[New Hunt] Add Initial Okta Hunting Queries #4064

Merged: 14 commits from new-hunts-initial-okta-queries into main, Sep 16, 2024

Conversation

@terrancedejesus (Contributor) commented Sep 9, 2024

Pull Request

Issue link(s):

Summary - What I changed

Adding initial Okta threat hunting queries. The original goal is to add 10 qualitative hunting queries.

How To Test

Checklist

  • Added a label for the type of PR: bug, enhancement, schema, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@protectionsmachine (Collaborator) commented:

Hunt: New - Guidelines

Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.

Documentation and Context

  • Detailed description of the Hunt.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.
  • Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

  • author: The name of the individual or organization authoring the hunt.
  • creation_date matches the date the PR that introduced the hunt was initially merged.
  • min_stack_version is set to support the widest range of stack versions.
  • name and description are descriptive and typo-free.
  • language: The query language(s) used in the hunt, such as KQL, EQL, ES|QL, OsQuery, or YARA.
  • query is inclusive rather than overly exclusive, with performance across diverse environments in mind.
  • integration aligns with the index the query reads from; if the integration is newly introduced, update it accordingly.
  • setup includes the steps necessary to configure the integration.
  • note includes additional information (e.g., triage and analysis investigation guides, timeline templates).
  • tags are relevant to the threat and align with EXPECTED_HUNT_TAGS in definitions.py.
  • threat, techniques, and subtechniques map to ATT&CK whenever possible.

Testing and Validation

  • Evidence of testing and detecting the expected threat.
  • Check for the existence of coverage to prevent duplication.
  • Generate Markdown: Run python generate_markdown.py to update the documentation.

@@ -33,7 +33,7 @@ from logs-aws_bedrock.invocation-*

## Notes

- Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent to expose LLM vulnerabilities.
- Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent to expose LLM vulnerabilities
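Review bot: the only change in this hunk is the dropped trailing period on the Notes bullet under logs-aws_bedrock.invocation-*, which reads as generated-markdown drift rather than an intentional edit in an Okta PR; since the markdown is produced from the TOML by python generate_markdown.py, either restore the period in the TOML note entry and regenerate, or state in the PR that the docs were regenerated from the current TOML so reviewers know this unrelated change is expected.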
@Mikaayenson (Contributor) commented on this hunk:

why did it remove the period?

@terrancedejesus (Contributor, Author) replied:

@Mikaayenson - It removed the period because the TOML file was edited, but the docs were not regenerated before the PR was merged.

Ref:

"Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent to expose LLM vulnerabilities",

@Samirbous (Contributor) left a review comment:

awesome list of OKTA hunts!

@terrancedejesus merged commit 9181c00 into main on Sep 16, 2024; 9 checks passed.
@terrancedejesus deleted the new-hunts-initial-okta-queries branch September 16, 2024 18:36
protectionsmachine pushed a commit that referenced this pull request Sep 16, 2024
* adding new Okta hunting queries

* query format changes

* adding docs

* added query for mfa bombing

* adding remaining hunting queries

* adjusted incorrect hunt

* updated queries

* updated queries based on Samir's feedback

* removed failed login eval

* updated docs

(cherry picked from commit 9181c00)
protectionsmachine pushed five further commits referencing this pull request on Sep 16, 2024, each with the same message (cherry picked from commit 9181c00).
4 participants