elastic / detection-rules

Home Page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Rule Tuning] Okta User Sessions Started from Different Geolocations

BCall-BT opened this issue

Link to rule

https://github.com/elastic/detection-rules/blob/298d1bce0d6d295a390cf68e5e4983ad48760f5a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml#

Description

This generates a high number of False Positives as there is no validation for it being a successful sign-in. There are many actions that will generate an okta.event_type:user.session.start without a session starting. You will need to add either an "and okta.outcome.result:SUCCESS" or exclude unknown okta.actor.id's "not okta.actor.id:unknown"

Example Data

event.dataset:okta.system and okta.event_type:user.session.start and okta.outcome.result:SUCCESS and not okta.security_context.is_proxy:true
and okta.actor.id:* and client.geo.country_name:*
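An added example, not from the elastic/detection-rules repository or the issue author, that runs the untuned query as the issue describes it, the SUCCESS-only suggestion, and both suggestions combined over constructed Okta system-log events. The per-actor distinct-country aggregation and the sample event values are assumptions; the field names are the ones in the query above.

```python
# Added example (not the rule's own TOML). Shows how requiring
# okta.outcome.result:SUCCESS and excluding okta.actor.id:unknown changes which
# actors alert. Events and the aggregation are assumptions for illustration.
from collections import defaultdict


def ev(actor, country, result="SUCCESS", proxy=False):
    """Build a constructed, flattened Okta system-log event with the query's fields."""
    return {"event.dataset": "okta.system", "okta.event_type": "user.session.start",
            "okta.outcome.result": result, "okta.security_context.is_proxy": proxy,
            "okta.actor.id": actor, "client.geo.country_name": country}


# Constructed sample: each clause of the tuning is exercised by a separate actor.
EVENTS = [
    ev("00u1alice", "Germany"),
    ev("00u1alice", "Brazil", result="FAILURE"),  # failed attempt, no session started
    ev("00u2bob", "United States"),
    ev("00u2bob", "Japan", proxy=True),            # proxy traffic, excluded by every query
    ev("unknown", "India"),                        # actor not resolved to a user
    ev("unknown", "Spain"),
    ev("00u3carol", "France"),
    ev("00u3carol", "Canada"),                     # genuine multi-country actor
]


def base_rule(e):
    """Query as the issue describes the current rule: no check on the sign-in outcome."""
    return (e["event.dataset"] == "okta.system"
            and e["okta.event_type"] == "user.session.start"
            and e["okta.security_context.is_proxy"] is not True
            and e.get("okta.actor.id") is not None
            and e.get("client.geo.country_name") is not None)


def success_only_rule(e):
    """Issue's first suggestion: and okta.outcome.result:SUCCESS."""
    return base_rule(e) and e["okta.outcome.result"] == "SUCCESS"


def tuned_rule(e):
    """Both suggestions combined: successful outcome and an actor id other than unknown."""
    return success_only_rule(e) and e["okta.actor.id"] != "unknown"


def alerting_actors(events, rule, min_countries=2):
    """Assumed aggregation: an actor alerts when seen from >= min_countries countries."""
    seen = defaultdict(set)
    for e in events:
        if rule(e):
            seen[e["okta.actor.id"]].add(e["client.geo.country_name"])
    return sorted(a for a, c in seen.items() if len(c) >= min_countries)
```

With this data, base_rule alerts on alice (one failed attempt counts as a second country), on the unresolved "unknown" actor and on carol; tuned_rule keeps only carol.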

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.