Leveraging Okta System Logs for Proactive Threat Detection

Okta Threat Intelligence

Okta Threat Intelligence is thrilled to announce the launch of our Customer Detection Catalog, a repository of detection queries designed to help Okta customers proactively identify and respond to potential security threats.

This publicly accessible GitHub repository, found at https://github.com/okta/customer-detections, offers a growing collection of pre-built queries, contributed by Okta personnel and the wider security community, that surface suspicious activities ranging from anomalous user behavior and potential account takeovers to misconfigurations and emerging attack patterns. 

Many of these detections were built while analyzing real attacks against Okta tenants. Alongside the query, each detection also documents the preventative configuration Okta administrators can apply to mitigate the threat being detected, so the catalog serves for hardening as well as for alerting.

When paired with the Okta System Log event-type reference (more than 1,000 event types), the Okta Customer Detection Catalog gives SOC analysts ready-to-use queries to integrate into their monitoring and alerting workflows, enabling faster identification of potential incidents. It also gives threat hunters a foundation for building and customizing more sophisticated detection rules tailored to their own environment and risk appetite. Detailed descriptions of the security-relevant log fields are available as well, to help analysts interpret System Log records during an investigation.

Here are a few example detections that highlight the potential of the catalog:

  • Impossible Travel with New Device: This detection looks for successful authentication events from geographically distant locations within a timeframe too short to physically travel between them, coupled with a device the user has never been seen on before. The combination can be a strong indicator of account takeover.

  • Suspicious Okta Administrator Activity: This detection surfaces unusual actions by an administrator, such as deactivating all other super administrators to hinder response, disabling log streams to evade detection, or downgrading MFA requirements in authentication policies.

  • Application Access from Tor Exit Nodes: Identifying access attempts to sensitive applications originating from Tor exit nodes can flag potentially anonymized and suspicious activity.

Detection Queries vs. Hunting Queries

The repository distinguishes between detection queries and hunting queries, which live in separate folders within the catalog:

  • Detection queries are designed for continuous monitoring and alerting. They are typically more specific and aim to identify high-confidence indicators of malicious activity or policy violations. When a detection query triggers, it ideally generates an alert for immediate investigation.

  • Hunting queries are more exploratory and are used for proactive investigations. They might look for broader patterns or anomalies that don't necessarily trigger immediate alerts but warrant further analysis by a threat hunter. Hunting queries can help uncover stealthy or sophisticated attacks that might evade standard detections.

Okta customers should baseline these detections against their own environment and filter out business-approved activity (corporate VPN egress, managed automation, known admin workflows) that would otherwise produce false positives.
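To make the distinction concrete, here is an added example written for this page; it is not a query from the Okta catalog. It implements the "Impossible Travel with New Device" detection listed above as a small Python script run over constructed Okta System Log records, and applies the baselining step from the previous paragraph with an allowlist of business-approved egress ranges. It assumes that user.session.start events with outcome.result SUCCESS mark logins, that client.geographicalContext carries the GeoIP fix, and that debugContext.debugData.dtHash is a usable device identifier; the sample records, IP ranges and 900 km/h threshold are all constructed for illustration.

```python
"""Added example (not a query from the Okta catalog): impossible travel with a new device.
Assumed fields: user.session.start with outcome.result=SUCCESS marks a login,
client.geographicalContext holds the GeoIP fix, and debugContext.debugData.dtHash
identifies the device (swap in whatever device identifier your tenant records)."""
import ipaddress, json, math
from datetime import datetime

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner cruise speed; tune to your risk appetite
EARTH_RADIUS_KM = 6371.0
# Baselining: business-approved egress (e.g. a VPN concentrator) that must not raise this
# alert. Constructed value from the TEST-NET-3 documentation range.
APPROVED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

def _get(event, dotted, default=None):
    """Walk a dotted path such as 'client.geographicalContext.geolocation.lat'."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def _ts(published):
    return datetime.fromisoformat(published.replace("Z", "+00:00"))  # Okta uses a 'Z' suffix

def is_approved_egress(ip):
    return any(ipaddress.ip_address(ip) in net for net in APPROVED_EGRESS)

def detect_impossible_travel(events, require_new_device=True):
    """One alert per successful login too far from the user's previous login to reach at
    MAX_PLAUSIBLE_SPEED_KMH. require_new_device=True is the high-confidence detection (the
    device must also be one the user never used before); False is the hunting variant."""
    logins = sorted((e for e in events if e.get("eventType") == "user.session.start"
                     and _get(e, "outcome.result") == "SUCCESS"),
                    key=lambda e: _ts(e["published"]))
    known_devices, last_seen, alerts = {}, {}, []
    for e in logins:
        user, device = _get(e, "actor.alternateId"), _get(e, "debugContext.debugData.dtHash")
        geo = _get(e, "client.geographicalContext", {})
        lat, lon, city = _get(geo, "geolocation.lat"), _get(geo, "geolocation.lon"), geo.get("city")
        if None in (user, device, lat, lon):
            continue  # cannot judge travel without identity, device and a GeoIP fix
        seen = known_devices.setdefault(user, set())
        new_device = device not in seen
        seen.add(device)
        if is_approved_egress(_get(e, "client.ipAddress", "0.0.0.0")):
            continue  # learn the device, but a VPN egress says nothing about where the user is
        now, prev = _ts(e["published"]), last_seen.get(user)
        if prev and (new_device or not require_new_device):
            prev_ts, prev_lat, prev_lon, prev_city = prev
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (now - prev_ts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append({"user": user, "published": e["published"], "device": device,
                               "new_device": new_device, "route": f"{prev_city} -> {city}",
                               "distance_km": round(dist), "speed_kmh": round(speed)})
        last_seen[user] = (now, lat, lon, city)
    return alerts

def _rec(user, published, ip, city, lat, lon, dt_hash, result="SUCCESS"):
    """Build a record shaped like an Okta System Log event (constructed data)."""
    return {"eventType": "user.session.start", "published": published,
            "outcome": {"result": result}, "actor": {"alternateId": user, "type": "User"},
            "client": {"ipAddress": ip, "geographicalContext": {
                "city": city, "geolocation": {"lat": lat, "lon": lon}}},
            "debugContext": {"debugData": {"dtHash": dt_hash}}}

# Constructed sample log, one JSON object per line as a log forwarder would emit it.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("alice@example.com", "2024-05-06T09:00:00.000Z", "198.51.100.7", "New York", 40.7128, -74.0060, "dt-a1"),
    _rec("alice@example.com", "2024-05-06T09:30:00.000Z", "198.51.100.7", "New York", 40.7128, -74.0060, "dt-a1"),
    _rec("alice@example.com", "2024-05-06T09:40:00.000Z", "192.0.2.44", "Singapore", 1.3521, 103.8198, "dt-b2", "FAILURE"),
    _rec("alice@example.com", "2024-05-06T10:00:00.000Z", "192.0.2.44", "Singapore", 1.3521, 103.8198, "dt-b2"),
    _rec("carol@example.com", "2024-05-06T06:00:00.000Z", "192.0.2.9", "Tokyo", 35.6762, 139.6503, "dt-c3"),
    _rec("carol@example.com", "2024-05-06T08:00:00.000Z", "192.0.2.10", "Sydney", -33.8688, 151.2093, "dt-c3"),
    _rec("bob@example.com", "2024-05-06T08:00:00.000Z", "198.51.100.20", "London", 51.5074, -0.1278, "dt-d4"),
    _rec("bob@example.com", "2024-05-06T09:00:00.000Z", "203.0.113.10", "Sydney", -33.8688, 151.2093, "dt-e5"),
])

def run_sample(require_new_device=True):
    events = [json.loads(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_impossible_travel(events, require_new_device)

if __name__ == "__main__":
    # Only alice fires: New York -> Singapore in 30 minutes on an unseen device. carol's hop is
    # as impossible but on a known device (hunting variant only); bob's is approved egress.
    print(json.dumps(run_sample(), indent=2))
```

Two design points are worth noting. The require_new_device flag is the detection-versus-hunting split in miniature: with it set, only alice's login fires, which is specific enough to page on; with it cleared, carol's equally impossible hop on a known device also surfaces, a lower-confidence result better suited to a hunting review than an alert. The allowlist handles the baselining caveat, but deliberately does not record the egress location as the user's last position, because a VPN concentrator's GeoIP fix would otherwise make the user's next genuine login look like impossible travel.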

Your Contribution Matters

At Okta, we believe that by sharing knowledge and expertise, our whole community can become more resilient against evolving threats. The community-driven nature of the catalog allows for the rapid dissemination of detection strategies for newly identified vulnerabilities and attack techniques.

We actively encourage customers to contribute their own detection ideas to this growing repository. If you see a gap in our current coverage, or find an issue with an existing query, open a GitHub issue so it can be addressed.

To contribute a new detection idea, open a GitHub issue that includes:

  • What activity is the idea attempting to detect? 

  • How can this be leveraged by an adversary?

  • Which MITRE ATT&CK technique does it map to?

  • The detection query or logic.

  • Whether you would like to be credited as the author.

Happy hunting!

Ryan Mombourquette and Brett Winterford contributed to this post.