Tool
Splunk ESCU
2,101 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
50 shown of 2,101O365 Multiple Service Principals Created by User
The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in Azure Active Directory. This activity is significant as it may indicate a compromised user account or unauthorized actions, potentially leading to broader network infiltration or privilege escalation. If confirmed malicious, this behavior could allow attackers to gain persistent access, escalate privileges, or exfiltrate sensitive information.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "User" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps values(user) as user values(src) as src by src_user vendor_account vendor_product dest signature | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`O365 Multiple Users Failing To Authenticate From Ip
The following analytic identifies instances where more than 10 unique user accounts fail to authenticate from a single IP address within a 5-minute window. This detection leverages O365 audit logs, specifically Azure Active Directory login failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to breach security by targeting multiple accounts, potentially leading to unauthorized access. Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126
| bucket span=5m _time
| fillnull
| stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as user_agent values(dest) as dest
BY _time src vendor_account
vendor_product
| where unique_accounts > 10
| `o365_multiple_users_failing_to_authenticate_from_ip_filter`O365 New Email Forwarding Rule Created
The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.
Show query
`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', "ForwardTo") | eval match2=mvfind('Parameters{}.Name', "ForwardAsAttachmentTo") | eval match3=mvfind('Parameters{}.Name', "RedirectTo") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by signature dest user src vendor_account vendor_product ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`O365 New Email Forwarding Rule Enabled
The following analytic identifies the creation of new email forwarding rules in an Office 365 environment via the UpdateInboxRules operation. It leverages Office 365 management activity events to detect rules that forward emails to external recipients by examining the OperationProperties for specific forwarding actions. This activity is significant as it may indicate unauthorized email redirection, potentially leading to data exfiltration. If confirmed malicious, attackers could intercept sensitive communications, leading to data breaches and information leakage.
Show query
`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind('OperationProperties{}.Value', "ForwardToRecipientsAction") | eval match2=mvfind('OperationProperties{}.Value', "ForwardAsAttachmentToRecipientsAction") | eval match3=mvfind('OperationProperties{}.Value', "RedirectToRecipientsAction") | eval index = mvfind('OperationProperties{}.Name', "ServerRule") | where match1>=0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value',index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted="*@*.*" | eval ForwardTo=if(match(valueExtracted,"^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by signature dest user src vendor_account vendor_product ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter`O365 New Federated Domain Added
The following analytic identifies the addition of a new federated domain in an Office 365 environment. This behavior is detected by analyzing Office 365 management activity logs, specifically filtering for Workload=Exchange and Operation="Add-FederatedDomain". The addition of a new federated domain is significant as it may indicate unauthorized changes or potential compromises. If confirmed malicious, attackers could establish a backdoor, bypass security measures, or exfiltrate data, leading to data breaches and unauthorized access to sensitive information. Immediate investigation is required to review the details of the added domain and any concurrent suspicious activities.
Show query
`o365_management_activity` Operation IN ("*add*", "*new*") AND Operation="*domain*"
| eval src="NA"
| fillnull
| stats count values(ModifiedProperties{}.NewValue) as new_value
BY user user_agent authentication_service
signature Workload src
vendor_account vendor_product dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_federated_domain_added_filter`O365 New Forwarding Mailflow Rule Created
The following analytic detects the creation of new mail flow rules in Office 365 that may redirect or copy emails to unauthorized or external addresses. It leverages Office 365 Management Activity logs, specifically querying for the "New-TransportRule" operation and parameters like "BlindCopyTo", "CopyTo", and "RedirectMessageTo". This activity is significant as it can indicate potential data exfiltration or unauthorized access to sensitive information. If confirmed malicious, attackers could intercept or redirect email communications, leading to data breaches or information leakage.
Show query
`o365_management_activity` Workload=Exchange Operation="New-TransportRule" | eval match1=mvfind('Parameters{}.Name',"BlindCopyTo") | eval match2=mvfind('Parameters{}.Name',"CopyTo") | eval match3=mvfind('Parameters{}.Name', "RedirectMessageTo") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!="" | rename UserId as user | fillnull | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, ForwardTo, vendor_account, vendor_product, dest, signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter`O365 New MFA Method Registered
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account.
Show query
`o365_management_activity`
Workload=AzureActiveDirectory
Operation="Update user."
| eval propertyName = mvindex('ModifiedProperties{}.Name', 0)
| search propertyName IN ("StrongAuthenticationMethod", "StrongAuthenticationPhoneAppDetail")
| eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0)
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0)
| rex field=newvalue max_match=0 "(?i)(?<new_method_type>MethodType|DeviceName)"
| rex field=oldvalue max_match=0 "(?i)(?<old_method_type>MethodType|DeviceName)"
| eval count_new_method_type = coalesce(mvcount(new_method_type), 0)
| eval count_old_method_type = coalesce(mvcount(old_method_type), 0)
| where count_new_method_type > count_old_method_type
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(propertyName) as propertyName
by user newvalue oldvalue vendor_account
vendor_product dest signature src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_mfa_method_registered_filter`
O365 OAuth App Mailbox Access via EWS
The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. It leverages the ClientInfoString field to identify EWS interactions and aggregates metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing emails through EWS is crucial for identifying potential abuse or unauthorized data access. If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information.
Show query
`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=*
| regex ClientInfoString="^Client=WebServices;ExchangeWebServices"
| fillnull
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src
BY user ClientAppId OperationCount
AppId vendor_account vendor_product
dest signature ClientInfoString
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_oauth_app_mailbox_access_via_ews_filter`O365 OAuth App Mailbox Access via Graph API
The following analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. This activity is significant as unauthorized access to emails can lead to data breaches and information theft. If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization's network.
Show query
`o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000
| fillnull
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src
BY user ClientAppId OperationCount
AppId vendor_account vendor_product
dest signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_oauth_app_mailbox_access_via_graph_api_filter`O365 PST export alert
The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name "eDiscovery search started or exported." This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required.
Show query
`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported"
| fillnull
| stats count earliest(_time) as firstTime latest(_time) as lastTime
BY Source Severity AlertEntityId
Name user src
vendor_account vendor_product dest
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_pst_export_alert_filter`O365 Privileged Graph API Permission Assigned
The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | fillnull | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user src object user_agent signature vendor_account vendor_product dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`O365 Privileged Role Assigned
The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2) | fillnull | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, src, user, category, result, object_name, object_id, signature, vendor_account, vendor_product, dest | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole | search isprvilegedadrole="TRUE" category="User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_role_assigned_filter`O365 Privileged Role Assigned To Service Principal
The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.") | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2) | fillnull | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, src, user, category, result, object_name, object_id, signature,vendor_account, vendor_product, dest | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole | search isprvilegedadrole="TRUE" category!="User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_role_assigned_to_service_principal_filter`O365 Safe Links Detection
The following analytic detects when any Microsoft Safe Links alerting is triggered. This behavior may indicate when user has interacted with a phishing or otherwise malicious link within the Microsoft Office ecosystem.
Show query
`o365_management_activity` Name="*a potentially malicious URL*" Operation=AlertEntityGenerated
| fromjson Data
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime values(ObjectId) as url values(od) as desc
BY AlertId, trc, Name,
ot, dest, vendor_account,
vendor_product, src
| rename Name as signature, AlertId as signature_id, trc as user, ot as action
| eval action = CASE(action == "Allowed", "allowed", action=="BlockPageOverride", "allowed", true(),"blocked")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_safe_links_detection_filter`O365 Security And Compliance Alert Triggered
The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities.
Show query
`o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered
| spath input=Data path=f3u output=user
| spath input=Data path=op output=operation
| spath input=_raw path=wl
| spath input=Data path=rid output=rule_id
| spath input=Data path=ad output=alert_description
| spath input=Data path=lon output=operation_name
| spath input=Data path=an output=alert_name
| spath input=Data path=sev output=severity
| fillnull
| stats count earliest(_time) as firstTime latest(_time) as lastTime
BY user, Name, rule_id,
alert_description, alert_name, severity,
dest, src, vendor_account,
vendor_product, signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_security_and_compliance_alert_triggered_filter`O365 Service Principal New Client Credentials
The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management "
| fillnull
| stats earliest(_time) as firstTime latest(_time) as lastTime
BY user ModifiedProperties{}.NewValue object
ObjectId dest signature
src vendor_account vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_service_principal_new_client_credentials_filter`O365 Service Principal Privilege Escalation
This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.
Show query
`o365_management_activity` Operation="Add app role assignment to service principal." "Actor{}.ID"=ServicePrincipal ResultStatus=Success | spath path=ModifiedProperties{} output=targetResources | eval src="NA" | stats min(_time) as _time values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole, values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal values(object) as targetAppContext values(user_agent) as user_agent values(user) as servicePrincipal values(UserId) as servicePrincipalId by Operation InterSystemsId tenant_id user dest src vendor_account vendor_product signature | spath input=appRole path=NewValue output=appRole | spath input=targetServicePrincipal path=NewValue output=targetServicePrincipal | where servicePrincipal=targetServicePrincipal | fillnull | stats earliest(_time) as firstTime latest(_time) as lastTime by servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenant_id InterSystemsId user dest src vendor_account vendor_product signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_privilege_escalation_filter`O365 SharePoint Allowed Domains Policy Changed
The following analytic identifies when the allowed domain settings for O365 SharePoint have been changed. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations may also need access to OneDrive/SharePoint resources. These changed should be monitored by security teams as they could potentially lead to unauthorized access.
Show query
`o365_management_activity` Workload=SharePoint Operation=SharingPolicyChanged "ModifiedProperties{}.Name"=AllowDomainList | eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name='ModifiedProperties{}.Name', object_attrs_new = split(replace('ModifiedProperties{}.NewValue',"\.\.\.",""),","), object_attrs_old = split(replace('ModifiedProperties{}.OldValue',"\.\.\.",""),",") | fillnull | stats values(object_attrs_new) as object_attrs_new, values(object_attrs_old) as object_attrs_old, values(src) as src, count, min(_time) as firstTime, max(_time) as lastTime by user,signature,signature_id,object_name,dest,action,vendor_account,vendor_product | eval diff_add=mvmap(object_attrs_new,if(isnull(mvfind(object_attrs_old,object_attrs_new)),object_attrs_new,null)) | eval diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs_new,object_attrs_old)),object_attrs_old,null)) | eval result = case(isnotnull(diff_add),"Added ".mvjoin(diff_add,","),isnotnull(diff_remove),"Removed ".mvjoin(diff_remove,",")), action = case(isnotnull(diff_add),"created",isnotnull(diff_remove),"deleted") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_sharepoint_allowed_domains_policy_changed_filter`O365 SharePoint Malware Detection
The following analytic identifies when a malicious file is detected within the SharePoint Online ecosystem. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities further enhance these detection and response functions.
Show query
`o365_management_activity` Operation=FileMalwareDetected
| rename UserId as user, Id as signature_id
| stats values(Workload) as category, values(SourceFileName) as file_name values(ObjectId) as file_path, values(VirusInfo) as signature, count, min(_time) as firstTime, max(_time) as lastTime
BY signature_id, user, dest,
src, vendor_account, vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_sharepoint_malware_detection_filter`O365 SharePoint Suspicious Search Behavior
The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a SharePoint site within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a user account and is conducting discovery or enumeration activities.
Show query
`o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*) OR Operation=SearchQueryInitiatedSharepoint | eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null()) | where command != "*" AND command != "(*)" | bin _time span=1hr | stats values(ScenarioName) as app, values(object_name) as object_name values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time | where count > 20 OR suspect_terms_count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_sharepoint_suspicious_search_behavior_filter`
O365 Tenant Wide Admin Consent Granted
The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.
Show query
`o365_management_activity` Operation="Consent to application." | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field "ConsentType: (?<ConsentType>[^\,]+)" | rex field=new_field "Scope: (?<Scope>[^\,]+)" | search ConsentType = "AllPrincipals" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user, object, ObjectId, ConsentType, Scope, dest, vendor_account, vendor_product, signature, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter`O365 Threat Intelligence Suspicious Email Delivered
The following analytic identifies when a suspicious email is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine and delivered to an end user. Attackers may execute several attacks through email, any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.
Show query
`o365_management_activity` Workload=ThreatIntelligence Operation=TIMailData DeliveryAction!=Blocked Directionality=InBound
| rename P2Sender as src_user, P1Sender as sender, Recipients{} as user, DeliveryAction as action
| stats values(SenderIp) as src, values(Subject) as subject, values(user) as user, values(action) as action, values(SystemOverrides{}.Details) as reason, values(LatestDeliveryLocation) as result, values(ThreatsAndDetectionTech{}) as category, values(AttachmentData{}.FileName) as file_name, values(AttachmentData{}.FileType) as file_type, values(AttachmentData{}.SHA256) as file_hash values(DetectionMethod) as signature, min(_time) as firstTime max(_time) as lastTime, count
BY src_user,sender,dest,vendor_account,vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_threat_intelligence_suspicious_email_delivered_filter`O365 Threat Intelligence Suspicious File Detected
The following analytic identifies when a malicious file is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine. Attackers may stage and execute malicious files from within the Microsoft Office 365 ecosystem. Any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.
Show query
`o365_management_activity` Workload=ThreatIntelligence Operation=AtpDetection
| eval dest="NA"
| eval src="NA"
| stats values(DetectionMethod) as category values(FileData.FileName) as file_name values(FileData.FilePath) as file_path values(FileData.FileSize) as file_size values(FileData.MalwareFamily) as signature count, min(_time) as firstTime, max(_time) as lastTime
BY Id, UserId, dest,
src, vendor_account, vendor_product
| rename Id as signature_id, UserId as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_threat_intelligence_suspicious_file_detected_filter`O365 User Consent Blocked for Risky Application
The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = "Risky application detected" | rex field=permissions "Scope: (?<Scope>[^,]+)" | fillnull | stats max(_time) as lastTime by user, reason, object, Scope, dest, src, vendor_account, vendor_product, signature | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter`O365 User Consent Denied for OAuth Application
The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Office 365 environment. This detection leverages O365 audit logs, focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, it captures instances where users have actively rejected permission requests. This activity is significant as it may indicate users spotting potentially suspicious or unfamiliar applications. If confirmed malicious, it suggests an attempt by a potentially harmful application to gain unauthorized access, which was proactively blocked by the user.
Show query
`o365_graph` status.errorCode=65004
| rename userPrincipalName as user
| rename ipAddress as src_ip
| stats min(_time) as firstTime max(_time) as lastTime
BY user src_ip appDisplayName
status.failureReason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_user_consent_denied_for_oauth_application_filter`O365 ZAP Activity Detection
The following analytic detects when the Microsoft Zero-hour Automatic Purge (ZAP) capability takes action against a user's mailbox. This capability is an enhanced protection feature that retro-actively removes email with known malicious content for user inboxes. Since this is a retroactive capability, there is still a window in which the user may fall victim to the malicious content.
Show query
`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated Name="*messages containing malicious*"
| fromjson Data
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime values(zu) as url values(zfn) as file_name values(ms) as subject values(ttr) as result values(tsd) as src_user
BY AlertId,trc,signature,Name,dest,src,vendor_account,vendor_product
| rename Name as signature, AlertId as signature_id, trc as user
| eval action = CASE(match(result,"Success"), "blocked", true(),"allowed"), url = split(url,";")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_zap_activity_detection_filter`Okta Authentication Failed During MFA Challenge
The following analytic identifies failed authentication attempts during the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication datamodel to detect specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This activity is significant as it may indicate an adversary attempting to authenticate with compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method FROM datamodel=Authentication
WHERE Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure
BY _time Authentication.src Authentication.user
Authentication.dest Authentication.action
| `drop_dm_object_name("Authentication")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| iplocation src
| `okta_authentication_failed_during_mfa_challenge_filter`Okta IDP Lifecycle Modifications
The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.
Show query
`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate")
| stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified
BY src dest src_user_id
user user_agent command
description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_idp_lifecycle_modifications_filter`Okta MFA Exhaustion Hunt
The following analytic detects patterns of successful and failed Okta MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta event logs, specifically focusing on push verification events, and uses statistical evaluations to determine suspicious activity. This activity is significant as it may indicate an attacker attempting to bypass MFA by overwhelming the user with push notifications. If confirmed malicious, this could lead to unauthorized access, compromising the security of the affected accounts and potentially the entire environment.
Show query
`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH))
| stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes
BY user,_time
| stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes
BY user
| eval seconds=lasttime-firsttime
| eval lasttime=strftime(lasttime, "%c")
| search (pushes>1)
| eval totalattempts=successes+failures
| eval finding="Normal authentication pattern"
| eval finding=if(failures==pushes AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding)
| eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding)
| eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple pushes sent, eventual successful authentication!",finding)
| `okta_mfa_exhaustion_hunt_filter`Okta Mismatch Between Source and Response for Verify Push Request
The following analytic identifies discrepancies between the source and response events for Okta Verify Push requests, indicating potential suspicious behavior. It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa` with the factor "OKTA_VERIFY_PUSH." The detection groups events by SessionID, calculates the ratio of successful sign-ins to push requests, and checks for session roaming and new device/IP usage. This activity is significant as it may indicate push spam or unauthorized access attempts. If confirmed malicious, attackers could bypass MFA, leading to unauthorized access to sensitive systems.
Show query
`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH")
| eval groupby="authenticationContext.externalSessionId"
| eval group_push_time=_time
| bin span=2s group_push_time
| fillnull value=NULL
| stats min(_time) as _time
BY authenticationContext.externalSessionId eventType debugContext.debugData.factor
outcome.result actor.alternateId client.device
client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors
group_push_time
| iplocation client.ipAddress
| fields - lat, lon, group_push_time
| stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND $outcome.result$="SUCCESS", 1, 0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND $outcome.result$="SUCCESS", 1, 0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND $outcome.result$="FAILURE", 1, 0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" AND $debugContext.debugData.behaviors$ LIKE "%New Device=POSITIVE%", 1, 0))) as suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" AND $debugContext.debugData.behaviors$ LIKE "%New IP=POSITIVE%", 1, 0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push", $client.ipAddress$, ""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa", $client.ipAddress$, ""))) as dest values(*) as *
BY authenticationContext.externalSessionId
| eval ratio = round(total_successes / total_pushes, 2)
| search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0
| rename actor.alternateId as user
| `okta_mismatch_between_source_and_response_for_verify_push_request_filter`Okta Multi-Factor Authentication Disabled
The following analytic identifies an attempt to disable multi-factor authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when the 'user.mfa.factor.deactivate' command is executed. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised valid account. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and prolonged undetected presence in the network.
Show query
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime FROM datamodel=Change
WHERE sourcetype="OktaIM2:log" All_Changes.object_category=User
AND
All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate
BY All_Changes.user All_Changes.result All_Changes.command
sourcetype All_Changes.src All_Changes.dest
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multi_factor_authentication_disabled_filter`Okta Multiple Accounts Locked Out
The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.
Show query
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user FROM datamodel=Change
WHERE All_Changes.change_type=AAA All_Changes.object_category=User
AND
All_Changes.action=lockout
AND
All_Changes.command=user.account.lock
BY _time span=5m All_Changes.result
All_Changes.command sourcetype All_Changes.src
All_Changes.dest
| where count > 5
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multiple_accounts_locked_out_filter`Okta Multiple Failed MFA Requests For User
The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems.
Show query
`okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR
| bucket _time span=5m
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) values(dest) as dest
BY _time src_user
| where count >= 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multiple_failed_mfa_requests_for_user_filter`Okta Multiple Failed Requests to Access Applications
The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are unsuccessful across multiple applications. This activity is significant as it may indicate an attempt to bypass authentication mechanisms. If confirmed malicious, it could lead to unauthorized access to sensitive applications and data, posing a significant security risk.
Show query
`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" . " seen opening " . total_challenges . " chiclets/apps with " . total_successes . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`Okta Multiple Users Failing To Authenticate From Ip
The following analytic identifies instances where more than 10 unique user accounts have failed to authenticate from a single IP address within a 5-minute window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to compromise multiple user accounts, potentially leading to unauthorized access to organizational resources and data breaches.
Show query
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method values(Authentication.dest) as dest FROM datamodel=Authentication
WHERE Authentication.action="failure"
AND
Authentication.signature=user.session.start
BY _time span=5m Authentication.src
sourcetype
| where unique_accounts > 9
| `drop_dm_object_name("Authentication")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_multiple_users_failing_to_authenticate_from_ip_filter`Okta New API Token Created
The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment.
Show query
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime FROM datamodel=Change
WHERE All_Changes.action=created
AND
All_Changes.command=system.api_token.create
BY _time span=5m All_Changes.user
All_Changes.result All_Changes.command sourcetype
All_Changes.src All_Changes.action All_Changes.object_category
All_Changes.dest
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_new_api_token_created_filter`Okta New Device Enrolled on Account
The following analytic identifies when a new device is enrolled on an Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to detect the creation of new device enrollments. This activity is significant as it may indicate a legitimate user setting up a new device or an adversary adding a device to maintain unauthorized access. If confirmed malicious, this could lead to potential account takeover, unauthorized access, and persistent control over the compromised Okta account. Monitoring this behavior is crucial for detecting and mitigating unauthorized access attempts.
Show query
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime FROM datamodel=Change
WHERE All_Changes.action=created All_Changes.command=device.enrollment.create
BY _time span=5m All_Changes.user
All_Changes.result All_Changes.command sourcetype
All_Changes.src All_Changes.action All_Changes.object_category
All_Changes.dest
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_new_device_enrolled_on_account_filter`Okta Non-Standard VPN Usage
Remote Employment Fraud (REF) actors will often use virtual private networks (VPNs) to conceal their true physical location. Threat actors mask their originating IP address and instead appear to be situated in any location where the VPN service has a node.
Show query
`okta` debugContext.debugData.tunnels IN (*Astrill*,*Azire*,*CyberGhost*,*Express*VPN,*HideMe*, *IPVanish*,*Mullvad*,*Nord*VPN*,*OVPN*,*PIA*VPN*,*Proton*VPN*,*Pure*VPN*,*Slick*VPN*,*Surf*Easy*, *SurfShark*,*Star*VPN*,*TorGuard*,*TorProxy*,*Tiger*VPN*,*TunnelBear*,*Unblock*VPN*,*Warp*VPN*,*WarpSpeed*, *VPNReactor*,*VPN*Shield*,*VPN*Super*VPN*,*ZenMate*) ```listing of commonly used known VPN providers. Add or remove whatever is appropriate for your environment``` | eval user=coalesce('actor.alternateId',user), user=mvindex(split(user, "@"), 0) | rename targetUserAlternateId as user client.* as * request.* as * ipChain{}.* as * geographicalContext.* as * debugContext.* as * debugData.* as * | eval status=case(match(_raw, "FAILURE"), "failure", !match(_raw, "FAILURE"), "success") | stats count values(status) as status max(published) as UTC min(_time) as firsttime max(_time) as lasttime values(target_data) as target_data values(displayMessage) as displayMessage values(eventType) as eventType values(city) as city values(country) as country values(action) as action values(src_ip) as src_ip values(outcome.*) as * values(user) as user by tunnels,_time,host sourcetype index | fillnull value="N/A" | convert ctime(*ttime) | `okta_non_standard_vpn_usage_filter`Okta Phishing Detection with FastPass Origin Check
The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.
Show query
`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt"
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage)
BY user eventType client.userAgent.rawUserAgent
client.userAgent.browser outcome.reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_phishing_detection_with_fastpass_origin_check_filter`Okta Risk Threshold Exceeded
The following correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities. It leverages the Risk Framework from Enterprise Security, aggregating risk events from "Suspicious Okta Activity," "Okta Account Takeover," and "Okta MFA Exhaustion" analytic stories. This detection is significant as it highlights potentially compromised user accounts exhibiting multiple tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed malicious, this activity could indicate a serious security breach, allowing attackers to gain unauthorized access, escalate privileges, or persist within the environment.
Show query
| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
WHERE All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion")
BY All_Risk.risk_object,All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| search mitre_technique_id_count > 5
| `okta_risk_threshold_exceeded_filter`Okta Successful Single Factor Authentication
The following analytic identifies successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication events where "Okta Verify" is not used. This behavior is significant as it may indicate a misconfiguration, policy violation, or potential account takeover. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches or further exploitation within the environment.
Show query
`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa
| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method)
BY src_ip user action
dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search targets !="Okta Verify"
| `okta_successful_single_factor_authentication_filter`Okta Suspicious Activity Reported
The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.
Show query
`okta` eventType=user.account.report_suspicious_activity_by_enduser
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage)
BY user dest src
eventType client.userAgent.rawUserAgent client.userAgent.browser
client.geographicalContext.city client.geographicalContext.country
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_suspicious_activity_reported_filter`Okta Suspicious Use of a Session Cookie
The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.
Show query
`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS)
| stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason values(dest) as dest
BY debugContext.debugData.dtHash, user
| where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1)
| `okta_suspicious_use_of_a_session_cookie_filter`Okta ThreatInsight Threat Detected
The following analytic identifies threats detected by Okta ThreatInsight, such as password spraying, login failures, and high counts of unknown user login attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected events. This activity is significant for a SOC as it highlights potential unauthorized access attempts and credential-based attacks. If confirmed malicious, these activities could lead to unauthorized access, data breaches, and further exploitation of compromised accounts, posing a significant risk to the organization's security posture.
Show query
`okta` eventType = security.threat.detected
| rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city
| stats count min(_time) as firstTime max(_time) as lastTime
BY app src_ip dest
signature eventType displayMessage
client.device city state
country user_agent outcome.reason
outcome.result severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_threatinsight_threat_detected_filter`Okta Unauthorized Access to Application
The following analytic identifies attempts by users to access Okta applications that have not been assigned to them. It leverages Okta Identity Management logs, specifically focusing on failed access attempts to unassigned applications. This activity is significant for a SOC as it may indicate potential unauthorized access attempts, which could lead to exposure of sensitive information or disruption of services. If confirmed malicious, such activity could result in data breaches, non-compliance with data protection laws, and overall compromise of the IT environment.
Show query
| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason FROM datamodel=Authentication
WHERE Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure"
BY _time Authentication.src Authentication.user
Authentication.dest
| `drop_dm_object_name("Authentication")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| iplocation src
| `okta_unauthorized_access_to_application_filter`Okta User Logins from Multiple Cities
The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment.
Show query
| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method FROM datamodel=Authentication
WHERE Authentication.signature=user.session.start
BY _time Authentication.src
| `drop_dm_object_name("Authentication")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| iplocation src
| stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action
BY user
| where distinct_city > 1
| `okta_user_logins_from_multiple_cities_filter`Ollama Abnormal Network Connectivity
Detects abnormal network activity and connectivity issues in Ollama including non-localhost API access attempts and warning-level network errors such as DNS lookup failures, TCP connection issues, or host resolution problems that may indicate network-based attacks, unauthorized access attempts, or infrastructure reconnaissance activity.
Show query
`ollama_server` level=WARN (msg="*failed*" OR msg="*dial tcp*" OR msg="*lookup*" OR msg="*no such host*" OR msg="*connection*" OR msg="*network*" OR msg="*timeout*" OR msg="*unreachable*" OR msg="*refused*")
| eval src=coalesce(src, src_ip, "N/A")
| stats count as incidents, values(src) as src, values(msg) as warning_messages, latest(_time) as last_incident
BY host
| eval last_incident=strftime(last_incident, "%Y-%m-%d %H:%M:%S")
| eval severity="medium"
| eval attack_type="Abnormal Network Connectivity"
| stats count
BY last_incident, host, incidents,
src, warning_messages, severity,
attack_type
| `ollama_abnormal_network_connectivity_filter`Ollama Abnormal Service Crash Availability Attack
Detects critical service crashes, fatal errors, and abnormal process terminations in Ollama that may indicate exploitation attempts, resource exhaustion attacks, malicious input triggering unhandled exceptions, or deliberate denial of service attacks designed to disrupt AI model availability and degrade system stability.
Show query
`ollama_server` (level=ERROR OR level=FATAL OR "service stopped" OR "terminated" OR "exit" OR "shutdown" OR "crash" OR "killed") | rex field=_raw "msg=\"(?<msg>[^\"]+)\"" | rex field=_raw "exit_code=(?<exit_code>\d+)" | bin _time span=5m | stats count as termination_count, earliest(_time) as first_seen, latest(_time) as last_seen, values(msg) as error_messages, values(exit_code) as exit_codes, dc(msg) as unique_errors by host | eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S") | eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S") | eval severity=case( termination_count > 5, "critical", termination_count > 2, "high", 1=1, "medium" ) | eval attack_type=case( termination_count > 5, "Resource Exhaustion", termination_count > 2, "Repeated Service Failures", 1=1, "Service Instability" ) | where termination_count > 1 | table first_seen, last_seen, host, termination_count, unique_errors, error_messages, severity, attack_type | `ollama_abnormal_service_crash_availability_attack_filter`
Ollama Excessive API Requests
Detects potential Distributed Denial of Service (DDoS) attacks or rate limit abuse against Ollama API endpoints by identifying excessive request volumes from individual client IP addresses. This detection monitors GIN-formatted Ollama server logs to identify clients generating abnormally high request rates within short time windows, which may indicate automated attacks, botnet activity, or resource exhaustion attempts targeting local AI model infrastructure.
Show query
`ollama_server` | rex field=_raw "\|\s+(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\|" | eval src=coalesce(src, client_ip) | eval dest=coalesce(dest, url, uripath, endpoint) | bin _time span=5m | stats count as request_count by _time, src, dest, host | where request_count > 120 | eval severity="high" | eval attack_type="Rate Limit Abuse / DDoS" | stats count by _time, host, src, dest, request_count, severity, attack_type | `ollama_excessive_api_requests_filter`Ollama Possible API Endpoint Scan Reconnaissance
Detects API reconnaissance and endpoint scanning activity against Ollama servers by identifying sources probing multiple API endpoints within short timeframes, particularly when using HEAD requests or accessing diverse endpoint paths, which indicates systematic enumeration to map the API surface, discover hidden endpoints, or identify vulnerabilities before launching targeted attacks.
Show query
`ollama_server` "[GIN]"
| bin _time span=5m
| stats count as total_requests, values(dest) as dest, values(http_method) as methods, values(status) as status_codes
BY _time, src, host
| where total_requests > 120
| eval severity="medium"
| eval attack_type="API Activity Surge"
| stats count
BY _time, host, src,
total_requests, dest, methods,
status_codes, severity, attack_type
| `ollama_possible_api_endpoint_scan_reconnaissance_filter`Showing 1001-1050 of 2,101