LoFP / There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates.

Techniques

Sample rules

Okta Unauthorized Access to Application

Description

This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment.

Detection logic


| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure" by _time Authentication.src Authentication.user 
| `drop_dm_object_name("Authentication")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| iplocation src 
| `okta_unauthorized_access_to_application_filter`
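
The false-positive guidance above (check where the activity originates) can be applied to exported results of this search. The following is an added example, not part of the original rule or of Splunk's content: the row layout, the per-user country baseline, the `max_apps` threshold and the verdict labels are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed rows shaped like this search's output after `iplocation src`.
# IPs are documentation ranges; users and apps are made up.
ROWS = [
    {"user": "alice@example.com", "src": "198.51.100.10", "app": "Payroll", "Country": "United States"},
    {"user": "bob@example.com", "src": "203.0.113.77", "app": ["Payroll", "HR Portal"], "Country": "Brazil"},
    {"user": "bob@example.com", "src": "203.0.113.77", "app": "Finance", "Country": "Brazil"},
    {"user": "carol@example.com", "src": "10.1.2.3", "app": "Wiki", "Country": ""},
]

# Assumption: countries each user normally signs in from, built elsewhere
# (for example from earlier successful Okta authentications).
USUAL_COUNTRIES = {
    "alice@example.com": {"United States"},
    "bob@example.com": {"Germany"},
    "carol@example.com": {"France"},
}


def triage(rows, usual_countries, max_apps=2):
    """Label each (user, src) pair with the reasons it needs analyst review."""
    groups = defaultdict(lambda: {"apps": set(), "countries": set()})
    for row in rows:
        group = groups[(row["user"], row["src"])]
        apps = row["app"]
        # values(Authentication.app) can be multivalued, so accept str or list.
        group["apps"].update([apps] if isinstance(apps, str) else apps)
        # iplocation leaves Country empty for private or unmapped addresses.
        group["countries"].add(row.get("Country") or None)

    verdicts = {}
    for (user, src), group in groups.items():
        reasons = []
        if None in group["countries"]:
            reasons.append("location_unresolved")
        elif not group["countries"] <= usual_countries.get(user, set()):
            reasons.append("unfamiliar_location")
        if len(group["apps"]) > max_apps:
            reasons.append("many_unassigned_apps")
        verdicts[(user, src)] = reasons or ["likely_misclick"]
    return verdicts


if __name__ == "__main__":
    for key, reasons in triage(ROWS, USUAL_COUNTRIES).items():
        print(key, reasons)
```

A single attempt from a usual country is labelled `likely_misclick`; any other label means the source should be checked before the event is dismissed.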