Techniques
Sample rules
Okta Authentication Failed During MFA Challenge
- source: splunk
- technicques:
- T1586
- T1586.003
- T1078
- T1078.004
- T1621
Description
The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is user.authentication.auth_via_mfa
. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action
| `drop_dm_object_name("Authentication")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| iplocation src
| `okta_authentication_failed_during_mfa_challenge_filter`