Okta Mismatch Between Source and Response for Verify Push Request

THIS IS A EXPERIMENTAL DETECTION

This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.

Try in Splunk Security Cloud

Description

The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.
For each Okta Verify Push challenge, the following two events are recorded in Okta System Log
Source of Push (Sign-In)
eventType eq \"system.push.send_factor_verify_push\"
User Push Response (Okta Verify client)
eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH"
In sequence, the logic for the analytic - \

• Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \
• Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \ * Creates a ratio of successful sign-ins to pushes. \

• If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2023-03-17
• Author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk
• ID: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1621	Multi-Factor Authentication Request Generation	Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") 
| eval groupby="authenticationContext.externalSessionId" 
| eval group_push_time=_time 
| bin span=2s group_push_time 
| fillnull value=NULL 
| stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby 
| iplocation client.ipAddress 
| fields - lat, lon, group_push_time 
| stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) as dest values(*) as * by groupby 
| eval ratio = round(total_successes/total_pushes,2) 
| search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 
| `okta_mismatch_between_source_and_response_for_verify_push_request_filter`

Macros

The SPL above uses the following Macros:

• okta

okta_mismatch_between_source_and_response_for_verify_push_request_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• authenticationContext.externalSessionId
• eventType
• debugContext.debugData.factor
• outcome.result
• actor.alternateId
• client.device
• client.ipAddress
• client.userAgent.rawUserAgent
• debugContext.debugData.behaviors
• group_push_time

How To Implement

The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.

Associated Analytic Story

• Okta Account Takeover
• Okta MFA Exhaustion

RBA

Risk Score	Impact	Confidence	Message
64.0	80	80	A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1621
• https://splunkbase.splunk.com/app/6553

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1