Hunting queries related to Okta Breach

.gitignore

@@ -336,4 +336,5 @@ ASALocalRun/
 Hunting Queries/DeployedQueries.json
 
 #Mac OSx
-.DS_Store
+.DS_Store
+/Notebooks

Hunting Queries/Okta/AdminPrivilegeGrant.yaml

@@ -0,0 +1,34 @@
+id: 5309ea6b-463c-4449-a3c4-2fc8ee0080ee
+name: Admin privilege granted (Okta)
+description: |
+  'This query searches for successful grant of administrator permissions to user/groups. Adversaries often attempt to assign administrator permission to users/group to maintain access as well as to elevate privileges.
+   Please verify that the behavior is known and filter out anything that is expected.
+   Refrence: https://developer.okta.com/docs/reference/api/event-types/'
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes: 
+      - Okta_CL
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1098
+query: |
+  let Events = dynamic(["group.privilege.grant", "user.account.privilege.grant"]);
+  Okta_CL
+  | where isnotempty(eventType_s)
+  | where eventType_s in (Events)
+  | where outcome_result_s =~ "SUCCESS"
+  | extend Target=parsejson(target_s)
+  | mvexpand bagexpansion=array (Target)
+  | evaluate bag_unpack(Target)
+  | extend Target_Id = id, Target_type = type, Target_user = displayName, Target_alternateId = alternateId
+  | project-away id, type, displayName, alternateId
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_id_s, actor_type_s, actor_alternateId_s, actor_displayName_s, Target_alternateId, Target_Id, Target_type, 
+    Target_user, debugContext_debugData_privilegeGranted_s, domain_s, authenticationContext_externalSessionId_s, eventType_s, displayMessage_s, transaction_id_s, uuid_g
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: actor_displayName_s
+      - identifier: FullName
+        columnName: Target_user

Hunting Queries/Okta/CreateAPIToken.yaml

@@ -0,0 +1,24 @@
+id: c5134bac-044d-447a-a260-d1d439653ae7
+name: Create API Token (Okta) 
+description: |
+  'Okta API tokens are used to authenticate requests to Okta APIs. This query searches for attempts to create new API Token.
+   Refrence: https://developer.okta.com/docs/reference/api/event-types/'
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes: 
+      - Okta_CL
+tactics:
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1134
+query: |
+  let Events = dynamic(["system.api_token.create"]);
+  Okta_CL
+  | where isnotempty(eventType_s)
+  | where eventType_s in (Events)
+  | where outcome_result_s =~ "SUCCESS"
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: actor_displayName_s

Hunting Queries/Okta/ImpersonationSession.yaml

@@ -0,0 +1,27 @@
+id: 96fb9b37-e2b7-45f6-9b2a-cb9cdfd2b0fc
+name: Initiate impersonation session (Okta) 
+description: |
+  'User.session.impersonation are generally speaking rare events normally triggered when an Okta Support person requests admin access for troubleshooting. This query searches for impersonation events used in LAPSUS$ breach.
+   Please review user.session.impersonation events and co-relate that with legitimate opened Okta support tickets to determine if these are anomalous.
+   Refrence: https://developer.okta.com/docs/reference/api/event-types/
+   Refrence: https://twitter.com/JimmyVo/status/1506306703788326915
+   Refrence: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/'
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes: 
+      - Okta_CL
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1195
+query: |
+  let Events = dynamic(["user.session.impersonation.initiate", "user.session.impersonation.grant", "user.session.impersonation.extend", "user.session.impersonation.end", "user.session.impersonation.revoke"]);
+  Okta_CL
+  | where isnotempty(eventType_s)
+  | where eventType_s in (Events)
+  | where outcome_result_s =~ "SUCCESS"
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: actor_displayName_s

Hunting Queries/Okta/RareMFAOperation.yaml

@@ -0,0 +1,36 @@
+id: 18667b4a-18e5-4982-ba75-92ace62bc79c
+name: Rare MFA Operations (Okta)
+description: |
+  'Multi-Factor Authentication (MFA) helps prevent credential compromise.This query searches for rare MFA operations like deactivating, updating, resetting and attempts to bypass MFA.
+   Adversaries often attempt these operations to compromise networks and high-value accounts.Please verify that the behavior is known and filter out anything that is expected.
+   Refrence: https://developer.okta.com/docs/reference/api/event-types/'
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes: 
+      - Okta_CL
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1098
+query: |
+  let Events = dynamic(["user.mfa.factor.update", "system.mfa.factor.deactivate", "user.mfa.attempt_bypass", "user.mfa.factor.reset_all"]);
+  Okta_CL
+  | where isnotempty(eventType_s)
+  | where eventType_s in (Events)
+  | where outcome_result_s =~ "SUCCESS"
+  | extend Target=parsejson(target_s)
+  | mvexpand bagexpansion=array (Target)
+  | evaluate bag_unpack(Target)
+  | extend Target_Id = id, Target_type = type, Target_user = displayName, Target_alternateId = alternateId
+  | project-away id, type, displayName, alternateId
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: actor_displayName_s
+      - identifier: FullName
+        columnName: Target_user
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: client_ipAddress_s