Malicious authentication attempt detected by Okta ThreatInsight

okta

Classification:

attack

Tactic:

TA0001-initial-access

Set up the okta integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect malicious Okta authentication attempts based on Okta ThreatInsight.

Strategy

This rule lets you monitor Okta authentication attempts where the @evt.name is security.threat.detected and the @debugContext.debugData.threatSuspected value is true.

Okta ThreatInsight uses these attributes to flag authentication attempts that are deemed as threats.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Does threat intelligence indicate that this IP has been associated with malicious activity?
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the debugContext.debugData.threatDetections field to determine the threat reason and level.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.

Changelog

  • 13 September 2023 - Updated critical case severities to medium and medium case severities to low.