Microsoft Sentinel Analytic Rules

Device Registration from Malicious IP

Id: e36c6bd6-f86a-4282-93a5-b4a1b48dd849
Rulename: Device Registration from Malicious IP
Description: This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.
Severity: High
Tactics: Persistence
Techniques: T1098
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml
Version: 1.1.1
Arm template: e36c6bd6-f86a-4282-93a5-b4a1b48dd849.json
KQL:
    let Events = dynamic(["device.enrollment.create"]);
    let ThreatInsightOperations = dynamic(["security.threat.detected", "security.

Failed Logins from Unknown or Invalid User

Id: 884be6e7-e568-418e-9c12-89229865ffde
Rulename: Failed Logins from Unknown or Invalid User
Description: This query searches for numerous login attempts to the management console with an unknown or invalid user name.
Severity: Medium
Tactics: CredentialAccess
Techniques: T1110
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
Version: 1.1.1
Arm template: 884be6e7-e568-418e-9c12-89229865ffde.json
KQL:
    let FailureThreshold = 15;
    let FailedLogins = OktaSSO
    | where eventType_s =~ "user.

High-Risk Admin Activity

Id: 9f82a735-ae43-4c03-afb4-d5d153e1ace1
Rulename: High-Risk Admin Activity
Description: The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.
Severity: Medium
Tactics: Persistence
Techniques: T1098
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml
Version: 1.1.1
Arm template: 9f82a735-ae43-4c03-afb4-d5d153e1ace1.json
KQL:
    let AdminActivity = dynamic(["iam.

MFA Fatigue (OKTA)

Id: c2697b81-7fe9-4f57-ba1d-de46c6f91f9c
Rulename: MFA Fatigue (OKTA)
Description: An MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details, thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. Ref: https://www.okta.com/blog/identity-security/mfa-fatigue-growing-security-concern/.
Severity: Medium
Tactics: CredentialAccess
Techniques: T1621
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

New Device/Location sign-in along with critical operation

Id: 41e843a8-92e7-444d-8d72-638f1145d1e1
Rulename: New Device/Location sign-in along with critical operation
Description: This query identifies users seen logging in from a new geo location/country as well as a new device and performing critical operations.
Severity: Medium
Tactics: InitialAccess, Persistence
Techniques: T1078, T1556
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml
Version: 1.1.1
Arm template: 41e843a8-92e7-444d-8d72-638f1145d1e1.

Okta Fast Pass phishing Detection

Id: 78d2b06c-8dc0-40e1-91c8-66d916c186f3
Rulename: Okta Fast Pass phishing Detection
Description: This query detects cases in which Okta FastPass effectively prevented access to a known phishing website.
Severity: Medium
Tactics: InitialAccess
Techniques: T1566
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/PhishingDetection.yaml
Version: 1.1.0
Arm template: 78d2b06c-8dc0-40e1-91c8-66d916c186f3.json
KQL:
    OktaSSO
    | where eventType_s == 'user.authentication.auth_via_mfa'
    | where outcome_result_s == 'FAILURE'
    | where outcome_reason_s == 'FastPass declined phishing attempt'
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
        by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s,
           client_geographicalContext_state_s, displayMessage_s, outcome_result_s, outcome_reason_s,
           column_ifexists('debugContext_debugData_logOnlySecurityData_s', ""),
           debugContext_debugData_threatSuspected_s, client_userAgent_rawUserAgent_s,
           client_userAgent_browser_s, severity_s, client_geographicalContext_city_s,
           client_geographicalContext_country_s
    | extend Location = strcat(client_geographicalContext_city_s, "-", client_geographicalContext_country_s)
YAML:
    entityMappings:
    - fieldMappings:
      - identifier: Name
        columnName: actor_alternateId_s
      - identifier: DisplayName
        columnName: actor_displayName_s
      entityType: Account
    - fieldMappings:
      - identifier: Address
        columnName: client_ipAddress_s
      entityType: IP
    requiredDataConnectors:
    - dataTypes:
      - Okta_CL
      connectorId: OktaSSO
    - dataTypes:
      - OktaSSO
      connectorId: OktaSSOv2
    kind: Scheduled
    severity: Medium
    description: |
      'This query detects cases in which Okta FastPass effectively prevented access to a known phishing website.

Potential Password Spray Attack

Id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
Rulename: Potential Password Spray Attack
Description: This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.
Severity: Medium
Tactics: CredentialAccess
Techniques: T1110.003
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

User Login from Different Countries within 3 hours

Id: 2954d424-f786-4677-9ffc-c24c44c6e7d5
Rulename: User Login from Different Countries within 3 hours
Description: This query searches for successful user logins to the Okta Console from different countries within 3 hours.
Severity: High
Tactics: InitialAccess
Techniques: T1078.004
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 3h
Query period: 3h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml
Version: 1.1.1
Arm template: 2954d424-f786-4677-9ffc-c24c44c6e7d5.json
KQL:
    let timeframe = ago(3h);
    let threshold = 2;
    OktaSSO
    | where column_ifexists('published_t', now()) >= timeframe
    | where eventType_s =~ "user.

User Session Impersonation (Okta)

Id: 35846296-4052-4de2-8098-beb6bb5f2203
Rulename: User Session Impersonation (Okta)
Description: A user has started a session impersonation, gaining access with the impersonated user's permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.
Severity: Medium
Tactics: PrivilegeEscalation
Techniques: T1134, T1134.003
Required data connectors: OktaSSO, OktaSSOv2
Kind: Scheduled
Query frequency: 6h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/UserSessionImpersonation.yaml
Version: 1.