Okta user reported suspicious activity

Integration: Okta

Classification: attack

Requires the Okta integration to be set up.

Goal

Detect when an Okta user reports suspicious activity in response to an end-user security notification.

Strategy

This rule monitors for an Okta user reporting suspicious activity in response to an end-user security notification. Okta's Suspicious Activity Reporting feature lets a user flag activity they do not recognize directly from the email notifications Okta sends about their account. Those notifications cover the following account activity:

  • New sign-on notification
  • Authenticator enrolled
  • Authenticator reset
  • Password changed

Triage and response

  1. Identify the event type (@debugContext.debugData.suspiciousActivityEventType) that the user reported and the IP address (@debugContext.debugData.suspiciousActivityEventIp) from which the reported activity originated. Note that the report is filed after the fact: the reported action (for example, an authenticator enrolment or a password change) has already taken place on the account.
  2. Determine whether any other activity has originated from this address by using the Cloud SIEM - IP Investigation dashboard.
  3. If the activity appears to be harmful:
    • Begin your organization's incident response process and investigate for account takeover, starting with the account that filed the report.
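The detection and the first two triage steps above, run over a handful of constructed Okta System Log records (an added example, not code from Okta or from the rule itself). It assumes the report event is logged with the event type `user.account.report_suspicious_activity_by_enduser` and that the reported activity's details sit under `debugContext.debugData` with the key names the triage steps quote; the sample records, user names and IP addresses are constructed for the example.

```python
import json

# Okta System Log event type assumed to be emitted when an end user clicks
# "Report suspicious activity" in an account-activity email. This name is an
# assumption of the example; confirm it against your tenant's System Log.
REPORT_EVENT_TYPE = "user.account.report_suspicious_activity_by_enduser"

# Constructed sample System Log records, one JSON object per line, trimmed to
# the fields this example reads. IP addresses come from documentation ranges.
# Story: alice's account gets a new MFA factor enrolled from 203.0.113.45,
# alice reports it from her own address, and bob is later signed in from the
# same 203.0.113.45.
SAMPLE_LOG = """\
{"uuid": "e1", "published": "2024-05-01T09:00:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.45"}, "outcome": {"result": "SUCCESS"}}
{"uuid": "e2", "published": "2024-05-01T09:01:30.000Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.45"}, "outcome": {"result": "SUCCESS"}}
{"uuid": "e3", "published": "2024-05-01T09:20:00.000Z", "eventType": "user.account.report_suspicious_activity_by_enduser", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {"suspiciousActivityEventType": "user.mfa.factor.activate", "suspiciousActivityEventIp": "203.0.113.45", "suspiciousActivityEventId": "e2"}}}
{"uuid": "e4", "published": "2024-05-01T09:25:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.45"}, "outcome": {"result": "SUCCESS"}}
{"uuid": "e5", "published": "2024-05-01T09:30:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "192.0.2.10"}, "outcome": {"result": "SUCCESS"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON System Log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _dig(event, *path, default=None):
    """Walk nested dicts safely; missing or non-dict intermediates yield default."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur


def find_suspicious_activity_reports(events):
    """Detection logic: one finding per end-user suspicious-activity report.

    Each finding carries the reporting user plus the event type, source IP and
    event id the user reported, which is where triage step 1 starts.
    """
    findings = []
    for ev in events:
        if ev.get("eventType") != REPORT_EVENT_TYPE:
            continue
        debug = ("debugContext", "debugData")
        findings.append({
            "report_id": ev.get("uuid"),
            "reporter": _dig(ev, "actor", "alternateId"),
            "reported_at": ev.get("published"),
            "reported_event_type": _dig(ev, *debug, "suspiciousActivityEventType"),
            "reported_event_ip": _dig(ev, *debug, "suspiciousActivityEventIp"),
            "reported_event_id": _dig(ev, *debug, "suspiciousActivityEventId"),
        })
    return findings


def events_from_ip(events, ip):
    """Triage step 2: every event whose client IP equals the reported IP,
    across all actors, so other accounts touched from that address surface."""
    return [ev for ev in events if _dig(ev, "client", "ipAddress") == ip]


def actors_seen_from_ip(events, ip):
    """Distinct users with activity from the reported IP, sorted for display."""
    actors = {_dig(ev, "actor", "alternateId") for ev in events_from_ip(events, ip)}
    return sorted(a for a in actors if a is not None)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in find_suspicious_activity_reports(evs):
        print("report:", finding)
        ip = finding["reported_event_ip"]
        print("other activity from", ip, ":",
              [(e["uuid"], e["eventType"], _dig(e, "actor", "alternateId"))
               for e in events_from_ip(evs, ip)])
        print("accounts seen from", ip, ":", actors_seen_from_ip(evs, ip))
```

The IP pivot deliberately does not filter on the reporting user: in the sample, the same address that enrolled a factor on alice's account also opened a session for bob, which is exactly the kind of lead the account-takeover check in step 3 should pick up.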