Multiple Okta push notifications denied
Set up the okta integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect Okta Multi-factor Authentication (MFA) fatigue attacks.
Strategy
This rule lets you monitor the following Okta events to determine when a user has rejected Okta MFA push verify more than once:
user.mfa.okta_verify.deny_push
for Okta Classicuser.authentication.auth_via_mfa
with debugContext.debugData.factor
of OKTA_VERIFY_PUSH
and @evt.outcome
of FAILURE
for Okta Identity Engine
An attacker may attempt to bombard users with repeated MFA push notifications in order to fatigue them, thereby forcing them into verifying their malicious authentication attempts.
Triage and response
- Verify if the user:
{{@usr.email}}
made the observed authentication attempts. - If the user did not make the observed authentication attempts:
- Rotate user credentials
- Confirm that no successful authentication attempts have been made.
- Investigate the source IP:
{{@network.client.ip}}
using the Cloud SIEM - IP Investigation dashboard to determine if the IP address has taken other actions.
Changelog
- 12 September 2023 - Updated query to add distinction between Okta Classic and Okta Identity Engine.