.rate_limit.violation"
output: "A user has hitted the rate limit on requests in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
priority: NOTICE
source: okta
tags: [okta]
- rule: Adding user to application membership in OKTA
desc: Detect a user who has been added o application membership in OKTA
condition: okta.evt.type = "application.user_membership.add"
output: "A user has been added to an application membership in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name, app=%okta.app)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false
- rule: User initiating impersonation session in OKTA
desc: Detect a user who initiate an impersonation session in OKTA
condition: okta.evt.type = "user.session.impersonation.initiate"
output: "A user has initiated an impersonation session in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
priority: NOTICE
source: okta
tags: [okta]
# This list allows easily whitelisting countries that are
# expected to see OKTA logins from.
- list: allowed_countries_list
items: []
- macro: user_known_countries
condition: (okta.client.geo.country in (allowed_countries_list))
- rule: Detecting unknwon logins using geolocation
desc: Detect a logins event based on user geolocation
condition: okta.evt.type = "user.session.start" and not user_known_countries
output: "A user logged in OKTA from a suspicious country (user=%okta.actor.name, ip=%okta.client.ip, country=%okta.client.geo.country)"
priority: NOTICE
source: okta
tags: [okta]
enabled: false