event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and
(not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP
or user.authentication.auth_via_inbound_SAML
or user.authentication.auth_via_mfa
or user.authentication.auth_via_social)
or event.action:user.session.start) or
(event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE
and okta.outcome.reason:("A SAML assert with the same ID has already been processed by Okta for a previous request"
or "Unable to match transformed username"
or "Unable to resolve IdP endpoint"
or "Unable to validate SAML Response"
or "Unable to validate incoming SAML Assertion"))
Install detection rules in Elastic Security
Detect Okta Sign-In Events via Third-Party IdP in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).