-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrules
85 lines (84 loc) · 3.37 KB
/
rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<group name="Okta">
<rule id="789007" level="5">
<decoded_as>json</decoded_as>
<field name="Log_type">Okta</field>
<description>Okta Log</description>
</rule>
<rule id="789008" level="7">
<if_sid>789007</if_sid>
<field name="displayMessage">User login to Okta</field>
<field name="outcome.result">SUCCESS</field>
<description>User Successful login </description>
</rule>
<rule id="789009" level="7">
<if_sid>789007</if_sid>
<field name="displayMessage">User login to Okta</field>
<field name="outcome.result">FAILURE</field>
<description>User Failed login</description>
</rule>
<rule id="789010" level="3">
<if_sid>789007</if_sid>
<field name="displayMessage">Evaluation of sign-on policy</field>
<description>Evaluation of sign-on policy</description>
</rule>
<rule id="789011" level="3">
<if_sid>789007</if_sid>
<field name="displayMessage">Verify user identity</field>
<description>Verify user identity</description>
</rule>
<rule id="789012" level="3">
<if_sid>789007</if_sid>
<field name="displayMessage">User single sign on to app</field>
<description>User single sign on to app</description>
</rule>
<rule id="789013" level="3">
<if_sid>789007</if_sid>
<field name="displayMessage">Authentication of user via MFA</field>
<description>Authentication of user via MFA</description>
</rule>
<rule id="789014" level="3">
<if_sid>789007</if_sid>
<field name="displayMessage">Authentication of device via certificate</field>
<description>Authentication of device via certificate</description>
</rule>
<rule id="789015" level="3">
<if_sid>789007</if_sid>
<field name="displayMessage">A push was sent to a user for verification</field>
<description>A push was sent to a user for verification</description>
</rule>
<rule id="789016" level="3">
<if_sid>789007</if_sid>
<field name="severity">WARN</field>
<description>Okta Warning Event</description>
</rule>
<rule id="789017" level="7">
<if_sid>789015</if_sid>
<field name="eventType">user.account.reset_password</field>
<description>user's Okta password is reset</description>
</rule>
<rule id="789018" level="10">
<field name="debugContext.debugData.threatSuspected">true</field>
<description>Suspicious Okta Event</description>
</rule>
<rule id="789019" level="10" frequency="3" timeframe="60">
<if_matched_sid>789009</if_matched_sid>
<same_field>actor.alternateId</same_field>
<description>User login Brute Force attempt</description>
</rule>
<rule id="789020" level="10">
<field name="displayMessage">User report suspicious activity</field>
<description>User Reported Suspicious Activity</description>
</rule>
<rule id="789021" level="10">
<field name="debugContext.debugData.subject" type="pcre2">@admin</field>
<description>Admin User Login: $(debugContext.debugData.subject)</description>
</rule>
<rule id="789022" level="10">
<field name="eventType">user.session.access_admin_app</field>
<description>User accessing Okta admin app</description>
</rule>
<rule id="789023" level="10">
<field name="eventType">app.generic.unauth_app_access_attempt</field>
<description>User attempted unauthorized access to app</description>
</rule>
</group>