[Rule Tuning] Okta User Sessions Started from Different Geolocations
BCall-BT opened this issue · comments
Link to rule
Description
This generates a high number of False Positives as there is no validation for it being a successful sign-in. There are many actions that will generate an okta.event_type:user.session.start without a session starting. You will need to add either an "and okta.outcome.result:SUCCESS" or exclude unknown okta.actor.ids ("not okta.actor.id:unknown").
Example Data
event.dataset:okta.system and okta.event_type:user.session.start and okta.outcome.result:SUCCESS and not okta.security_context.is_proxy:true and okta.actor.id:* and client.geo.country_name:*
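Added example, not part of the issue or of the Elastic rule itself: it replays a handful of constructed Okta System Log events (flattened to the field names used in the issue) through the original filter and through the tuned filter, then flags actors whose session starts span more than one country. The sample events and the two-country threshold are assumptions; the field names are the ones from the issue.

```python
from collections import defaultdict

# Constructed sample events (not real Okta data); keys mirror the issue's fields.
EVENTS = [
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u1", "client.geo.country_name": "Germany"},
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u1", "client.geo.country_name": "Brazil"},
    # Failed sign-in: user.session.start is logged but no session was created.
    {"okta.event_type": "user.session.start", "okta.outcome.result": "FAILURE",
     "okta.actor.id": "00u2", "client.geo.country_name": "Germany"},
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u2", "client.geo.country_name": "France"},
    # Actor id "unknown": Okta could not map the attempt to a user (assumed sample).
    {"okta.event_type": "user.session.start", "okta.outcome.result": "FAILURE",
     "okta.actor.id": "unknown", "client.geo.country_name": "Canada"},
    {"okta.event_type": "user.session.start", "okta.outcome.result": "FAILURE",
     "okta.actor.id": "unknown", "client.geo.country_name": "Germany"},
    # Proxy traffic is already excluded by the original query.
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u3", "client.geo.country_name": "Japan",
     "okta.security_context.is_proxy": True},
    {"okta.event_type": "user.session.start", "okta.outcome.result": "SUCCESS",
     "okta.actor.id": "00u3", "client.geo.country_name": "Germany"},
]


def base_filter(e):
    """Original query: session.start, not proxy, actor id and country present."""
    return (e.get("okta.event_type") == "user.session.start"
            and e.get("okta.security_context.is_proxy") is not True
            and e.get("okta.actor.id") is not None
            and e.get("client.geo.country_name") is not None)


def tuned_filter(e):
    """Tuning from the issue: also require a SUCCESS outcome and a known actor."""
    return (base_filter(e)
            and e.get("okta.outcome.result") == "SUCCESS"
            and e.get("okta.actor.id") != "unknown")


def multi_country_actors(events, keep, min_countries=2):
    """Actor ids whose kept session starts span >= min_countries countries."""
    countries = defaultdict(set)
    for e in filter(keep, events):
        countries[e["okta.actor.id"]].add(e["client.geo.country_name"])
    return sorted(a for a, c in countries.items() if len(c) >= min_countries)


if __name__ == "__main__":
    print("original:", multi_country_actors(EVENTS, base_filter))  # 00u1, 00u2, unknown
    print("tuned:   ", multi_country_actors(EVENTS, tuned_filter))  # 00u1 only
```

Only 00u1 actually started successful sessions from two countries; the failed attempt for 00u2 and the two "unknown" actor events are the false positives the issue describes, and the tuned filter drops them.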
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.