Techniques
Sample rules
Okta Suspicious Activity Reported
- source: splunk
- technicques:
- T1078
- T1078.001
Description
The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the user.account.report_suspicious_activity_by_enduser event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.
Detection logic
`okta` eventType=user.account.report_suspicious_activity_by_enduser
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_suspicious_activity_reported_filter`