Detection: Okta User Logins from Multiple Cities

Updated Date: 2024-05-09 ID: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8 Author: Bhavin Patel, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment.

Search

1
2| tstats  `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature  values(Authentication.method) as method  from datamodel=Authentication where  Authentication.signature=user.session.start by _time Authentication.src 
3| `drop_dm_object_name("Authentication")` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| iplocation src 
7| stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user 
8| where distinct_city > 1 
9| `okta_user_logins_from_multiple_cities_filter`

Data Source

Name	Platform	Sourcetype	Source	Supported App
Okta	N/A	`'OktaIM2:log'`	`'Okta'`	N/A

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
okta_user_logins_from_multiple_cities_filter	`search *`

okta_user_logins_from_multiple_cities_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1586.003	Cloud Accounts	Resource Development

KillChainPhase.WEAPONIZATION

NistCategory.DE_AE

Cis18Value.CIS_10

APT29

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.

Associated Analytic Story

Okta Account Takeover

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.	81	90	90

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://attack.mitre.org/techniques/T1110/003/

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`Okta`	`OktaIM2:log`
Integration	✅ Passing	Dataset	`Okta`	`OktaIM2:log`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2