{
    "componentChunkName": "component---src-templates-blog-blog-post-blog-post-js",
    "path": "/articles/2023/08/telling-more-okta-detection-stories-google-chronicle/",
    "result": {"data":{"contentfulSecOktaComBlogPost":{"title":"Telling More Okta Detection Stories with Google Chronicle ","slug":"/articles/2023/08/telling-more-okta-detection-stories-google-chronicle","date":"2023-08-02T17:42:12+00:00","updatedAt":"2025-05-01T18:16:44.238Z","body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Robust protection comes from layers, and many of you are already familiar with the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://en.wikipedia.org/wiki/Swiss_cheese_model\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Swiss Cheese Model\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? No thanks, we’ll take that sturdy block of Swiss each and every time.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Of course, given how thin most security teams are spread, robust layering is often easier said than done. Not every security team has the luxury of dedicated Detection Engineers to craft, research and develop custom logic to catch threat actor activity, and not every security team has the time and skill to synthesize and recreate our logic in other SIEM platforms. With this in mind, Okta Security \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recently published a number of our bespoke detections\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“But,” quoth the game show hosts, “ that’s not all!” Today we’re excited to share that Chronicle and Okta have been collaborating to help these detections reach an even wider audience. And this time around, the Chronicle team threw a few extra slices of cheese on top!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Not only did they rewrite these detections for their environment, they also did their own research and wrote additional detections. You can read more about each of them over at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.googlecloudcommunity.com/gc/Community-Blog/Better-Together-Detecting-Suspicious-Okta-Events-with-Google/ba-p/721331\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle’s blog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". We’ve described them below too.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To channel the words of Oprah, “You get a new detection, and you get a new detection, and you get a new detection!”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Phishing Detection with FastPass Origin Check\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1566/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1566\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_phishing_detection_with_fastpass_origin_check.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_phishing_detection_with_fastpass_origin_check\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provides a platform detection for when a user enrolled in FastPass fails to authenticate via a real-time AiTM phishing proxy.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detecting Real-Time Phishing Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND result eq \\\"FAILURE\\\" AND outcome.reason eq \\\"FastPass declined phishing attempt\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Successful MFA After Multiple Failures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Access\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_mfa_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_mfa_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects a successful login after multiple failed MFA pushes\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Workflows to Respond to Anomalous Push Requests\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Repeated MFA Rejections by User\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_rejected_multiple_push_notifications.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_rejected_multiple_push_notifications\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when an Okta user rejects more than 2 Push notifications in a 10 minute window.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Workflows to Respond to Anomalous Push Requests\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND outcome.result=\\\"FAILURE\\\" and outcome.reason=\\\"INVALID_CREDENTIALS\\\" and debugContext.debugData.factor eq \\\"OKTA_VERIFY_PUSH\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Classic Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq  \\\"user.mfa.okta_verify.deny_push\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Use of an Okta Session Cookie\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1539/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1539\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Steal Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_suspicious_use_of_a_session_cookie.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_suspicious_use_of_a_session_cookie\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects when an adversary attempts to reuse a stolen web session cookie in a different device that has a different OS, IP, Browser or User Agent.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Defending against Session Hijacking\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed Number Challenge\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1621/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1621\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication Request Generation\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_failed_number_challenge_during_push_notification.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_failed_number_challenge_during_push_notification\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects when an Okta user failed a number challenge during push notification.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/Number-Challenge-for-Okta-Verify\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Number Challenge for Okta Verify\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mismatch Between Source and Response for Verify Push Request\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1621\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1621\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication Request Generation\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_mismatch_between_source_and_response_for_verify_push_request.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_mismatch_between_source_and_response_for_verify_push_request\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Mismatch Between Source and Response for Verify Push Request\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple Failed Users with Invalid Credentials from the same IP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects multiple user logins with invalid credentials from a single IP.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Reported Suspicious Activity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Account\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_suspicious_activity_reported.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_suspicious_activity_reported\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: An Okta user reports suspicious activity in response to an end user security notification.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Reporting\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.report_suspicious_activity_by_enduser\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple Failed Requests to Access Okta Applications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1550/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1550.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use Alternate Authentication Material: Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_multiple_failed_requests_to_access_applications.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_multiple_failed_requests_to_access_applications\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects multiple failed requests to access applications\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Brute Force\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/001/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.001\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Password Guessing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_suspected_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_suspected_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Okta ThreatInsight detects multiple login failures from the same IP across one or more Okta orgs\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" and outcome.reason eq \\\"Login Failures\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Targeted Brute Force\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_targeted_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_targeted_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Okta ThreatInsight detects access requests from known malicious IPs targeting a specific org.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.attack.start\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Login Failure with High Unknown Users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Credential Stuffing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_login_failure_with_high_unknown_users.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_login_failure_with_high_unknown_users\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's ThreatInsight can identify multiple login failures with high unknown users count from the same IP across one or more Okta orgs.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Login failures with high unknown users count\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Password Spray Attack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/003/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.003\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Password Spraying\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_suspected_password_spray_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_suspected_password_spray_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's ThreatInsight can identify Password Spray attacks.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" and outcome.reason eq \\\"Password Spray\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Successful Login Evaluated as High Risk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_successful_high_risk_user_logins.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_successful_high_risk_user_logins\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection System Log events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"outcome.result eq \\\"SUCCESS\\\" and debugContext.debugData.risk co \\\"HIGH\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta User Account Lockout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_account_lockout.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_account_lockout\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when a user's account is locked out or a user account has reached the lockout limit.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/resources/whitepaper/how-adaptive-mfa-helps-mitigate-brute-force-attacks\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"How Adaptive MFA Helps Mitigate Brute Force Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.lock\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New Okta API Token Created\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle Identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_new_api_token_created.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_new_api_token_created\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when a new API token is created.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/tokens/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tokens\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"system.api_token.create\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Out of Hours Successful Authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_login_out_of_hours.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_login_out_of_hours\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects out of hours successful authentication.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Sign-in and Recovery Events in the Okta System Log\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Logins from Multiple Cities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_logins_from_multiple_cities.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_logins_from_multiple_cities\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects user logins for the same user from different cities within 24 hours.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection System Log events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We found this exercise to be fulfilling. Writing YARA-L queries is new to us, but they have been super easy to read and collaborate on. Even if you’re not a Chronicle customer, you might find it valuable to read the detection logic in Chronicle to frame your thinking about how you might go about detecting these types of threats.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What’s next?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once we’re happy with our detections, phishing resistant factors and other control slices; where should we invest our energy next? I’d suggest considering what an adversary might now need to do for persistence and lateral movement. Perhaps they could socially engineer a new factor, a managed device or even a whole new account?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Best get thinking about how you’d detect:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User factors added or modified \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/reference/api/event-types/#catalog\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"(user.mfa.factor*)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New users created (user.lifecycle.create)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Devices added to MDM\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Remote Monitoring and Management tool installation or execution\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VM installation on workstations\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Duplicate hostnames\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gouda luck!\",\"marks\":[],\"data\":{}}]}]}","references":[]},"secAuthor":[{"id":"40144a58-c93f-5b84-895a-5658f212b168","name":"Defensive Cyber Operations","slug":"defensive-cyber-operations","jobTitle":"","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null}]}},"pageContext":{"slug":"/articles/2023/08/telling-more-okta-detection-stories-google-chronicle"}},
    "staticQueryHashes": []}