LoFP LoFP / t1078.004

t1078.004

TitleTags
a legitimate new admin account being created
a non malicious user is unaware of the proper process
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
account disabled or blocked in error
actual admin using pim.
administrative users will likely use powershell commandlets to troubleshoot and maintain the environment. filter as needed.
administrator adding a legitimate temporary access pass
administrators may legitimately create azure runbook webhooks. filter as needed.
allowed administrative activities.
allowed self-hosted runners changes in the environment.
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
although not recommended, certain users may be required without multi-factor authentication. filter as needed
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
automated processes using tools like terraform may trigger this alert.
automation account has been blocked or disabled
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
deletions by unfamiliar users should be investigated. if the behavior is known and expected, it can be exempted from the rule.
false positives have been minimized by removing attempts that result in 'mfa successfully completed messages', which were found to be generated when a user opts to use a different mfa method than the default. further reductions in finding events can be achieved through filtering 'mfa denied; duplicate authentication attempt' messages within the auth_msg field, as they could arguably be considered as false positives.
false positives may occur. it is recommended to fine-tune okta settings and the analytic to ensure high fidelity. adjust the risk score as necessary.
if this was approved by system administrator or confirmed user action.
if this was approved by system administrator.
it is possible that some accounts do not have mfa enabled for the aws account however its agaisnt the best practices of securing aws.
it's possible that a new user will start to modify ec2 instances when they haven't before for any number of reasons. verify with the user that is modifying instances that this is the intended behavior.
it's possible that a user will start to create compute instances for the first time, for any number of reasons. verify with the user launching instances that this is the intended behavior.
known legacy accounts
legit administrative pim setting configuration changes
legitimate administrative actions by authorized system administrators could cause this alert. verify the user identity, user agent, and hostname to ensure they are expected.
legitimate user wrong password attempts.
legitimate users may miss to reply the mfa challenge within the time window or deny it by mistake.
legtimate administrator actions of adding members from a role
many service accounts configured within a cloud infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
many service accounts configured within an aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
misconfigured systems
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.
o365 security and compliance may also generate false positives or trigger on legitimate behavior, filter as needed.
service account misconfigured
service principals will legitimally authenticate remotely to your tenant. implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the azure ad environment. source ips.
this detection cloud be noisy depending on the environment. it is recommended to keep a check on the new secrets when created and validate the \"actor\".
unknown
user has been put in acception group so they can use legacy authentication
users actually login but miss-click into the deny button when mfa prompt.
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
vulnerability scanners
when an admin begins using the admin console and one of okta's heuristics incorrectly identifies the behavior as being unusual.
when and administrator is making legitimate appid uri configuration changes to an application. this should be a planned event.
when and administrator is making legitimate uri configuration changes to an application. this should be a planned event.