[New Hunt] Add Initial Okta Hunting Queries #4064
|
@@ -33,7 +33,7 @@ from logs-aws_bedrock.invocation-* | |||
|
|||
## Notes | |||
|
|||
- Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent to expose LLM vulnerabilities. | |||
- Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent to expose LLM vulnerabilities |
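Review bot: the only change in this hunk is the trailing period dropping from the "Examine flagged interactions ..." bullet under ## Notes, and per the thread below that is docs regeneration catching up with an earlier TOML edit (line 29 of aws_bedrock_ignore_previous_prompt_detection.toml has no period) rather than an intentional docs edit; the underlying gap is that the TOML was merged without regenerating the docs, so the docs regeneration should land in the same PR that edits the TOML, and the Okta hunts added here should be checked the same way before merge so their docs and TOML do not drift.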
why did it remove the period?
@Mikaayenson - It removed the period because the TOML file was edited, but the docs were not regenerated before the PR was merged.
Ref: detection-rules/hunting/llm/queries/aws_bedrock_ignore_previous_prompt_detection.toml, line 29 in bb9a772:
"Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent to expose LLM vulnerabilities",
awesome list of OKTA hunts!
Review threads (outdated, resolved) on:
- ...g/okta/docs/queries/credential_access_rapid_reset_password_requests_for_different_users.toml
- .../docs/queries/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml (2 threads)
- ...okta/docs/queries/defense_evasion_multiple_application_sso_authentication_repeat_source.toml (2 threads)
- hunting/okta/docs/queries/defense_evasion_rare_oauth_access_token_granted_by_application.toml
- hunting/okta/docs/queries/initial_access_hgher_than_average_failed_authentication.toml
- hunting/okta/docs/queries/initial_access_impossible_travel_sign_on.toml (2 threads)
- hunting/okta/docs/queries/initial_access_password_spraying_from_repeat_source.toml
* adding new Okta hunting queries
* query format changes
* adding docs
* added query for mfa bombing
* adding remainder hunting queries
* adjusted incorrect hunt
* updated queries
* updated queries based on Samir's feedback
* removed failed login eval
* updated docs

(cherry picked from commit 9181c00)
Pull Request

Issue link(s): okta.debug_context.debug_data keyword field (integrations#11049)

Summary - What I changed

Adding initial Okta threat hunting queries. The original goal is to add 10 qualitative hunting queries.

How To Test

Checklist

- Label for the type of pull request: bug, enhancement, schema, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning, so guidelines can be generated
- meta:rapid-merge label if planning to merge within 24 hours

Contributor checklist