Sample rules
Okta Mismatch Between Source and Response for Verify Push Request
- source: splunk
- technicques:
- T1621
Description
The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic. For each Okta Verify Push challenge, the following two events are recorded in Okta System Log Source of Push (Sign-In) eventType eq "system.push.send_factor_verify_push" User Push Response (Okta Verify client) eventType eq “user.authentication.auth_via_mfa” AND debugContext.debugData.factor eq “OKTA_VERIFY_PUSH” In sequence, the logic for the analytic -
- Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push)
- Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. * Creates a ratio of successful sign-ins to pushes.
- If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.
Detection logic
`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH")
| eval groupby="authenticationContext.externalSessionId"
| eval group_push_time=_time
| bin span=2s group_push_time
| fillnull value=NULL
| stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby
| iplocation client.ipAddress
| fields - lat, lon, group_push_time
| stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) as dest values(*) as * by groupby
| eval ratio = round(total_successes/total_pushes,2)
| search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0
| `okta_mismatch_between_source_and_response_for_verify_push_request_filter`
Okta Multiple Failed Requests to Access Applications
- source: splunk
- technicques:
- T1550.004
- T1538
Description
The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: * Retrieves policy evaluation and SSO details in events that contain the Application requested
- Formats target fields so we can aggregate specifically on Applications (AppInstances)
- Groups by User, Session and IP
- Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies
- Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps.
Detection logic
`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS)
| eval targets=mvzip('target{}.type', 'target{}.displayName', ": ")
| eval targets=mvfilter(targets LIKE "AppInstance%")
| stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress
| search total_challenges > 0
| stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress
| fillnull
| eval ratio=round(total_successes/total_challenges,2), severity="HIGH", mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" . " seen opening " . total_challenges . " chiclets/apps with " . total_successes . " challenges successfully passed"
| fields - count, targets
| search ratio < 0.5 total_challenges > 2
| `okta_multiple_failed_requests_to_access_applications_filter`