THIS IS A EXPERIMENTAL DETECTION
This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.
The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.
For each Okta Verify Push challenge, the following two events are recorded in Okta System Log
Source of Push (Sign-In)
eventType eq \"system.push.send_factor_verify_push\"
User Push Response (Okta Verify client)
eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH"
In sequence, the logic for the analytic - \
- Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \
- Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \ * Creates a ratio of successful sign-ins to pushes. \
If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.
- Type: TTP
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-03-17
- Author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk
- ID: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a
Kill Chain Phase
- CIS 10
1 2 3 4 5 6 7 8 9 10 11 12 `okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") | eval groupby="authenticationContext.externalSessionId" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`
The SPL above uses the following Macros:
okta_mismatch_between_source_and_response_for_verify_push_request_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
This analytic is specific to Okta and requires Okta:im2 logs to be ingested.
Known False Positives
False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.
Associated Analytic Story
|64.0||80||80||A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1