Analytics Story: Suspicious Okta Activity

Date: 2020-04-02 ID: 9cbd34af-8f39-4476-a423-bacd126c750b Author: Rico Valdez, Splunk Product: Splunk Enterprise Security

Description

Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.

Why it matters

Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. While SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. With people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.

Correlation Search

1| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories  sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk  where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` |  search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Okta IDP Lifecycle Modifications	Cloud Account	Anomaly
Okta Suspicious Use of a Session Cookie	Steal Web Session Cookie	Anomaly
Multiple Okta Users With Invalid Credentials From The Same IP	Password Spraying, Valid Accounts, Default Accounts	TTP
Okta Account Locked Out	Brute Force	Anomaly
Okta Account Lockout Events	Valid Accounts, Default Accounts	Anomaly
Okta Failed SSO Attempts	Valid Accounts, Default Accounts	Anomaly
Okta ThreatInsight Login Failure with High Unknown users	Valid Accounts, Default Accounts, Credential Stuffing	TTP
Okta ThreatInsight Suspected PasswordSpray Attack	Valid Accounts, Default Accounts, Password Spraying	TTP
Okta Two or More Rejected Okta Pushes	Brute Force	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Okta	N/A	`OktaIM2:log`	`Okta`

References

Source: GitHub | Version: 1