What Changed
Version 3.1.8 of the Okta Single Sign-On solution delivers a broad quality pass across 9 Analytic Rules and 10 Hunting Queries. The changes are primarily detection logic improvements rather than new coverage.
Analytic Rules (9 updated)
Entity mapping corrections (all 9 rules): actor_alternateId_s was previously mapped as FullName or Name/DisplayName on a single Account entity. It is now split into AccountName (UPN prefix) and AccountUPNSuffix (domain) using split(actor_alternateId_s, “@”). Rules that previously mapped to FullName will now correctly populate Sentinel Account entity identity fields, improving UEBA correlation and incident investigation.
Configurable suppression variables introduced: Each rule gains one or more let variables (AllowedIPs, AllowedUsers, AllowedAdmins, AllowedThreshold) with empty dynamic arrays as defaults. These are no-ops out of the box but provide documented tuning hooks without requiring rule cloning.
isnotempty guards added: Several rules (FailedLoginsFromUnknownOrInvalidUser, DeviceRegistrationMaliciousIP) now gate on isnotempty(actor_alternateId_s) or isnotempty(client_ipAddress_s) to avoid null-value noise in entity mappings and join results.
customDetails and alertDetailsOverride added: Rules that previously surfaced no custom alert details now emit structured fields (ActorDisplayName, UserAgent, Location, FailedLoginCount) and dynamic alert display names, improving alert readability in the incidents queue.
MITRE sub-technique precision: Several rules had technique IDs updated to sub-techniques:
- T1098 to T1098.005 (Device Registration - DeviceRegistrationMaliciousIP)
- T1110 to T1110.001 (Password Guessing - FailedLoginsFromUnknownOrInvalidUser)
- T1110 to T1110.003 (Password Spraying - PasswordSpray)
- HighRiskAdminActivity gains PrivilegeEscalation tactic and T1078.004 technique
Explicit project statements added: Queries now carry explicit column projections, preventing accidental schema drift if upstream OktaSSO table fields change.
Rules updated:
- DeviceRegistrationMaliciousIP - IP allowlist, isnotempty guard, T1098.005, split entity mapping, alert override
- FailedLoginsFromUnknownOrInvalidUser - user allowlist, threshold variable, T1110.001, split entity mapping, alert override
- HighRiskAdminActivity - admin allowlist, added PrivilegeEscalation/T1078.004, split entity mapping, alert override
- LoginfromUsersfromDifferentCountrieswithin3hours - split entity mapping, configurable lookback/threshold, alert override
- MFAFatigue - split entity mapping, allowlists, alert override
- NewDeviceLocationCriticalOperation - split entity mapping, configurable variables, alert override
- PasswordSpray - T1110.003, threshold variable, split entity mapping
- PhishingDetection - split entity mapping, T1566.002, alert override
- UserSessionImpersonation - split entity mapping, session correlation improvements, alert override
Hunting Queries (10 updated)
All 10 queries receive the same treatment: improved JSON field extraction, explicit projections, and split AccountName/AccountUPNSuffix entity mapping. Several add configurable threshold or allowlist variables. Notable specifics:
- AdminPrivilegeGrant - adds AllowedAdmins exclusion list and T1098.001 sub-technique
- RareMFAOperation - adds AllowedMFAOperations allowlist and configurable LookbackDays variable
- UserPasswordReset - adds AllowedAdmins allowlist and configurable lookback
- ImpersonationSession - improved session join logic and explicit projection
- LegacyAuthentication / LoginFromMultipleLocations - parser field improvements
Workbook
OktaSingleSignOn.json receives updates (136 lines added, 23 removed); likely dashboard layout or query refresh.
Detection Logic Notes
Primary data source: OktaSSO (ASIM-normalised Okta parser over Okta_CL / OktaV2_CL tables)
Entities mapped: Account (Name + UPNSuffix), IP (Address) - consistently across all updated rules.
Tuning impact: The new AllowedIPs/AllowedUsers/AllowedAdmins variables are empty by default - no behavioural change until populated by the deploying team. Update these lists to suppress known-good service accounts and corporate egress IPs to reduce false positive volume.
Affected Files
Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml
Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml
Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml
Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml
Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml
Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml
Solutions/Okta Single Sign-On/Analytic Rules/PhishingDetection.yaml
Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
Solutions/Okta Single Sign-On/Hunting Queries/AdminPrivilegeGrant.yaml
Solutions/Okta Single Sign-On/Hunting Queries/CreateAPIToken.yaml
Solutions/Okta Single Sign-On/Hunting Queries/ImpersonationSession.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LegacyAuthentication.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LoginFromMultipleLocations.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LoginNordVPN.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LoginsVPSProvider.yaml
Solutions/Okta Single Sign-On/Hunting Queries/NewDeviceRegistration.yaml
Solutions/Okta Single Sign-On/Hunting Queries/RareMFAOperation.yaml
Solutions/Okta Single Sign-On/Hunting Queries/UserPasswordReset.yaml
Solutions/Okta Single Sign-On/Workbooks/OktaSingleSignOn.json
(packaging artefacts: 3.1.8.zip, ReleaseNotes.md, Solution_Okta.json, createUiDefinition.json, mainTemplate.json)