This commit is contained in:
chicduong 2020-08-27 08:53:09 -07:00
Родитель da04d78b11
Коммит 167a139603
3 изменённых файлов: 8 добавлений и 8 удалений


@ -1,7 +1,7 @@
id: 884be6e7-e568-418e-9c12-89229865ffde
name: Failed Logins from Unknown or Invalid User
description: |
'This creates an incident in the event that numerous login attempts to the management console with an unknown or invalid user name'
'This query searches for numerous login attempts to the management console with an unknown or invalid user name'
severity: Medium
requiredDataConnectors:
- connectorId: OktaSSO
@ -27,7 +27,7 @@ query: |
| project client_ipAddress_s, actor_alternateId_s;
Okta_CL
| where TimeGenerated > timeframe
| join kind=inner FailedLogins () on client_ipAddress_s, actor_alternateId_s
| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s
| where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t
| sort by published_t desc
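Review bot: The reworded description at L14 still says "numerous login attempts" without stating the threshold, so an analyst triaging an incident from this rule cannot tell from the rule metadata how many failures are needed to fire; the count the query actually applies is set outside this hunk and should be named here, e.g. `'This query searches for N or more login attempts to the management console with an unknown or invalid user name within the lookback window'` with N replaced by the query's real threshold. The join syntax correction at L23 looks right, but the `where` on L24 filters `eventType_s`/`outcome_reason_s` after the inner join with FailedLogins rather than before it; since both columns come from the left-hand Okta_CL rows, moving that `where` above the `join` should give the same result set while joining fewer rows — worth confirming against the full query, whose earlier lines are outside this hunk.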


@ -1,8 +1,8 @@
id: 2954d424-f786-4677-9ffc-c24c44c6e7d5
name: Login from User(s) from Different Countries within 3 hours
name: User Login from Different Countries within 3 hours
description: |
'This creates an incident in the event that a user logs into the Okta Console from different countries within 3 hours'
severity: Medium
'This query searches for successful user logins to the Okta Console from different countries within 3 hours'
severity: High
requiredDataConnectors:
- connectorId: OktaSSO
dataTypes:
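Review bot: The severity is raised from Medium to High at L38, but neither the description at L37 nor the commit record gives a rationale, and a user logging in from two countries within 3 hours is a frequent benign pattern (corporate VPN egress, travel, carrier geolocation), so a High severity with no tuning guidance is likely to produce noisy incidents. The description should state the expected benign sources and how the rule is meant to be tuned, e.g. append `'Logins through VPN or cloud egress can appear as different countries; exclude known egress ranges before relying on this rule at High severity.'`. The description now says "successful user logins", but the query body is outside this hunk, so whether it actually restricts on a success outcome could not be confirmed from here and should be checked against the KQL.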


@ -1,7 +1,7 @@
id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
name: Potential Password Spray Attack
description: |
'This creates an incident in the event there are failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack'
'This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack'
severity: Medium
requiredDataConnectors:
- connectorId: OktaSSO
@ -29,7 +29,7 @@ query: |
| where TimeGenerated > timeframe
| where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)
| joinkind=inner FailedEvents () on client_ipAddress_s, TimeGenerated
| sortby TimeGenerated desc
| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated
| sort by TimeGenerated desc
| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s