
A public collection of detections designed to identify threats associated with the Okta Workforce Identity Cloud (WIC) platform.

okta/customer-detections

Blog Advisories EventTypes

Okta Security Detection Catalog

Welcome to the Okta Security Detection Catalog. This repository contains a collection of detection rules for security monitoring and detailed descriptions of log fields used for threat analysis within Okta environments.

Who We Are

Okta Identity Defense Operations is a team of security practitioners that help Okta customers investigate and respond to security incidents. If you are an Okta customer and need support with a security breach or incident, open a support case and indicate that you are investigating a security incident.

File Structure

| Folder | Description |
| --- | --- |
| `detections/` | YAML files describing recommended security detections that Okta customers can implement within their security monitoring system. |
| `hunts/` | Threat hunting queries useful for aiding in detection use case creation. |
| `logs/` | CSV file with descriptions and examples of log fields within the Okta System Log. |
| `workflows/` | Okta Workflows templates for security incident response and proactive threat mitigation. |

Getting Started

The System Log provides a detailed log of user, admin and support events relevant to use of the Okta Workforce Identity Cloud.

These events can be browsed, searched or filtered in the admin console. They can also be queried and filtered programmatically via the System Log API, and can be exported or streamed to third-party security monitoring tools.

Okta Security recommends using Log Streaming to deliver events to third-party security tools in near real time, and Event Hooks and Workflows where security orchestration is needed.

Most events in the System Log follow a `<domain>.<resource>.<action>` naming pattern, for example:

user.account.password_reset

Some of the queries listed below use the following System Log filter operators to group multiple events together:

| Operator | Description |
| --- | --- |
| `eq` | Equals |
| `ne` | Not equal to |
| `sw` | Starts with |
| `ew` | Ends with |
| `co` | Contains |
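To make the event-type naming pattern and the filter operators concrete, here is an added example (not code from the okta/customer-detections repository) that splits an eventType into its domain, resource and action parts and evaluates filter expressions written with `eq`, `ne`, `sw`, `ew` and `co` against a handful of constructed System Log events. The grammar is a deliberate subset of the System Log API filter syntax (comparisons joined by `and`/`or`, no parentheses, no `gt`/`lt`/`pr`), the sample events are made up for illustration, and the detection names at the bottom are hypothetical.

```python
"""Apply Okta System Log style filter expressions to sample events.

Added example; not code from the okta/customer-detections repository.
The events are constructed for illustration. The filter grammar is a
subset of the System Log API's: comparisons of the form
    <field> <op> "<value>"
joined by ' and ' / ' or ' ('or' binds loosest), with the operators
eq, ne, sw, ew and co. Parentheses, gt/lt and pr are not implemented,
and a quoted value must not itself contain ' and ' or ' or '.
"""
import re
from typing import Any, Callable, Dict, List

# Constructed sample events (not real Okta output); only the fields used here.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventType": "user.account.password_reset",
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"type": "User", "alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},
    {"eventType": "system.api_token.create",
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.mfa.factor.deactivate",
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},
]


def split_event_type(event_type: str) -> Dict[str, str]:
    """Split an eventType into <domain>.<resource>.<action>.

    A resource may itself contain dots (user.mfa.factor.deactivate), so
    everything between the first and last component is the resource.
    """
    parts = event_type.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected eventType shape: {event_type!r}")
    return {"domain": parts[0], "resource": ".".join(parts[1:-1]), "action": parts[-1]}


_OPS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda actual, wanted: actual == wanted,
    "ne": lambda actual, wanted: actual != wanted,
    "sw": lambda actual, wanted: actual.startswith(wanted),
    "ew": lambda actual, wanted: actual.endswith(wanted),
    "co": lambda actual, wanted: wanted in actual,
}
_COMPARISON = re.compile(r'^\s*([\w.]+)\s+(eq|ne|sw|ew|co)\s+"([^"]*)"\s*$')


def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as outcome.result; None if any step is missing."""
    current: Any = event
    for key in path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def _compare(event: Dict[str, Any], expr: str) -> bool:
    match = _COMPARISON.match(expr)
    if match is None:
        raise ValueError(f"unsupported comparison: {expr!r}")
    field, op, wanted = match.groups()
    actual = get_field(event, field)
    # An attribute absent from the event never matches, even for 'ne', so a
    # detection does not fire on events that simply lack the field.
    if actual is None:
        return False
    return _OPS[op](str(actual), wanted)


def matches(event: Dict[str, Any], expression: str) -> bool:
    """True if the event satisfies the filter; 'or' binds looser than 'and'."""
    return any(
        all(_compare(event, comparison) for comparison in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", expression)
    )


def search(events: List[Dict[str, Any]], expression: str) -> List[Dict[str, Any]]:
    """Return the events matching a filter expression, in their original order."""
    return [event for event in events if matches(event, expression)]


def run_detections(events: List[Dict[str, Any]], detections: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each named detection to the actor alternateIds it fired on."""
    return {name: [get_field(e, "actor.alternateId") for e in search(events, expression)]
            for name, expression in detections.items()}


# Hypothetical detection filters written in the operator syntax above.
EXAMPLE_DETECTIONS = {
    "mfa_factor_deactivated": 'eventType eq "user.mfa.factor.deactivate" and outcome.result eq "SUCCESS"',
    "failed_logins": 'eventType eq "user.session.start" and outcome.result eq "FAILURE"',
    "token_or_mfa_change": 'eventType co "api_token" or eventType co "mfa"',
}

if __name__ == "__main__":
    for name, actors in run_detections(SAMPLE_EVENTS, EXAMPLE_DETECTIONS).items():
        print(f"{name}: {actors}")
```

Running the script prints the actor for each hypothetical detection. When porting a filter to a SIEM, the point to carry over is the operator semantics: `sw "user."` selects every event in the `user` domain regardless of resource, while `eq` on a missing attribute (for example `outcome.reason` on a successful login) must not match, otherwise `ne` comparisons fire on every event that lacks the field.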

Okta recommends that customers review these detections and run searches using those that appear applicable to their environment. Perform any necessary tuning or baselining to confirm that a detection delivers high-fidelity results before creating an alert from it.

Note: most of these detections are written in the Okta System Log filter and search syntax; a subset is provided in the Splunk query language. For the Splunk queries, a plain-English description of the detection logic is included so that detection engineers can implement them in their SIEM of choice.
