MFA Fatigue OKTA

let PushThreshold = 10;
OktaSSO
| where ((eventType_s =="user.authentication.auth_via_mfa" and column_ifexists('debugContext_debugData_factor_s', '') == "OKTA_VERIFY_PUSH") or eventType_s == "system.push.send_factor_verify_push" or eventType_s == "user.mfa.okta_verify.deny_push") 
| summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),
          successes = countif(eventType_s == "user.authentication.auth_via_mfa"),
          denies = countif(eventType_s == "user.mfa.okta_verify.deny_push"),
          pushes = countif(eventType_s == "system.push.send_factor_verify_push") by TimeGenerated, authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s 
| summarize lasttime = max(TimeGenerated), firsttime = min(TimeGenerated),
          successes = sum(successes), failures = sum(denies), pushes = sum(pushes) by  authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s 
| extend seconds = lasttime - firsttime
| where pushes >  (PushThreshold)
| extend totalattempts = successes + failures
| extend finding = case(
            failures == pushes and pushes > 1, "Authentication attempts not successful because multiple pushes denied",
            totalattempts == 0, "Multiple pushes sent and ignored",
            successes > 0 and pushes > 3, "Multiple pushes sent, eventual successful authentication!",
            "Normal authentication pattern")

description: |
  'MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. 
   Ref: https://sec.okta.com/everythingisyes.'  
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors:
- connectorId: OktaSSO
  dataTypes:
  - Okta_CL
- connectorId: OktaSSOv2
  dataTypes:
  - OktaSSO
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml
severity: Medium
name: MFA Fatigue (OKTA)
triggerThreshold: 0
queryPeriod: 1h
query: |
  let PushThreshold = 10;
  OktaSSO
  | where ((eventType_s =="user.authentication.auth_via_mfa" and column_ifexists('debugContext_debugData_factor_s', '') == "OKTA_VERIFY_PUSH") or eventType_s == "system.push.send_factor_verify_push" or eventType_s == "user.mfa.okta_verify.deny_push") 
  | summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),
            successes = countif(eventType_s == "user.authentication.auth_via_mfa"),
            denies = countif(eventType_s == "user.mfa.okta_verify.deny_push"),
            pushes = countif(eventType_s == "system.push.send_factor_verify_push") by TimeGenerated, authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s 
  | summarize lasttime = max(TimeGenerated), firsttime = min(TimeGenerated),
            successes = sum(successes), failures = sum(denies), pushes = sum(pushes) by  authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s 
  | extend seconds = lasttime - firsttime
  | where pushes >  (PushThreshold)
  | extend totalattempts = successes + failures
  | extend finding = case(
              failures == pushes and pushes > 1, "Authentication attempts not successful because multiple pushes denied",
              totalattempts == 0, "Multiple pushes sent and ignored",
              successes > 0 and pushes > 3, "Multiple pushes sent, eventual successful authentication!",
              "Normal authentication pattern")  
relevantTechniques:
- T1621
id: c2697b81-7fe9-4f57-ba1d-de46c6f91f9c
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.1.1
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: actor_alternateId_s
    identifier: Name
  - columnName: actor_displayName_s
    identifier: DisplayName