Description

Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating to cloud services at an increasing rate. Okta is a popular tool for managing multiple users and the web-based applications they need to stay productive. The searches in this story will help you monitor your Okta environment for suspicious activities and the user behaviors associated with them.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Risk
  • Last Updated: 2020-04-02
  • Author: Rico Valdez, Splunk
  • ID: 9cbd34af-8f39-4476-a423-bacd126c750b

Narrative

Okta is the leading single sign-on (SSO) provider, allowing users to authenticate once to Okta and from there access a variety of web-based applications. These applications are assigned to users, allowing administrators to centrally manage which users may access which applications. Okta also provides centralized logging to help understand how the applications are used and by whom.
While SSO is a major convenience for users, it also provides attackers with an opportunity: if an attacker can gain access to Okta, they can access a variety of applications. As such, monitoring the environment is important.
With people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment and identify events and activity that warrant further investigation, such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.

Detections

Name | Technique | Type
Multiple Okta Users With Invalid Credentials From The Same IP | Valid Accounts, Default Accounts | Hunting
Okta Account Locked Out | Brute Force | Anomaly
Okta Account Lockout Events | Valid Accounts, Default Accounts | Anomaly
Okta Failed SSO Attempts | Valid Accounts, Default Accounts | Anomaly
Okta MFA Exhaustion Hunt | Brute Force | Hunting
Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP
Okta Multiple Failed Requests to Access Applications | Web Session Cookie, Cloud Service Dashboard | Hunting
Okta New API Token Created | Valid Accounts, Default Accounts | TTP
Okta New Device Enrolled on Account | Valid Accounts, Default Accounts | Anomaly
Okta Phishing Detection with FastPass Origin Check | Valid Accounts, Default Accounts, Modify Authentication Process | TTP
Okta Risk Threshold Exceeded | Valid Accounts, Brute Force | Correlation
Okta Suspicious Activity Reported | Valid Accounts, Default Accounts | TTP
Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Hunting
Okta ThreatInsight Login Failure with High Unknown Users | Valid Accounts, Default Accounts, Credential Stuffing | TTP
Okta ThreatInsight Suspected PasswordSpray Attack | Valid Accounts, Default Accounts, Password Spraying | TTP
Okta ThreatInsight Threat Detected | Valid Accounts, Default Accounts | Anomaly
Okta Two or More Rejected Okta Pushes | Brute Force | TTP
Okta User Logins From Multiple Cities | Valid Accounts, Default Accounts | Anomaly

Reference

source | version: 1