Malicious authentication attempt detected by Okta ThreatInsight

okta

Classification:

attack

Tactic:

TA0001-initial-access

Set up the okta integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect malicious Okta authentication attempts based on Okta ThreatInsight.

Strategy

This rule lets you monitor Okta authentication attempts where the @evt.name is security.threat.detected and the @debugContext.debugData.threatSuspected value is true.

Okta ThreatInsight uses these attributes to flag authentication attempts that are deemed as threats.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Does threat intelligence indicate that this IP has been associated with malicious activity?
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the debugContext.debugData.threatDetections field to determine the threat reason and level.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.

Changelog

  • 13 September 2023 - Updated critical case severities to medium and medium case severities to low.