Techniques
Sample rules
Okta Successful Single Factor Authentication
- source: splunk
- technicques:
- T1586
- T1586.003
- T1078
- T1078.004
- T1621
Description
This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where “Okta Verify” is not detected during authentication. This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the “targets” in the detection search.
Detection logic
`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa
| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search targets !="Okta Verify"
| `okta_successful_single_factor_authentication_filter`