Analytics Story: Okta Account Takeover

Description

The Okta Account Takeover analytic story groups detections aimed at identifying unauthorized access to, and takeover attempts against, Okta accounts. The detections draw on Okta System Log events and behavioral analytics to protect user identities and access within cloud environments, and are used to monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.

Why it matters

Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline user authentication. Account Takeover (ATO) is an attack in which criminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, or credential stuffing. By posing as the real user, the attacker can change account details, send phishing emails, access sensitive applications, or use stolen information to reach further accounts within the organization. This analytic story groups detections that help security operations teams identify the potential compromise of Okta accounts.

Okta Risk Threshold Exceeded

The correlation search below reads the Risk data model rather than raw Okta events: it aggregates risk events attributed to the Okta stories per user risk object and raises an alert when that user has accumulated risk from more than five distinct ATT&CK techniques.

| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories  sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk  where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` |  search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`
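To make the aggregation the SPL performs concrete, here is an added Python re-implementation of the same grouping and threshold, run over a handful of constructed risk events. It is not code from this page or from the Splunk security content project. The event field names mirror the Risk.All_Risk fields the search reads; the user names, scores, and the pairing of each detection with a technique ID are assumptions made for illustration.

```python
from collections import defaultdict

# Analytic stories the correlation search scopes to (taken from the SPL).
STORIES = {"Okta Account Takeover", "Suspicious Okta Activity", "Okta MFA Exhaustion"}
# The SPL's final step is `search mitre_technique_id_count > 5`.
TECHNIQUE_THRESHOLD = 5


def ev(obj, otype, story, score, tactics, techniques, source):
    """Build one constructed risk event with the All_Risk fields the search reads."""
    return {"risk_object": obj, "risk_object_type": otype, "analyticstories": [story],
            "calculated_risk_score": score, "mitre_tactic_id": list(tactics),
            "mitre_technique_id": list(techniques), "source": source}


# Constructed sample data (assumption: not real Splunk output). Detection-to-
# technique pairings are illustrative, not the project's own tag mappings.
SAMPLE_RISK_EVENTS = [
    # alice: seven events spanning six distinct techniques -> exceeds threshold
    ev("alice@example.com", "user", "Okta Account Takeover", 25, ["TA0006"], ["T1621"],
       "Okta Multiple Failed MFA Requests For User"),
    ev("alice@example.com", "user", "Okta MFA Exhaustion", 10, ["TA0006"], ["T1110"],
       "Okta MFA Exhaustion Hunt"),
    ev("alice@example.com", "user", "Okta Account Takeover", 20, ["TA0001"], ["T1078.004"],
       "Okta Successful Single Factor Authentication"),
    ev("alice@example.com", "user", "Okta Account Takeover", 40, ["TA0006", "TA0005"], ["T1556"],
       "Okta Multi-Factor Authentication Disabled"),
    ev("alice@example.com", "user", "Okta Account Takeover", 30, ["TA0003"], ["T1098.005"],
       "Okta New Device Enrolled on Account"),
    ev("alice@example.com", "user", "Suspicious Okta Activity", 35, ["TA0006"], ["T1539"],
       "Okta Suspicious Use of a Session Cookie"),
    ev("alice@example.com", "user", "Okta Account Takeover", 25, ["TA0006"], ["T1621"],
       "Okta Authentication Failed During MFA Challenge"),  # T1621 again: not a new technique
    # bob: two techniques, stays below the threshold
    ev("bob@example.com", "user", "Okta Account Takeover", 15, ["TA0006"], ["T1110.003"],
       "Okta Multiple Users Failing To Authenticate From Ip"),
    ev("bob@example.com", "user", "Okta Account Takeover", 20, ["TA0001"], ["T1078.004"],
       "Okta ThreatInsight Threat Detected"),
    # dropped by the where clause: non-user risk object, or story outside the set
    ev("okta-svc-01", "system", "Okta Account Takeover", 50, ["TA0006"], ["T1621"],
       "Okta Multiple Failed MFA Requests For User"),
    ev("carol@example.com", "user", "Some Other Analytic Story", 60, ["TA0004"], ["T1068"],
       "Constructed Non-Okta Detection"),
]


def aggregate_risk(events, stories=STORIES, object_type="user"):
    """Mirror the tstats aggregation: apply the where clause, then group by risk object
    and compute the sum / count / values / dc columns the SPL produces."""
    groups = defaultdict(list)
    for e in events:
        if e["risk_object_type"] != object_type:
            continue
        if not set(e["analyticstories"]) & stories:  # SPL `IN` over a multivalue field
            continue
        groups[(e["risk_object"], e["risk_object_type"])].append(e)

    summaries = {}
    for (obj, otype), evs in groups.items():
        tactics = {t for e in evs for t in e["mitre_tactic_id"]}
        techniques = {t for e in evs for t in e["mitre_technique_id"]}
        sources = {e["source"] for e in evs}
        summaries[obj] = {
            "risk_object": obj, "risk_object_type": otype,
            "analyticstories": sorted({s for e in evs for s in e["analyticstories"]}),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": sorted(tactics), "mitre_tactic_id_count": len(tactics),
            "mitre_technique_id": sorted(techniques),
            "mitre_technique_id_count": len(techniques),
            "source": sorted(sources), "source_count": len(sources),
        }
    return summaries


def risk_threshold_exceeded(events, threshold=TECHNIQUE_THRESHOLD):
    """The final `search mitre_technique_id_count > 5` step: return the alerting rows."""
    return [s for s in aggregate_risk(events).values()
            if s["mitre_technique_id_count"] > threshold]


if __name__ == "__main__":
    for row in risk_threshold_exceeded(SAMPLE_RISK_EVENTS):
        print(row["risk_object"], row["risk_score"], row["mitre_technique_id"])
```

Note that the threshold is on distinct techniques, not on summed risk score: alice's seventh event repeats T1621 and does not move the count, and a user hit many times by one detection never trips this search on its own. The trailing `okta_risk_threshold_exceeded_filter` macro in the SPL is where a deployment adds its own suppressions after this logic has run.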

Detections

Name | Technique | Type
Okta Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
Okta MFA Exhaustion Hunt | Brute Force | Hunting
Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP
Okta Multi-Factor Authentication Disabled | Multi-Factor Authentication | TTP
Okta Multiple Accounts Locked Out | Brute Force | Anomaly
Okta Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | Anomaly
Okta Multiple Failed Requests to Access Applications | Web Session Cookie, Cloud Service Dashboard | Hunting
Okta Multiple Users Failing To Authenticate From Ip | Password Spraying | Anomaly
Okta New API Token Created | Default Accounts | TTP
Okta New Device Enrolled on Account | Device Registration | TTP
Okta Phishing Detection with FastPass Origin Check | Default Accounts, Modify Authentication Process | TTP
Okta Successful Single Factor Authentication | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly
Okta Suspicious Activity Reported | Default Accounts | TTP
Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Anomaly
Okta ThreatInsight Threat Detected | Cloud Accounts | Anomaly
Okta Unauthorized Access to Application | Cloud Account | Anomaly
Okta User Logins from Multiple Cities | Cloud Accounts | Anomaly

Where "Cloud Accounts" appears twice in one row, the two entries are distinct ATT&CK sub-techniques that share a name (Valid Accounts: Cloud Accounts and Compromise Accounts: Cloud Accounts), not a duplicated tag.

Data Sources

Name | Platform | Sourcetype | Source
Okta | N/A | OktaIM2:log | Okta

Source: GitHub | Version: 1