Okta user reported suspicious activity

Classification:

attack

Set up the Okta integration.

Goal

Detect when an Okta user reports suspicious activity in response to an end user security notification.

Strategy

This rule monitors for an Okta user reporting suspicious activity in response to an end user security notification. Suspicious Activity Reporting gives a user the option to report unrecognized activity directly from the email notifications Okta sends about account activity. Account activity covered by these notifications includes:

  • New sign-on notification
  • Authenticator enrolled
  • Authenticator reset
  • Password changed

Triage and response

  1. Identify the event type (@debugContext.debugData.suspiciousActivityEventType) that the user reported and the IP address (@debugContext.debugData.suspiciousActivityEventIp) from which the suspicious activity originated.
  2. Determine if any other activity has originated from this address by using the Cloud SIEM - IP Investigation dashboard.
  3. If the activity appears to be harmful:
    • Begin your organization’s incident response process and investigate for any account takeovers.
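The detection and the first two triage steps above, as an added example that is not part of this page or of Datadog's rule logic. It assumes Okta System Log records in their native JSON shape and that the report event carries the Okta event type user.account.report_suspicious_activity_by_enduser (taken from Okta's event catalog, not stated on this page). The sample records are constructed; the two debugData attributes are the ones the triage steps name.

```python
"""Detect end-user suspicious activity reports in Okta System Log events
and pivot on the reported IP address (example code, not Datadog's rule)."""
import json

# Okta System Log event type emitted when an end user clicks "report
# suspicious activity" in a security notification email. Assumed from
# Okta's event catalog; the page itself does not quote it.
REPORT_EVENT_TYPE = "user.account.report_suspicious_activity_by_enduser"

# Constructed sample System Log records (not real Okta data). The report
# event points back at an earlier sign-on from 203.0.113.10, and a second
# user later performs an authenticator update from that same address.
SAMPLE_LOGS = [
    {"eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "published": "2024-05-01T08:00:00Z",
     "debugContext": {"debugData": {}}},
    {"eventType": REPORT_EVENT_TYPE,
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"},
     "published": "2024-05-01T08:05:00Z",
     "debugContext": {"debugData": {
         "suspiciousActivityEventType": "user.session.start",
         "suspiciousActivityEventIp": "203.0.113.10"}}},
    {"eventType": "user.mfa.factor.update",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "published": "2024-05-01T08:30:00Z",
     "debugContext": {"debugData": {}}},
]


def find_reports(events):
    """Step 1: one triage record per end-user report, carrying the reported
    event type and originating IP from debugContext.debugData."""
    reports = []
    for ev in events:
        if ev.get("eventType") != REPORT_EVENT_TYPE:
            continue
        dbg = ev.get("debugContext", {}).get("debugData", {})
        reports.append({
            "reporter": ev["actor"]["alternateId"],
            "reported_event_type": dbg.get("suspiciousActivityEventType"),
            "reported_ip": dbg.get("suspiciousActivityEventIp"),
            "reported_at": ev.get("published"),
        })
    return reports


def activity_from_ip(events, ip):
    """Step 2: every non-report event whose client IP matches the reported
    address, i.e. what an IP investigation dashboard would surface."""
    return [ev for ev in events
            if ev.get("client", {}).get("ipAddress") == ip
            and ev.get("eventType") != REPORT_EVENT_TYPE]


def triage(events):
    """Combine detection and the IP pivot into a summary per report."""
    summaries = []
    for report in find_reports(events):
        related = activity_from_ip(events, report["reported_ip"])
        actors = {e["actor"]["alternateId"] for e in related}
        # Other accounts touched from the same address are account takeover
        # candidates worth checking in step 3.
        report["other_actors_from_ip"] = sorted(actors - {report["reporter"]})
        report["events_from_ip"] = len(related)
        summaries.append(report)
    return summaries


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS), indent=2))
```

Running it on the sample records yields one summary: alice reported a sign-on from 203.0.113.10, two events came from that address, and bob's authenticator update is flagged as another account worth reviewing.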