← Back to Explore
elasticmediumTTP
Okta ThreatInsight Threat Suspected Promotion
Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.
Detection Query
data_stream.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
Author
Elastic
Created
2020/05/21
Data Sources
Oktafilebeat-*logs-okta*
References
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
- https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html
- https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy
- https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security
- https://www.elastic.co/security-labs/starter-guide-to-understanding-okta
Tags
Use Case: Identity and Access AuditData Source: OktaResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
promotion = true
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
description = """
Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes,
which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents
Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests
the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and
other similar threats.
"""
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta ThreatInsight Threat Suspected Promotion"
note = """## Setup
## Triage and analysis
This is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.
"""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
rule_name_override = "okta.display_message"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
'''
[[rule.severity_mapping]]
field = "okta.debug_context.debug_data.risk_level"
operator = "equals"
severity = "low"
value = "LOW"
[[rule.severity_mapping]]
field = "okta.debug_context.debug_data.risk_level"
operator = "equals"
severity = "medium"
value = "MEDIUM"
[[rule.severity_mapping]]
field = "okta.debug_context.debug_data.risk_level"
operator = "equals"
severity = "high"
value = "HIGH"