Name:Okta Successful Single Factor Authentication id:98f6ad4f-4325-4096-9d69-45dc8e638e82 version:3 date:2024-09-30 author:Bhavin Patel, Splunk status:production type:Anomaly Description:The following analytic identifies successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication events where "Okta Verify" is not used. This behavior is significant as it may indicate a misconfiguration, policy violation, or potential account takeover. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches or further exploitation within the environment. Data_source:
-Okta
search:`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !="Okta Verify" | `okta_successful_single_factor_authentication_filter`
how_to_implement:This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). known_false_positives:Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary. References: -https://sec.okta.com/everythingisyes -https://attack.mitre.org/techniques/T1078/004/ drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Okta Account Takeover' asset_type:Okta Tenant confidence:60 impact:80 message:A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$]. mitre_attack_id: - 'T1586' - 'T1586.003' - 'T1078' - 'T1078.004' - 'T1621' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'tag' - 'action' - 'src_user_type' - 'eventType' - 'target{}.displayName' - 'debugContext.debugData.url' - 'authentication_method' - 'src_ip' - 'user' - '_time' risk_score:48 security_domain:identity
