Push Security correlation rules

correlation_rules/okta_login_without_push.yml

@@ -0,0 +1,65 @@
+AnalysisType: correlation_rule
+RuleID: "Okta.Login.Without.Push"
+DisplayName: "Okta Login Without Push"
+Enabled: false
+Tags:
+  - Push Security
+  - Configuration Required
+Reports:
+  MITRE ATT&CK:
+    - T1212 # Exploitation for Credential Access
+    - T1539 # Steal Web Session Cookie
+Severity: Critical
+Detection:
+  - Sequence:
+      - ID: Okta
+        RuleID: Okta.Login.Success
+      - ID: Push
+        RuleID: Push.Security.Authorized.IdP.Login
+        Absence: true
+    Transitions:
+      - ID: Okta to Push
+        From: Okta
+        To: Push
+        Match:
+          - From: actor.alternateId
+            To: new.email
+    Schedule:
+      RateMinutes: 5
+      TimeoutMinutes: 2
+    LookbackWindowMinutes: 30
+Tests:
+  - Name: Okta Login, Followed By Push Authorized Login
+    ExpectedResult: false
+    RuleOutputs:
+      - ID: Okta
+        Matches:
+          actor.alternateId:
+            frodo.baggins@hobbiton.com:
+              - 0
+      - ID: Push
+        Matches:
+          new.email:
+            frodo.baggins@hobbiton.com:
+              - 3
+  - Name: Okta Login, Not Followed By Push Authorized Login
+    ExpectedResult: true
+    RuleOutputs:
+      - ID: Okta
+        Matches:
+          actor.alternateId:
+            frodo.baggins@hobbiton.com:
+              - 0
+  - Name: Okta Login, Followed By Push Authorized Login By Other User
+    ExpectedResult: true
+    RuleOutputs:
+      - ID: Okta
+        Matches:
+          actor.alternateId:
+            frodo.baggins@hobbiton.com:
+              - 0
+      - ID: Push
+        Matches:
+          new.email:
+            samwise.gamgee@hobbiton.com:
+              - 3

correlation_rules/potential_compromised_okta_credentials.yml

@@ -0,0 +1,64 @@
+AnalysisType: correlation_rule
+RuleID: "Potential.Compromised.Okta.Credentials"
+DisplayName: "Potential Compromised Okta Credentials"
+Enabled: false
+Tags:
+  - Push Security
+  - Configuration Required
+Reports:
+  MITRE ATT&CK:
+    - T1212 # Exploitation for Credential Access
+    - T1539 # Steal Web Session Cookie
+Severity: Critical
+Detection:
+  - Sequence:
+      - ID: Login Without Push Marker
+        RuleID: Okta.Login.Without.Push.Marker
+      - ID: Push Phishing
+        RuleID: Push.Security.Phishing.Attack
+    Transitions:
+      - ID: Match on user
+        From: Login Without Push Marker
+        To: Push Phishing
+        Match:
+          - From: actor.alternateId
+            To: new.employee.email
+    Schedule:
+      RateMinutes: 5
+      TimeoutMinutes: 1
+    LookbackWindowMinutes: 30
+Tests:
+  - Name: Login Without Marker, Followed By Phishing Detection
+    ExpectedResult: true
+    RuleOutputs:
+      - ID: Login Without Push Marker
+        Matches:
+          actor.alternateId:
+            frodo.baggins@hobbiton.com:
+              - 0
+      - ID: Push Phishing
+        Matches:
+          new.employee.email:
+            frodo.baggins@hobbiton.com:
+              - 3
+  - Name: Login Without Marker, Followed By Phishing Detection for Different User
+    ExpectedResult: false
+    RuleOutputs:
+      - ID: Login Without Push Marker
+        Matches:
+          actor.alternateId:
+            frodo.baggins@hobbiton.com:
+              - 0
+      - ID: Push Phishing
+        Matches:
+          new.employee.email:
+            samwise.gamgee@hobbiton.com:
+              - 3
+  - Name: Login Without Marker, Not Followed By Phishing Detection
+    ExpectedResult: false
+    RuleOutputs:
+      - ID: Login Without Push Marker
+        Matches:
+          actor.alternateId:
+            frodo.baggins@hobbiton.com:
+              - 0

packs/multisource_correlations.yml

@@ -4,7 +4,16 @@ Description: DO NOT ENABLE THIS PACK! This pack contains rules that require mult
 DisplayName: "Panther Multi-Source Correlations Pack"
 PackDefinition:
   IDs:
+  # AWS + Okta
     - Secret.Exposed.and.not.Quarantined
     - GitHub.Secret.Scanning.Alert.Created
     - AWS.CloudTrail.IAMCompromisedKeyQuarantine
-    - global_filter_github
+    - global_filter_github
+
+  # Okta + Push Security
+    - Okta.Login.Without.Push
+    - Potential.Compromised.Okta.Credentials
+    - Okta.Login.Success
+    - Push.Security.Authorized.IdP.Login
+    - Okta.Login.Without.Push.Marker
+    - Push.Security.Phishing.Attack

rules/okta_rules/okta_login_signal.py

@@ -0,0 +1,9 @@
+def rule(event):
+    return (
+        event.deep_get("eventType") == "user.session.start"
+        and event.deep_get("outcome", "result") == "SUCCESS"
+    )
+
+
+def title(event):
+    return f'{event.deep_get("actor", "displayName")} logged in to Okta'

rules/okta_rules/okta_login_signal.yml

@@ -0,0 +1,223 @@
+AnalysisType: rule
+Filename: okta_login_signal.py
+RuleID: "Okta.Login.Success"
+DisplayName: "Okta Login Signal"
+Enabled: false
+CreateAlert: false
+LogTypes:
+  - Okta.SystemLog
+Severity: Info
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: Non-Login Event
+    ExpectedResult: false
+    Log:
+      actor:
+        alternateId: jim.kalafut@panther.com
+        displayName: Jim Kalafut
+        id: 00u99ped55av2JpGs5d7
+        type: User
+      authenticationContext:
+        authenticationStep: 0
+        externalSessionId: trsxcsf59kYRG-GwAbWjw-PZA
+      client:
+        device: Unknown
+        ipAddress: 11.22.33.44
+        userAgent:
+          browser: UNKNOWN
+          os: Unknown
+          rawUserAgent: Go-http-client/2.0
+        zone: "null"
+      debugContext:
+        debugData:
+          dtHash: 53dd1a7513e0256eb13b9a47bb07ed61e8ca3d35fbdc36c909567a21a65a2b19
+          rateLimitBucketUuid: b192d91c-b242-36da-9332-d97a5579f865
+          rateLimitScopeType: ORG
+          rateLimitSecondsToReset: "6"
+          requestId: 234cf34e0081e025e1fe14224464bbd6
+          requestUri: /api/v1/logs
+          threshold: "20"
+          timeSpan: "1"
+          timeUnit: MINUTES
+          url: /api/v1/logs?since=2023-09-21T17%3A04%3A22Z&limit=1000&after=1714675441520_1
+          userId: 00u99ped55av2JpGs5d7
+          warningPercent: "60"
+      displayMessage: Rate limit warning
+      eventType: system.org.rate_limit.warning
+      legacyEventType: core.framework.ratelimit.warning
+      outcome:
+        result: SUCCESS
+      published: "2024-05-02 18:46:21.121000000"
+      request:
+        ipChain:
+          - ip: 11.22.33.44
+            version: V4
+      securityContext: {}
+      severity: WARN
+      target:
+        - id: /api/v1/logs
+          type: URL Pattern
+        - id: b192d91c-b242-36da-9332-d97a5579f865
+          type: Bucket Uuid
+      transaction:
+        detail:
+          requestApiTokenId: 00T1bjatrp6Nl1dOc5d7
+        id: 234cf34e0081e025e1fe14224464bbd6
+        type: WEB
+      uuid: 44aeb388-08b4-11ef-9cec-73ffcb6f9fdd
+      version: "0"
+  - Name: Successful Login
+    ExpectedResult: true
+    Log:
+      actor:
+        alternateId: casey.hill@hey.com
+        displayName: Casey Hill
+        id: 00ubewfku1EX0WCFk697
+        type: User
+      authenticationContext:
+        authenticationStep: 0
+        externalSessionId: idxvF50v_5sT2-GOA7_K0Amyw
+      client:
+        device: Computer
+        geographicalContext:
+          city: Atlanta
+          country: United States
+          geolocation:
+            lat: 33.9794
+            lon: -84.3459
+          postalCode: "30350"
+          state: Georgia
+        ipAddress: 99.108.5.25
+        userAgent:
+          browser: CHROME
+          os: Mac OS 14.4.1 (Sonoma)
+          rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+        zone: "null"
+      debugContext:
+        debugData:
+          authnRequestId: 5167029d2c8308348d651c0be650230f
+          dtHash: f23be3b6d8bfd69c14e0d1b33e790b84fa5358eab0a09a1058816ad65d633da4
+          oktaUserAgentExtended: okta-auth-js/7.0.1 okta-signin-widget-7.16.1
+          origin: https://trial-2340039.okta.com
+          requestId: 601b158a3b3e23be5bbf74d0fe63cd78
+          requestUri: /idp/idx/challenge/answer
+          threatSuspected: "false"
+          url: /idp/idx/challenge/answer?
+      displayMessage: User login to Okta
+      eventType: user.session.start
+      legacyEventType: core.user_auth.login_success
+      outcome:
+        result: SUCCESS
+      published: "2024-04-02 19:17:37.621000000"
+      request:
+        ipChain:
+          - geographicalContext:
+              city: Atlanta
+              country: United States
+              geolocation:
+                lat: 33.9794
+                lon: -84.3459
+              postalCode: "30350"
+              state: Georgia
+            ip: 99.108.5.25
+            version: V4
+      securityContext:
+        asNumber: 7018
+        asOrg: at&t corp.
+        domain: sbcglobal.net
+        isProxy: false
+        isp: att services inc
+      severity: INFO
+      target:
+        - alternateId: unknown
+          displayName: Password
+          id: lae1at5k3ir9bV1gr697
+          type: AuthenticatorEnrollment
+        - alternateId: Okta Dashboard
+          displayName: Okta Dashboard
+          id: 0oabewfkt83T8ve1o697
+          type: AppInstance
+      transaction:
+        detail: {}
+        id: 601b158a3b3e23be5bbf74d0fe63cd78
+        type: WEB
+      uuid: aac560bd-f125-11ee-9caa-cd5d09945def
+      version: "0"
+  - Name: Failed Login
+    ExpectedResult: false
+    Log:
+      actor:
+        alternateId: casey.hill@hey.com
+        displayName: Casey Hill
+        id: 00ubewfku1EX0WCFk697
+        type: User
+      authenticationContext:
+        authenticationStep: 0
+        externalSessionId: idxvF50v_5sT2-GOA7_K0Amyw
+      client:
+        device: Computer
+        geographicalContext:
+          city: Atlanta
+          country: United States
+          geolocation:
+            lat: 33.9794
+            lon: -84.3459
+          postalCode: "30350"
+          state: Georgia
+        ipAddress: 99.108.5.25
+        userAgent:
+          browser: CHROME
+          os: Mac OS 14.4.1 (Sonoma)
+          rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+        zone: "null"
+      debugContext:
+        debugData:
+          authnRequestId: 5167029d2c8308348d651c0be650230f
+          dtHash: f23be3b6d8bfd69c14e0d1b33e790b84fa5358eab0a09a1058816ad65d633da4
+          oktaUserAgentExtended: okta-auth-js/7.0.1 okta-signin-widget-7.16.1
+          origin: https://trial-2340039.okta.com
+          requestId: 601b158a3b3e23be5bbf74d0fe63cd78
+          requestUri: /idp/idx/challenge/answer
+          threatSuspected: "false"
+          url: /idp/idx/challenge/answer?
+      displayMessage: User login to Okta
+      eventType: user.session.start
+      legacyEventType: core.user_auth.login_success
+      outcome:
+        result: FAILURE
+      published: "2024-04-02 19:17:37.621000000"
+      request:
+        ipChain:
+          - geographicalContext:
+              city: Atlanta
+              country: United States
+              geolocation:
+                lat: 33.9794
+                lon: -84.3459
+              postalCode: "30350"
+              state: Georgia
+            ip: 99.108.5.25
+            version: V4
+      securityContext:
+        asNumber: 7018
+        asOrg: at&t corp.
+        domain: sbcglobal.net
+        isProxy: false
+        isp: att services inc
+      severity: INFO
+      target:
+        - alternateId: unknown
+          displayName: Password
+          id: lae1at5k3ir9bV1gr697
+          type: AuthenticatorEnrollment
+        - alternateId: Okta Dashboard
+          displayName: Okta Dashboard
+          id: 0oabewfkt83T8ve1o697
+          type: AppInstance
+      transaction:
+        detail: {}
+        id: 601b158a3b3e23be5bbf74d0fe63cd78
+        type: WEB
+      uuid: aac560bd-f125-11ee-9caa-cd5d09945def
+      version: "0"