Vendor: Okta

July 25, 2023

Product: Okta Adaptive MFA

Rules: 93
Models: 43
MITRE TTPs: 11
Event Types: 11
Parsers: 11
Event Types / Parsers (the same set is mapped to every use-case listed below):
  • account-lockout: json-okta-account-lockout
  • account-password-reset: cef-okta-account-password-reset
  • account-unlocked: cef-okta-account-unlocked
  • app-activity: okta-app-activity-ad, s-okta-app-activity, cef-okta-app-activity, q-okta-app-activity, cef-okta-logs-app-activity
  • app-activity-failed: cef-okta-app-activity, q-okta-app-activity, cef-okta-logs-app-activity
  • app-login: s-okta-app-login, u-okta-app-login, q-okta-app-login-1, okta-app-login-1, s-okta-app-login-4, q-okta-app-login-6, s-okta-app-login-3, q-okta-app-login-5, q-okta-app-login, s-okta-app-login-1, cef-okta-app-activity, q-okta-app-activity, cef-okta-logs-app-activity, json-okta-app-login, json-okta-app-login-1
  • authentication-failed: json-okta-authentication-failed-4, json-okta-authentication-failed-5, json-okta-authentication-failed-3
  • authentication-successful: json-okta-authentication-success
  • failed-app-login: json-okta-failed-app-login-3, json-okta-failed-app-login-1, json-okta-failed-app-login-2, q-okta-failed-app-login-1, q-okta-failed-app-login-2, okta-failed-app-login, q-okta-failed-app-login, u-okta-failed-app-login, s-okta-failed-login-3, s-okta-failed-app-login, cef-okta-app-activity, s-okta-failed-login-4, q-okta-app-activity, json-okta-failed-app-login-5, json-okta-failed-app-login-6, json-okta-failed-app-login-4
  • member-added: json-okta-member-added
  • security-alert: cef-okta-logs-app-alert, json-okta-security-alert, cef-okta-logs-app-activity

Use-Cases (MITRE TTPs and content per use-case):

Use-Case: Account Manipulation
  MITRE TTPs:
  • T1098 - Account Manipulation
  • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
  • 12 Rules
  • 8 Models

Use-Case: Compromised Credentials
  MITRE TTPs:
  • T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1078 - Valid Accounts
  • T1110 - Brute Force
  • T1133 - External Remote Services
  Content:
  • 62 Rules
  • 30 Models

Use-Case: Data Access
  MITRE TTPs:
  • T1078 - Valid Accounts
  Content:
  • 27 Rules
  • 15 Models

Use-Case: Data Leak
  MITRE TTPs:
  • T1114.003 - Email Collection: Email Forwarding Rule
  Content:
  • 2 Rules

Use-Case: Evasion
  MITRE TTPs:
  • T1090.003 - Proxy: Multi-hop Proxy
  Content:
  • 2 Rules

Use-Case: Lateral Movement
  MITRE TTPs:
  • T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
  Content:
  • 1 Rule

Use-Case: Malware
  MITRE TTPs:
  • T1078 - Valid Accounts
  • T1090.003 - Proxy: Multi-hop Proxy
  • T1204 - User Execution
  Content:
  • 8 Rules
  • 4 Models

Use-Case: Privilege Abuse
  MITRE TTPs:
  • T1078 - Valid Accounts
  • T1098 - Account Manipulation
  • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
  • 14 Rules
  • 8 Models

Use-Case: Privilege Escalation
  MITRE TTPs:
  • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
  • 3 Rules
  • 1 Model

Use-Case: Privileged Activity
  MITRE TTPs:
  • T1068 - Exploitation for Privilege Escalation
  • T1078 - Valid Accounts
  • T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content:
  • 5 Rules
  • 2 Models

Use-Case: Ransomware
  MITRE TTPs:
  • T1078 - Valid Accounts
  Content:
  • 2 Rules

ATT&CK Matrix for Enterprise

Techniques covered by this content, grouped by tactic column:

Initial Access
  • External Remote Services
  • Valid Accounts

Execution
  • Command and Scripting Interpreter
  • User Execution
  • Command and Scripting Interpreter: PowerShell

Persistence
  • External Remote Services
  • Valid Accounts
  • Account Manipulation
  • Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
  • Valid Accounts
  • Exploitation for Privilege Escalation

Defense Evasion
  • Obfuscated Files or Information: Indicator Removal from Tools
  • Valid Accounts
  • Obfuscated Files or Information

Credential Access
  • Brute Force

Discovery
  • (none)

Lateral Movement
  • (none)

Collection
  • Email Collection
  • Email Collection: Email Forwarding Rule

Command and Control
  • Proxy: Multi-hop Proxy
  • Proxy

Exfiltration
  • (none)

Impact
  • (none)