Okta suspicious user login after breach credentials detected

Goal

Detects when a user successfully authenticates or changes their password from an unfamiliar device or location after Okta identifies their credentials in a known breach.

Strategy

This rule monitors Okta logs for a two-stage sequence. First, a security.breached_credential.detected event indicates that Okta has identified a user’s credentials in a public data breach. Then, within the evaluation window, the same user performs a successful authentication (user.authentication.*), password reset (user.account.reset_password), or password update (user.account.update_password) from an unfamiliar device or geo-location, as indicated by @debugContext.debugData.behaviors containing Device=POSITIVE or Geo-Location=POSITIVE.

The combination of exposed credentials followed by activity from an unrecognized source is a strong indicator that an attacker has obtained the breached credentials and is actively using them to access or take over the account.
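
As an added illustration (not part of this rule's page or of Datadog's own implementation), the following Python stages the same two-step correlation over a few constructed Okta System Log records. Field names follow Okta's log schema (eventType, published, actor.alternateId, outcome.result, client.ipAddress, debugContext.debugData.behaviors); the 24-hour window and the sample users, IPs and timestamps are assumptions, not values from the rule.

```python
import fnmatch
from datetime import datetime, timedelta

BREACH_EVENT = "security.breached_credential.detected"
FOLLOWUP = ("user.authentication.*", "user.account.reset_password", "user.account.update_password")
SUSPICIOUS = ("Device=POSITIVE", "Geo-Location=POSITIVE")

def parse_ts(s):
    # Okta "published" timestamps are ISO-8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def is_suspicious_followup(ev):
    """Successful auth or password change whose behavior flags mark a new device or geo."""
    if ev.get("outcome", {}).get("result") != "SUCCESS":
        return False
    if not any(fnmatch.fnmatchcase(ev["eventType"], p) for p in FOLLOWUP):
        return False
    behaviors = ev.get("debugContext", {}).get("debugData", {}).get("behaviors", "")
    return any(flag in behaviors for flag in SUSPICIOUS)

def correlate(events, window=timedelta(hours=24)):
    """Return (user, eventType, ip) for each suspicious follow-up within `window` of the user's breach notice."""
    breach_seen_at, hits = {}, []
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        user, ts = ev["actor"]["alternateId"], parse_ts(ev["published"])
        if ev["eventType"] == BREACH_EVENT:
            breach_seen_at[user] = ts  # stage 1: remember when Okta flagged the credentials
        elif (user in breach_seen_at and ts - breach_seen_at[user] <= window
              and is_suspicious_followup(ev)):  # stage 2: unfamiliar source after the notice
            hits.append((user, ev["eventType"], ev["client"]["ipAddress"]))
    return hits

def _ev(etype, user, ts, ip, behaviors=""):
    # Constructed Okta System Log records, trimmed to the fields the rule reads
    return {"eventType": etype, "published": ts, "outcome": {"result": "SUCCESS"},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "debugContext": {"debugData": {"behaviors": behaviors}}}

SAMPLE_EVENTS = [  # constructed sample log (assumed users, IPs and times)
    _ev(BREACH_EVENT, "alice@example.com", "2024-05-01T08:00:00.000Z", "198.51.100.1"),
    _ev("user.authentication.sso", "alice@example.com", "2024-05-01T11:00:00.000Z",  # hit
        "203.0.113.5", "{New Geo-Location=NEGATIVE, New Device=POSITIVE}"),
    _ev(BREACH_EVENT, "bob@example.com", "2024-05-01T09:00:00.000Z", "198.51.100.1"),
    _ev("user.account.reset_password", "bob@example.com", "2024-05-01T09:30:00.000Z",  # known device: no hit
        "192.0.2.10", "{New Geo-Location=NEGATIVE, New Device=NEGATIVE}"),
    _ev("user.authentication.auth_via_mfa", "carol@example.com",  # new geo but no breach notice: no hit
        "2024-05-01T10:00:00.000Z", "203.0.113.9", "{New Geo-Location=POSITIVE}"),
]
```

Running correlate(SAMPLE_EVENTS) yields only alice's SSO from the new device; bob's reset from a recognized device and carol's login with no preceding breach notice are left alone.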

Triage and response

  • Review the security.breached_credential.detected event for {{@usr.email}} to understand when the breach notification occurred and which credential source was identified.
  • Examine the follow-up authentication or password change event to determine the source IP, device, and geo-location, and assess whether they are consistent with the user’s normal activity.
  • Contact {{@usr.email}} to verify whether they initiated the login or password change from the flagged device or location.
  • Check if the user’s password was changed after the breach notification, and determine whether the reset was performed by the user or by an attacker who already had access.
  • Review subsequent session activity for {{@usr.email}} to identify any application access, privilege changes, or data exfiltration that occurred after the suspicious authentication.
  • Determine if other accounts with credentials from the same breach source have shown similar authentication anomalies.