Update Athena D&R Okta Automation.ipynb
rgi-group authored Nov 2, 2023
1 parent 01866ac commit 0b77a21
Showing 1 changed file with 10 additions and 10 deletions.
20 changes: 10 additions & 10 deletions Jupyter Notebooks/Okta D&R/Athena D&R Okta Automation.ipynb
@@ -21,12 +21,12 @@
"- **Tier 1: SaaS Applications**\n",
" - Okta logs\n",
" - GitHub audit logs\n",
" - Postman App Logs\n",
" - Postman Cloudflare Logs\n",
" - RGI App Logs\n",
" - RGI Cloudflare Logs\n",
"## Additional Tools\n",
"- AWS Glue and Brex Substation for log ingestion, transformation, and enrichment.\n",
"## Objective\n",
"To create scheduled Athena queries that will function as detections and run every minute. These detections will be based on the DDL table `postman_s3_okta_audit_logs`."
"To create scheduled Athena queries that will function as detections and run every minute. These detections will be based on the DDL table `RGI_s3_okta_audit_logs`."
]
},
{
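Review bot: the renamed table in the Objective line, `RGI_s3_okta_audit_logs`, is mixed-case, but Athena/Glue store table names lowercase and match them case-insensitively, so the DDL table will exist as `rgi_s3_okta_audit_logs`; use the lowercase spelling here (and in the query cells) so the documentation matches what `SHOW TABLES` returns. The same hunk swaps the "Postman App Logs" / "Postman Cloudflare Logs" sources for "RGI App Logs" / "RGI Cloudflare Logs" while leaving "Brex Substation" in Additional Tools, which is fine if that is still the ingestion path, but worth a one-line confirmation in the commit message since the rest of the rename is organisation-wide.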
@@ -39,7 +39,7 @@
},
"source": [
"## Athena Queries for Detections\n",
"Here are some example Athena queries that can be used for detections. These queries are based on the DDL table `postman_s3_okta_audit_logs` and are designed to detect suspicious activities."
"Here are some example Athena queries that can be used for detections. These queries are based on the DDL table `RGI_s3_okta_audit_logs` and are designed to detect suspicious activities."
]
},
{
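Review bot: the rewritten sentence keeps the mixed-case `RGI_s3_okta_audit_logs`; same casing point as above, lowercase it to match the DDL. Minor style: this cell ("## Athena Queries for Detections", "Here are some example Athena queries ...") and the later cell "## Athena Queries" introduce the same set of queries twice with near-identical wording; consider keeping one as the overview and the other as the code-cell heading.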
@@ -116,7 +116,7 @@
},
"source": [
"## Athena Queries\n",
"The following Athena queries are designed to detect suspicious activities based on the Okta logs stored in the `postman_s3_okta_audit_logs` table. These queries will be executed by the AWS Lambda function."
"The following Athena queries are designed to detect suspicious activities based on the Okta logs stored in the `RGI_s3_okta_audit_logs` table. These queries will be executed by the AWS Lambda function."
]
},
{
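Review bot: the changed line says the queries "will be executed by the AWS Lambda function", while the Objective cell above says they are "scheduled Athena queries ... run every minute"; the notebook should state one execution model (EventBridge-scheduled Lambda calling `start_query_execution`, or Athena-side scheduling) so the reader knows where to look for the schedule and the failure handling. Table name casing as in the earlier hunks.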
@@ -134,33 +134,33 @@
"queries = {\n",
" 'suspicious_ips': '''\n",
" SELECT detail.client.ipaddress AS suspicious_ip, COUNT(*) AS count\n",
" FROM your_database.postman_s3_okta_audit_logs\n",
" FROM your_database.RGI_s3_okta_audit_logs\n",
" WHERE detail.outcome.result = 'FAILURE'\n",
" GROUP BY detail.client.ipaddress\n",
" HAVING COUNT(*) > 5\n",
" ''',\n",
" 'unusual_user_agents': '''\n",
" SELECT detail.client.useragent.rawuseragent AS user_agent, COUNT(*) AS count\n",
" FROM your_database.postman_s3_okta_audit_logs\n",
" FROM your_database.RGI_s3_okta_audit_logs\n",
" GROUP BY detail.client.useragent.rawuseragent\n",
" HAVING COUNT(*) < 3\n",
" ''',\n",
" 'high_frequency_failed_logins': '''\n",
" SELECT detail.actor.id AS user_id, COUNT(*) AS failed_count\n",
" FROM your_database.postman_s3_okta_audit_logs\n",
" FROM your_database.RGI_s3_okta_audit_logs\n",
" WHERE detail.outcome.result = 'FAILURE'\n",
" GROUP BY detail.actor.id\n",
" HAVING COUNT(*) > 10\n",
" ''',\n",
" 'unusual_times_of_activity': '''\n",
" SELECT date_parse(time, '%Y-%m-%dT%H:%i:%s.%fZ') AS parsed_time, COUNT(*) AS count\n",
" FROM your_database.postman_s3_okta_audit_logs\n",
" FROM your_database.RGI_s3_okta_audit_logs\n",
" WHERE date_format(date_parse(time, '%Y-%m-%dT%H:%i:%s.%fZ'), '%H') NOT BETWEEN '08' AND '18'\n",
" GROUP BY date_parse(time, '%Y-%m-%dT%H:%i:%s.%fZ')\n",
" ''',\n",
" 'unusual_geographical_locations': '''\n",
" SELECT detail.client.geographicalcontext.country AS country, COUNT(*) AS count\n",
" FROM your_database.postman_s3_okta_audit_logs\n",
" FROM your_database.RGI_s3_okta_audit_logs\n",
" GROUP BY detail.client.geographicalcontext.country\n",
" HAVING COUNT(*) < 5\n",
" '''\n",
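Review bot: none of the five queries in this hunk filters on a time window or partition column, so when they run every minute each one scans the whole `RGI_s3_okta_audit_logs` table and re-emits the same historical hits on every run; add a bound on the event time to each `WHERE` (the `date_parse(time, '%Y-%m-%dT%H:%i:%s.%fZ')` expression already used in `unusual_times_of_activity` works, compared against `current_timestamp - interval '5' minute` or similar) plus the partition predicate. Specific problems that survive the rename: `unusual_times_of_activity` does `GROUP BY date_parse(time, ...)` on the full millisecond timestamp, so nearly every group has `count = 1` and the aggregation adds nothing; group by `detail.actor.id` and the hour instead, and note that the `'%H' NOT BETWEEN '08' AND '18'` string comparison is evaluated in UTC, not the users' local working hours. `unusual_user_agents` (`HAVING COUNT(*) < 3`) and `unusual_geographical_locations` (`HAVING COUNT(*) < 5`) measure global rarity over all history rather than novelty for a given user, which will page on every one-off and never on a new country for an established account. Finally the `your_database.` placeholder is still in all five `FROM` clauses; either parameterise it alongside the table name or set the database on the Athena query context so the notebook runs as written.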