Detection: Okta Non-Standard VPN Usage

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Updated Date: 2025-06-03 ID: 58eb9f80-896c-42f8-86c6-27ab59026c9c Author: Marissa Bower, Raven Tait Type: TTP Product: Splunk Enterprise Security

Description

Remote Employment Fraud (REF) actors will often use virtual private networks (VPNs) to conceal their true physical location. Threat actors mask their originating IP address and instead appear to be situated in any location where the VPN service has a node.

1`okta` debugContext.debugData.tunnels IN (*Astrill*,*Azire*,*CyberGhost*,*Express*VPN,*HideMe*, *IPVanish*,*Mullvad*,*Nord*VPN*,*OVPN*,*PIA*VPN*,*Proton*VPN*,*Pure*VPN*,*Slick*VPN*,*Surf*Easy*, *SurfShark*,*Star*VPN*,*TorGuard*,*TorProxy*,*Tiger*VPN*,*TunnelBear*,*Unblock*VPN*,*Warp*VPN*,*WarpSpeed*, *VPNReactor*,*VPN*Shield*,*VPN*Super*VPN*,*ZenMate*) ```listing of commonly used known VPN providers. Add or remove whatever is appropriate for your environment``` 
2| eval user=coalesce('actor.alternateId',user), user=mvindex(split(user, "@"), 0) 
3| rename targetUserAlternateId as user client.* as * request.* as * ipChain{}.* as * geographicalContext.* as * debugContext.* as * debugData.* as * 
4| eval status=case(match(_raw, "FAILURE"), "failure", !match(_raw, "FAILURE"), "success") 
5| stats count values(status) as status max(published) as UTC min(_time) as firsttime max(_time) as lasttime values(target_data) as target_data values(displayMessage) as displayMessage values(eventType) as eventType values(city) as city values(country) as country values(action) as action values(src_ip) as src_ip values(outcome.*) as * values(user) as user by tunnels,_time,host sourcetype index 
6| fillnull value="N/A" 
7| convert ctime(*ttime) 
8| `okta_non_standard_vpn_usage_filter`

Data Source

Name Platform Sourcetype Source
Okta N/A 'OktaIM2:log' 'Okta'

Macros Used

Name Value
okta eventtype=okta_log OR sourcetype = "OktaIM2:log"
okta_non_standard_vpn_usage_filter search *
okta_non_standard_vpn_usage_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1078 Valid Accounts Defense Evasion
T1572 Protocol Tunneling Initial Access
T1090 Proxy Persistence
Command and Control
Delivery
Exploitation
Installation
DE.CM
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).

Known False Positives

Limited to no expected false positives once a baseline of common VPN software has been completed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Uncommon VPN software used by $user$ to connect to Okta.

Risk Object Risk Object Type Risk Score Threat Objects
user user 50 No Threat Objects

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1