← Back to Explore
sigmalowHunting
Okta Password Health Report Query
Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login
Detection Query
selection:
debugContext.debugData.requestUri|contains: /reports/password-health/
condition: selection
Author
Muhammad Faisal (@faisalusuf)
Created
2023-10-25
Data Sources
oktaokta
Platforms
okta
Tags
attack.credential-accessdetection.threat-hunting
Raw Content
title: Okta Password Health Report Query
id: 0d58814b-1660-4d31-8c93-d1086ed24cba
status: test
description: |
Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI.
Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
tags:
- attack.credential-access
- detection.threat-hunting
logsource:
service: okta
product: okta
detection:
selection:
debugContext.debugData.requestUri|contains: '/reports/password-health/'
condition: selection
falsepositives:
- OKTA Admin Activites via Web Console UI.
- This rule is recommended to be used for threat hunting, especially in the context of OKTA support incident in OCT-2023.
- This rule can be used to hunt the activity against endpoints like /reports/password-health/async_csv_download_schedule?, which are typically used from Okta Admin Console UI only, without any corresponding admin console login. See reference
level: low