Okta User Identity Verification failure
Goal
Detects failed Okta user identity verification attempts. Alerts when an identity verification challenge results in DENY.
Strategy
This rule monitors Okta identity verification events, following guidance published by the Okta team. It triggers when @evt.name is user.identity_verification and @evt.outcome is DENY. Identity verification failures during authentication or recovery workflows warrant review to distinguish user error from potential account takeover activity.
Adversaries may try to bypass ID Verification in order to reset a password, enroll a factor for a user with admin permissions, or unlock an account.
This detection has been adopted from rules published by the Okta team.
Triage & Response
- Examine the identity verification context for {{@usr.email}} to confirm the prompt was expected (authentication challenge, recovery, or risk-based step).
- Review recent authentication activity for {{@usr.email}} around the alert time, including failed logins, MFA challenges, and password reset attempts.
- Identify the source IP {{@network.client.ip}} and geo-location and determine whether they align with normal usage patterns or corporate egress.
- Check device and client details to verify whether the attempt originated from a recognized device for the user.
- Analyze subsequent events to see if the identity verification later succeeded or if access attempts continued without resolution.
- If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.
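The following is an added example, not Datadog's or Okta's code, that applies the rule's match condition (evt.name is user.identity_verification and evt.outcome is DENY) to a handful of constructed events and then gathers the triage context the steps above ask for: whether the same user later passed verification, how many denials occurred in a short window, what other activity surrounds the alert, and whether the source IP is a known corporate egress address. The event shape mirrors the attribute names quoted on the page; the sample events, the egress allow-list, and the treatment of ALLOW or SUCCESS as a passed verification are assumptions made for the example.

```python
"""Added example (not Datadog's or Okta's code): evaluate the identity
verification DENY rule and collect triage context over constructed events."""
from datetime import datetime

# Constructed sample events in the normalized shape the rule references
# (evt.name, evt.outcome, usr.email, network.client.ip); not real Okta data.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:00:00Z", "evt": {"name": "user.session.start", "outcome": "SUCCESS"},
     "usr": {"email": "alice@example.com"}, "network": {"client": {"ip": "203.0.113.10"}}},
    {"timestamp": "2024-05-01T09:01:00Z", "evt": {"name": "user.identity_verification", "outcome": "DENY"},
     "usr": {"email": "alice@example.com"}, "network": {"client": {"ip": "203.0.113.10"}}},
    {"timestamp": "2024-05-01T09:03:00Z", "evt": {"name": "user.identity_verification", "outcome": "ALLOW"},
     "usr": {"email": "alice@example.com"}, "network": {"client": {"ip": "203.0.113.10"}}},
    {"timestamp": "2024-05-01T11:20:00Z", "evt": {"name": "user.identity_verification", "outcome": "DENY"},
     "usr": {"email": "bob@example.com"}, "network": {"client": {"ip": "198.51.100.77"}}},
    {"timestamp": "2024-05-01T11:22:00Z", "evt": {"name": "user.account.reset_password", "outcome": "FAILURE"},
     "usr": {"email": "bob@example.com"}, "network": {"client": {"ip": "198.51.100.77"}}},
    {"timestamp": "2024-05-01T11:25:00Z", "evt": {"name": "user.identity_verification", "outcome": "DENY"},
     "usr": {"email": "bob@example.com"}, "network": {"client": {"ip": "198.51.100.77"}}},
]

# Assumed allow-list of corporate egress addresses (constructed for the example).
KNOWN_EGRESS = {"203.0.113.10"}

# Outcomes treated as a passed verification; an assumption for this example.
PASS_OUTCOMES = {"ALLOW", "SUCCESS"}


def get_path(event, dotted, default=None):
    """Walk a dotted path such as 'network.client.ip' through nested dicts."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def parse_ts(value):
    """Parse an ISO-8601 timestamp; the 'Z' suffix needs rewriting for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_rule(event):
    """The rule's trigger: evt.name is user.identity_verification and evt.outcome is DENY."""
    return (get_path(event, "evt.name") == "user.identity_verification"
            and get_path(event, "evt.outcome") == "DENY")


def find_alerts(events):
    """Return every event that would fire this detection."""
    return [e for e in events if matches_rule(e)]


def triage(events, alert, window_minutes=30):
    """Collect the context the triage steps call for around one alert."""
    user = get_path(alert, "usr.email")
    ip = get_path(alert, "network.client.ip")
    t0 = parse_ts(alert["timestamp"])
    same_user = [e for e in events if get_path(e, "usr.email") == user and e is not alert]
    later = [e for e in same_user if parse_ts(e["timestamp"]) > t0]
    nearby = [e for e in same_user
              if abs((parse_ts(e["timestamp"]) - t0).total_seconds()) <= window_minutes * 60]
    # Did the user pass identity verification after this denial?
    resolved = any(get_path(e, "evt.name") == "user.identity_verification"
                   and get_path(e, "evt.outcome") in PASS_OUTCOMES for e in later)
    # Count denials in the window, including the alert itself.
    denies = sum(1 for e in nearby if matches_rule(e)) + 1
    return {
        "user": user,
        "client_ip": ip,
        "ip_is_known_egress": ip in KNOWN_EGRESS,
        "later_verification_succeeded": resolved,
        "deny_count_in_window": denies,
        "nearby_event_names": sorted({get_path(e, "evt.name") for e in nearby}),
    }


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(triage(SAMPLE_EVENTS, alert))
```

In the constructed data, alice's denial is followed two minutes later by a passed verification from a known egress address, which reads as user error; bob's denials repeat from an unrecognized address alongside a failed password reset, the pattern the last triage step says should start the incident response process.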