Repository: https://github.com/mostafa/streaming-log-to-rsigma-article

# Streaming Logs to RSigma for Real-Time Detection

Companion repository for the blog post [Streaming Logs to RSigma for Real-Time Detection](https://mostafa.dev/streaming-logs-to-rsigma-for-real-time-detection-72084b8041ad).

This repo contains the Sigma detection rules and sample events used throughout the article. Together they demonstrate how [RSigma](https://github.com/timescale/rsigma) correlates individual Okta detections into a single critical alert, reproducing the attack chain from Okta's [August 2023 cross-tenant impersonation advisory](https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection).

## What's Inside

```
rules/
  okta_user_session_start_via_anonymised_proxy.yml    # SigmaHQ – session via proxy
  okta_mfa_reset_or_deactivated.yml                   # SigmaHQ – MFA deactivated
  okta_admin_role_assigned_to_user_or_group.yml       # SigmaHQ – admin role assigned
  okta_identity_provider_created.yml                  # SigmaHQ – rogue IdP created
  okta_cross_tenant_impersonation_correlation.yml     # Custom – temporal_ordered correlation
events/
  okta_audit.ndjson                                   # Sample Okta System Log events (NDJSON)
```

The four detection rules are from [SigmaHQ](https://github.com/SigmaHQ/sigma/tree/master/rules/identity/okta) and use the native [Okta System Log](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SystemLog/) field names (camelCase), so no processing pipeline is needed. The correlation rule is custom.

## Quick Start

Install [RSigma](https://github.com/timescale/rsigma), then run:

```bash
rsigma eval -r rules/ < events/okta_audit.ndjson
```

You should see four individual detections (one per attack-chain step) and one `critical` correlation alert tying them together by actor within a 30-minute window.

## The Attack Chain

| Step | Okta Event | Sigma Rule | Level |
|------|-----------|------------|-------|
| 1 | `user.session.start` from proxy | `okta_user_session_start_via_anonymised_proxy` | high |
| 2 | `user.mfa.factor.deactivate` | `okta_mfa_reset_or_deactivated` | medium |
| 3 | `user.account.privilege.grant` | `okta_admin_role_assigned_to_user_or_group` | medium |
| 4 | `system.idp.lifecycle.create` | `okta_identity_provider_created` | medium |
| **Correlation** | All four from the same `actor.alternateId` within 30 min | `okta_cross_tenant_impersonation_correlation` | **critical** |

## License

The SigmaHQ detection rules are licensed under the [DRL](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md). Everything else in this repository is MIT-licensed.