corrections to syntax

Detections/OktaSSO/FailedLoginsFromUnknownOrInvalidUser.yaml

@@ -21,14 +21,15 @@ query: |
   let FailureThreshold = 15;
   let FailedLogins = Okta_CL
   | where TimeGenerated > timeframe
-  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "UNKNOWN_USER"
-  | summarize count() by client_ipAddress_s, bin(TimeGenerated, 5m)
+  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
+  | summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)
   | where count_ > FailureThreshold
-  | project client_ipAddress_s;
+  | project client_ipAddress_s, actor_alternateId_s;
   Okta_CL
-  | where published_t > timeframe
-  | join kind=inner FailedLogins () on client_ipAddress_s
-  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "UNKNOWN_USER"
-  | summarize count() by ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)
-  | sort by TimeGenerated desc
-  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP
+  | where TimeGenerated > timeframe
+  | join kind=inner FailedLogins () on client_ipAddress_s, actor_alternateId_s
+  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
+  | summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t
+  | sort by published_t desc
+  | extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s
+ 

Detections/OktaSSO/PasswordSpray.yaml

@@ -1,7 +1,7 @@
 id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
 name: Potential Password Spray Attack
 description: |
-  'This creates an incident when numerous lock out events from different accounts occurs'
+  'This creates an incident in the event there are failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack'
 severity: Medium
 requiredDataConnectors:
   - connectorId: OktaSSO
@@ -19,17 +19,17 @@ query: |
 
   let timeframe = ago(1h);
   let FailureThreshold = 15;
-  let LockOutEvents = Okta_CL
+  let FailedEvents = Okta_CL
   | where TimeGenerated > timeframe
-  | where eventType_s =~ "user.account.lock"
-  | summarize count() by client_ipAddress_s, bin(TimeGenerated, 5m)
-  | where count_ > FailureThreshold
-  | project TimeGenerated;
+  | where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
+  | summarizedcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)
+  | where dcount_actor_alternateId_s > FailureThreshold
+  | project client_ipAddress_s, TimeGenerated;
   Okta_CL
   | where TimeGenerated > timeframe
-  | where eventType_s =~ "user.account.lock"
-  | extend TimeGenerated = bin(TimeGenerated, 5m)
-  | join kind=inner LockOutEvents () on TimeGenerated
-  | summarize User = make_set(actor_alternateId_s) by ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)
-  | sort by TimeGenerated desc
-  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP
+  | where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
+  | summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)
+  | joinkind=inner FailedEvents () on client_ipAddress_s, TimeGenerated
+  | sortby TimeGenerated desc
+  | extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s
+