What Changed

Version 3.1.8 of the Okta Single Sign-On solution delivers a broad quality pass across 9 Analytic Rules and 10 Hunting Queries. The changes are primarily detection logic improvements rather than new coverage.

Analytic Rules (9 updated)

Entity mapping corrections (all 9 rules): actor_alternateId_s was previously mapped as FullName or Name/DisplayName on a single Account entity. It is now split into AccountName (UPN prefix) and AccountUPNSuffix (domain) using split(actor_alternateId_s, “@”). Rules that previously mapped to FullName will now correctly populate Sentinel Account entity identity fields, improving UEBA correlation and incident investigation.

Configurable suppression variables introduced: Each rule gains one or more let variables (AllowedIPs, AllowedUsers, AllowedAdmins, AllowedThreshold) with empty dynamic arrays as defaults. These are no-ops out of the box but provide documented tuning hooks without requiring rule cloning.

isnotempty guards added: Several rules (FailedLoginsFromUnknownOrInvalidUser, DeviceRegistrationMaliciousIP) now gate on isnotempty(actor_alternateId_s) or isnotempty(client_ipAddress_s) to avoid null-value noise in entity mappings and join results.

customDetails and alertDetailsOverride added: Rules that previously surfaced no custom alert details now emit structured fields (ActorDisplayName, UserAgent, Location, FailedLoginCount) and dynamic alert display names, improving alert readability in the incidents queue.

MITRE sub-technique precision: Several rules had technique IDs updated to sub-techniques:

  • T1098 to T1098.005 (Device Registration - DeviceRegistrationMaliciousIP)
  • T1110 to T1110.001 (Password Guessing - FailedLoginsFromUnknownOrInvalidUser)
  • T1110 to T1110.003 (Password Spraying - PasswordSpray)
  • HighRiskAdminActivity gains PrivilegeEscalation tactic and T1078.004 technique

Explicit project statements added: Queries now carry explicit column projections, preventing accidental schema drift if upstream OktaSSO table fields change.

Rules updated:

  • DeviceRegistrationMaliciousIP - IP allowlist, isnotempty guard, T1098.005, split entity mapping, alert override
  • FailedLoginsFromUnknownOrInvalidUser - user allowlist, threshold variable, T1110.001, split entity mapping, alert override
  • HighRiskAdminActivity - admin allowlist, added PrivilegeEscalation/T1078.004, split entity mapping, alert override
  • LoginfromUsersfromDifferentCountrieswithin3hours - split entity mapping, configurable lookback/threshold, alert override
  • MFAFatigue - split entity mapping, allowlists, alert override
  • NewDeviceLocationCriticalOperation - split entity mapping, configurable variables, alert override
  • PasswordSpray - T1110.003, threshold variable, split entity mapping
  • PhishingDetection - split entity mapping, T1566.002, alert override
  • UserSessionImpersonation - split entity mapping, session correlation improvements, alert override

Hunting Queries (10 updated)

All 10 queries receive the same treatment: improved JSON field extraction, explicit projections, and split AccountName/AccountUPNSuffix entity mapping. Several add configurable threshold or allowlist variables. Notable specifics:

  • AdminPrivilegeGrant - adds AllowedAdmins exclusion list and T1098.001 sub-technique
  • RareMFAOperation - adds AllowedMFAOperations allowlist and configurable LookbackDays variable
  • UserPasswordReset - adds AllowedAdmins allowlist and configurable lookback
  • ImpersonationSession - improved session join logic and explicit projection
  • LegacyAuthentication / LoginFromMultipleLocations - parser field improvements

Workbook

OktaSingleSignOn.json receives updates (136 lines added, 23 removed); likely dashboard layout or query refresh.

Detection Logic Notes

Primary data source: OktaSSO (ASIM-normalised Okta parser over Okta_CL / OktaV2_CL tables)

Entities mapped: Account (Name + UPNSuffix), IP (Address) - consistently across all updated rules.

Tuning impact: The new AllowedIPs/AllowedUsers/AllowedAdmins variables are empty by default - no behavioural change until populated by the deploying team. Update these lists to suppress known-good service accounts and corporate egress IPs to reduce false positive volume.

Affected Files

Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml
Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml
Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml
Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml
Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml
Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml
Solutions/Okta Single Sign-On/Analytic Rules/PhishingDetection.yaml
Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
Solutions/Okta Single Sign-On/Hunting Queries/AdminPrivilegeGrant.yaml
Solutions/Okta Single Sign-On/Hunting Queries/CreateAPIToken.yaml
Solutions/Okta Single Sign-On/Hunting Queries/ImpersonationSession.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LegacyAuthentication.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LoginFromMultipleLocations.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LoginNordVPN.yaml
Solutions/Okta Single Sign-On/Hunting Queries/LoginsVPSProvider.yaml
Solutions/Okta Single Sign-On/Hunting Queries/NewDeviceRegistration.yaml
Solutions/Okta Single Sign-On/Hunting Queries/RareMFAOperation.yaml
Solutions/Okta Single Sign-On/Hunting Queries/UserPasswordReset.yaml
Solutions/Okta Single Sign-On/Workbooks/OktaSingleSignOn.json
(packaging artefacts: 3.1.8.zip, ReleaseNotes.md, Solution_Okta.json, createUiDefinition.json, mainTemplate.json)