Malicious authentication attempt detected by Okta ThreatInsight

Set up the Okta integration.

Goal

Detect malicious Okta authentication attempts based on Okta ThreatInsight.

Strategy

This rule lets you monitor Okta authentication attempts where the @evt.name is security.threat.detected and the @debugContext.debugData.threatSuspected value is true.

Okta ThreatInsight sets these attributes on authentication attempts it deems to be threats.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Does threat intelligence indicate that this IP has been associated with malicious activity?
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the debugContext.debugData.threatDetections field to determine the threat reason and level.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.
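The rule's match condition from the Strategy section and the threatDetections lookup from triage step 2, as an added example (not Datadog's or Okta's own code). The sample events are constructed in the attribute shape the page names (@evt.name, @network.client.ip, @debugContext.debugData.*); the inner layout of threatDetections (a JSON string of objects with threatDetectionType and threatLevel) is an assumption.

```python
import json

# Constructed sample events (not real log data), in the remapped attribute shape
# the page refers to. The threatDetections layout is assumed, not taken from the page.
SAMPLE_EVENTS = [
    {   # flagged by ThreatInsight: should match the rule
        "evt": {"name": "security.threat.detected"},
        "network": {"client": {"ip": "203.0.113.10"}},
        "debugContext": {"debugData": {
            "threatSuspected": "true",
            "threatDetections": json.dumps(
                [{"threatDetectionType": "PASSWORD_SPRAY", "threatLevel": "HIGH"}]),
        }},
    },
    {   # same event type but threatSuspected is false: must not match
        "evt": {"name": "security.threat.detected"},
        "network": {"client": {"ip": "198.51.100.7"}},
        "debugContext": {"debugData": {"threatSuspected": "false"}},
    },
    {   # ordinary login: must not match
        "evt": {"name": "user.session.start"},
        "network": {"client": {"ip": "192.0.2.44"}},
        "debugContext": {"debugData": {}},
    },
]

def _get(event, path):
    """Walk a dotted attribute path; return None if any segment is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def is_threatinsight_hit(event):
    """Rule condition: @evt.name == security.threat.detected AND threatSuspected == true."""
    suspected = _get(event, "debugContext.debugData.threatSuspected")
    return (_get(event, "evt.name") == "security.threat.detected"
            and str(suspected).lower() == "true")   # accept bool or string form

def threat_detections(event):
    """Parse threatDetections (JSON string or list) into (type, level) pairs for triage."""
    raw = _get(event, "debugContext.debugData.threatDetections")
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except ValueError:
            return []
    return [(d.get("threatDetectionType"), d.get("threatLevel"))
            for d in raw] if isinstance(raw, list) else []

def triage(events):
    """Return, per matching event, the source IP to investigate and its threat reasons/levels."""
    return [{"ip": _get(ev, "network.client.ip"), "detections": threat_detections(ev)}
            for ev in events if is_threatinsight_hit(ev)]
```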

Changelog

  • 13 September 2023 - Updated critical case severities to medium and medium case severities to low.