Analytics Story: Suspicious Okta Activity

Description

Monitor your Okta environment for suspicious activity. Since the Covid outbreak, organizations have been moving more and more of their users onto cloud services. Okta is a popular tool for managing those users and the web-based applications they need to stay productive. The searches in this story help monitor your Okta environment for suspicious activity and the user behaviors associated with it.

Why it matters

Okta is the leading single sign-on (SSO) provider: users authenticate once to Okta and from there access a variety of web-based applications. Applications are assigned to users, so administrators can centrally manage which users may access which applications, and Okta provides centralized logging that shows how the applications are used and by whom. While SSO is a major convenience for users, it also gives attackers an opportunity: an attacker who gains access to a user's Okta account gains access to every application assigned to that user. As such, monitoring the environment is important. With organizations moving quickly to adopt web-based applications and ways to manage them, many are still working out how best to monitor these environments. This analytic story provides searches that help monitor the Okta environment and identify events and activity that warrant further investigation, such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.

Correlation search over the Risk data model that fires when a single user accumulates risk events from these Okta stories spanning more than five MITRE ATT&CK techniques:

| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories
    sum(All_Risk.calculated_risk_score) as risk_score,
    count(All_Risk.calculated_risk_score) as risk_event_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
    values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
    from datamodel=Risk.All_Risk
    where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity", "Okta MFA Exhaustion")
    by All_Risk.risk_object, All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| search mitre_technique_id_count > 5
| `okta_risk_threshold_exceeded_filter`
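To make the aggregation in that search concrete, here is an added Python reproduction of its logic (not Splunk's code) run over constructed risk events; the `ev` helper, the sample data and the technique-ID mappings for the detection names are assumptions for illustration.

```python
from collections import defaultdict

STORIES = {"Okta Account Takeover", "Suspicious Okta Activity", "Okta MFA Exhaustion"}

def ev(obj, source, technique, score, tactic="TA0006", story="Suspicious Okta Activity", otype="user"):
    """Build one constructed risk event in the shape the tstats search reads from Risk.All_Risk."""
    return {"risk_object": obj, "risk_object_type": otype, "analyticstories": story, "source": source,
            "calculated_risk_score": score, "mitre_tactic_id": tactic, "mitre_technique_id": technique}

# Constructed sample data (not real events); technique IDs are assumed mappings of the table above.
RISK_EVENTS = [
    # alice: six distinct techniques across two of the stories -> exceeds the threshold
    ev("alice", "Okta Failed SSO Attempts", "T1078", 10),
    ev("alice", "Okta Account Lockout Events", "T1078.001", 10),
    ev("alice", "Okta Account Locked Out", "T1110", 15),
    ev("alice", "Okta ThreatInsight Login Failure with High Unknown users", "T1110.004", 20),
    ev("alice", "Okta Suspicious Use of a Session Cookie", "T1539", 25, story="Okta Account Takeover"),
    ev("alice", "Okta IDP Lifecycle Modifications", "T1136.003", 15, tactic="TA0003"),
    # bob: repeated noisy events but only two distinct techniques -> no alert
    ev("bob", "Okta Failed SSO Attempts", "T1078", 10),
    ev("bob", "Okta Failed SSO Attempts", "T1078", 10),
    ev("bob", "Okta Account Lockout Events", "T1078.001", 10),
    # filtered out by the where clause: a different story, and a non-user risk object
    ev("carol", "Unrelated Detection", "T1566", 80, story="Phishing"),
    ev("10.0.0.5", "Multiple Okta Users With Invalid Credentials From The Same IP", "T1110.003", 30, otype="system"),
]

def aggregate_risk(events, stories=STORIES, object_type="user"):
    """Mirror the tstats aggregation: per risk object, sum scores and collect distinct values."""
    agg = defaultdict(lambda: {"risk_score": 0, "risk_event_count": 0, "tactics": set(),
                               "techniques": set(), "stories": set(), "sources": set()})
    for e in events:
        if e["risk_object_type"] != object_type or e["analyticstories"] not in stories:
            continue
        a = agg[e["risk_object"]]
        a["risk_score"] += e["calculated_risk_score"]
        a["risk_event_count"] += 1
        a["tactics"].add(e["mitre_tactic_id"])
        a["techniques"].add(e["mitre_technique_id"])
        a["stories"].add(e["analyticstories"])
        a["sources"].add(e["source"])
    return dict(agg)

def risk_threshold_exceeded(events, min_techniques=5):
    """Risk objects whose distinct technique count is above the threshold, highest score first."""
    agg = aggregate_risk(events)
    hits = {u: a for u, a in agg.items() if len(a["techniques"]) > min_techniques}
    return sorted(hits, key=lambda u: -hits[u]["risk_score"])
```

The distinct-technique count, not the raw event count or score, is what separates alice from bob here, which is the point of the `mitre_technique_id_count > 5` clause.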

Detections

| Name | Technique | Type |
|---|---|---|
| Okta IDP Lifecycle Modifications | Cloud Account | Anomaly |
| Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Anomaly |
| Multiple Okta Users With Invalid Credentials From The Same IP | Password Spraying, Valid Accounts, Default Accounts | TTP |
| Okta Account Locked Out | Brute Force | Anomaly |
| Okta Account Lockout Events | Valid Accounts, Default Accounts | Anomaly |
| Okta Failed SSO Attempts | Valid Accounts, Default Accounts | Anomaly |
| Okta ThreatInsight Login Failure with High Unknown users | Valid Accounts, Default Accounts, Credential Stuffing | TTP |
| Okta ThreatInsight Suspected PasswordSpray Attack | Valid Accounts, Default Accounts, Password Spraying | TTP |
| Okta Two or More Rejected Okta Pushes | Brute Force | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Okta | N/A | OktaIM2:log | Okta |

Source: GitHub | Version: 1