From 65de03aa292c80cbfd373b595a976b25d3da7b54 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Mon, 9 May 2022 13:20:28 +0200
Subject: [PATCH] update(rules): remove plugins ruleset files

Plugins' rules files now lives in their repositories. See https://github.com/falcosecurity/plugins/pull/98

Signed-off-by: Leonardo Grasso
---
 rules/aws_cloudtrail_rules.yaml | 442 -------------------
 rules/k8s_audit_rules.yaml | 742 --------------------------------
 rules/okta_rules.yaml | 177 --------
 3 files changed, 1361 deletions(-)
 delete mode 100644 rules/aws_cloudtrail_rules.yaml
 delete mode 100644 rules/k8s_audit_rules.yaml
 delete mode 100644 rules/okta_rules.yaml

diff --git a/rules/aws_cloudtrail_rules.yaml b/rules/aws_cloudtrail_rules.yaml
deleted file mode 100644
index 991b6f29..00000000
--- a/rules/aws_cloudtrail_rules.yaml
+++ /dev/null
@@ -1,442 +0,0 @@ -# -# Copyright (C) 2022 The Falco Authors. -# -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# All rules files related to plugins should require engine version 10 -- required_engine_version: 10 - -# These rules can be read by cloudtrail plugin version 0.1.0, or -# anything semver-compatible. -- required_plugin_versions: - - name: cloudtrail - version: 0.2.3 - - name: json - version: 0.2.2 - -# Note that this rule is disabled by default. It's useful only to -# verify that the cloudtrail plugin is sending events properly. The -# very broad condition evt.num > 0 only works because the rule source -# is limited to aws_cloudtrail. This ensures that the only events that -# are matched against the rule are from the cloudtrail plugin (or -# a different plugin with the same source). -- rule: All Cloudtrail Events - desc: Match all cloudtrail events. - condition: - evt.num > 0 - output: Some Cloudtrail Event (evtnum=%evt.num info=%evt.plugininfo ts=%evt.time.iso8601 id=%ct.id error=%ct.error) - priority: DEBUG - tags: - - cloud - - aws - source: aws_cloudtrail - enabled: false - -- rule: Console Login Through Assume Role - desc: Detect a console login through Assume Role. 
- condition: - ct.name="ConsoleLogin" and not ct.error exists - and ct.user.identitytype="AssumedRole" - and json.value[/responseElements/ConsoleLogin]="Success" - output: - Detected a console login through Assume Role - (principal=%ct.user.principalid, - assumedRole=%ct.user.arn, - requesting IP=%ct.srcip, - AWS region=%ct.region) - priority: WARNING - tags: - - cloud - - aws - - aws_console - - aws_iam - source: aws_cloudtrail - -- rule: Console Login Without MFA - desc: Detect a console login without MFA. - condition: - ct.name="ConsoleLogin" and not ct.error exists - and ct.user.identitytype!="AssumedRole" - and json.value[/responseElements/ConsoleLogin]="Success" - and json.value[/additionalEventData/MFAUsed]="No" - output: - Detected a console login without MFA - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region) - priority: CRITICAL - tags: - - cloud - - aws - - aws_console - - aws_iam - source: aws_cloudtrail - -- rule: Console Root Login Without MFA - desc: Detect root console login without MFA. - condition: - ct.name="ConsoleLogin" and not ct.error exists - and json.value[/additionalEventData/MFAUsed]="No" - and ct.user.identitytype!="AssumedRole" - and json.value[/responseElements/ConsoleLogin]="Success" - and ct.user.identitytype="Root" - output: - Detected a root console login without MFA. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region) - priority: CRITICAL - tags: - - cloud - - aws - - aws_console - - aws_iam - source: aws_cloudtrail - -- rule: Deactivate MFA for Root User - desc: Detect deactivating MFA configuration for root. 
- condition: - ct.name="DeactivateMFADevice" and not ct.error exists - and ct.user.identitytype="Root" - and ct.request.username="AWS ROOT USER" - output: - Multi Factor Authentication configuration has been disabled for root - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - MFA serial number=%ct.request.serialnumber) - priority: CRITICAL - tags: - - cloud - - aws - - aws_iam - source: aws_cloudtrail - -- rule: Create AWS user - desc: Detect creation of a new AWS user. - condition: - ct.name="CreateUser" and not ct.error exists - output: - A new AWS user has been created - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - new user created=%ct.request.username) - priority: INFO - tags: - - cloud - - aws - - aws_iam - source: aws_cloudtrail - -- rule: Create Group - desc: Detect creation of a new user group. - condition: - ct.name="CreateGroup" and not ct.error exists - output: - A new user group has been created. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - group name=%ct.request.groupname) - priority: WARNING - tags: - - cloud - - aws - - aws_iam - source: aws_cloudtrail - -- rule: Delete Group - desc: Detect deletion of a user group. - condition: - ct.name="DeleteGroup" and not ct.error exists - output: - A user group has been deleted. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - group name=%ct.request.groupname) - priority: WARNING - tags: - - cloud - - aws - - aws_iam - source: aws_cloudtrail - -- rule: ECS Service Created - desc: Detect a new service is created in ECS. 
- condition: - ct.src="ecs.amazonaws.com" and - ct.name="CreateService" and - not ct.error exists - output: - A new service has been created in ECS - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - cluster=%ct.request.cluster, - service name=%ct.request.servicename, - task definition=%ct.request.taskdefinition) - priority: WARNING - tags: - - cloud - - aws - - aws_ecs - - aws_fargate - source: aws_cloudtrail - -- rule: ECS Task Run or Started - desc: Detect a new task is started in ECS. - condition: - ct.src="ecs.amazonaws.com" and - (ct.name="RunTask" or ct.name="StartTask") and - not ct.error exists - output: - A new task has been started in ECS - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - cluster=%ct.request.cluster, - task definition=%ct.request.taskdefinition) - priority: WARNING - tags: - - cloud - - aws - - aws_ecs - - aws_fargate - source: aws_cloudtrail - -- rule: Create Lambda Function - desc: Detect creation of a Lambda function. - condition: - ct.name="CreateFunction20150331" and not ct.error exists - output: - Lambda function has been created. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - lambda function=%ct.request.functionname) - priority: WARNING - tags: - - cloud - - aws - - aws_lambda - source: aws_cloudtrail - -- rule: Update Lambda Function Code - desc: Detect updates to a Lambda function code. - condition: - ct.name="UpdateFunctionCode20150331v2" and not ct.error exists - output: - The code of a Lambda function has been updated. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - lambda function=%ct.request.functionname) - priority: WARNING - tags: - - cloud - - aws - - aws_lambda - source: aws_cloudtrail - -- rule: Update Lambda Function Configuration - desc: Detect updates to a Lambda function configuration. 
- condition: - ct.name="UpdateFunctionConfiguration20150331v2" and not ct.error exists - output: - The configuration of a Lambda function has been updated. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - lambda function=%ct.request.functionname) - priority: WARNING - tags: - - cloud - - aws - - aws_lambda - source: aws_cloudtrail - -- rule: Run Instances - desc: Detect launching of a specified number of instances. - condition: - ct.name="RunInstances" and not ct.error exists - output: - A number of instances have been launched. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - availability zone=%ct.request.availabilityzone, - subnet id=%ct.response.subnetid, - reservation id=%ct.response.reservationid) - priority: WARNING - tags: - - cloud - - aws - - aws_ec2 - source: aws_cloudtrail - -# Only instances launched on regions in this list are approved. -- list: approved_regions - items: - - us-east-0 - -- rule: Run Instances in Non-approved Region - desc: Detect launching of a specified number of instances in a non-approved region. - condition: - ct.name="RunInstances" and not ct.error exists and - not ct.region in (approved_regions) - output: - A number of instances have been launched in a non-approved region. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - availability zone=%ct.request.availabilityzone, - subnet id=%ct.response.subnetid, - reservation id=%ct.response.reservationid, - image id=%json.value[/responseElements/instancesSet/items/0/instanceId]) - priority: WARNING - tags: - - cloud - - aws - - aws_ec2 - source: aws_cloudtrail - -- rule: Delete Bucket Encryption - desc: Detect deleting configuration to use encryption for bucket storage. 
- condition: - ct.name="DeleteBucketEncryption" and not ct.error exists - output: - A encryption configuration for a bucket has been deleted - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - bucket=%s3.bucket) - priority: CRITICAL - tags: - - cloud - - aws - - aws_s3 - source: aws_cloudtrail - -- rule: Delete Bucket Public Access Block - desc: Detect deleting blocking public access to bucket. - condition: - ct.name="PutBucketPublicAccessBlock" and not ct.error exists and - json.value[/requestParameters/publicAccessBlock]="" and - (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or - json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or - json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or - json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false) - output: - A public access block for a bucket has been deleted - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - bucket=%s3.bucket) - priority: CRITICAL - tags: - - cloud - - aws - - aws_s3 - source: aws_cloudtrail - -- rule: List Buckets - desc: Detect listing of all S3 buckets. - condition: - ct.name="ListBuckets" and not ct.error exists - output: - A list of all S3 buckets has been requested. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - host=%ct.request.host) - priority: WARNING - enabled: false - tags: - - cloud - - aws - - aws_s3 - source: aws_cloudtrail - -- rule: Put Bucket ACL - desc: Detect setting the permissions on an existing bucket using access control lists. - condition: - ct.name="PutBucketAcl" and not ct.error exists - output: - The permissions on an existing bucket have been set using access control lists. 
- (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - bucket name=%s3.bucket) - priority: WARNING - tags: - - cloud - - aws - - aws_s3 - source: aws_cloudtrail - -- rule: Put Bucket Policy - desc: Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket. - condition: - ct.name="PutBucketPolicy" and not ct.error exists - output: - An Amazon S3 bucket policy has been applied to an Amazon S3 bucket. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - bucket name=%s3.bucket, - policy=%ct.request.policy) - priority: WARNING - tags: - - cloud - - aws - - aws_s3 - source: aws_cloudtrail - -- rule: CloudTrail Trail Created - desc: Detect creation of a new trail. - condition: - ct.name="CreateTrail" and not ct.error exists - output: - A new trail has been created. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - trail name=%ct.request.name) - priority: WARNING - tags: - - cloud - - aws - - aws_cloudtrail - source: aws_cloudtrail - -- rule: CloudTrail Logging Disabled - desc: The CloudTrail logging has been disabled, this could be potentially malicious. - condition: - ct.name="StopLogging" and not ct.error exists - output: - The CloudTrail logging has been disabled. - (requesting user=%ct.user, - requesting IP=%ct.srcip, - AWS region=%ct.region, - resource name=%ct.request.name) - priority: WARNING - tags: - - cloud - - aws - - aws_cloudtrail - source: aws_cloudtrail - diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml deleted file mode 100644 index e758c065..00000000 --- a/rules/k8s_audit_rules.yaml +++ /dev/null 
@@ -1,742 +0,0 @@ -# -# Copyright (C) 2022 The Falco Authors. -# -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -- required_engine_version: 11 - -- required_plugin_versions: - - name: k8saudit - version: 0.1.0 - - name: json - version: 0.2.2 - -# Like always_true/always_false, but works with k8s audit events -- macro: k8s_audit_always_true - condition: (jevt.rawtime exists) - -- macro: k8s_audit_never_true - condition: (jevt.rawtime=0) - -# Generally only consider audit events once the response has completed -- list: k8s_audit_stages - items: ["ResponseComplete"] - -# Generally exclude users starting with "system:" -- macro: non_system_user - condition: (not ka.user.name startswith "system:") - -# This macro selects the set of Audit Events used by the below rules. -- macro: kevt - condition: (jevt.value[/stage] in (k8s_audit_stages)) - -- macro: kevt_started - condition: (jevt.value[/stage]=ResponseStarted) - -# If you wish to restrict activity to a specific set of users, override/append to this list. 
-# users created by kops are included -- list: vertical_pod_autoscaler_users - items: ["vpa-recommender", "vpa-updater"] - -- list: allowed_k8s_users - items: [ - "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck", - "kubernetes-admin", - vertical_pod_autoscaler_users, - cluster-autoscaler, - "system:addon-manager", - "cloud-controller-manager", - "system:kube-controller-manager" - ] - -- list: eks_allowed_k8s_users - items: [ - "eks:node-manager", - "eks:certificate-controller", - "eks:fargate-scheduler", - "eks:k8s-metrics", - "eks:authenticator", - "eks:cluster-event-watcher", - "eks:nodewatcher", - "eks:pod-identity-mutating-webhook" - ] -- -- rule: Disallowed K8s User - desc: Detect any k8s operation by users outside of an allowed set of users. - condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users) - output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code) - priority: WARNING - source: k8s_audit - tags: [k8s] - -# In a local/user rules file, you could override this macro to -# explicitly enumerate the container images that you want to run in -# your environment. In this main falco rules file, there isn't any way -# to know all the containers that can run, so any container is -# allowed, by using the always_true macro. 
In the overridden macro, the condition -# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image)) -- macro: allowed_k8s_containers - condition: (k8s_audit_always_true) - -- macro: response_successful - condition: (ka.response.code startswith 2) - -- macro: kget - condition: ka.verb=get - -- macro: kcreate - condition: ka.verb=create - -- macro: kmodify - condition: (ka.verb in (create,update,patch)) - -- macro: kdelete - condition: ka.verb=delete - -- macro: pod - condition: ka.target.resource=pods and not ka.target.subresource exists - -- macro: pod_subresource - condition: ka.target.resource=pods and ka.target.subresource exists - -- macro: deployment - condition: ka.target.resource=deployments - -- macro: service - condition: ka.target.resource=services - -- macro: configmap - condition: ka.target.resource=configmaps - -- macro: namespace - condition: ka.target.resource=namespaces - -- macro: serviceaccount - condition: ka.target.resource=serviceaccounts - -- macro: clusterrole - condition: ka.target.resource=clusterroles - -- macro: clusterrolebinding - condition: ka.target.resource=clusterrolebindings - -- macro: role - condition: ka.target.resource=roles - -- macro: secret - condition: ka.target.resource=secrets - -- macro: health_endpoint - condition: ka.uri=/healthz - -- macro: live_endpoint - condition: ka.uri=/livez - -- macro: ready_endpoint - condition: ka.uri=/readyz - -- rule: Create Disallowed Pod - desc: > - Detect an attempt to start a pod with a container image outside of a list of allowed images. 
- condition: kevt and pod and kcreate and not allowed_k8s_containers - output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- rule: Create Privileged Pod - desc: > - Detect an attempt to start a pod with a privileged container - condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images) - output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- macro: sensitive_vol_mount - condition: > - (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests)) - -- rule: Create Sensitive Mount Pod - desc: > - Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc). - Exceptions are made for known trusted images. 
- condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images) - output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes]) - priority: WARNING - source: k8s_audit - tags: [k8s] - -# These container images are allowed to run with hostnetwork=true -- list: falco_hostnetwork_images - items: [ - gcr.io/google-containers/prometheus-to-sd, - gcr.io/projectcalico-org/typha, - gcr.io/projectcalico-org/node, - gke.gcr.io/gke-metadata-server, - gke.gcr.io/kube-proxy, - gke.gcr.io/netd-amd64, - k8s.gcr.io/ip-masq-agent-amd64 - k8s.gcr.io/prometheus-to-sd, - ] - -# Corresponds to K8s CIS Benchmark 1.7.4 -- rule: Create HostNetwork Pod - desc: Detect an attempt to start a pod using the host network. - condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images) - output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- list: falco_hostpid_images - items: [] - -- rule: Create HostPid Pod - desc: Detect an attempt to start a pod using the host pid namespace. - condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images) - output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- list: falco_hostipc_images - items: [] - -- rule: Create HostIPC Pod - desc: Detect an attempt to start a pod using the host ipc namespace. 
- condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images) - output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- macro: user_known_node_port_service - condition: (k8s_audit_never_true) - -- rule: Create NodePort Service - desc: > - Detect an attempt to start a service with a NodePort service type - condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service - output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- macro: contains_private_credentials - condition: > - (ka.req.configmap.obj contains "aws_access_key_id" or - ka.req.configmap.obj contains "aws-access-key-id" or - ka.req.configmap.obj contains "aws_s3_access_key_id" or - ka.req.configmap.obj contains "aws-s3-access-key-id" or - ka.req.configmap.obj contains "password" or - ka.req.configmap.obj contains "passphrase") - -- rule: Create/Modify Configmap With Private Credentials - desc: > - Detect creating/modifying a configmap containing a private credential (aws key, password, etc.) - condition: kevt and configmap and kmodify and contains_private_credentials - output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj) - priority: WARNING - source: k8s_audit - tags: [k8s] - -# Corresponds to K8s CIS Benchmark, 1.1.1. 
-- rule: Anonymous Request Allowed - desc: > - Detect any request made by the anonymous user that was allowed - condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint and not live_endpoint and not ready_endpoint - output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason)) - priority: WARNING - source: k8s_audit - tags: [k8s] - -# Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case, -# notifies an attempt to exec/attach to a privileged container. - -# Ideally, we'd add a more stringent rule that detects attaches/execs -# to a privileged pod, but that requires the engine for k8s audit -# events to be stateful, so it could know if a container named in an -# attach request was created privileged or not. For now, we have a -# less severe rule that detects attaches/execs to any pod. -# -# For the same reason, you can't use things like image names/prefixes, -# as the event that creates the pod (which has the images) is a -# separate event than the actual exec/attach to the pod. 
- -- macro: user_known_exec_pod_activities - condition: (k8s_audit_never_true) - -- rule: Attach/Exec Pod - desc: > - Detect any attempt to attach/exec to a pod - condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities - output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command]) - priority: NOTICE - source: k8s_audit - tags: [k8s] - -- macro: user_known_pod_debug_activities - condition: (k8s_audit_never_true) - -# Only works when feature gate EphemeralContainers is enabled -- rule: EphemeralContainers Created - desc: > - Detect any ephemeral container created - condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities - output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image]) - priority: NOTICE - source: k8s_audit - tags: [k8s] - -# In a local/user rules fie, you can append to this list to add additional allowed namespaces -- list: allowed_namespaces - items: [kube-system, kube-public, default] - -- rule: Create Disallowed Namespace - desc: Detect any attempt to create a namespace outside of a set of known namespaces - condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces) - output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name) - priority: WARNING - source: k8s_audit - tags: [k8s] - -# Only defined for backwards compatibility. Use the more specific -# user_allowed_kube_namespace_image_list instead. 
-- list: user_trusted_image_list - items: [] - -- list: user_allowed_kube_namespace_image_list - items: [user_trusted_image_list] - -# Only defined for backwards compatibility. Use the more specific -# allowed_kube_namespace_image_list instead. -- list: k8s_image_list - items: [] - -- list: allowed_kube_namespace_image_list - items: [ - gcr.io/google-containers/prometheus-to-sd, - gcr.io/projectcalico-org/node, - gke.gcr.io/addon-resizer, - gke.gcr.io/heapster, - gke.gcr.io/gke-metadata-server, - k8s.gcr.io/ip-masq-agent-amd64, - k8s.gcr.io/kube-apiserver, - gke.gcr.io/kube-proxy, - gke.gcr.io/netd-amd64, - gke.gcr.io/watcher-daemonset, - k8s.gcr.io/addon-resizer - k8s.gcr.io/prometheus-to-sd, - k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64, - k8s.gcr.io/k8s-dns-kube-dns-amd64, - k8s.gcr.io/k8s-dns-sidecar-amd64, - k8s.gcr.io/metrics-server-amd64, - kope/kube-apiserver-healthcheck, - k8s_image_list - ] - -- macro: allowed_kube_namespace_pods - condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or - ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list)) - -# Detect any new pod created in the kube-system namespace -- rule: Pod Created in Kube Namespace - desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces - condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods - output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- list: user_known_sa_list - items: [] - -- list: known_sa_list - items: [ - coredns, - coredns-autoscaler, - cronjob-controller, - daemon-set-controller, - deployment-controller, - disruption-controller, - endpoint-controller, - endpointslice-controller, - endpointslicemirroring-controller, - generic-garbage-collector, - horizontal-pod-autoscaler, - 
job-controller, - namespace-controller, - node-controller, - persistent-volume-binder, - pod-garbage-collector, - pv-protection-controller, - pvc-protection-controller, - replicaset-controller, - resourcequota-controller, - root-ca-cert-publisher, - service-account-controller, - statefulset-controller - ] - -- macro: trusted_sa - condition: (ka.target.name in (known_sa_list, user_known_sa_list)) - -# Detect creating a service account in the kube-system/kube-public namespace -- rule: Service Account Created in Kube Namespace - desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces - condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa - output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace) - priority: WARNING - source: k8s_audit - tags: [k8s] - -# Detect any modify/delete to any ClusterRole starting with -# "system:". "system:coredns" is excluded as changes are expected in -# normal operation. 
-- rule: System ClusterRole Modified/Deleted - desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system - condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and - not ka.target.name in (system:coredns, system:managed-certificate-controller) - output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb) - priority: WARNING - source: k8s_audit - tags: [k8s] - -# Detect any attempt to create a ClusterRoleBinding to the cluster-admin user -# (expand this to any built-in cluster role that does "sensitive" things) -- rule: Attach to cluster-admin Role - desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user - condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin - output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- rule: ClusterRole With Wildcard Created - desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs - condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*")) - output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) - priority: WARNING - source: k8s_audit - tags: [k8s] - -- macro: writable_verbs - condition: > - (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection)) - -- rule: ClusterRole With Write Privileges Created - desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions - condition: kevt and (role or clusterrole) and kcreate and writable_verbs - output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) - priority: NOTICE - 
  source: k8s_audit
-  tags: [k8s]
-
-- rule: ClusterRole With Pod Exec Created
-  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
-  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
-  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# The rules below this point are less discriminatory and generally
-# represent a stream of activity for a cluster. If you wish to disable
-# these events, modify the following macro.
-- macro: consider_activity_events
-  condition: (k8s_audit_always_true)
-
-- macro: kactivity
-  condition: (kevt and consider_activity_events)
-
-- rule: K8s Deployment Created
-  desc: Detect any attempt to create a deployment
-  condition: (kactivity and kcreate and deployment and response_successful)
-  output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Deployment Deleted
-  desc: Detect any attempt to delete a deployment
-  condition: (kactivity and kdelete and deployment and response_successful)
-  output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Service Created
-  desc: Detect any attempt to create a service
-  condition: (kactivity and kcreate and service and response_successful)
-  output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Service Deleted
-  desc: Detect any attempt to delete a service
-  condition: (kactivity and kdelete and service and response_successful)
-  output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s ConfigMap Created
-  desc: Detect any attempt to create a configmap
-  condition: (kactivity and kcreate and configmap and response_successful)
-  output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s ConfigMap Deleted
-  desc: Detect any attempt to delete a configmap
-  condition: (kactivity and kdelete and configmap and response_successful)
-  output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Namespace Created
-  desc: Detect any attempt to create a namespace
-  condition: (kactivity and kcreate and namespace and response_successful)
-  output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Namespace Deleted
-  desc: Detect any attempt to delete a namespace
-  condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
-  output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Serviceaccount Created
-  desc: Detect any attempt to create a service account
-  condition: (kactivity and kcreate and serviceaccount and response_successful)
-  output: K8s Serviceaccount Created (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Serviceaccount Deleted
-  desc: Detect any attempt to delete a service account
-  condition: (kactivity and kdelete and serviceaccount and response_successful)
-  output: K8s Serviceaccount Deleted (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrole Created
-  desc: Detect any attempt to create a cluster role/role
-  condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrole Deleted
-  desc: Detect any attempt to delete a cluster role/role
-  condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrolebinding Created
-  desc: Detect any attempt to create a clusterrolebinding
-  condition: (kactivity and kcreate and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrolebinding Deleted
-  desc: Detect any attempt to delete a clusterrolebinding
-  condition: (kactivity and kdelete and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Created
-  desc: Detect any attempt to create a secret. Service account tokens are excluded.
-  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Deleted
-  desc: Detect any attempt to delete a secret. Service account tokens are excluded.
-  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Get Successfully
-  desc: >
-    Detect any attempt to get a secret. Service account tokens are excluded.
-  condition: >
-    secret and kget
-    and kactivity
-    and response_successful
-  output: K8s Secret Get Successfully (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: ERROR
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Get Unsuccessfully Tried
-  desc: >
-    Detect an unsuccessful attempt to get the secret. Service account tokens are excluded.
-  condition: >
-    secret and kget
-    and kactivity
-    and not response_successful
-  output: K8s Secret Get Unsuccessfully Tried (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# This rule generally matches all events, and as a result is disabled
-# by default. If you wish to enable these events, modify the
-# following macro.
-# condition: (jevt.rawtime exists)
-- macro: consider_all_events
-  condition: (k8s_audit_never_true)
-
-- macro: kall
-  condition: (kevt and consider_all_events)
-
-- rule: All K8s Audit Events
-  desc: Match all K8s Audit Events
-  condition: kall
-  output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
-  priority: DEBUG
-  source: k8s_audit
-  tags: [k8s]
-
-
-# This macro disables following rule, change to k8s_audit_never_true to enable it
-- macro: allowed_full_admin_users
-  condition: (k8s_audit_always_true)
-
-# This list includes some of the default user names for an administrator in several K8s installations
-- list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
-
-# This rules detect an operation triggered by an user name that is
-# included in the list of those that are default administrators upon
-# cluster creation. This may signify a permission setting too broader.
-# As we can't check for role of the user on a general ka.* event, this
-# may or may not be an administrator. Customize the full_admin_k8s_users
-# list to your needs, and activate at your discretion.
-
-# # How to test:
-# # Execute any kubectl command connected using default cluster user, as:
-# kubectl create namespace rule-test
-
-- rule: Full K8s Administrative Access
-  desc: Detect any k8s operation by a user name that may be an administrator with full access.
-  condition: >
-    kevt
-    and non_system_user
-    and ka.user.name in (full_admin_k8s_users)
-    and not allowed_full_admin_users
-  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: ingress
-  condition: ka.target.resource=ingresses
-
-- macro: ingress_tls
-  condition: (jevt.value[/requestObject/spec/tls] exists)
-
-# # How to test:
-# # Create an ingress.yaml file with content:
-# apiVersion: networking.k8s.io/v1beta1
-# kind: Ingress
-# metadata:
-#   name: test-ingress
-#   annotations:
-#     nginx.ingress.kubernetes.io/rewrite-target: /
-# spec:
-#   rules:
-#   - http:
-#       paths:
-#       - path: /testpath
-#         backend:
-#           serviceName: test
-#           servicePort: 80
-# # Execute: kubectl apply -f ingress.yaml
-
-- rule: Ingress Object without TLS Certificate Created
-  desc: Detect any attempt to create an ingress without TLS certification.
-  condition: >
-    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
-  output: >
-    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
-    namespace=%ka.target.namespace)
-  source: k8s_audit
-  priority: WARNING
-  tags: [k8s, network]
-
-- macro: node
-  condition: ka.target.resource=nodes
-
-- macro: allow_all_k8s_nodes
-  condition: (k8s_audit_always_true)
-
-- list: allowed_k8s_nodes
-  items: []
-
-# # How to test:
-# # Create a Falco monitored cluster with Kops
-# # Increase the number of minimum nodes with:
-# kops edit ig nodes
-# kops apply --yes
-
-- rule: Untrusted Node Successfully Joined the Cluster
-  desc: >
-    Detect a node successfully joined the cluster outside of the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
-  priority: ERROR
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
-  desc: >
-    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and not response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
diff --git a/rules/okta_rules.yaml b/rules/okta_rules.yaml
deleted file mode 100644
index cc9679e3..00000000
--- a/rules/okta_rules.yaml
+++ /dev/null
@@ -1,177 +0,0 @@
-#Example Rule on login in to OKTA. Disabled by default since it might be noisy
-#- rule: User logged in to OKTA
-#  desc: Detect the user login in to OKTA
-#  condition: okta.evt.type = "user.session.start"
-#  output: "A user has logged in toOKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-#  priority: NOTICE
-#  source: okta
-#  tags: [okta]
-
-- rule: User Changing password in to OKTA
-  desc: Detect a user change password in OKTA
-  condition: okta.evt.type = "user.account.update_password"
-  output: "A user has changed password from OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: Creating a new OKTA user account
-  desc: Detect a new OKTA user account created in the OKTA environment
-  condition: okta.evt.type = "user.lifecycle.create"
-  output: "A new OKTA user account created (user=%okta.actor.name, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User accessing app via single sign on OKTA
-  desc: Detect a user accessing an app via OKTA
-  condition: okta.evt.type = "user.authentication.sso"
-  output: "A user has accessed an app using OKTA (user=%okta.actor.name, app=%okta.app)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been locked out in OKTA
-  desc: Detect a user who has been locked out in OKTA
-  condition: okta.evt.type = "user.account.lock"
-  output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User has been moved from suspended status in OKTA.
-  desc: Detect a user who has been moved from suspended status in OKTA
-  condition: okta.evt.type = "user.lifecycle.unsuspend"
-  output: "A user has been moved from suspended status in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been activated in OKTA
-  desc: Detect a user who has been activated in OKTA
-  condition: okta.evt.type = "user.lifecycle.activate"
-  output: "A user has been activated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been deactivated in OKTA
-  desc: Detect a user who has been deactivated in OKTA
-  condition: okta.evt.type = "user.lifecycle.deactivate"
-  output: "A user has been deactivated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been suspended in OKTA
-  desc: Detect a user who has been suspended in OKTA
-  condition: okta.evt.type = "user.lifecycle.suspended"
-  output: "A user has been suspended in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Admin permission has been assigned to a user in OKTA
-  desc: Detect an admin permission assigned to a user in OKTA
-  condition: okta.evt.type = "user.account.privilege.grant"
-  output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Creating a new OKTA API token
-  desc: Detect a new OKTA API token created in the OKTA environment
-  condition: okta.evt.type = "system.api_token.create"
-  output: "A new OKTA API token has been created in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User accessing OKTA admin section
-  desc: Detect a user accessing OKTA admin section of your OKTA instance
-  condition: okta.evt.type = "user.session.access_admin_app"
-  output: "A user accessed the OKTA admin section of your OKTA instance (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Adding user in OKTA group
-  desc: Detect a new user added to an OKTA group
-  condition: okta.evt.type = "group.user_membership.add"
-  output: "A user has been added in an OKTA group (user=%okta.actor.name, target group=%okta.target.group.name, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: removing MFA factor from user in OKTA
-  desc: Detect a removing MFA activity on a user in OKTA
-  condition: okta.evt.type = "user.mfa.factor.deactivate"
-  output: "A user has removed MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: removing all MFA factor from user in OKTA
-  desc: Detect a removing MFA activity on a user in OKTA
-  condition: okta.evt.type = "user.mfa.factor.reset_all"
-  output: "A user has removed all MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User password reset by OKTA admin
-  desc: Detect a password reset on a user done by OKTA Admin Account
-  condition: okta.evt.type = "user.account.reset_password"
-  output: "A user password has been reset by an OKTA Admin account (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User hitting the rate limit on requests in OKTA
-  desc: Detect a user who hit the rate limit on requests in OKTA
-  condition: okta.evt.type = "system.org.rate_limit.violation"
-  output: "A user has hitted the rate limit on requests in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Adding user to application membership in OKTA
-  desc: Detect a user who has been added o application membership in OKTA
-  condition: okta.evt.type = "application.user_membership.add"
-  output: "A user has been added to an application membership in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name, app=%okta.app)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User initiating impersonation session in OKTA
-  desc: Detect a user who initiate an impersonation session in OKTA
-  condition: okta.evt.type = "user.session.impersonation.initiate"
-  output: "A user has initiated an impersonation session in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-# This list allows easily whitelisting countries that are
-# expected to see OKTA logins from.
-- list: allowed_countries_list
-  items: []
-
-- macro: user_known_countries
-  condition: (okta.client.geo.country in (allowed_countries_list))
-
-- rule: Detecting unknown logins using geolocation
-  desc: Detect a logins event based on user geolocation
-  condition: okta.evt.type = "user.session.start" and not user_known_countries
-  output: "A user logged in OKTA from a suspicious country (user=%okta.actor.name, ip=%okta.client.ip, country=%okta.client.geo.country)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false